How to set up an inbound SSL connection using a certificate issued by the internal CA?


Alex Solovey

Dec 28, 2017, 3:04:27 PM
to membrane-monitor
Hi,

I am trying to set up Membrane service proxy in the development environment and therefore I want to use a certificate issued by our company's internal Certificate Authority.

I installed the certificate in the keystore however it is showing a certificate error in the browser. I added the internal CA trust certificate to the store as well but it did not help.

I noticed that the browser shows the fingerprint of my private key instead of the issued certificate. What am I doing wrong?

I am using Membrane version 4.5.1.

Here is the configuration:

<serviceProxy port="443">
    <ssl>
        <keystore location="keystore.jks" password="membrane" keyPassword="membrane" />
    </ssl>

    <target host="target-host" port="8080"/>
</serviceProxy>

Here are two entries in the keystore:

cert, Dec 27, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): D3:D0:.....
privkey, Nov 15, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 3A:13:.....

The browser shows that the site cert has a thumbprint starting with 3A:13..., which is the private key. It does not show the correct certificate path either.


Please let me know what other information you need in order to help me.

Thank you for your help!

Alexander Solovey


Tobias Polley

Jan 17, 2018, 3:37:27 AM
to membrane-monitor
Hi Alexander,


privkey, Nov 15, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 3A:13:.....

my guess would be that "PrivateKeyEntry" is one entry containing both the private key as well as the certificate. "3A:13:..." is listed as "Certificate fingerprint" and would then refer to the fingerprint of the certificate, not of the key.

The certificate validation path shown in browsers is a combination of certificates they have installed, cached or received from the server. Without any more information, it is therefore hard to say it is actually incorrect.

My preferred way of debugging these situations is issuing the command

openssl s_client -host www.predic8.de -port 443

and looking at the output.

Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=predic8.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root


is saying that the server identified itself using the key corresponding to certificate 0, and transmitted not only certificate 0, but also 1 and 2.

If the client trusts the signer of any certificate in the chain (e.g. has the "AddTrust External CA Root" certificate in its (client-side) CA store), validation can proceed.

These chains are a bit of a headache to set up in the JKS format. I once saw a very good Java GUI program which could be used to explore and set up keystores, although I forgot its name. I would try to start there.

Best, Tobias
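As an added example (not part of the thread or of Membrane), here is a small Python check over the "Certificate chain" listing that `openssl s_client` prints, as pasted above: it verifies the issuer-to-subject links Tobias describes and reports whether some issuer in the transmitted chain is in a constructed client-side trust store. The sample output and the trust store contents are constructed from the reply; the check compares names only and performs no signature verification.

```python
import re

# Constructed sample input: the chain listing Tobias pasted in his reply.
SAMPLE_S_CLIENT_OUTPUT = """\
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=predic8.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
"""

# Constructed client-side trust store: subject names of the roots the client trusts.
TRUSTED_ROOT_SUBJECTS = {
    "/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root",
}

# One chain entry: an index, the 's:' subject line, then the indented 'i:' issuer line.
_ENTRY_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in _ENTRY_RE.finditer(output)]


def check_chain(chain, trusted_roots):
    """Return (ok, problems, anchor): issuer(n) must equal subject(n+1), and some
    issuer must be a trusted root. Name matching only, no signature checks."""
    problems = []
    for n in range(len(chain) - 1):
        if chain[n][1] != chain[n + 1][0]:
            problems.append("cert %d issuer does not match cert %d subject" % (n, n + 1))
    anchor = next((iss for _, iss in chain if iss in trusted_roots), None)
    if anchor is None:
        problems.append("no issuer in the transmitted chain is in the client trust store")
    return (not problems, problems, anchor)


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_S_CLIENT_OUTPUT)
    ok, problems, anchor = check_chain(chain, TRUSTED_ROOT_SUBJECTS)
    print("leaf:", chain[0][0])
    print("chain ok:", ok, "| anchored at:", anchor)
    for problem in problems:
        print(" -", problem)
```

Running the same check on a listing that contains only certificate 0 (a keystore whose PrivateKeyEntry holds just the leaf) reports that nothing in the transmitted chain reaches the trust store, which is the symptom to look for when the browser shows an incomplete path.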