How to provide a certificate chain?


mathias

Nov 17, 2015, 4:46:10 PM
to vert.x
I am running vertx 3.2.0 and don't know how to add an intermediate certificate. Currently I have one certificate:

httpServerOptions
    .setSsl(true)
    .setPemKeyCertOptions(new PemKeyCertOptions()
        .setKeyValue(myKeyStoreAsABuffer)
        .setCertValue(myTrustStoreAsABuffer));

Where do I add the intermediate certificate required for a complete chain of trust?

The docs can be found here: http://vertx.io/docs/vertx-core/java/#ssl

mathias

Nov 17, 2015, 5:18:56 PM
to vert.x
The SSL verification tool https://globalsign.ssllabs.com/analyze.html shows more about my trust path:

1. Sent by server (my certificate)
2. Extra downloaded (the intermediate certificate which I have trouble installing in httpServerOptions)
3. In trust store (the root certificate)

Any idea how to get the second certificate sent by my server?

Michel Guillet

Nov 18, 2015, 8:54:34 AM
to ve...@googlegroups.com
Have you tried with NetServerOptions.setPemTrustOptions ?

I haven't tested it, but it looks like the proper place to add your CA and intermediate certs.

Cheers,

Michel

Another way of providing the server certificate authority is using a list of .pem files:

NetServerOptions options = new NetServerOptions().
    setSsl(true).
    setClientAuth(ClientAuth.REQUIRED).
    setPemTrustOptions(
        new PemTrustOptions().
            addCertPath("/path/to/your/server-ca.pem")
    );
NetServer server = vertx.createNetServer(options);


--
You received this message because you are subscribed to the Google Groups "vert.x" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vertx+un...@googlegroups.com.
Visit this group at http://groups.google.com/group/vertx.
To view this discussion on the web, visit https://groups.google.com/d/msgid/vertx/bd9dd6e6-e225-42fc-b397-d420a852d602%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

mathias

Nov 18, 2015, 10:47:46 AM
to vert.x
No,

Yes, but it didn't work (same behavior as without the PemTrustOptions):

httpServerOptions.setSsl(true);
httpServerOptions.setPemTrustOptions(new PemTrustOptions().addCertValue(intermediateAsABuffer));
httpServerOptions.setPemKeyCertOptions(new PemKeyCertOptions()
    .setKeyValue(myKeyStoreAsABuffer)
    .setCertValue(myTrustStoreAsABuffer));

The PemTrustOptions doesn't allow me to set a privatekey while the PemKeyCertOptions doesn't allow me to add more than one certificate. So I am stuck atm :(
Maybe I should add both CAs to the PemTrustOptions and set the key to the PemKeyCertOptions?

Michel Guillet

Nov 18, 2015, 1:10:26 PM
to ve...@googlegroups.com
It seems that setPemTrustOptions is used to authenticate TLS client connections.

From the documentation and the API I'm not seeing any way of providing the certificate chain directly from PEM files.

Maybe if you use a p12 file holding everything (key + cert + chain) it will work or a JKS file.

I know it worked with Vert.x 2.x with a JKS file...

Michel

mathias

Nov 18, 2015, 2:12:07 PM
to vert.x
Ok, I will try to combine both certificates in one file as you suggested. Thanks so far!

mathias

Nov 18, 2015, 5:26:37 PM
to vert.x
I managed to create a JKS file from my existing files in the following way:
1. create a p12 file from my certificate and private key (using openssl)
2. create a JKS file from the p12 file (using keytool) <- remember "keystorepassword"
3. import intermediateCA to the JKS (using keytool)

And using the following setup:
Buffer jksBuffer = vertx.fileSystem().readFileBlocking("cert/mydomain.jks");
JksOptions jksOptions = new JksOptions().setValue(jksBuffer).setPassword(keystorepassword);
httpServerOptions.setKeyStoreOptions(jksOptions);

And the exception I get now is this one: java.security.UnrecoverableKeyException: Cannot recover key

Any ideas what went wrong?

mathias

Nov 18, 2015, 5:27:59 PM
to vert.x
Does the order of -imports to the JKS matter?

Michel Guillet

Nov 19, 2015, 4:58:11 AM
to ve...@googlegroups.com
Well, I never encountered java.security.UnrecoverableKeyException, but from what I can see on Google or StackOverflow it can happen when you entered a bad password for the JKS or if your private key and JKS have different passwords...

Honestly, I don't use JKS or P12 files and I'm using vert.x behind Nginx, so I'm not of huge help. But I'm sure this is possible with Vert.x.

Michel

On 18 Nov 2015, at 23:27, mathias <roleba...@gmail.com> wrote:

> Does the order of -imports to the JKS matter?


mathias

Nov 24, 2015, 1:03:16 PM
to vert.x
Thanks Michel!
The certificate chain finally works using one jks file.

Two important things I learned were:
1. Private key and jks key need to be the same
2. Instead of importing the intermediateCA one has to append it to the certificate chain of the server certificate

Instead of using the command line tool keytool I used the Keystore-Explorer: http://keystore-explorer.sourceforge.net/ which is much easier :-)
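As an added example (not code from this thread or from the Vert.x project), the following script carries out the three-step procedure and the two lessons above with the openssl CLI alone: the intermediate is attached to the key entry's chain at the moment the PKCS12 is built (not imported afterwards as a separate trusted entry), and one password protects both the store and the key. It generates its own throwaway root, intermediate and server certificate so it runs offline; the subject names, the alias `server`, the password `changeit` and the file names are assumptions. The resulting .p12 can be loaded by Vert.x through PfxOptions, or converted to JKS with `keytool -importkeystore` (the optional last step) and loaded with JksOptions as in the thread.

```shell
#!/bin/sh
# Added example: build a server keystore whose private-key entry carries the full
# chain (leaf + intermediate), which is what makes a Java TLS server send the
# intermediate. Only the openssl CLI is required; keytool conversion is optional.
set -e

# Write a throwaway root -> intermediate -> leaf chain into directory $1.
# Constructed test material; a real deployment uses CA-issued certificates.
make_test_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:localhost\n' > "$d/leaf.ext"
  # Self-signed root (assumed name "Test Root").
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" -subj "/CN=Test Root" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/intermediate.key" -out "$d/intermediate.csr" -subj "/CN=Test Intermediate" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$d/intermediate.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null
  # Server (leaf) certificate signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=localhost" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$d/leaf.csr" -CA "$d/intermediate.pem" -CAkey "$d/intermediate.key" -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Exit 0 only if the leaf chains through the intermediate to the root, i.e. the
# path a client must be able to build once the server sends both certificates.
verify_chain() { # root leaf intermediate
  openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
}

# Build the PKCS12. The intermediate goes in via -certfile, so it becomes part of
# the key entry's chain rather than a stand-alone trusted-certificate entry.
build_p12() { # key leaf intermediate out password
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -name server -out "$4" -passout "pass:$5"
}

# Count certificates stored in the PKCS12; 2 means leaf and intermediate are both present.
count_p12_certs() { # p12 password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Optional JKS conversion for JksOptions; store and key get the same password.
to_jks() { # p12 jks password
  keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$3" \
    -srcalias server -destalias server \
    -destkeystore "$2" -deststoretype JKS -deststorepass "$3" -destkeypass "$3" -noprompt
}

demo() {
  d=$(mktemp -d)
  make_test_chain "$d"
  verify_chain "$d/root.pem" "$d/leaf.pem" "$d/intermediate.pem"
  build_p12 "$d/leaf.key" "$d/leaf.pem" "$d/intermediate.pem" "$d/server.p12" changeit
  echo "certificates in p12: $(count_p12_certs "$d/server.p12" changeit)"
  # Only when a JDK is installed: the key entry should report "Certificate chain length: 2".
  if command -v keytool >/dev/null 2>&1; then
    if to_jks "$d/server.p12" "$d/server.jks" changeit >/dev/null 2>&1; then
      keytool -list -v -keystore "$d/server.jks" -storepass changeit 2>/dev/null | grep 'Certificate chain length' || true
    fi
  fi
}

demo
```

Two checks worth running afterwards: `keytool -list -v` must show the chain length on the PrivateKeyEntry itself, since a second entry that merely holds the intermediate as a trusted certificate is not sent to clients; and against the running server, `openssl s_client -connect host:port -showcerts` should print two BEGIN CERTIFICATE blocks, which is the same thing the SSL Labs report calls "Sent by server". One caveat on the OpenSSL side: OpenSSL 3 writes PKCS12 files with AES-256 and PBKDF2 by default, which old Java 8 releases cannot open; if keytool rejects the file, rebuild it with `openssl pkcs12 -export -legacy ...`.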

Ryan Houlette

Aug 26, 2016, 3:23:28 PM
to vert.x
Hi Mathias, I'm curious if you can provide more details about how exactly you got this to work. I'm in exactly the same situation now. I was able to create a JKS in two steps with keytool that appears to contain two entries, one with my chain and one with the server cert/key. Vertx loads this but still refuses to send the entire cert chain.

Thanks!
Ryan