Is a truststore needed if the server certificate is signed by a CA?

I have a server SSL certificate that has been signed by a trusted certificate authority (CA). I'm using a java desktop application to consume web services at that server over ssl/https using Axis 2 (no client certificate authentication). Everything is working fine, but I see code examples using a truststore or keystore (by the way, what is the difference?) and I'm starting to wonder if I need to use this kind of mechanism. Some articles I have read imply that I don't need to use a keystore because the server's certificate is signed by a CA. I've read lately about some man-in-the-middle attacks that involve intercepting https traffic and impersonating the server. Will my solution be vulnerable to this kind of attack if I don't use a keystore? If I simply provide Axis with an https endpoint url of the web services, will my solution be secure? Any help would be appreciated. Thanks.

SSL provides you with privacy, integrity, and authentication. That is, the messages are encrypted, tamper-evident, and come from an authenticated identity. Whether that's the identity you want to talk to is another question. So the application has to perform the authorization step, i.e. check the identity against what is expected. You do this by getting the peer certificates out of the SSLSession, usually in a HandshakeCompletedListener, and check that the identity of the server is what you expect. SSL can't do this for you as only the application knows who it expects to talk to. Another way around this is to ship a custom truststore that only contains the server certificate for the correct server, so it won't trust anybody else.
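As an added example, not part of the original question or answer, here are the two measures the answer describes carried out with the JRE's own HttpsURLConnection: a client that trusts only a custom truststore, and an explicit authorization step on the peer certificate after the handshake. `PinnedHttpsClient`, `trustOnly`, `requirePeer`, the endpoint URL, the truststore path, the subject DN and the fingerprint placeholder are all assumptions made for illustration. On the naming question: a truststore holds the certificates the client is willing to trust; a keystore holds the client's own private key and certificate, which a client without client-certificate authentication does not have, so only a truststore matters here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.x500.X500Principal;

public class PinnedHttpsClient {

    // SSLSocketFactory whose trust decision is made only against the given truststore.
    // Assumption: the truststore (JKS or PKCS12, built with keytool) holds just the CA that
    // issued the server certificate, or the server certificate itself. The JRE's cacerts
    // file is not consulted at all, so no other CA can vouch for an impersonating server.
    static SSLSocketFactory trustOnly(String truststorePath, char[] storePass) throws Exception {
        KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(truststorePath)) {
            truststore.load(in, storePass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client certificate, so no KeyManagers
        return ctx.getSocketFactory();
    }

    // Colon-separated hex SHA-256 fingerprint, the form printed by "keytool -list -v".
    static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    // The authorization step: the handshake has proven that the peer holds a key our truststore
    // accepts; now check that it is the specific server we meant to talk to. The certificates
    // come from the same SSLSession a HandshakeCompletedListener would see.
    static void requirePeer(HttpsURLConnection conn, String expectedSubjectDn, String expectedSha256)
            throws Exception {
        Certificate[] chain = conn.getServerCertificates(); // leaf certificate first
        X509Certificate leaf = (X509Certificate) chain[0];
        boolean subjectOk = leaf.getSubjectX500Principal().equals(new X500Principal(expectedSubjectDn));
        boolean fingerprintOk = sha256Fingerprint(leaf).equalsIgnoreCase(expectedSha256);
        if (!subjectOk || !fingerprintOk) {
            conn.disconnect();
            throw new SecurityException("unexpected server identity: "
                    + leaf.getSubjectX500Principal().getName());
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical endpoint, truststore and expected identity; replace with your own values.
        // The fingerprint is a labelled placeholder: read the real one with "keytool -list -v".
        URL endpoint = new URL("https://ws.example.com/services/MyService");
        HttpsURLConnection conn = (HttpsURLConnection) endpoint.openConnection();
        conn.setSSLSocketFactory(trustOnly("/path/to/only-my-ca.jks", "changeit".toCharArray()));
        // HttpsURLConnection already checks that the certificate name matches ws.example.com;
        // its HostnameVerifier is only consulted when that check fails, so it is left at the default.
        conn.connect();
        requirePeer(conn, "CN=ws.example.com, O=Example Corp, C=US",
                "<SHA-256 fingerprint of the server certificate>");
        System.out.println("authenticated and authorized peer, HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

An Axis 2 client builds its own HTTP connections rather than going through HttpsURLConnection, so the restricted truststore has to reach that transport as well; the simplest way is the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties, which the default JSSE context reads. The identity check above is the part the truststore alone does not give you: a truststore holding one CA still accepts every certificate that CA has issued, which is exactly the gap the answer's authorization step closes.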

Similar Messages

  • How to get the Server Certificate Chain File?

    Hi all,
    I configured SSL for WebLogic 6.0 on a Win2k machine. I followed the WebLogic documentation: generate a private key file, then submit it to Verisign and get the certificate file.
    Because I have only one WebLogic server, I cleared the "Server Certificate Chain File" field.
    But I get an error message after rebooting WebLogic. Following is the error message:
    <2001-1-21 04:57:56 pm> <Alert> <WebLogicServer> <Inconsistent security configuration, java.lang.Exception: Required file server-certchain.pem which is specified by ServerCertificateChainFileName, was not found>
    java.lang.Exception: Required file server-certchain.pem which is specified by ServerCertificateChainFileName, was not found
    at weblogic.t3.srvr.SSLListenThread.resolvePropertyFromLocalFile(SSLListenThread.java:152)
    at weblogic.t3.srvr.SSLListenThread.resolvePropertyFromAdminServer(SSLListenThread.java:180)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:425)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:939)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
    at weblogic.Server.main(Server.java:35)
    My question is: Should I input the rootCA certificate into the Server Certificate Chain File field? If yes, where can I get the rootCA certificate file?
    Thanks
    Thanks

    [sorry, deleted irrelevant wrong answer]

  • Has anyone had this problem with VPN iPad vpn connection could not validate the server certificate

    Has anyone had this problem with iPad 3 after upgrading to iOS 7? When trying to connect to the VPN I get this message: "could not validate the server certificate".
    I am trying to connect to Oracle VPN.

    Has anyone found a solution for this yet? I am still getting the could not validate server certificate error. I have tried importing the entire certificate chain as well as importing each individual cert in the chain. My certificate works perfectly with the cisco vpn on my pc.
    This is my first experience owning an apple product, and I am very disappointed with the customer support that I have received. I tried calling the help line and no one would even attempt to answer my question. I was then told that the Mac "geniuses" wouldn't know either and that I may be able to find an answer on the message boards. So I am reaching out to the community...Has anyone been able to figure out how to resolve this issue or even the specific cause? Any help is appreciated.

  • Device Enrollment - Error: The server certificate for "myserver" is invalid?

    Hello,
    I am attempting to enroll my iPhone in the Lion Server Profile Manager.  I have acquired an SSL certificate on my Lion Server but do not have a code signing certificate. From my iPhone, I can go to http://myserver.mydomain.lan/mydevices and log in using my AD credentials; when I try to install the Device Enrollment Profile I am prompted with the following message: The server certificate for "https://myserver.mydomain.lan/devicemanagment/api/device/ota_service" is invalid.
    Not sure how to get around this...
    I am using AD with an extended schema and was not sure if MDM absolutely requires OD credentials or if I could use my AD credentials when enrolling a device.  I was also unsure if I needed the code signing certificate which appears to be a bit pricey from Go-Daddy.  I am just test bedding MDM and do not wish to go through the expense of a code signing certificate at this point.
    Has anyone else encountered this problem?
    Thanks,
    Ray

    Not sure if this will help, but we encountered the same problem.  Our workaround was to click on the "Profiles" tab & install the Trust Profile first (not the Everyone Profile) and then enroll the device.  That seemed to work, but I don't know what's causing that error message.  Hopefully someone with more knowledge than me can answer that one.

  • Why does a reboot set the modified-date of the server certificate?

    I was inspecting my certificates and noticed that the certificate I use for my server had a modified date of Dec 12, whereas it was created around April of this year.
    Dec 12 saw a reboot of my server, and adding the `uptime` to the 'modified date' of the certificate gets me to 'now'. So, it seems a reboot sets the modified date of the server certificate. Can someone confirm this, and does anybody know why this is the case?

    Yes, I found the same tricks, but if I only set the preferred width, the result is not what I expected. So I use the following code to do it:
             tc.setPreferredWidth(maxsize+5);
             tc.setMaxWidth(maxsize+5);
    I don't know why I must add 5 points to display the string completely.

  • CA Certificate is not in the server certificate chain...

    Use keytool command to import server certificate.
    I got this error when running an ldap browser (I downloaded from the Net) to connect to my Active Directory server via SSL. Connecting via non-ssl is successful and I can browse the ldap tree. I'm not sure what is causing the problem. I did the following, but no success:
    1. I used the keytool command to successfully import a certificate to cacerts file found in the \java\j2re1.4...\lib\security\directory.
    2. I verified that the domain server accepts ldap queries via ssl over port 636.
    Now I'm wondering if I used the keytool command properly or is there anything I need to do to get this to work.
    Peter

    Perhaps you may want to post the output from keytool (you may want to edit any confidential information).
    For example from my Active Directory domain & Certificate Authority:
    #keytool -list -alias antipodes -keystore /usr/java/jdk1.5.0_01/jre/lib/security/cacerts
    Enter keystore password: xxxxxxx
    antipodes, 20-Aug-2005, trustedCertEntry,
    Certificate fingerprint (md5): B7:5B:DE:61:D5:89:A1:91:96:0E:C7:0A:52:86:BB:79
    My guess is that you have either not imported the certificate as a Trusted Certificate entry, you may not have imported the correct CA certificate, or if you have a CA hierarchy, you may only have imported the intermediate CA certificate, and not the root CA certificate.
    Also I have noticed that many applications have separate keystores. I recall that when I first played around with Java/JNDI on Linux to access my AD, and imported my CA cert into the Java keystore, that when I wanted to use a browser on the Linux desktop to access my secure web site, I had to also import the same CA cert into the Netscape browser's keystore. (As a Windows guy, I thought how dumb, but that's another story)

  • Yosemite 10.10.1 has my email saying the server certificate "cannot be verified".  This also keeps me out of the cloud. How do I correct this?

    Since downloading Yosemite 10.10.1 on my MacBook Pro and Mac desktop I have had email problems.  When linking to the server a popup message appears saying "The identity of POP3.knology.net cannot be verified."  It may be another server is attempting to steal the data.  My email server says this is an apple problem that they've seen with 10.10.1 (They may just be passing the buck) but they can't solve it. The self-signed server is "map.example.com" which expired on Friday, Nov 2, 2012.

    Your email provider is using a self-signed certificate? LOL.
    This is not an Apple issue. Somebody has their certificate screwed up, and OS X is doing the right thing to protect you.
    It _is_ possible for you to go to the certificate and explicitly trust it, always, even though it's an invalid and/or expired certificate. That will probably address the issue. But this "map.example.com' has "screwed up" written ALL OVER IT.

  • SSL Server socket: controlling the alias for the server certificate ?

    Hi,
    Could anyone please clear up the following ?
    When you create an SSL server socket, it needs a certificate (to prove its identity), and for this it relies on a keystore:
    System.setProperty("javax.net.ssl.keyStore", "c:/mystore");
    My question is, what if the keystore contains several certificates ?
    Eg:
    keytool -import -alias AAA -file cert1.cer -keystore mystore
    keytool -import -alias BBB -file cert2.cer -keystore mystore
    Which certificate would the server use ?
    And is there a way to control the alias it would use ?
    Thanks :)

    This is a very good question and one that should be described in the Guide to Features. See javax.net.ssl.X509KeyManager.chooseServerAlias(). It does a search looking for aliases of a given key type, i.e. one of the ones the peer understands, & which are trusted by the peer. Any alias which the peer can accept will do.

  • Import a valid Server Certificate as a trustStore.?

    How do I import a valid server certificate as a trustStore and put this in jre/lib/security?
    I have a Java class that needs to connect to a valid HTTPS server having a certificate issued by a CA.
    Now, I have a Java client that connects to this server, and sends and receives data.
    Will I need to import the server certificate into the jre/lib/security directory?
    I guess we need to do this so that the client accepts the server's certificate.
    Has anyone understood my question?
    Attached is my Java class:
    import java.io.DataInputStream;
    import java.io.DataOutputStream;
    import java.io.IOException;
    import java.net.URL;
    import javax.net.ssl.HttpsURLConnection;

    public class HttpsSender {
        // Host name of the HTTPS server (placeholder as posted)
        static String sURL = "SomeServerAddress";

        public static String ec(String sMess) {
            String response = null;
            try {
                // Legacy JSSE 1.0.x setup from the original post; not needed on JRE 1.4 and later,
                // where the https handler and the SunJSSE provider are built in:
                // Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
                // System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
                /* Temporarily testing on Tomcat and hence the Context:A_SYMBIAN_SERVLET */
                String uri = "https://" + sURL;
                URL url = new URL(uri);
                HttpsURLConnection hpCon = (HttpsURLConnection) url.openConnection();
                hpCon.setRequestMethod("POST");
                hpCon.setDoOutput(true);
                hpCon.setDoInput(true);
                /* Transfer data over https */
                DataOutputStream dos = new DataOutputStream(hpCon.getOutputStream());
                dos.writeUTF(sMess);
                dos.flush();
                /* Response from the receiving servlet */
                DataInputStream dis = new DataInputStream(hpCon.getInputStream());
                try {
                    response = dis.readUTF();
                } finally {
                    dos.close();
                    dis.close();
                }
            } catch (IOException e) {
                System.out.println("Error in Client " + e);
            }
            return response;
        } // End of method ec.
    }

    You can import a valid server certificate into a store with keytool!
    Good link:
    http://forum.java.sun.com/thread.jsp?forum=2&thread=4240
    You must tell the Java VM where it can find the trustStore:
    -> on the command line:
    java -Djavax.net.ssl.trustStore=XXX/jssesamples/samplecacerts
    For testing, the debug output can be useful! Enable it with:
    java -Djavax.net.debug=handshake,ssl
    -> in source code:
    System.setProperty("javax.net.ssl.trustStore",STORE_FILE);
    System.setProperty("javax.net.ssl.trustStorePassword",STORE_PASS);

  • HT5012 Why should I click the accept button for a server certificate at every initial time although it is listed as a trusted root CA on iOS6?

    I'm now using a root CA which was listed above.
    But when I try to connect WLAN via EAP with RADIUS initially, I should click the accept button for the certificate of the RADIUS Server.
    Why should it work?

    Hi,
    I'm still looking for the reason.
    Isn't there any way which can avoid the verification for a public certificate of authentication server using EAP-TLS.
    Why should I click the accept button in initial step for authenticating with RADIUS server using EAP-TLS although the root CA of the server certificate is listed in the default trusted CA on iOS?

  • Weblogic server 9.2 and SSL server certificate for the wrong site

    I turned on SSL service for a WebLogic 9.2 server and later on changed the hostname of the machine that WebLogic was running on. So the hostname that my SSL server certificate was issued to has now become an invalid hostname. But my WebLogic server continues to run SSL service without any exception. I can still access my web applications thru the SSL port (except of course I get a warning for the server certificate every time that it is for the "wrong site"). My question is this: should WebLogic 9.2 verify the hostname in the server certificate and stop SSL service if the certificate is for the wrong site? Or is verifying the certificate strictly the job of the browser? Just want to make sure there is nothing wrong with my SSL configuration. Thanks.

    So you are saying that something is wrong with my weblogic 9.2 ssl configuration? And that given a server certificate issued to a different hostname, my weblogic server should NOT be servicing ssl request and/or it should throw some sort of exception during startup? Thanks for clarifying.

  • There was a problem verifying the certificate from the server

    I cannot sign in to my Lync server as a client user, and the error message is "There was a problem verifying the certificate from the server".
    I can sign in on my Lync server with any account, but I cannot sign in on other client PCs.

    Hi there,
    Just some additional info...
    Please go through the following old threads with the same error message:
    http://social.technet.microsoft.com/Forums/en-US/ocscertificates/thread/19d74620-9ea8-4f19-bc01-25387e4ee380/
    http://social.technet.microsoft.com/Forums/en-US/ocscertificates/thread/7a973094-6cd1-4f3f-9af0-6d330a9b8428
    http://social.technet.microsoft.com/Forums/en-US/ocscertificates/thread/4034e791-6c3c-4c35-b936-bca734204fd4/
    Hope these are helpful!
    B/R
    Sharon
    Sharon Shen
    TechNet Community Support
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question.

  • Trust the server's certificate

    hello
    I have a certificate already generated by the server and I do not know its alias. How can I export the server certificate from the certs keystore with keytool?
    keytool -export -keystore "java.home"/lib/security/cacerts -alias jamie -file server.cer
    But I had the error: alias does not exist.
    Could somebody give me an indication? Thank you.

    You can always use the "keytool -list" to print all the aliases in a keystore.
    BTW, are you sure your certificate is inside "java.home"/lib/security/cacerts? That's the root CA collection that comes with the JRE.

  • OBIEE 11g SSL Configuration Issue : Unable to import the Server certs

    Hello All,
    We are trying to configure OBIEE 11.1.1.6.0 with SSL using Windows server 2003 (IIS) and facing some issues with that.
    Followed the document : OBIEE11g SSL Setup and Configuration [1326781.1]
    http://obieedue.blogspot.sg/2012/08/obiee11g-ssl-setup-and-configuration.html
    and also completed generating the required certificate signing request and keystores for SSL communication and sent it to the CA (IT Admin team) to have the certificate signed by the CA. The issue comes when I am trying to import the CA certificate (Root certificate) and Server Certificate into the Java Keystore.
    I am importing the Root CA Certificate first which is successfully added to the keystore.
    keytool -import -trustcacerts -alias mycacert -file cacert.pem -keystore mykeystore.jks -storepass Welcome1
    Trust this certificate? [no]: yes
    Certificate was added to keystore.
    But when trying to add the Server Certificate to the keystore using the command below :
    keytool -import -v -alias testserver -file server.cer -keystore mykeystore.jks -keypass Welcome1 -storepass Welcome1
    Certificate reply was installed in keystore
    I get the following error:
    keytool error: java.lang.Exception: Failed to establish chain from reply
    java.lang.Exception: Failed to establish chain from reply
    at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2662)
    at sun.security.tools.KeyTool.installReply(KeyTool.java:1870)
    at sun.security.tools.KeyTool.doCommands(KeyTool.java:807)
    at sun.security.tools.KeyTool.run(KeyTool.java:172)
    at sun.security.tools.KeyTool.main(KeyTool.java:166)
    Read many forums and tried to convert it to the PKCS#7 format and import the cert to the identity keystore, but was not successful in that either. I have also checked with the IT Admin team and found there is only one RootCA and no other intermediate CA's.
    Please advise if anyone has had similar issues or suggestions.
    Thanks in advance,
    SVS

    Hi,
    One obvious reason would be that you did not specify -trustcacerts, and the root CA is not included in the present server keystore. In that case, using the -trustcacerts option would solve the problem, if the root CA is indeed in the JDK cacerts.
    To print out the certificates present in the JDK cacerts, use the following command:
    keytool -list -keystore <JAVA_HOME>/jre/lib/security/cacerts -storepass changeit -v
    Then check if the root CA that signed your server certificate is present, and has not expired (in which case, you would need to re-import a newer one into cacerts).
    Another common reason for that error message is when you have used a proprietary CA to sign your server certificate. Then it would obviously not be in the JDK cacerts. The solution in that case is to import your proprietary root CA into the JDK cacerts, using the following command:
    keytool -import -keystore <JAVA_HOME>/jre/lib/security/cacerts -file yourRootCA.pem -storepass changeit -alias youralias
    A third reason for that error message is when your server was signed by an intermediate certificate. In that case, you would have received from your CA a chain of certificates. One way to solve this (not the only one, but this one works well): Prepend your intermediate CA file to your server cert file, and import the obtained concatenated file into the server keystore. Be careful, the intermediate CA must be BEFORE the server cert. Example:
    copy rootca.cer certchain.p7b
    type server.cer >> certchain.p7b
    The file certchain.p7b will be the concatenation of the intermediate CA and the signed server cert. Then import the newly created file under the key alias as follows:
    keytool -import -keystore serverks.jks -file certchain.p7b -alias yourkey -trustcacerts
    If you only prepend the intermediate root CA, you must make sure the final root CA is in cacerts. But you can also prepend your whole chain of trust inside the server keystore.
    Regards,
    Kal

  • How to add a certificate to IIS global "Server Certificates" list using PowerShell?

    Hi, been surfing the web for an example on how to add a certificate to the "global" IIS "Server Certificates" list using PowerShell but to no luck. I already have code in place on how to tie / associate a specific website with a specific cert but not how to add the new .cer file using the "Complete Certificate Request..." wizard using PowerShell.... I don't expect the final code to become published but if someone had an idea on how to integrate / get an entry point on where to interact between the "Server Certificate" list in IIS and POSH I would be super happy! :|
    I am running IIS on a Windows 2008R2 x64 Standard Edition if that helps..... of course, I would settle for a CLI if there is no other way, but POSH is of course the way to go! :)
    Thanks for the help in advance guys, take care!
    br4tt3

    Hi and thanks for the suggestions!
    Although it comes close, the suggested code example points to how to import / incorporate .pfx files - I am getting fed .cer files which I need to add into the IIS console using POSH.
    I tried to explore the IIS.CertObj object but was not able to work out if this one could be used for importing / adding .cer files into IIS! However, launching the following command from a POSH console with Import-Module Webadministration already loaded into that shell:
    $certMgr = New-Object -ComObject IIS.CertObj
    returns the following error message:
    New-Object : Cannot load COM type IIS.CertObj
    From an IIS perspective I have the following components installed;
    [X] Web Server (IIS)                                    Web-Server
        [X] Web Server                                      Web-WebServer
            [ ] Common HTTP Features                        Web-Common-Http
                [ ] Static Content                          Web-Static-Content
                [ ] Default Document                        Web-Default-Doc
                [ ] Directory Browsing                      Web-Dir-Browsing
                [ ] HTTP Errors                             Web-Http-Errors
                [ ] HTTP Redirection                        Web-Http-Redirect
                [ ] WebDAV Publishing                       Web-DAV-Publishing
            [X] Application Development                     Web-App-Dev
                [ ] ASP.NET                                 Web-Asp-Net
                [X] .NET Extensibility                      Web-Net-Ext
                [ ] ASP                                     Web-ASP
                [ ] CGI                                     Web-CGI
                [ ] ISAPI Extensions                        Web-ISAPI-Ext
                [ ] ISAPI Filters                           Web-ISAPI-Filter
                [ ] Server Side Includes                    Web-Includes
            [ ] Health and Diagnostics                      Web-Health
                [ ] HTTP Logging                            Web-Http-Logging
                [ ] Logging Tools                           Web-Log-Libraries
                [ ] Request Monitor                         Web-Request-Monitor
                [ ] Tracing                                 Web-Http-Tracing
                [ ] Custom Logging                          Web-Custom-Logging
                [ ] ODBC Logging                            Web-ODBC-Logging
            [X] Security                                    Web-Security
                [ ] Basic Authentication                    Web-Basic-Auth
                [ ] Windows Authentication                  Web-Windows-Auth
                [ ] Digest Authentication                   Web-Digest-Auth
                [ ] Client Certificate Mapping Authentic... Web-Client-Auth
                [ ] IIS Client Certificate Mapping Authe... Web-Cert-Auth
                [ ] URL Authorization                       Web-Url-Auth
                [X] Request Filtering                       Web-Filtering
                [ ] IP and Domain Restrictions              Web-IP-Security
            [ ] Performance                                 Web-Performance
                [ ] Static Content Compression              Web-Stat-Compression
                [ ] Dynamic Content Compression             Web-Dyn-Compression
        [X] Management Tools                                Web-Mgmt-Tools
            [X] IIS Management Console                      Web-Mgmt-Console
            [X] IIS Management Scripts and Tools            Web-Scripting-Tools
            [ ] Management Service                          Web-Mgmt-Service
            [ ] IIS 6 Management Compatibility              Web-Mgmt-Compat
                [ ] IIS 6 Metabase Compatibility            Web-Metabase
                [ ] IIS 6 WMI Compatibility                 Web-WMI
                [ ] IIS 6 Scripting Tools                   Web-Lgcy-Scripting
                [ ] IIS 6 Management Console                Web-Lgcy-Mgmt-Console
        [X] FTP Server                                      Web-Ftp-Server
            [X] FTP Service                                 Web-Ftp-Service
            [X] FTP Extensibility                           Web-Ftp-Ext
        [ ] IIS Hostable Web Core                           Web-WHC
    More or less the one thing that I am trying to get up and running is an automated FTPS solution - I just use the IIS console to be able to troubleshoot / compare how things scripted from POSH interact in the MMC representation. The error I am getting might be that I am lacking some IIS components that need to be in place to be able to automate some parts of IIS - as suggested by the IIS.CertObj object listed in the example..... I will get back if I can track down which component needs to be added to be able to reference the IIS.CertObj object.
    Br4tt3 signing out...
    br4tt3
