SSL intermediate cert issue

Christine Karman
I want to switch from using a self-signed certificate in Restlet, which
worked well, to a startcom certificate. The reason I want to change it
is that I want to give third parties access to the server without having
to give them my self signed cert.

Now I see an issue with Restlet apparently not sending the certificate
chain, which my android app doesn't like. When I type

openssl s_client -showcerts -connect pengo.christine.nl:9005

in a shell, I get this error:

CONNECTED(00000003)
depth=0 CN = pengo.christine.nl
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = pengo.christine.nl
verify error:num=21:unable to verify the first certificate
verify return:1

When I type
openssl s_client -showcerts -connect pengo.christine.nl:9005 -CAfile ./chain.crt

with chain.crt containing the root cert and intermediate cert, I get

CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = StartCom Certification Authority, CN = StartCom Class 1 DV Server CA
verify return:1
depth=0 CN = pengo.christine.nl
verify return:1

My restlet configuration contains

    params.add("sslContextFactory", "org.restlet.engine.ssl.DefaultSslContextFactory");
    params.add("keystorePath", "/home/christine/motogymkhana/pengo_ssl.jks");
    params.add("keystorePassword", ServerConstants.keyStorePw);
    params.add("keystoreType", "JKS");
    params.add("keyAlias", ServerConstants.keyAlias);
    params.add("keyPassword", ServerConstants.keyPw);

The keystore does contain the same certificates as the chain.crt file.

How do I make Restlet send the chain with the certificate?

dagdag
Christine


--
dagdag is just a two character rotation of byebye

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3164075
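The check this question turns on, as an added example (not Restlet's own code; it assumes a JKS readable with the same path, password and alias the configuration above passes): JSSE hands clients the certificates stored under the key entry's alias, so a keystore that holds the same certificates as chain.crt but only as separate trusted entries still serves the leaf alone, which is what the s_client error 21 above reports.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/* Hypothetical stand-alone checker, not part of Restlet. JSSE serves the certificates
 * stored under the key entry's alias; separate trustedCertEntry items are never sent. */
public class KeystoreChainCheck {
    /** Certificates stored with the key entry; 0 if the alias is not a key entry. */
    static int chainLength(KeyStore ks, String alias) throws Exception {
        if (!ks.isKeyEntry(alias)) return 0;
        Certificate[] chain = ks.getCertificateChain(alias);
        return chain == null ? 0 : chain.length;
    }
    /** True when each certificate's issuer is the subject of the next one. */
    static boolean isLinked(Certificate[] chain) {
        for (int i = 0; i + 1 < chain.length; i++) {
            X509Certificate c = (X509Certificate) chain[i], p = (X509Certificate) chain[i + 1];
            if (!c.getIssuerX500Principal().equals(p.getSubjectX500Principal())) return false;
        }
        return true;
    }
    public static void main(String[] args) throws Exception {
        // Assumed arguments: keystore path, keystore password, key alias (the post's
        // keystorePath, keystorePassword and keyAlias values).
        String path = args[0], password = args[1], alias = args[2];
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        int len = chainLength(ks, alias);
        Certificate[] chain = len == 0 ? new Certificate[0] : ks.getCertificateChain(alias);
        System.out.println("certificates under key alias '" + alias + "': " + len
                + (isLinked(chain) ? " (issuer order OK)" : " (NOT in issuer order)"));
        for (Certificate c : chain) {
            System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
        }
        // Trusted entries are in the file but are not part of what the server sends.
        int trusted = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isCertificateEntry(e.nextElement())) trusted++;
        }
        if (len <= 1 && trusted > 0) {
            System.out.println("Only the leaf is under the key entry; " + trusted
                    + " trustedCertEntry item(s) are not served. Re-import the chain under the key alias.");
        }
    }
}
```

A healthy server keystore for the chain shown above reports three certificates under the key alias (leaf, Class 1 DV intermediate, StartCom root) in issuer order.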
Re: SSL intermediate cert issue

Thierry Boileau-4
Hello Christine,

I wonder if all the intermediate certificates have been registered in the keystore with the same alias entry.
Could you have a look at this post?
http://stackoverflow.com/questions/9299133/why-doesnt-java-send-the-client-certificate-during-ssl-handshake/9300727#9300727

Best regards,
Thierry Boileau

On Wed, 2 Mar 2016 at 22:45, Christine Karman <[hidden email]> wrote:

Re: SSL intermediate cert issue

Christine Karman
On 04-03-16 15:29, Thierry Boileau wrote:
> Hello Christine,
>
> I wonder if all the intermediate certificates have been registered in the keystore with the same alias entry.
> Could you have a look at this post?

Thierry,
I made a mistake in building the keystore, sorry for the fuss. It works now.

I'm very happy with Restlet :-)


dagdag
Christine

Re: SSL intermediate cert issue

Thierry Boileau-4
Hello Christine,

nice to hear such good news :)

Best regards,
Thierry Boileau

On Tue, 15 Mar 2016 at 21:24, Christine Karman <[hidden email]> wrote:

Re: SSL intermediate cert issue

Christine Karman
In reply to this post by Thierry Boileau-4
On 04-03-16 15:29, Thierry Boileau wrote:
> Hello Christine,
>
> I wonder if all the intermediate certificates have been registered in
> the keystore with the same alias entry.
> Could you have a look at this post?
> http://stackoverflow.com/questions/9299133/why-doesnt-java-send-the-client-certificate-during-ssl-handshake/9300727#9300727
>
Thierry,
I was mistaken in my previous post. This link solved my problem. Thank you.

dagdag
Christine

--
dagdag is just a two character rotation of byebye

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3167359