I have implemented client authentication in Tomcat 6. I wanted to add a CRL file to the server. How do I do that?
I had the same problem and asked the same question as well. Refer to this link:
Certificate Revocation List in Tomcat6
Anyway, in the Tomcat Connector tag you have the crlFile parameter; the CRL file it points to can be generated using openssl. The commands look something like this:
openssl ca -config openssl.my.cnf -revoke certs/server.crt
openssl ca -config openssl.my.cnf -gencrl -out crl/myca.crl
And the file myca.crl is then set in the Connector tag of Tomcat, which looks something like this:
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
port="8443"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
clientAuth="true"
sslProtocol="TLS"
keystoreFile="one.mamoi.semdev.com.pkcs12"
keystoreType="PKCS12"
keystorePass="changeit"
truststoreFile="server.truststore"
truststorePass="changeit"
truststoreType="JKS"
crlFile="/home/ubuntu/myCA/crl/myca.crl"/>
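As an added example (not code from the answer above), here is the full lifecycle the two openssl commands belong to: a throwaway CA set up in a temp directory, two client certificates issued through `openssl ca` so that they land in the CA database (`openssl ca -revoke` only knows certificates it issued itself), one of them revoked, the CRL regenerated, and both certificates checked against that CRL with `openssl verify -crl_check`. The CA name, the client names alice and bob, the directory layout and the config file are all assumptions made for this demo.

```shell
#!/bin/sh
# Added example: CA setup, client cert issue, revoke, CRL publish, CRL check.
# Names, paths and config are demo assumptions, not the original answer's.
set -eu

WORK="$(mktemp -d)"
CA="$WORK/ca"
CNF="$WORK/openssl.my.cnf"

write_config() {
  # Minimal `openssl ca` config. $CA is expanded by the shell now; \$dir is
  # left for openssl to expand. default_crl_days bounds how long a CRL lives.
  cat > "$CNF" <<EOF
[ ca ]
default_ca = myca
[ myca ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
x509_extensions = client_cert
[ policy_any ]
commonName = supplied
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

init_ca() {
  mkdir -p "$CA/newcerts"
  : > "$CA/index.txt"
  echo 1000 > "$CA/serial"
  echo 1000 > "$CA/crlnumber"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$CNF" -extensions v3_ca -subj "/CN=Demo Client CA" \
    -keyout "$CA/ca.key" -out "$CA/ca.crt" 2>/dev/null
}

issue_client() {   # $1 = common name; signed via `openssl ca` so it is in index.txt
  openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl ca -batch -notext -config "$CNF" -in "$WORK/$1.csr" \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

publish_crl() {
  openssl ca -config "$CNF" -gencrl -out "$WORK/myca.crl" >/dev/null 2>&1
}

revoke_client() {  # $1 = common name
  openssl ca -config "$CNF" -revoke "$WORK/$1.crt" >/dev/null 2>&1
  publish_crl      # a revocation is invisible to relying parties until a new CRL is issued
}

cert_status() {    # prints "valid", "revoked" or "error: ..."; $1 = common name
  out="$(openssl verify -crl_check -CAfile "$CA/ca.crt" \
           -CRLfile "$WORK/myca.crl" "$WORK/$1.crt" 2>&1 || true)"
  case "$out" in
    *": OK"*)                echo valid ;;
    *"certificate revoked"*) echo revoked ;;
    *)                       echo "error: $out" ;;
  esac
}

run_demo() {
  write_config
  init_ca
  issue_client alice
  issue_client bob
  publish_crl          # empty CRL: both certificates still verify
  revoke_client alice
  echo "alice: $(cert_status alice)"
  echo "bob:   $(cert_status bob)"
}

run_demo
```

Two operational points the script makes visible: the revocation only takes effect once `-gencrl` has produced a new myca.crl, and the CRL carries a nextUpdate derived from default_crl_days, after which `openssl verify -crl_check` rejects every certificate (an expired CRL is a verification failure, not a pass). The connector reads crlFile when it initializes, so a regenerated CRL has to be redeployed and the connector restarted before Tomcat enforces it.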
Can't open config/certs/http_ca.crt for reading, No such file or directory
139762353411904:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('config/certs/http_ca.crt','r')
139762353411904:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
unable to load certificate
I am getting this issue; can anybody help me figure out this problem?
https://www.elastic.co/guide/en/elasticsearch/reference/8.0/configuring-stack-security.html#_connect_clients_to_elasticsearch_5 I am following this documentation for connecting Filebeat to Elasticsearch.
$ sudo openssl x509 -fingerprint -sha256 -in config/certs/http_ca.crt
Instead of the fingerprint you can also use the CA certificate (the 2nd option in the document) to establish SSL between Filebeat and Elasticsearch.
Try the settings below in your filebeat.yml for the ES connection. Note: in case you want to disable SSL, you can add the line "ssl.verification_mode: none".
output.elasticsearch:
  hosts: ["https://localhost:9200"]
  username: "elastic"
  password: "xxxxxxxxxxxxxxxxxxxxxx"
  ssl.certificate_authorities: ["/etc/elasticsearch/certs/http_ca.crt"]
  index: "myindex"
  pipeline: "mypipeline"
I have deployed my project on a Compute Engine VM instance. React is running on one port and the Spring Boot server is running on another port. I've downloaded certs for a subdomain on the VM. How do I apply them to the project so that it opens on HTTPS?
We get the PEM files from Let's Encrypt using certbot:
certbot certonly -a standalone -d example.com
Create a PKCS12 keystore using openssl:
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname root
Add these properties to application.properties to use the SSL certificate from Let's Encrypt:
server.port=443
security.require-ssl=true
server.ssl.key-store=/etc/letsencrypt/live/example.com/keystore.p12
server.ssl.key-store-password=store-password
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=tomcat
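Added example, not code from the answer above: the `openssl pkcs12 -export` step run end to end, followed by the two checks that catch the usual startup failures, namely that the alias stored in the bundle is the one application.properties names, and that the private key in the bundle actually belongs to the certificate. The certbot output is stood in for by a self-signed certificate generated here; the temp paths, the alias "tomcat" and the store password are assumptions.

```shell
#!/bin/sh
# Added example: build keystore.p12 from PEM files and verify it before use.
# The self-signed cert stands in for certbot's output; names are assumptions.
set -eu

WORK="$(mktemp -d)"
ALIAS=tomcat                 # must equal server.ssl.key-alias
STORE_PASS=store-password    # must equal server.ssl.key-store-password

make_stand_in_pem() {
  # Stand-in for /etc/letsencrypt/live/example.com/{privkey,fullchain,chain}.pem
  printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$WORK/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 -config "$WORK/req.cnf" \
    -subj "/CN=example.com" -keyout "$WORK/privkey.pem" -out "$WORK/fullchain.pem" 2>/dev/null
  cp "$WORK/fullchain.pem" "$WORK/chain.pem"
}

build_keystore() {
  # Same invocation as the answer, run on the stand-in files.
  openssl pkcs12 -export -in "$WORK/fullchain.pem" -inkey "$WORK/privkey.pem" \
    -out "$WORK/keystore.p12" -name "$ALIAS" -CAfile "$WORK/chain.pem" -caname root \
    -passout "pass:$STORE_PASS"
}

keystore_has_alias() {
  # The bag's friendlyName is what the key alias resolves to; if it does not
  # match server.ssl.key-alias, the embedded Tomcat cannot find the key.
  openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$STORE_PASS" -nokeys 2>/dev/null \
    | grep -q "friendlyName: $ALIAS"
}

key_matches_cert() {
  # Hash the public key inside the stored certificate and the public key
  # derived from the stored private key; a mismatched pair is unusable.
  cert_pub="$(openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$STORE_PASS" \
                -nokeys -clcerts 2>/dev/null | openssl x509 -noout -pubkey | openssl sha256)"
  key_pub="$(openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$STORE_PASS" \
                -nocerts -nodes 2>/dev/null | openssl pkey -pubout | openssl sha256)"
  [ "$cert_pub" = "$key_pub" ]
}

run_demo() {
  make_stand_in_pem
  build_keystore
  keystore_has_alias && echo "alias '$ALIAS' present in keystore.p12"
  key_matches_cert && echo "private key matches the certificate"
}

run_demo
```

Note that `-CAfile`/`-caname` only matter when the chain is built with `-chain`; with fullchain.pem as `-in` the intermediates are already included, which is what the embedded server needs to send a complete chain.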
You may install NGINX on your instance and use it as a reverse proxy to pass requests to each server depending on the subdomain, and then update the configuration with the SSL config.
If you plan on using certificates issued by Let's Encrypt, then you can use Certbot to amend the NGINX configuration with SSL config automatically.
I installed an SSL certificate for my Google App Engine app and Google Apps domain. HTTPS is working ok, but when I try to use the openssl CLI tool I get this error:
$ openssl s_client -showcerts -connect mysite.com:443
CONNECTED(00000003)
140625875744448:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 226 bytes
---
Any insight on what could be the problem? From what I googled, it could be a server config problem, but it being a Google App Engine server, I don't think I can do anything about it.
The main problem is that this prevents connecting securely via low-level APIs like openssl, or programming languages (tried with Python and it doesn't work). The strange thing is that the web site can be accessed using HTTPS with no problems.
If it helps, here's the site: https://www.proofofexistence.com/
This usually happens when you have set up SNI SSL, as this is not supported by default by openssl.
To make this work, just set the -servername flag to the name of the vhost you are testing.
$ openssl s_client -showcerts -servername www.proofofexistence.com -connect www.proofofexistence.com:443
I am trying to enable SSL in Appengine for my custom domain.
So far I found this article:
setup SSL on AppEngine... Assigned URLs "empty"
openssl genrsa -out rsaprivkey.pem 1024
openssl req -new -x509 -key rsaprivkey.pem -out dsacert.pem
Then I uploaded the generated .pem files to the Google App SSL settings page:
dsacert.pem > PEM encoded X.509 certificate
rsaprivkey.pem > Unencrypted PEM encoded RSA private key
However, I got this error message after the upload. What should I do next?
Domain name in certificate should only contain allowed characters (RFC 1034).
Solved!
In this article
setup SSL on AppEngine... Assigned URLs "empty"
when openssl asks you questions for your app's name, make sure to include the entire URL in your answer, e.g. www.abc.com to secure https://www.abc.com
But I didn't find any place to enter my app's name during the openssl PEM generation at first.
Finally I found out that the domain should be filled in the Organization and Common Name fields.
http://www.rackspace.com/knowledge_center/article/generate-a-csr-with-openssl
Organization Name (eg, company) [Internet Widgits Pty Ltd]: > example.com
Common Name (eg, YOUR name) > *.example.com
Google just announced SSL support for custom domains, but I can't understand how it can be set up, as there is no way to generate a Certificate Signing Request (CSR) on GAE?!
http://support.google.com/a/bin/answer.py?hl=en&hlrm=en&answer=2644386
Am I missing something ?
To expand on the above:
The following three steps should be sufficient to generate a private key and a self-signed certificate suitable for testing SSL on GAE on a Linux box:
openssl genrsa -out yourdomain.com.key 1024
openssl req -new -key yourdomain.com.key -out yourdomain.com.csr
openssl x509 -req -days 365 -in yourdomain.com.csr -signkey yourdomain.com.key -out yourdomain.com.crt
Disclaimer: It works but I do not know what I'm doing
Various programs exist to create a Certificate Signing Request (CSR.) I used 'openssl' on a linux machine to generate the Key and CSR.
1) I generated an unencrypted PEM-encoded RSA private key as specified by Google's SSL for a Custom Domain (https://cloud.google.com/appengine/docs/ssl)
cd $HOME
openssl genrsa -out rsa_private_key.key 2048
2) Use the 'rsa_private_key.key' to generate the required Certificate Signing Request (CSR) file.
openssl req -new -key rsa_private_key.key -out request.csr
You will be asked the following questions:
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Illinois
Locality Name (eg, city) []: Chicago
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Chicago Company, Ltd.
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []: checkout.customedomain.com
Email Address []:
I ignored two additional questions and everything worked fine. The 'request.csr' located in your home directory ($HOME) is the CSR file needed by the Certificate Authority provider to generate your certificate(s). Again, it doesn't have to be openssl: many tools for various platforms are supported by providers. Just keep in mind Google's requirements.
A side note regarding Custom Domains:
Make sure your CUSTOM DOMAIN includes a subdomain or 'Fully Qualified Domain Name'. The 'www.' is considered a subdomain and it is ALWAYS required for SSL in Google Appengine (10/2014). So in my example, if I wanted SSL at customedomain.com I would add 'www.customedomain.com'. You can redirect your naked domain to your Fully Qualified Domain Name.
Google Appengine DOES NOT provide SSL support for naked domains like https://customedomain.com
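Added example, not code from the answer above: the key and CSR generation from the steps above, with the FQDN placed in a subjectAltName as well as in the Common Name (CAs and browsers match on the SAN; a CN-only request is the usual reason a certificate comes back not covering the host), followed by the checks worth running before pasting the CSR into a provider's form: the CSR signature verifies, the CN and SANs are what you intended, and the CSR's public key belongs to the private key you kept. The domain www.example.com, the subject fields and the file names are assumptions.

```shell
#!/bin/sh
# Added example: key + CSR with SAN, then inspect the CSR before submitting it.
# Domain, subject and file names are demo assumptions.
set -eu

WORK="$(mktemp -d)"
FQDN=www.example.com

make_csr() {
  # req_extensions puts the SAN into the request; CN alone is not enough today.
  cat > "$WORK/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
[ dn ]
[ v3_req ]
subjectAltName = DNS:$FQDN
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/csr.cnf" \
    -subj "/C=US/ST=Illinois/L=Chicago/O=Example Org/CN=$FQDN" \
    -keyout "$WORK/rsa_private_key.key" -out "$WORK/request.csr" 2>/dev/null
}

csr_signature_ok() {
  # A CSR is self-signed with the requested key; a corrupt paste fails here.
  openssl req -in "$WORK/request.csr" -noout -verify >/dev/null 2>&1
}

csr_cn() {
  openssl req -in "$WORK/request.csr" -noout -subject -nameopt RFC2253 \
    | sed 's/.*CN=\([^,]*\).*/\1/'
}

csr_sans() {
  # DNS names from the requested subjectAltName, space separated.
  openssl req -in "$WORK/request.csr" -noout -text \
    | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | tr '\n' ' ' | sed 's/ $//'
}

csr_key_matches() {
  # The public key in the CSR must be the one derived from rsa_private_key.key.
  [ "$(openssl req -in "$WORK/request.csr" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$WORK/rsa_private_key.key" -pubout | openssl sha256)" ]
}

make_csr
csr_signature_ok && echo "CSR signature verifies"
echo "CN:   $(csr_cn)"
echo "SANs: $(csr_sans)"
csr_key_matches && echo "CSR public key matches rsa_private_key.key"
```

The private key never leaves the machine; only request.csr goes to the provider, and the certificate that comes back must be paired with exactly this key, which is what the last check guards.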
This is reposted from my answer at:
How to get .pem file from .key and .crt files?
I was trying to go from GoDaddy to App Engine. What did the trick was using this line in the terminal (Mac) to generate the key and CSR:
openssl req -new -newkey rsa:2048 -nodes -keyout name.unencrypted.priv.key -out name.csr
Exactly as is, but replacing name with my domain name (not that it really even mattered).
Also, what follows that is a bunch of questions, and I answered all the questions pertaining to common name / organization as www.name.com, and I skipped the passcode and company name by just pressing enter.
Then I opened the .csr file, copied it, pasted it into GoDaddy's CSR form, waited for GoDaddy to approve it, then downloaded it, unzipped it, navigated to the unzipped folder in the terminal and entered:
cat otherfilegodaddygivesyou.crt gd_bundle-g2-g1.crt > name.crt
Then I used these instructions from the post Trouble with Google Apps Custom Domain SSL, which were:
openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in www_mydomain_com.crt > public.pem
exactly as is, except instead of privateKey.key I used name.unencrypted.priv.key, and instead of www_mydomain_com.crt I used name.crt.
Then I uploaded the public.pem to the admin console for the "PEM encoded X.509 certificate", and uploaded the private.pem for the "Unencrypted PEM encoded RSA private key".
And that finally worked.
You need to generate a certificate with a CA and upload it. They aren't offering certificate creation as a service.