Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Getting ssl_error_bad_cert_alert on firefox after installing self signed p12 certificate

I am doing a tutorial on Mutual SSL authentication using tomcat. I tried google and stackoverflow for the answer but I haven't been lucky so far. I have done the following steps

1. Generated a self signed Certificate using the command as...

keytool -genkey -v -alias tomcat -keyalg RSA -validity 3650 -keystore D:\server.keystore -dname "CN=KeshavServer,OU=AppDev,O=Netambit,L=Noida,S=UP,C=IN" -storepass server123 -keypass server123

Result(DOS Output):

Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 3,650 days for: CN=KeshavServer, OU=AppDev, O=Netambit, L=Noida, ST=UP, C=IN
    New certificate (self-signed):
    [
    [
      Version: V3
      Subject: CN=KeshavServer, OU=AppDev, O=Netambit, L=Noida, ST=UP, C=IN
      Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

      Key:  Sun RSA public key, 2048 bits
      modulus: 169745031109692228700332160907879660712549791227819060217679327134557
    60724387920644418620368961814809125561438164385172820012631533276651192871536066
    44484789458740611952365817466495640787815691991239210085729312562284526930712191
    68874744017392521167643053301439564836240073082909781032758910760996909343586608
    99178037089977353808963798076122662239868847716719923568980681140353282369676681
    53737103284233931190726847482006084262000642602659963850552605206369455374224663
    42718874198088754429094645464054866254482989193982685337964154043630072713972109
    68332098433075932439269617793403644275259520886009675985568022246951
      public exponent: 65537
      Validity: [From: Mon Aug 12 12:16:13 IST 2013,
                   To: Thu Aug 10 12:16:13 IST 2023]
      Issuer: CN=KeshavServer, OU=AppDev, O=Netambit, L=Noida, ST=UP, C=IN
      SerialNumber: [    713ab315]

    Certificate Extensions: 1
    [1]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: D6 0E 1F 23 B2 11 92 D2   19 7B C9 AA 19 EF 82 EB  ...#............
    0010: A6 0C 35 57                                        ..5W
    ]
    ]

    ]
      Algorithm: [SHA256withRSA]
      Signature:
    0000: 4C 36 84 CD FE 2C 11 4B   88 C1 AE 3A 7A 6A A1 C4  L6...,.K...:zj..
    0010: 2C 6E F5 73 33 64 57 06   04 7F AC 1B D6 CA BF E0  ,n.s3dW.........
    0020: D2 88 09 A9 B8 4D 70 EE   73 6E 02 45 33 83 42 1E  .....Mp.sn.E3.B.
    0030: C4 8E 67 F3 51 D7 9C 53   08 CD C7 EA 4B BC 27 0D  ..g.Q..S....K.'.
    0040: 17 36 9B 12 4A F7 F7 23   0E C2 51 0A 18 06 B5 80  .6..J..#..Q.....
    0050: 1C 44 17 0D 99 14 6E 27   40 30 56 DF 31 D9 CC 15  .D....n'@0V.1...
    0060: 46 7C 72 C2 54 CE 2E 2B   41 94 19 54 9B 3A F7 85  F.r.T..+A..T.:..
    0070: 96 CE 5F 80 C5 A5 02 AE   09 17 A5 C3 E4 A6 BB 63  .._............c
    0080: A3 EF 99 4F BC A4 FF 4F   2B BD 46 E5 BE 57 C7 BD  ...O...O+.F..W..
    0090: 85 54 F9 B1 5F 01 18 07   9F DD 02 99 91 B3 35 FB  .T.._.........5.
    00A0: 62 74 2A 0A 37 8A 9B 0D   E8 BF B4 24 CE 24 12 8A  bt*.7......$.$..
    00B0: 22 68 39 90 BD 02 24 A4   E9 9B 52 E1 AA 76 1D 16  "h9...$...R..v..
    00C0: 91 2A 60 49 D3 F6 91 0A   01 E4 98 1B BB EB B7 E5  .*`I............
    00D0: E3 DF 39 B8 73 02 C3 1D   EA 95 D1 95 A7 27 53 FC  ..9.s........'S.
    00E0: 28 2B 21 50 90 BF 48 9A   25 92 28 D8 EC FE 82 60  (+!P..H.%.(....`
    00F0: B9 21 28 B3 1A 37 B6 79   17 8B FF 4C 0B C1 6D 0C  .!(..7.y...L..m.

    ]
    [Storing D:\server.keystore]

2. Generated the developer key by using the command as...

        keytool -genkey -v -alias developerKey -keyalg RSA -storetype PKCS12 -keystore dev.p12 -dname "CN=KeshavClient,OU=AppDev,O=Netambit,L=Noida,S=UP,C=IN" -storepass dev123 -keypass dev123

    Result(DOS Output):

    Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) wi
    th a validity of 90 days
            for: CN=KeshavClient, OU=AppDev, O=Netambit, L=Noida, ST=UP, C=IN
    New certificate (self-signed):
    [
    [
      Version: V3
      Subject: CN=KeshavClient, OU=AppDev, O=Netambit, L=Noida, ST=UP, C=IN
      Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

      Key:  Sun RSA public key, 2048 bits
      modulus: 257861330490904259854513552509935970316490717846991127699603148980652
    01114722960469328519589253139525292368465436006354129813882061510118729695295380
    60706390500779076802188937858019079525575493711793923541823056735274180328061957
    20693618061100873813154701306998418961615717804323475393466678818363454317730604
    32071710089666113885067366725913386597296681138020057906688646996872449490785655
    01898351843152376966821908896570275550705585694195185294854938453556896208850780
    54361881798687601045808741784626686357148783050499722574071065943861302398542177
    91929018282855348848062666985932392623629290470810910913665654471519
      public exponent: 65537
      Validity: [From: Mon Aug 12 12:16:26 IST 2013,
                   To: Sun Nov 10 12:16:26 IST 2013]
      Issuer: CN=KeshavClient, OU=AppDev, O=Netambit, L=Noida, ST=UP, C=IN
      SerialNumber: [    503c03cf]

    Certificate Extensions: 1
    [1]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: AD 4A E3 0E 3D E9 DB B0   8E DF 8F 66 34 28 AE AF  .J..=......f4(..
    0010: 34 63 F2 4C                                        4c.L
    ]
    ]

    ]
      Algorithm: [SHA256withRSA]
      Signature:
    0000: 91 79 CF CC 0F FD CA BB   2A 60 5E 87 8F 2F 6D B6  .y......*`^../m.
    0010: DD 71 05 6A B1 21 DB B0   B0 0F D7 3E 7A DB 12 84  .q.j.!.....>z...
    0020: 3A C0 63 1B C1 FE FD C5   60 27 E3 2E 14 A0 38 2C  :.c.....`'....8,
    0030: EE 82 8C 6E 13 05 8A BC   24 2F A1 4F 5C 25 24 10  ...n....$/.O\%$.
    0040: EC 5A D1 E3 23 AC 51 BA   D4 33 6C AF AF A2 68 2F  .Z..#.Q..3l...h/
    0050: 29 4F 33 F9 0A 56 C1 83   0C 07 30 14 40 A2 CF 17  )O3..V....0.@...
    0060: B1 A1 18 AD 51 76 EA 8E   D6 6E 50 4E 7A 7C F5 89  ....Qv...nPNz...
    0070: B1 73 F4 05 D2 E9 1B 94   48 2F 65 30 33 F4 1B 28  .s......H/e03..(
    0080: AA 36 4C 11 52 C5 2A 9D   4A 11 6D FA 9B C6 09 37  .6L.R.*.J.m....7
    0090: A1 CC AC A3 67 B1 60 E6   65 F1 0C 98 0E 5E C0 89  ....g.`.e....^..
    00A0: BD 54 98 81 51 DB 6C 53   A5 8C AD 05 57 60 46 20  .T..Q.lS....W`F
    00B0: 5E 60 74 58 F8 88 2A 46   F6 F5 5A D3 20 FC 9E FA  ^`tX..*F..Z. ...
    00C0: 8D 14 A8 72 99 F5 FF 9E   0B 5B F9 68 77 30 75 93  ...r.....[.hw0u.
    00D0: 3E 7A 16 38 55 11 30 D6   A1 39 97 97 DB 86 B8 9E  >z.8U.0..9......
    00E0: 3F 08 84 93 A3 A7 E0 4F   6D 07 A2 E6 F9 09 E8 3B  ?......Om......;
    00F0: 6C 86 F2 26 F6 20 04 D9   92 66 DC 3B 69 FA 75 30  l..&. ...f.;i.u0

    ]
    [Storing dev.p12]

3 Exported and saved the certificate in dev.cer keytool -export -alias developerKey -keystore dev.p12 -storetype PKCS12 -storepass dev123 -rfc -file dev.cer

Result(DOS Output):
Certificate stored in file <dev.cer>

4.Imported dev.cer in the keystore as using the command as... and selected y keytool -import -v -file dev.cer -keystore tomcat.keystore -storepass server123

Result(DOS Output):
Owner: CN=KeshavClient, OU=AppDev, O=Netambit, L=Noida, ST=UP, C=IN
Issuer: CN=KeshavClient, OU=AppDev, O=Netambit, L=Noida, ST=UP, C=IN
Serial number: 503c03cf
Valid from: Mon Aug 12 12:16:26 IST 2013 until: Sun Nov 10 12:16:26 IST 2013
Certificate fingerprints:
         MD5:  7A:CE:AD:78:31:12:89:3A:20:94:01:63:5C:E6:6D:48
         SHA1: 4C:E3:4A:CF:93:EF:69:46:AD:01:B1:AC:22:F4:E6:91:B5:62:D1:C3
         SHA256: D1:E6:20:9C:A7:3C:82:46:7A:2A:E6:61:1E:30:E3:F0:B9:E6:F0:03:DA:
19:87:B4:6F:F2:B1:BE:D3:89:A8:2B
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AD 4A E3 0E 3D E9 DB B0   8E DF 8F 66 34 28 AE AF  .J..=......f4(..
0010: 34 63 F2 4C                                        4c.L
]
]

Trust this certificate? [no]:  y
Certificate was added to keystore
[Storing tomcat.keystore]

5.Added the connecter entry to server.xml as...

     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
     maxThreads="150" scheme="https" secure="true"
     keystoreFile="D:/server.keystore" keystorePass="server123"
     truststoreFile="D:/server.keystore" truststorePass="server123"
     clientAuth="true" sslProtocol="TLS" />

6. Started Tomcat, firefox and on Tools->Options->Advanced->View Certificates->Your Certificate->import, imported the dev.p12 file Result: asked me for the password which I entered as dev123 then i hit next, next till finish

Final Result on opening https://localhost:8443/CertificatePOC/
Secure Connection Failed  

An error occurred during a connection to localhost:8443.

SSL peer cannot verify your certificate.

(Error code: ssl_error_bad_cert_alert)

If in the server.xml I change the attribute clientAuth to false then the web page opens correctly.

Any help will be appreciated I am using tomcat7 with eclipse indigo OS windows 7 If any more details/screenshot is required I will happily provide

like image 629
Keshav Jha Avatar asked Aug 12 '13 09:08

Keshav Jha


1 Answers

The ssl_error_bad_cert_alert error in this case means the server doesn't trust your self-signed cert. One way to solve this is to generate certs and CSR's, and then sign them with a local development CA. Then you just add your dev CA to the JVM truststore. It is slightly more setup, but is more flexible (e.g., you can create signed certs for a whole development team, test revocation via OCSP/CRL, etc).

These steps are copied from my history and probably require changes:

Create a local dev CA

openssl genrsa -out ca.key -aes256 -passout pass:changeit 4096
openssl req -new -x509 -key ca.key -config openssl.conf -days 3560 -sha256 -out ca.pem -passin pass:changeit
openssl rsa -in ca.key -out ca.key -passin pass:changeit

Generate client and server keystores with a keypair in each

keytool -genkey -keyalg RSA -alias client -keystore client.jks -storepass changeit -validity 1000
keytool -genkey -keyalg RSA -alias tomcat -keystore ~/.keystore -storepass changeit -validity 1000

Generate client and server cert signing requests (csr) based on above keystore keypairs

keytool -certreq -v -alias client -keystore client.jks -storepass changeit -file client.csr
keytool -certreq -v -alias tomcat -keystore ~/.keystore -storepass changeit -file tomcat.csr

Sign the requests (create certs) for client/server csr's

openssl x509 -req -CA ca.pem -CAkey ca.key -in client.csr -out client.cer -days 1000 -CAcreateserial
openssl x509 -req -CA ca.pem -CAkey ca.key -in tomcat.csr -out tomcat.cer -days 1000 -CAcreateserial

Import the CA cert into client/server keystores (possibly not necessary, since it must be added to truststore anyway)

keytool -import -keystore client.jks -file ca.pem -alias rootca
keytool -import -keystore ~/.keystore -file ca.pem -alias rootca

Import the client and server certs into their respective keystores

keytool -import -keystore client.jks -file client.cer -alias client
keytool -import -keystore ~/.keystore -file tomcat.cer -alias tomcat

Convert the client cert to a p12 (PKCS12) so it can be imported into firefox or wherever

keytool -importkeystore -srckeystore client.jks -destkeystore client.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit -srcalias client -destalias client -srckeypass changeit -destkeypass changeit -noprompt

Import the CA cert into the JVM truststore

sudo keytool -import -trustcacerts -alias suter-dev-ca -file ca.pem -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_60.jdk/Contents/Home/jre/lib/security/cacerts

Optionally, import the CA cert into your browser.

Your post was hard to read because of the formatting. Hope this helps.

Sources: http://shib.kuleuven.be/docs/ssl_commands.shtml, https://docs.oracle.com/cd/E19509-01/820-3503/ggezy/index.html

like image 177
andyk Avatar answered Sep 27 '22 23:09

andyk