@prayagupa
Last active September 12, 2017 18:29
TLS, https, tomcat, p12

Server cert (self-signed, no CA involved)

private key

openssl genrsa -out restapi.key 2048

Certificate Signing Request (CSR)

openssl req -new -key restapi.key -out restapi.csr

server cert
# -signkey self-signs the CSR with its own key: issuer == subject, no CA in the picture.
# 24855 days is ~68 years; Apple clients, for one, reject TLS server certs valid for more than 825 days.

openssl x509 -req -days 24855 -in restapi.csr -signkey restapi.key -out restapi.cert

Combine private key + cert in a PKCS#12 (P12) bundle
# -export prompts for an export password; that exact string is the keystorePass Tomcat needs below

openssl pkcs12 -export -in restapi.cert -inkey restapi.key -out restapi.p12 -name restapi

tomcat catalina config (conf/server.xml). keystorePass must equal the pkcs12 export password; it sits in clear text in server.xml, so keep that file readable by the tomcat user only. sslProtocol="TLS" only names the JSSE context; the protocol versions actually offered are controlled by the connector's sslEnabledProtocols attribute (e.g. TLSv1.2).

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"                       
            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"                            
            keystoreFile="/Users/prayagupd/restapi.p12"                                                     
            keystoreType="PKCS12"                                                                      
            keystorePass="restapi"                                                                     
            clientAuth="false" sslProtocol="TLS" /> 

root ca
# the CA key is stored encrypted (-des3 = 3DES); -aes256 is the stronger choice and works on any OpenSSL >= 1.0

openssl genrsa -des3 -out restapi-root-ca.key 2048
##password restapi-root

openssl req -new -x509 -days 13210 -key restapi-root-ca.key -out restapi-root-ca.cert

server cert

openssl genrsa -out restapi-server.key 2048
openssl req -new -sha256  -key restapi-server.key -out restapi-server.csr

# sign with the root CA: -CA/-CAkey only. -signkey means "self-sign with this key" and does not belong
# in a CA-signed issuance. The server's subject DN must differ from the root's (see the error below).
openssl x509 -req -sha256 -days 13210 -in restapi-server.csr -CA restapi-root-ca.cert -CAkey restapi-root-ca.key -CAcreateserial -out restapi-server.cert
openssl pkcs12 -export -name restapi-server -in restapi-server.cert -out restapi-server.p12 -inkey restapi-server.key -CAfile restapi-root-ca.cert -caname restapi-root -chain
#export password restapi-server

error

Error self signed certificate getting chain

(from pkcs12 -chain: the server cert's issuer DN equals its own subject DN, so OpenSSL classifies the leaf as self-signed and stops building a chain to the root. This is what happens when the root CA and the server request were answered with the same DN.)

solution
---------

- have different DNs for the root CA and the server cert, e.g. OU=server / CN=server for the server request as below. For a real endpoint the CN should be the host name, and modern clients additionally require the host name in a subjectAltName extension (the browser complaint at the end of this page).

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:WA
Locality Name (eg, city) []:Seattle
Organization Name (eg, company) [Internet Widgits Pty Ltd]:duwamish inc
Organizational Unit Name (eg, section) []:server
Common Name (e.g. server FQDN or YOUR name) []:server                                    
Email Address []:prayag.upd@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

server error (keystorePass="" does not match the pkcs12 export password)

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"                       
            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"                            
            keystoreFile="/Users/as18/possibilities/programming/s2/eccount-rest/conf3/restapi-server.p12" 
            keystoreType="PKCS12"                                                                      
            keystorePass=""                                                                            
            clientAuth="false"                                                                         
            sslProtocol="TLS" />  
            
java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded
        at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:410)
        at java.security.KeyStore.getKey(KeyStore.java:1023)
        at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
        at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
        at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:617)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:546)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:370)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:810)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:476)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:568)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:871)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:580)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:603)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)


solution: keystorePass must be the pkcs12 -export password ("restapi-server" here). The JDK PKCS12 keystore reports a wrong password as "Given final block not properly padded": decrypting the key bag with the wrong password yields garbage padding, and that is the error that surfaces instead of a plain "bad password".

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"                       
            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"                            
            keystoreFile="/Users/as18/possibilities/programming/s2/eccount-rest/conf3/restapi-server.p12" 
            keystoreType="PKCS12"                                                                      
            keystorePass="restapi-server"                                                                                      
            clientAuth="false"                                                                         
            sslProtocol="TLS" />   

client cert
# the API user generates the key and the CSR and sends only the CSR; the CA signs it and returns restapi-client.cert

openssl genrsa -out restapi-client.key 2048

# Use common name = <tomcat-users.xml's user, say 'admin'>, department = Tomcat Client CSR
# note: Tomcat's realms look the user up by the certificate's full subject DN; to match on the CN alone,
# set the Realm's X509UsernameRetrieverClassName to a retriever that extracts it

openssl req -new -sha256  -key restapi-client.key -out restapi-client.csr

# CA side: sign with -CA/-CAkey only (no -signkey, that would self-sign the request)
openssl x509 -req -sha256 -days 13210 -in restapi-client.csr -CA restapi-root-ca.cert -CAkey restapi-root-ca.key -CAcreateserial -out restapi-client.cert
openssl pkcs12 -export -name restapi-client -in restapi-client.cert -out restapi-client.p12 -inkey restapi-client.key -CAfile restapi-root-ca.cert -caname restapi-root -chain

#export password restapi-client
- install the root cert on the client (Amazon Linux / RHEL): do not append it to /etc/pki/tls/certs/ca-bundle.crt, which update-ca-trust regenerates; drop the PEM into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust extract
- openssl verify -verbose /etc/pki/tls/certs/restapi-root-ca.cert
  (succeeds only once the root is trusted system-wide; the chain itself can be checked without installing anything by passing the root via -CAfile)

-  curl -v --cert /home/ec2-user/restapi-client.cert --key /home/ec2-user/restapi-client.key https://customerorder-dev.duwamish.com
   (the connector above has clientAuth="false", so the server never requests this cert; to enforce mutual TLS set clientAuth="true" and point truststoreFile / truststorePass at a keystore holding restapi-root-ca.cert)
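The three procedures above (self-signed server cert, root CA + server cert, client cert) collapsed into one script, added here as an example and not part of the gist. It signs the leaves with -CA/-CAkey only, gives the root and the leaves different DNs, puts the host name into a subjectAltName (which is what the browser complaint at the end of this page is about), and ends with the checks worth running before a .p12 is copied to Tomcat. The output directory, the host name restapi.example.test, the user name admin, the 825-day validity and the CA_PASS / P12_PASS passphrase defaults are assumptions, not values from the gist.

```shell
#!/bin/sh
# Added example (not from the gist): private root CA -> server cert with SAN -> client cert,
# each wrapped in a PKCS#12 that carries its chain, plus the checks to run before copying a
# .p12 to Tomcat. Assumed placeholders: output dir $1, host restapi.example.test, client user
# "admin", passphrases CA_PASS / P12_PASS (demo defaults below, override them for real use).
set -eu

CA_PASS="${CA_PASS:-restapi-root}"     # passphrase of the CA private key
P12_PASS="${P12_PASS:-restapi-server}" # pkcs12 export password == Tomcat keystorePass

# Tiny req config so nothing depends on the system openssl.cnf; -subj supplies the DN,
# so the [dn] section can stay empty.
write_req_cnf() { printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/req.cnf"; }

# Root CA: encrypted key, self-signed (the one place -signkey belongs), explicitly marked CA.
make_root_ca() {
  d="$1"
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$d/root-ca.key" 2048 2>/dev/null
  openssl req -new -config "$d/req.cnf" -key "$d/root-ca.key" -passin "pass:$CA_PASS" \
    -subj '/C=US/ST=WA/L=Seattle/O=duwamish inc/OU=ca/CN=restapi-root' -out "$d/root-ca.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$d/root-ca.ext"
  openssl x509 -req -sha256 -days 3650 -in "$d/root-ca.csr" -signkey "$d/root-ca.key" \
    -passin "pass:$CA_PASS" -extfile "$d/root-ca.ext" -out "$d/root-ca.cert"
}

# Leaf cert signed by the root: -CA/-CAkey, no -signkey. The subject DN must differ from the
# root's, otherwise the leaf looks self-signed and "pkcs12 -chain" fails.
# args: dir name subject-DN extension-lines
issue_cert() {
  d="$1"; name="$2"; subj="$3"; exts="$4"
  openssl genrsa -out "$d/$name.key" 2048 2>/dev/null
  openssl req -new -sha256 -config "$d/req.cnf" -key "$d/$name.key" -subj "$subj" -out "$d/$name.csr"
  printf '%b' "$exts" > "$d/$name.ext"
  openssl x509 -req -sha256 -days 825 -in "$d/$name.csr" \
    -CA "$d/root-ca.cert" -CAkey "$d/root-ca.key" -passin "pass:$CA_PASS" -CAcreateserial \
    -extfile "$d/$name.ext" -out "$d/$name.cert"
  # key + cert + root in one bundle; the export password is what keystorePass must be
  openssl pkcs12 -export -name "$name" -in "$d/$name.cert" -inkey "$d/$name.key" \
    -CAfile "$d/root-ca.cert" -caname restapi-root -chain \
    -passout "pass:$P12_PASS" -out "$d/$name.p12"
}

make_chain() {
  write_req_cnf "$1"
  make_root_ca "$1"
  # server: 825 days is the longest validity Apple clients accept; SAN is mandatory, CN alone is ignored
  issue_cert "$1" server '/C=US/ST=WA/O=duwamish inc/OU=server/CN=restapi.example.test' \
    'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:restapi.example.test\nauthorityKeyIdentifier=keyid,issuer\n'
  # client: the subject DN is what Tomcat's realm sees as the user name
  issue_cert "$1" client '/C=US/ST=WA/O=duwamish inc/OU=client/CN=admin' \
    'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\nauthorityKeyIdentifier=keyid,issuer\n'
}

# ---- checks a practitioner runs before shipping the .p12 ----------------------------------
verify_chain() {    # dir name -> 0 if <name>.cert chains to root-ca.cert
  openssl verify -CAfile "$1/root-ca.cert" "$1/$2.cert" >/dev/null
}
verify_hostname() { # dir host -> 0 if the server cert's SAN covers host (openssl >= 1.0.2)
  openssl verify -CAfile "$1/root-ca.cert" -verify_hostname "$2" "$1/server.cert" >/dev/null 2>&1
}
is_self_signed() {  # cert -> 0 if subject == issuer (what the "getting chain" error is about)
  s=$(openssl x509 -noout -subject -in "$1" | sed 's/^[^=]*=//')
  i=$(openssl x509 -noout -issuer  -in "$1" | sed 's/^[^=]*=//')
  [ "$s" = "$i" ]
}
p12_opens() {       # p12 -> 0 if the export password unlocks it (Tomcat fails at startup otherwise)
  openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys -noout 2>/dev/null
}

# Server side (server.xml): keystoreFile=server.p12 keystoreType="PKCS12" keystorePass=$P12_PASS;
#   for mutual TLS add clientAuth="true" and a truststoreFile that holds root-ca.cert.
# Client side: curl --cacert root-ca.cert --cert client.cert --key client.key https://restapi.example.test:8443/
if [ $# -gt 0 ]; then   # usage: sh mkchain.sh /some/empty/dir
  make_chain "$1"
  verify_chain "$1" server && verify_hostname "$1" restapi.example.test && p12_opens "$1/server.p12" \
    && echo "server.p12 / client.p12 in $1 chain to root-ca.cert"
fi
```

On OpenSSL 3 the bundle is written with AES and PBKDF2; if an old JDK refuses to open it, adding -legacy to the pkcs12 -export line produces the older 3DES/RC2 encoding.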

resources

http://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html

@prayagupa

prayagupa commented Aug 28, 2017

root cert

openssl genrsa -out ca-key.pem 2048;
openssl req -new -x509 -nodes -days 1000 -key ca-key.pem -out ca-cert.pem;

server cert

openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem -out server-req.pem;
openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem;

client cert

openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem -out client-req.pem;
# a different serial from the server cert above: one CA must never issue two certs with the same serial
openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem;

How to create a self-signed certificate with openssl?

@prayagupa

prayagupa commented Aug 28, 2017

https://dst.lbl.gov/~boverhof/openssl_certs.html

https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

https://stackoverflow.com/a/38861586/432903

[root@ip-172-18-26-40 ~]# ll /etc/pki
total 36
drwxr-xr-x 2 root root 4096 Jan 20  2017 backup-traditional-original-config
drwxr-xr-x 2 root root 4096 Jan 20  2017 backup-traditional-recent-config
drwxr-xr-x 6 root root 4096 Feb 28  2017 CA
drwxr-xr-x 4 root root 4096 Jan 20  2017 ca-trust
drwxr-xr-x 2 root root 4096 Jan 20  2017 java
drwxr-xr-x 2 root root 4096 Jun 10 00:39 nssdb
drwxr-xr-x 2 root root 4096 Apr  3 21:01 rpm-gpg
drwx------ 2 root root 4096 Nov 11  2014 rsyslog
drwxr-xr-x 5 root root 4096 Apr  3 21:01 tls

@prayagupa

prayagupa commented Aug 29, 2017

root ca

openssl genrsa -des3 -out restapi-root-ca.key 2048
openssl req -new -x509 -days 36520 -key restapi-root-ca.key -out restapi-root-ca.cert

server cert

openssl genrsa -out restapi-server.key 2048
openssl req -new -sha256  -key restapi-server.key -out restapi-server.csr
# -signkey dropped (it self-signs; -CA/-CAkey do the signing here); -CAfile is the .cert written above, not .crt
openssl x509 -req -sha256 -days 36520 -in restapi-server.csr -CA restapi-root-ca.cert -CAkey restapi-root-ca.key -CAcreateserial -out restapi-server.cert
openssl pkcs12 -export -name restapi-server -in restapi-server.cert -out restapi-server.p12 -inkey restapi-server.key -CAfile restapi-root-ca.cert -caname restapi-root -chain

client cert

openssl genrsa -out restapi-client.key 2048

  # Use common name = <tomcat-user.xml's user say 'admin'>, department = Tomcat Client CSR
openssl req -new -sha256  -key restapi-client.key -out restapi-client.csr

openssl x509 -req -sha256 -days 36520 -in restapi-client.csr -CA restapi-root-ca.cert -CAkey restapi-root-ca.key -CAcreateserial -out restapi-client.cert
openssl pkcs12 -export -name restapi-client -in restapi-client.cert -out restapi-client.p12 -inkey restapi-client.key -CAfile restapi-root-ca.cert -caname restapi-root -chain

@prayagupa

prayagupa commented Aug 31, 2017

$ openssl x509 -enddate -noout -in restapi-server.cert 
notAfter=Oct 31 17:18:16 2053 GMT
[ec2-user@ip-172-18-20-233 ~]$ curl -v --cacert /home/ec2-user/restapi-client.cert --key restapi-client.key https://customerorder-dev.us-west-2.elasticbeanstalk.com
* Rebuilt URL to: https://customerorder-dev.us-west-2.elasticbeanstalk.com/
*   Trying 172.18.20.191...
* TCP_NODELAY set
* Connected to customerorder-dev.us-west-2.elasticbeanstalk.com (172.18.20.191) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /home/ec2-user/restapi-client.cert
  CApath: none
* Server certificate:
* 	subject: CN=customerorder-dev.us-west-2.elasticbeanstalk.com,OU=supply chain - WM,O=Nordstrom Inc,L=Seattle,ST=WA,C=US
* 	start date: Aug 31 17:18:16 2017 GMT
* 	expire date: Oct 31 17:18:16 2053 GMT
* 	common name: customerorder-dev.us-west-2.elasticbeanstalk.com
* 	issuer: CN=customerorder-dev.us-west-2.elasticbeanstalk.com,OU=Supply chain,O=Nordstrom Inc,L=Seattle,ST=WA,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Curl_http_done: called premature == 1
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.


## mac

curl -vv --cacert restapi-client.cert --key restapi-client.key https://customerorder-dev.us-west-2.elasticbeanstalk.com/
*   Trying 172.18.20.191...
* TCP_NODELAY set
* Connected to customerorder-dev.us-west-2.elasticbeanstalk.com (172.18.20.191) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: restapi-client.cert
  CApath: /usr/local/etc/openssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.

trust root cert

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain root-ca.pem
sudo security delete-certificate -c localhost

@prayagupa


/etc/pki/ca-trust/source/anchors/

@prayagupa
Copy link
Author

Server cert

  1. create a server key, sign a server cert with the CA root key

  2. configure the server cert and server key to elastic-beanstalk that will turn on port 443 with TLS

aws iam upload-server-certificate --server-certificate-name myapi-e2e-tls --certificate-body file://server.cert --private-key file://server.key --profile aws-federated --region us-west-2

Client cert

  1. Client has to send a cert request to CA where "Common Name" has to be REST Endpoint.
    cert request can be sent via email.

eg. CN=restapi-prod.us-west-2.elasticbeanstalk.com

  2. CA signs the client cert request and gives back certificate chain.

Download cert chain and convert to PEM.

openssl pkcs7 -print_certs -in certnew.p7b -out restapi-prod-client.cert                      

responds back signed cert chain to HL

  3. client has to install the cert chain to /etc/pki/ca-trust/source/anchors/

cURL example

# -GET is parsed by curl as -G plus -E with the cert file "T"; GET is the default anyway
curl -X GET https://restapi-dev.us-west-2.elasticbeanstalk.com

@prayagupa

This server could not prove that it is customerorder-e2e.us-west-2.elasticbeanstalk.com; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.

https://stackoverflow.com/a/45334213

# subjectAltName is an X.509v3 extension, not a DN component, so -subj cannot set it (the original
# command only added a bogus RDN). Feed it from a config section; 192.168.0.222 is an IP, so use IP:
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -sha256 -subj '/CN=my-domain.com' \
  -config <(printf '[req]\ndistinguished_name = dn\n[dn]\n[san]\nsubjectAltName = DNS:my-domain.com, IP:192.168.0.222\n') \
  -extensions san -keyout my-domain.key -out my-domain.crt
