@prayagupa
Last active September 12, 2017 18:29
TLS, https, tomcat, p12

Server cert

private key

openssl genrsa -out restapi.key 2048                                                                   

Cert Signing Request

openssl req -new -key restapi.key -out restapi.csr                                                     

server cert (self-signed: -signkey signs the request with its own key, so there is no CA in the chain, and the cert carries no extensions, hence no subjectAltName)

openssl x509 -req -days 24855 -in restapi.csr -signkey restapi.key -out restapi.cert
# 24855 days is about 68 years; use a short validity for anything beyond a local test

Combine private key + cert in a PKCS#12 (P12) bundle

openssl pkcs12 -export -in restapi.cert -inkey restapi.key -out restapi.p12 -name restapi

tomcat connector config (conf/server.xml); keystorePass is the passphrase given to `openssl pkcs12 -export`

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"                       
            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"                            
            keystoreFile="/Users/prayagupd/restapi.p12"                                                     
            keystoreType="PKCS12"                                                                      
            keystorePass="restapi"                                                                     
            clientAuth="false" sslProtocol="TLS" /> 

root ca

openssl genrsa -des3 -out restapi-root-ca.key 2048 
## passphrase restapi-root (-des3 is the legacy key cipher; -aes256 is the current choice for a new CA key)

openssl req -new -x509 -days 13210 -key restapi-root-ca.key -out restapi-root-ca.cert

server cert (issued by the root CA)

openssl genrsa -out restapi-server.key 2048
openssl req -new -sha256  -key restapi-server.key -out restapi-server.csr

# sign the CSR with the CA key; -signkey is not needed here: on its own it self-signs the cert (as in the first section) and alongside -CA it is redundant
openssl x509 -req -sha256 -days 13210 -in restapi-server.csr -CA restapi-root-ca.cert -CAkey restapi-root-ca.key -CAcreateserial -out restapi-server.cert
# -chain looks the issuer up in -CAfile and verifies the leaf against it before bundling
openssl pkcs12 -export -name restapi-server -in restapi-server.cert -out restapi-server.p12 -inkey restapi-server.key -CAfile restapi-root-ca.cert -caname restapi-root -chain 
#export password restapi-server

error

Error self signed certificate getting chain

solution
---------

- have different DNs for the root CA and the server cert. The server CSR had been filled in with the same DN as the CA, so the issued cert's subject equalled its issuer; OpenSSL's verifier treats such a cert as self-signed and -chain cannot build a path to the root. Answers used for the server CSR:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:WA
Locality Name (eg, city) []:Seattle
Organization Name (eg, company) [Internet Widgits Pty Ltd]:duwamish inc
Organizational Unit Name (eg, section) []:server
Common Name (e.g. server FQDN or YOUR name) []:server                                    
Email Address []:prayag.upd@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

server error (keystorePass left empty)

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"                       
            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"                            
            keystoreFile="/Users/as18/possibilities/programming/s2/eccount-rest/conf3/restapi-server.p12" 
            keystoreType="PKCS12"                                                                      
            keystorePass=""                                                                            
            clientAuth="false"                                                                         
            sslProtocol="TLS" />  
            
java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded
        at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:410)
        at java.security.KeyStore.getKey(KeyStore.java:1023)
        at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
        at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
        at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:617)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:546)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:370)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:810)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:476)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:568)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:871)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:580)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:603)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)


solution: keystorePass must be the passphrase given to `openssl pkcs12 -export` (restapi-server here). The padding error is the JDK failing to decrypt the private-key entry with the wrong password.

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"                       
            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"                            
            keystoreFile="/Users/as18/possibilities/programming/s2/eccount-rest/conf3/restapi-server.p12" 
            keystoreType="PKCS12"                                                                      
            keystorePass="restapi-server"                                                                                      
            clientAuth="false"                                                                         
            sslProtocol="TLS" />   

client cert

openssl genrsa -out restapi-client.key 2048

# Use common name = <tomcat-users.xml's user, say 'admin'>, department = Tomcat Client CSR
# take the Cert Signing Request from the API user, and respond with a restapi-client.cert
# for Tomcat to request and check this cert, the connector also needs clientAuth="true" and a truststoreFile containing restapi-root-ca.cert

openssl req -new -sha256  -key restapi-client.key -out restapi-client.csr

# signed with the CA key; no -signkey, which would self-sign the cert instead
openssl x509 -req -sha256 -days 13210 -in restapi-client.csr -CA restapi-root-ca.cert -CAkey restapi-root-ca.key -CAcreateserial -out restapi-client.cert
openssl pkcs12 -export -name restapi-client -in restapi-client.cert -out restapi-client.p12 -inkey restapi-client.key -CAfile restapi-root-ca.cert -caname restapi-root -chain 

#export password restapi-client
- install the root cert by appending its PEM to /etc/pki/tls/certs/ca-bundle.crt (on RHEL/CentOS that bundle is regenerated by update-ca-trust, so the durable way is to drop the PEM into /etc/pki/ca-trust/source/anchors/ and run `update-ca-trust`)
- openssl verify -verbose /etc/pki/tls/certs/restapi-root-ca.cert 

-  curl -v --cert /home/ec2-user/restapi-client.cert --key /home/ec2-user/restapi-client.key https://customerorder-dev.duwamish.com
   (without the system-wide install, pass the root explicitly with --cacert restapi-root-ca.cert)

resources

http://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html

@prayagupa (Author)

This server could not prove that it is customerorder-e2e.us-west-2.elasticbeanstalk.com; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.

https://stackoverflow.com/a/45334213

# -addext needs OpenSSL 1.1.1 or later; a SAN cannot be set through -subj (that only adds an RDN to the subject DN), and an IP address goes in as IP:, not DNS:
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -sha256 -subj '/CN=my-domain.com' -addext 'subjectAltName=DNS:my-domain.com,IP:192.168.0.222' -keyout my-domain.key -out my-domain.crt
