shantanu1621
Posted: Tue Jun 21, 2016 3:20 am    Post subject: Certificate chaining error
Novice
Joined: 24 May 2013    Posts: 10
Hi All
We have been facing the following issue for the past couple of days, as there needed to be a fresh installation of an SSL certificate in one environment.
I followed these steps for the certificate installation:
Quote:
keytool -genkey -alias newjfsbkr02 -keystore newjfsbkr02.jks -keysize 2048
keytool -certreq -alias newjfsbkr02 -keystore newjfsbkr02.jks -file newjfsbkr02.csr
keytool -import -trustcacerts -alias root -file /home/mbuser/Integration/Root_certificate.cer -keystore newjfsbkr02.jks
keytool -import -trustcacerts -alias CAroot -file /home/mbuser/Integration/CA_certificate.cer -keystore newjfsbkr02.jks
keytool -import -trustcacerts -alias server -file /home/mbuser/Integration/Server_certificate.cer -keystore newjfsbkr02.jks
keytool -import -trustcacerts -alias root -file "/home/mbuser/Integration/Root_certificate.cer" -keystore "/opt/IBM/mqsi/9.0.0.2/jre17/lib/security/cacerts"
keytool -import -trustcacerts -alias CAroot -file "/home/mbuser/Integration/CA_certificate.cer" -keystore "/opt/IBM/mqsi/9.0.0.2/jre17/lib/security/cacerts"
keytool -import -trustcacerts -alias server -file /home/mbuser/Integration/Server_certificate.cer -keystore /opt/IBM/mqsi/9.0.0.2/jre17/lib/security/cacerts
mqsireportproperties Broker -o BrokerRegistry -r
mqsichangeproperties Broker -b httplistener -o HTTPListener -n enableSSLConnector -v true
mqsichangeproperties Broker -b httplistener -o HTTPSConnector -n keystoreFile -v "/home/mbuser/newjfsbkr02.jks"
mqsichangeproperties Broker -o BrokerRegistry -n brokerKeystoreFile -v "/home/mbuser/newjfsbkr02.jks"
mqsichangeproperties Broker -o BrokerRegistry -n brokerTruststoreFile -v "/opt/IBM/mqsi/9.0.0.2/jre17/lib/security/cacerts"
mqsisetdbparms Broker -n brokerKeystore::password -u temp -p newjfsbkr02
mqsisetdbparms Broker -n brokerTruststore::password -u temp -p changeit
mqsichangeproperties Broker -b httplistener -o HTTPSConnector -n keystorePass -v newjfsbkr02
But even after following these steps, we are getting the following error:
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
Quote:
java.security.cert.CertPathValidatorException: The certificate issued by EMAILADDRESS=xxx@xxx.com, CN=IDRBT CA TEST 2015-TEST, OID.2.5.4.51=Castle Hills, STREET=Road No.1, ST=TELANGANA, POSTALCODE=500057, OU=Certifying Authority, O=IDRBT, C=IN is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
I checked the truststore (cacerts) and the keystore. In both places I can see the certificates (aliases) present.
Please
mqjeff
Posted: Tue Jun 21, 2016 4:07 am    Post subject:
Grand Master
Joined: 25 Jun 2008    Posts: 17447
Certificate Chaining error usually means something like "you didn't add the full certificate signing chain". So you only added the personal cert, and not the root cert or one or more of the intermediate certs.
_________________
chmod -R ugo-wx /
shantanu1621
Posted: Tue Jun 21, 2016 4:20 am    Post subject:
Novice
Joined: 24 May 2013    Posts: 10
Thanks mqjeff
Quote:
Certificate Chaining error usually means something like "you didn't add the full certificate signing chain". So you only added the personal cert, and not the root cert or one or more of the intermediate certs
But I have installed the certificate in both the keystore and the truststore.
I had 3 certificates: one is the root, the other is the intermediate, and the 3rd one is the server certificate.
I feel something is wrong with the keystore I am creating, as:
Quote:
Alias name: newjfsbkr02
Creation date: Jun 17, 2016
Entry type: keyEntry
Certificate chain length: 1
Am I missing something while generating the keystore?
mqjeff
Posted: Tue Jun 21, 2016 4:46 am    Post subject:
Grand Master
Joined: 25 Jun 2008    Posts: 17447
I don't think it's an issue with the keystore itself.
I think it's an issue with the certs in the keystore.
But that's mostly a guess.
_________________
chmod -R ugo-wx /
joebuckeye
Posted: Tue Jun 21, 2016 5:00 am    Post subject:
Partisan
Joined: 24 Aug 2007    Posts: 365    Location: Columbus, OH
You should really only need to install Root certificates if you are making an HTTPS call. The intermediate and server certs should be returned by the endpoint you are calling if they are configured correctly.
Since the error you are seeing says that the certificate is not trusted, I don't think the cert you added is the one being returned.
Do you still have to restart the broker to include cacerts updates?
Over the years we have learned many lessons with regard to certs, some of them painful.
Whatever certs you put into cacerts will be trusted by the broker. If you put in the server cert, it will trust that. But server certs have a very short life (1 or 2 years) and you don't want to be replacing certs all the time.
Intermediate certs have a longer life, so you can trust them if you want, but these should be returned by the endpoint.
Root certs have a very long life. You should only trust them. The endpoints you are calling should return the server cert (this is me) and any intermediate certs (these prove where I came from), and then you build the chain from the server cert to any intermediate certs to a final Root cert that you trust. Once the chain is complete, the SSL connection is trusted.
shantanu1621
Posted: Tue Jun 21, 2016 9:27 pm    Post subject:
Novice
Joined: 24 May 2013    Posts: 10
mqjeff wrote:
I don't think it's an issue with the keystore itself.
I think it's an issue with the certs in the keystore.
But that's mostly a guess.
Thanks mqjeff,
Actually I read somewhere that while creating a keystore for chained certificates we need to first import the Root certificate with alias x, the intermediate with alias y, and finally, when importing the server certificate, use the same alias as the keystore alias.
I am trying to do it but am getting the following error:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
Hence I was suspecting I was doing something wrong here.
shantanu1621
Posted: Wed Jun 22, 2016 1:32 am    Post subject:
Novice
Joined: 24 May 2013    Posts: 10
Quote:
Do you still have to restart the broker to include cacerts updates?
Yes, a restart is still needed, but now we have mqsireload for that.
Quote:
Whatever certs you put into cacerts will be trusted by the broker. If you put in the server cert it will trust that. But server certs have a very short life (1 or 2 years) and you don't want to be replacing certs all the time.
Intermediate certs have a longer life so you can trust them if you want but these should be returned by the endpoint.
Root certs have a very long life. You should only trust them. The endpoints you are calling should return the server cert (this is me) and any intermediate certs (these prove where I came from) and then you build the chain from the server cert to any intermediate certs to a final Root cert that you trust. Once the chain is complete then the SSL connection is trusted.
That is there, but we have been adding certificates to cacerts every time, as they are provided to us whenever they expire. As you suggested, I removed the server and intermediate certificates, but I am still getting the same error; the error is regarding the intermediate certificate.
fjb_saper
Posted: Wed Jun 22, 2016 4:40 am    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
The intermediate certificate can generally be downloaded from the CA's web site.
Even though the CA root may be the same, the intermediate certs change over time. So you may need to have in your cert store 2 (or more) intermediate certs at the same level for a single root CA.
Have fun
_________________
MQ & Broker admin
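The three diagnoses in this thread (joebuckeye's "build the chain from the server cert through the intermediates to a root you trust", shantanu1621's "chain length 1" / "Public keys in reply and keystore don't match", and fjb_saper's "several intermediates under one root") can all be checked offline with the same Java APIs the broker's JSSE uses. The program below is an added example written for this page; it is not IBM's code and not anything the posters ran. It assumes JKS keystores, a Java 7 or later runtime, and takes the keystore, its key alias and password, the truststore and its password, the server certificate file and any intermediate certificate files as arguments; every path and password shown in the usage comment is a placeholder. It reports the key entry's chain length, whether the CA's reply belongs to that key pair, and, when the PKIX build fails, which issuer is neither a trusted entry in the truststore nor among the supplied intermediates.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/*
 * ChainCheck: added diagnostic example, not IBM's or the poster's code.
 * Usage (every path and password here is a placeholder for your own files):
 *   java ChainCheck newjfsbkr02.jks newjfsbkr02 KEYSTORE_PW \
 *        /opt/IBM/mqsi/9.0.0.2/jre17/lib/security/cacerts changeit \
 *        Server_certificate.cer CA_certificate.cer [more intermediates...]
 */
public class ChainCheck {

    static X509Certificate readCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    static KeyStore loadJks(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    // Only trustedCertEntry items act as PKIX trust anchors; a keyEntry does not.
    static List<X509Certificate> trustAnchors(KeyStore ts) throws Exception {
        List<X509Certificate> anchors = new ArrayList<>();
        for (String alias : Collections.list(ts.aliases())) {
            if (ts.isCertificateEntry(alias)) anchors.add((X509Certificate) ts.getCertificate(alias));
        }
        return anchors;
    }

    // A certificate in 'pool' whose subject equals cert's issuer AND whose key verifies cert's
    // signature. Two intermediates with the same DN (old and new issuing cert) differ in the key,
    // so the signature check picks the right one, or none.
    static X509Certificate findIssuer(X509Certificate cert, List<X509Certificate> pool) {
        for (X509Certificate candidate : pool) {
            if (!candidate.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
            try {
                cert.verify(candidate.getPublicKey());
                return candidate;
            } catch (Exception notTheSigner) {
                // same name, different key: keep looking
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadJks(args[0], args[2]);
        String alias = args[1];
        KeyStore ts = loadJks(args[3], args[4]);
        X509Certificate serverCert = readCert(args[5]);
        List<X509Certificate> intermediates = new ArrayList<>();
        for (int i = 6; i < args.length; i++) intermediates.add(readCert(args[i]));

        // 1. The key entry: how long is its chain, and was the CA's reply issued for this key pair?
        Certificate[] chain = ks.getCertificateChain(alias);
        System.out.println("keyEntry '" + alias + "' chain length: " + (chain == null ? 0 : chain.length));
        if (chain != null && !Arrays.equals(chain[0].getPublicKey().getEncoded(),
                                            serverCert.getPublicKey().getEncoded())) {
            System.out.println("Server cert does not match the key pair under '" + alias
                + "' (keytool reports this as: Public keys in reply and keystore don't match)");
        }

        // 2. What JSSE does during the handshake: build a PKIX path from the server cert, through
        //    the intermediates the peer presents, to a trusted entry in the truststore.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(serverCert);
        PKIXBuilderParameters params = new PKIXBuilderParameters(ts, target);
        params.setRevocationEnabled(false);   // keep the check offline; revocation is a separate concern
        List<X509Certificate> presented = new ArrayList<>(intermediates);
        presented.add(serverCert);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(presented)));
        try {
            PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("Path OK, anchor: " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            // 3. Explain the failure: walk upward and name the first issuer nobody supplied.
            List<X509Certificate> anchors = trustAnchors(ts);
            X509Certificate current = serverCert;
            while (findIssuer(current, anchors) == null) {
                X509Certificate next = findIssuer(current, intermediates);
                if (next == null || next.equals(current)) {   // missing, or a self-signed cert that is not an anchor
                    System.out.println("Chaining error: issuer " + current.getIssuerX500Principal()
                        + " is neither a trusted entry in the truststore nor among the presented intermediates");
                    return;
                }
                current = next;
            }
            System.out.println("Chain reaches an anchor but PKIX rejected it (validity, usage, etc.): " + e.getMessage());
        }
    }
}
```

How to read the output against this thread: a chain length of 1 for the key entry means the signed certificate was never imported under the key pair's own alias; keytool only replaces the self-signed placeholder with the full chain when the reply is imported under that alias and its issuers are already trusted entries in the same keystore (or in cacerts with -trustcacerts). A key mismatch means the certificate was issued for a CSR from a different key pair, which is exactly the keytool message quoted above. And the DN printed by the "Chaining error" line is the same DN the broker names in "The certificate issued by ... is not trusted": the issuer that neither the truststore holds as a trusted entry nor the peer presented. Because findIssuer verifies the signature rather than matching on name alone, keeping two same-named intermediates under one root, as fjb_saper describes, is handled without ambiguity.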