See OWASP's TLS Cheatsheet and Rule - Always Provide All Needed Certificates. You solve it by having the server send all required intermediates along with the server's certifcate. Essentially, it means a client does not know where to go to fetch a missing intermediate certificate. The problem you are experiencing is called the "Which Directory" problem. If the server is not sending all intermediate certificates required to build the chain, then the server is misconfigured. The server is responsible for sending all intermediate certificates required to build the chain. You should only need to trust the root certificate, and not the entire chain. You will need a trusted distribution channel to ensure your program is not modified while sitting on the server waiting to be picked or while traveling down the wire while being installed. SSLContext context = SSLContext.getInstance("TLS") Ĭontext.init(null, tmf.getTrustManagers(), null) Ks.setCertificateEntry(Integer.toString(1), ca) KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()) generateCertificate(new BufferedInputStream(fis)) X509Certificate ca = (X509Certificate) CertificateFactory.getInstance("X.509") static String CA_FILE = "ca-cert.pem" įileInputStream fis = new FileInputStream(CA_FILE) You can even hard code it into your program so there's no separate file to manage. You don't need to put it in any store - just carry around the PEM encoded file. Here's code you can use for clients to programatically add your CA at runtime. Is the above code not equivalent to keytool -import? I feel like I'm either adding certificates to the KeyStore incorrectly, or I'm not installing the Keystore into the TrustManager in the right way.įYI: I am also attempting to address this issue by implementing an X509TrustManager. SSLContext ctx = SSLContext.getInstance("TLSv1") Ĭtx.init(null, tmf.getTrustManagers(), null) īut when I run it, the PKIX error reappears. TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()) Add each cert in the chain one at a time InputStream fis = new FileInputStream("cert_chain.crt") īufferedInputStream bis = new BufferedInputStream(fis) ĬertificateFactory cf = CertificateFactory.getInstance("X.509") Ĭollection certs = cf.generateCertificates(bis) Create an empty keystore that we can load certificate into I thought, "no problem, I'll just add this certificate chain to the keystore programmatically" so I removed it from my JVM: keytool -delete -alias envmgrchain -keystore cacerts -storepass changeitĪnd added this code: KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()) The problem is we'll be putting our application up on a cloud server like rackspace or AWS and I think there is a good chance that we won't have access to modify the keystore of the JVM to add this chain. Openssl s_client -host -port 443 -showcerts > cert_chain.crtĪnd installed it into my JDK's keystore: keytool -import -alias envmgrchain -file cert_chain.crt -keystore cacerts -storepass changeit I fixed it by importing a certificate chain using openssl: If you want to open Certificate Manager in current user scope using PowerShell, you type certmgr in the console window.I was getting an SSL Handshake Exception error: PKIX "path does not chain" ( described here). If you can't find the certificate under Current User\Personal\Certificates, you may have accidentally opened "Certificates - Local Computer", rather than "Certificates - Current User"). This opens the Certificate Export Wizard. Locate the certificate, typically in 'Certificates - Current User\Personal\Certificates', and right-click. cer file from the certificate, open Manage user certificates. cer file for your certificate: Export public certificate We'll then concatenate all the client CA certificates into one trusted client CA certificate chain. In this example, we will use a TLS/SSL certificate for the client certificate, export its public key and then export the CA certificates from the public key to get the trusted client CA certificates. Trusted client CA certificate is required to allow client authentication on Application Gateway. PrerequisitesĪn existing client certificate is required to generate the trusted client CA certificate chain. In this article, you'll learn how to export a trusted client CA certificate chain that you can use in your client authentication configuration on your gateway. If you have multiple certificate chains, you'll need to create the chains separately and upload them as different files on the Application Gateway. In order to configure mutual authentication with the client, or client authentication, Application Gateway requires a trusted client CA certificate chain to be uploaded to the gateway.
0 Comments
Leave a Reply. |