How to generate and implement a third party signed SSL Web Service certificate (CA signed) on NetBackup 3.1.x-4.1.x appliances
Description
This article describes how to generate a third-party CA signed SSL certificate and install it for the web services on NetBackup 3.1.x - 4.1.x appliances. The appliance keeps the web server's private key and certificate chain in a Java KeyStore (JKS on 3.1.x; BCFKS format on 4.1.x, see Important Notes). A Java KeyStore is a repository of security certificates, such as the public key certificates and private keys used in SSL/TLS.
Overview of Steps
Most of the steps are carried out on the NetBackup appliance and are run from a working directory that you create on it.
The following steps are required in order to use a third party Certificate Authority (CA) signed certificate with the NetBackup Appliance Web Console instead of the default self-signed certificate for client/host validation:
- Before you begin: save copies of the keystore, certificate pem files, config files and password files. (See Important Notes below)
- Generate your own tomcat keystore.
- Create a certificate signing request (CSR) file, and send/upload the contents of this CSR to the third party CA for a signed certificate chain. After the CA signs the request, they will provide a signed certificate in several possible forms.
- Import the signed certificate reply.
- Remove the /opt/apache-tomcat/security/keystore file and replace it with the new one.
- Export the "tomcat" alias certificate stored in the keystore to PKCS#12 format.
- Export all keystore certificates (private key included) in PKCS#12 format to a readable PEM certificate (X.509) file.
- Copy the third party CA signed keystore, certificate PEM files to the Web Server services directories.
- Update the password of the tomcat keystore and other SSL certificate related config files, only if a password other than the default "appliance" password is used.
- Restart all Web Server related services.
- Validation
- Perform test connection to the Web Server services.
Important Notes
Read and understand these steps completely before starting this procedure. It is crucial to understand the tomcat keystore, the certificate chain and the commands used before starting.
Note: on 4.1.x appliances the tomcat keystore type is BCFKS, so keytool must be pointed at the BCFKS provider. On 4.1.x run the following command once in the shell session, before any keytool command in this article:
alias keytool='keytool -J--module-path=/opt/IMAppliance/lib/soacommon/thirdparty/ccj.jar -J--add-modules=ccj -J--add-exports=java.base/sun.security.provider=ccj -J--add-exports=java.base/sun.security.internal.spec=ccj -storetype BCFKS'
Before starting the steps in this article, make sure you have a good backup copy of the keystore, certificate PEM files, config files and password files:
- /opt/apache-tomcat/security/keystore
- /opt/apache-tomcat/vxos/conf/server.xml
- /opt/apache-tomcat/vrts/config/tomcat_keystore.conf
- /etc/rc.d/init.d/as-functions
- (make a save copy of this init startup script, and DO NOT put the copy in /etc/rc.d/init.d)
- /etc/nginx/nginx_ssl.pass
- /etc/vxos-ssl/cert.conf
- /etc/mongod.conf
- /etc/vxos-ssl/servers/certs/{hostname}*.pem
- # cd /etc/cron.d
- # mv as-* cronjob_soa /tmp
Stop AutoSupport and WebService related services:
- /opt/IMAppliance/scripts/infraservices.sh database stop
- systemctl status mongod
- IF STILL NOT STOPPED: systemctl stop mongod
- /opt/IMAppliance/scripts/infraservices.sh webserver stop
- Always specify "tomcat" for the -alias, -srcalias and -destalias options where applicable.
- Always specify the same password for the keystore and SSL key, if a password other than the default "appliance" password is used. In these examples, veritas2 is used to show how to use a different password.
IMPORTANT!!! Do not use non-alphanumeric characters when setting the keypass password.
keypass is the password that protects the private key of the generated key pair.
keypass must be at least 6 characters long.
DO NOT use non-alphanumeric characters in the keypass password (see chart).
keytool accepts such characters in the early steps of this document, but a later step of the procedure fails with the error below:
ERROR: non-alphanumric character is not supported
Some Common Non-Alphanumeric Characters
Character | Name
--------- | -----------------
# | Number sign
@ | At sign
- | Dash
. | Period
$ | Dollar sign
* | Asterisk
( | Left parenthesis
) | Right parenthesis
+ | Plus sign
; | Semicolon
~ | Tilde
: | Colon
' | Apostrophe
/ | Slash
% | Percent sign
_ | Underscore
? | Question mark
, | Comma
= | Equals sign
& | Ampersand
! | Exclamation mark
Steps
In the following steps, the commands specify hostnames that are specific to a lab environment. Please be sure to change the hostnames in the commands to reflect the actual appliance hostname. The hostname will vary depending on what was selected during initial setup. All commands are run at the shell command prompt. At CLISH > Support > Maintenance > elevate to access the shell command prompt.
All certificate related files and keystore will be created in your working directory on the appliance.
Make a backup copy of the keystore, certificate PEM files, config files and password files (see Important Notes).
Make a working directory under the maintenance directory, and cd to it.
Example:
nb5240-01:~ # mkdir /home/maintenance/cert-work
nb5240-01:~ # cd /home/maintenance/cert-work
Generate a new tomcat keystore. Use the name users will type in the browser (normally the appliance FQDN) as the CN; the example below uses a lab value.
keytool -genkeypair -alias tomcat -dname "CN={common_name}, OU={organization_unit}, O={organization}, L={location}, ST={State_Province}, C={Country_code}" -keypass {password} -keyalg RSA -keystore mykeystore -storepass {password; see notes about the password} -keysize 2048
Example:
nb5240-01:/home/maintenance/cert-work # keytool -genkeypair -alias tomcat -dname "CN=KK, OU=sydlab, O=veritas, L=Sydney, ST=NSW, C=au" -keypass veritas2 -keyalg RSA -keystore mykeystore -storepass veritas2 -keysize 2048
Create a certificate signing request (CSR) file, and send/upload the contents of this CSR to the third party CA for a signed certificate chain.
keytool -certreq -alias tomcat -keyalg RSA -file {certreq.csr} -keypass {password} -keystore {mykeystore} -storepass {password} -sigalg SHA256withRSA -ext SAN=dns:{appliance-shortname},ip:{IP for host name},dns:{appliance_FQDN_hostname},ip:{any additional IPs},dns:{any other hostnames for this host},dns:localhost,ip:127.0.0.1
Note: add a dns: entry for every other host name the appliance answers to and an ip: entry for each additional address. Browsers validate the name they were given against the SAN list, so a name missing from it will still be shown as untrusted.
This creates a CSR for the entity identified by the default alias tomcat and puts the request in the file named certreq.csr. Submit this file to a CA, which returns a certificate or a chain of certificates, signed by the CA, authenticating your public key. (cat the certreq.csr file, copy and paste the content of certreq.csr to the third party CA (often a web browser signing form). Provide the third party CA the text between the " -----BEGIN NEW CERTIFICATE REQUEST----- " and " -----END NEW CERTIFICATE REQUEST----- ".)
Example:
nb5240-01:/home/maintenance/cert-work # keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore mykeystore -storepass veritas2 -keypass veritas2 -sigalg SHA256withRSA -ext SAN=dns:nb5240-01,dns:nb5240-01.applab.vrts,dns:localhost,ip:127.0.0.1
nb5240-01:/home/maintenance/cert-work # cat certreq.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDJjCCAg4CAQAwXDELMAkGA1UEBhMCYXUxDDAKBgNVBAgTA05TVzEPMA0GA1UE
BxMGU3lkbmV5MRAwDgYDVQQKEwd2ZXJpdGFzMQ8wDQYDVQQLEwZzeWRsYWIxCzAJ
... {SNIP}
ynqZXCoNL9nkQVkbHscDhJ1TmwTrIMZGV2WkCebQlrdCzoM5zoz3Y8wx
-----END NEW CERTIFICATE REQUEST-----
Import the signed certificate reply.
The test scenario covered by the example below is a PKCS#7 (.p7b) signed certificate chain reply. The keytool command can import X.509 v1, v2, and v3 certificates, and PKCS#7 formatted certificate chains consisting of certificates of that type. This would also support a .CER file if there is no intermediate certificate. The data to be imported must be provided either in binary encoding format or in printable encoding format (Base64 encoding).
NOTE: repeat the import command for each CA certificate in the chain, using a different alias for each level. This must be done in order. For example, if there is a root CA and two intermediate CAs, the import order is:
- root ca (import this first)
- next closest intermediate CA in the chain
- next closest intermediate CA in the chain
- the signed certificate (last)
Import the root CA certificate (use the root CA's own certificate file, not the signed reply):
# keytool -import -alias root -keystore mykeystore -trustcacerts -file {root-ca-cert} -storepass {password}
...answer 'yes' only after comparing the displayed fingerprint with the fingerprint the CA publishes for its root certificate
(If needed) Import the intermediate certificate(s), one alias per level (for example intermediate1, intermediate2):
# keytool -import -alias intermediate -keystore mykeystore -trustcacerts -file {intermediate-ca-cert} -storepass {password}
...answer 'yes' if the certificate contents look correct
Import the signed certificate reply. The alias must be tomcat so that the reply is paired with the private key generated earlier:
# keytool -importcert -alias tomcat -trustcacerts -file {signed-cert-reply} -keystore mykeystore -storepass {password}
Example:
nb5240-01:/home/maintenance/cert-work # keytool -importcert -alias tomcat -trustcacerts -file signed-cert.p7b -keystore mykeystore -storepass veritas2
Top-level certificate in reply:
Owner: CN=labs-ROS-BL-AD-CA-1, DC=labs, DC=veritas, DC=com
Issuer: CN=labs-ROS-BL-AD-CA-1, DC=labs, DC=veritas, DC=com
Serial number: 391f7b4f3082619643203165a665e4ad
Valid from: Fri May 19 03:06:20 AEST 2017 until: Thu May 19 03:16:19 AEST 2022
Certificate fingerprints:
MD5: BA:BD:8B:52:8D:AF:6D:CF:C3:7E:41:18:F1:C6:81:C8
SHA1: 64:F7:6F:05:4F:BC:B0:D5:71:B5:CD:F4:D1:96:4A:7B:DD:4F:53:F7
SHA256: 43:E8:FA:A7:13:D3:CA:2D:C7:8D:5D:8A:BE:42:F1:CF:2F:AD:ED:1F:BA:85:FE:1F:C6:96:B0:1F:AD:84:82:98
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
... {SNIP}
#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BE 6A AD 19 1D C1 97 86 56 F5 CB 6B 5C DA 6E 94 .j......V..k\.n.
0010: 0C 22 EC FE ."..
]
]
... is not trusted. Install reply anyway? [no]: yes
Certificate reply was installed in keystore
Remove the /opt/apache-tomcat/security/keystore file and replace it with the new keystore.
This assumes you are still in the working directory where the new keystore was just created.
# rm -f /opt/apache-tomcat/security/keystore
# cp mykeystore /opt/apache-tomcat/security/keystore
# chown tomcat:tomcat /opt/apache-tomcat/security/keystore
# chmod 600 /opt/apache-tomcat/security/keystore
Export the "tomcat" alias certificate stored in the keystore to PKCS#12 format.
# keytool -importkeystore -srckeystore {mykeystore} -destkeystore {mykeystore.p12} -deststoretype PKCS12 -srcalias tomcat -destalias tomcat -srcstorepass {password} -deststorepass {password} -srckeypass {password} -destkeypass {password} -noprompt
Example:
nb5240-01:/home/maintenance/cert-work # keytool -importkeystore -srckeystore mykeystore -destkeystore mykeystore.p12 -deststoretype PKCS12 -srcalias tomcat -destalias tomcat -srcstorepass veritas2 -deststorepass veritas2 -srckeypass veritas2 -destkeypass veritas2
Importing keystore mykeystore to mykeystore.p12...
Export all keystore certificates (private key included) from the PKCS#12 file to readable PEM (X.509) files.
Two files are needed: /etc/vxos-ssl/servers/certs/{hostname}-self.cert.pem (certificate chain only, referenced by client_cert in /etc/vxos-ssl/cert.conf) and /etc/vxos-ssl/servers/certs/{hostname}-self.keycert.pem (encrypted private key plus certificate chain, referenced by server_cert). Run "grep _cert /etc/vxos-ssl/cert.conf" to get the exact file names, because {hostname} may be the short name or the FQDN depending on the initial setup. Write to those paths directly, or write to the working directory and then copy the files over the originals, keeping the originals' ownership and permissions.
Certificate chain only (the '-nokeys' argument excludes the private key):
# openssl pkcs12 -nokeys -in mykeystore.p12 -out /etc/vxos-ssl/servers/certs/{hostname}-self.cert.pem -passin pass:{password} -passout pass:{password}
Private key and certificate chain (no '-nokeys'; the private key is exported encrypted with the -passout password):
# openssl pkcs12 -in mykeystore.p12 -out /etc/vxos-ssl/servers/certs/{hostname}-self.keycert.pem -passin pass:{password} -passout pass:{password}
Note: the -passout value is the PEM password that pem_password in /etc/vxos-ssl/cert.conf, /etc/nginx/nginx_ssl.pass and PEMKeyPassword in /etc/mongod.conf must contain, so use the same password here as for the keystore (see Important Notes).
Example:
nb5240-01:/home/maintenance/cert-work # grep server_cert /etc/vxos-ssl/cert.conf
server_cert=/etc/vxos-ssl/servers/certs/nb5240-01-self.keycert.pem
nb5240-01:/home/maintenance/cert-work # openssl pkcs12 -in mykeystore.p12 -out nb5240-01-self.keycert.pem -passin pass:veritas2 -passout pass:veritas2
MAC verified OK
nb5240-01:/home/maintenance/cert-work # cat nb5240-01-self.keycert.pem
Bag Attributes
friendlyName: tomcat
localKeyID: 54 69 6D 65 20 31 35 32 34 31 31 37 30 38 37 34 36 38
Key Attributes: {No Attributes}
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIQxBjCw5XDtsCAggA
MBQGCCqGSIb3DQMHBAgeaC9mjPJTswSCBMhbmmTerUHWapzKaMgzvwleBsCfFICQ
... {SNIP}
Kn4TRcq6SCuvzmoFMZRd1NHOIwSeJtXDpPNtnY5kC8b1U/WrAAOpej2/ks+ApPXJ
Bvc=
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: tomcat
localKeyID: 54 69 6D 65 20 31 35 32 34 31 31 37 30 38 37 34 36 38
subject=/C=au/ST=NSW/L=Sydney/O=veritas/OU=sydlab/CN=KK
issuer=/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1
-----BEGIN CERTIFICATE-----
MIIF2jCCBMKgAwIBAgITQQAAAFWZsO5GcEr2FAAAAAAAVTANBgkqhkiG9w0BAQsF
... {SNIP}
F0jdjKtbxrx/9NmDRqO2i3WiU7GWbrXs1FL+1kS0/uZbFl+5nDvJUuyGpHoyYyov
+OWwpK7TLfOj+a3M0lo=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: CN=labs-ROS-BL-AD-CA-1,DC=labs,DC=veritas,DC=com
subject=/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1
issuer=/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1
-----BEGIN CERTIFICATE-----
MIIDtzCCAp+gAwIBAgIQOR97TzCCYZZDIDFlpmXkrTANBgkqhkiG9w0BAQsFADBi
... {SNIP}
Ku4fK4dxI38zxxGg6XtZOk3cXM3cqnN/dAO9Q5d76OOcNq+pLyvo3WJTUQ==
-----END CERTIFICATE-----
Update the password of the tomcat keystore and other SSL certificate related config files, only if a password other than the default "appliance" password is used. This procedure used a different password in each example to demonstrate this option. This step can be skipped, if the password of keystore and SSL key certificate is the default "appliance" password.
Make sure a good backup copy of keystore password, and config files has already been created.
Update tomcat keystore password:
/opt/apache-tomcat/vrts/scripts/tomcat_instance.py update --keystore --password {password}
Edit
/opt/apache-tomcat/vxos/conf/server.xml
Search for "keystorePass=", then update the password.
Edit
/etc/rc.d/init.d/as-functions
Search for "Tomcat_Keystore_Passwd=", then update the password.
Example:
nb5240-01:~ # /opt/apache-tomcat/vrts/scripts/tomcat_instance.py update --keystore --password veritas2
nb5240-01:/opt/apache-tomcat/vrts/config # cat tomcat_keystore.conf
keystoreFile=/opt/apache-tomcat/security/keystore
keyAlias=tomcat
keystorePass=veritas2
nb5240-01:~ # grep -i storepass /opt/apache-tomcat/vxos/conf/server.xml
{Connector SSLEnabled="True" Server=" " URIEncoding="UTF-8" acceptCount="100" ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" compressableMimeType="text/html,text/xml,text/javascript,text/css" compression="on" compressionMinSize="10" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keyAlias="tomcat" keystoreFile="/opt/apache-tomcat/security/keystore" keystorePass="veritas2" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" port="8446" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslEnabledProtocols="TLSv1.2" useBodyEncodingForURI="true" useServerCipherSuitesOrder="true" /}
# grep -i Tomcat_Keystore_Passwd /etc/rc.d/init.d/as-functions
Tomcat_Keystore_Passwd="veritas2"
...
Update SSL key password:
Update "pem_password" setting in /etc/vxos-ssl/cert.conf.
Update the password in /etc/nginx/nginx_ssl.pass.
Update "PEMKeyPassword" setting in /etc/mongod.conf
Example:
nb5240-01:/home/maintenance # cat /etc/vxos-ssl/cert.conf
server_cert=/etc/vxos-ssl/servers/certs/nb5240-01-self.keycert.pem
client_cert=/etc/vxos-ssl/servers/certs/nb5240-01-self.cert.pem
pem_password=veritas2
nb5240-01:/home/maintenance # cat /etc/nginx/nginx_ssl.pass
veritas2
nb5240-01:/home/maintenance # grep -i password /etc/mongod.conf
PEMKeyPassword: veritas2
Restart all Web Server related services.
First start the mongoDB process and check for SSL errors:
# /opt/IMAppliance/scripts/infraservices.sh database start
Ensure it is running:
# ps -ef | grep /usr/bin/mongod | grep -v grep
Check log for SSL/ssl errors:
# tail /log/mongodb/mongod.log
# systemctl start nginx
Start webserver (tomcat-vxos) and then start AutoSupport:
# /opt/IMAppliance/scripts/infraservices.sh webserver start
# service as-alertmanager start ; service as-analyzer start ; service as-transmission start ; service as-collector start ; sh /opt/SYMCnbappgui/bin/appwebadmin.sh start
Put the cron related files back:
# cp -p /tmp/as-* /etc/cron.d
# cp -p /tmp/cronjob_soa /etc/cron.d
Validation
View contents of the keystore:
# keytool -v -list -keystore /opt/apache-tomcat/security/keystore | less
View contents of the pem file:
# openssl x509 -in /etc/vxos-ssl/servers/certs/{hostname}-self.keycert.pem -inform pem -noout -text | less
# openssl x509 -in /etc/vxos-ssl/servers/certs/{hostname}-self.cert.pem -inform pem -noout -text | less
View contents of the Certificate Signing Request (CSR) contents:
# openssl req -noout -text -in certreq.csr
View the certificate chain the web server presents, validating it against the exported chain file (expect "Verify return code: 0 (ok)"):
# openssl s_client -CAfile /etc/vxos-ssl/servers/certs/{hostname}-self.cert.pem -connect localhost:8446
Perform test connection to the Web Server services.
This runs the web UI dedupe summary widget from the command line. If it fails with an SSL error from mongod, the certificate chain in /etc/vxos-ssl/servers/certs/{hostname}-self.cert.pem is the first thing to check.
# /opt/NBUAppliance/bin/perl -I /opt/NBUAppliance/scripts/ /opt/NBUAppliance/scripts/landing_report.pl --getDedupeRatio --show
Use "curl" to connect to the Web URL. The -k option in the example below disables certificate verification, so it only proves the service is up; to check the installed chain as well, replace -k with --cacert /etc/vxos-ssl/servers/certs/{hostname}-self.cert.pem.
Use "openssl s_client -connect" to test the SSL certificates. Without -CAfile, a private CA root produces "Verify return code: 19 (self signed certificate in certificate chain)", as in the examples below; that only means the root is not in the local OpenSSL trust store. Add -CAfile /etc/vxos-ssl/servers/certs/{hostname}-self.cert.pem and expect "Verify return code: 0 (ok)". Press "Ctrl-D" to terminate the connection, or wait 300 sec (default time-out) for the connection to close.
Use keytool with the -list option to view the tomcat alias info stored in the keystore.
Test connectivity to the Appliance Web Console. The HTTPS connection will be “trusted” in the browser, which is represented as a padlock icon in most browsers. Check the certificate in the browser by using the browser’s functions to "view a certificate" to further confirm it is the expected certificate.
Examples:
nb5240-01:/home/maintenance # curl --tlsv1.2 -k -i -X POST -d '{"username":"admin","password":"P@ssw0rd","clientId":"webgui"}' -H "Content-Type:application/json" https://localhost:8446/appliance/authservice/api/v1/auth/login
HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 20 Apr 2018 05:38:31 GMT
Server:
{"tokenType":"bearer","accessToken":"29ae340b-5616-48ed-adfb-e432511ae3db","accessTokenExpTime":1799,"refreshToken":"b99c500d-19ff-48c3-947f-cf4ad449d8f8","scope":"read write"}
nb5240-01:/home/maintenance # openssl s_client -connect localhost:443
CONNECTED(00000003)
depth=1 DC = com, DC = veritas, DC = labs, CN = labs-ROS-BL-AD-CA-1
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/C=au/ST=NSW/L=Sydney/O=veritas/OU=sydlab/CN=KK
i:/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1
1 s:/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1
i:/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF2jCCBMKgAwIBAgITQQAAAFWZsO5GcEr2FAAAAAAAVTANBgkqhkiG9w0BAQsF
... {SNIP}
F0jdjKtbxrx/9NmDRqO2i3WiU7GWbrXs1FL+1kS0/uZbFl+5nDvJUuyGpHoyYyov
+OWwpK7TLfOj+a3M0lo=
-----END CERTIFICATE-----
subject=/C=au/ST=NSW/L=Sydney/O=veritas/OU=sydlab/CN=KK
issuer=/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3135 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 66EF8E1F4A85002C37C87AE5C648E7EDFCB1D8D869F1239BB6A97E3AEC3A2DC8
Session-ID-ctx:
Master-Key: A38484C428983C51A65B9ECEF90AA9EE4BB54C09437E37AD2BB00A6E5EFFCE2CAEFC384BE17102E9F6E8B7258538819B
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - a4 fa 0b 7d 16 52 5d 35-98 be 84 4b 89 0a 6f ba ...}.R]5...K..o.
... {SNIP}
Start Time: 1524202988
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
DONE
nb5240-01:/home/maintenance # openssl s_client -connect localhost:8446
CONNECTED(00000003)
depth=1 DC = com, DC = veritas, DC = labs, CN = labs-ROS-BL-AD-CA-1
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/C=au/ST=NSW/L=Sydney/O=veritas/OU=sydlab/CN=KK
i:/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1
1 s:/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1
i:/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF2jCCBMKgAwIBAgITQQAAAFWZsO5GcEr2FAAAAAAAVTANBgkqhkiG9w0BAQsF
... {SNIP}
F0jdjKtbxrx/9NmDRqO2i3WiU7GWbrXs1FL+1kS0/uZbFl+5nDvJUuyGpHoyYyov
+OWwpK7TLfOj+a3M0lo=
-----END CERTIFICATE-----
subject=/C=au/ST=NSW/L=Sydney/O=veritas/OU=sydlab/CN=KK
issuer=/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2944 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 5AD97F10293B13E8CC67C71FFB6D712E524906A76F8D782E696CF80DFF5C1C7D
Session-ID-ctx:
Master-Key: 785700C83685C8957689461CA97120556313B181DE311BF6FA2CAE2CCB602ADE26C0F17FBF7540F720CE277241520275
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1524203280
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
closed
nb5240-01:/home/maintenance # keytool -list -v -keystore /opt/apache-tomcat/security/keystore -storepass veritas2 | less
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 105 entries
Alias name: verisignclass2g2ca [jdk]
Creation date: Apr 20, 2018
Entry type: trustedCertEntry
... {SNIP}
Alias name: tomcat
Creation date: Apr 19, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=KK, OU=sydlab, O=veritas, L=Sydney, ST=NSW, C=au
Issuer: CN=labs-ROS-BL-AD-CA-1, DC=labs, DC=veritas, DC=com
Serial number: 410000005599b0ee46704af614000000000055
Valid from: Thu Apr 19 15:06:42 AEST 2018 until: Sat Apr 18 15:06:42 AEST 2020
Certificate fingerprints:
MD5: F8:3A:42:E1:7E:A8:F5:25:44:D5:EE:91:74:47:90:FF
SHA1: 1B:5E:B4:E3:FF:FC:C1:64:07:77:77:93:34:F4:86:C7:C8:F4:D1:94
SHA256: EE:5C:74:AB:8B:C9:E6:19:2C:AF:F9:24:EC:8F:D3:9C:94:77:97:AF:F2:F8:1C:A8:FF:1A:F6:B3:50:09:5E:05
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
... {SNIP}
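The following script is an added example and is not part of the Veritas article or of the appliance tooling. It bundles the checks a practitioner would want to run on the exported PEM files before restarting the services: that the keypass meets the alphanumeric rule from Important Notes, that the PEM password is identical in /etc/vxos-ssl/cert.conf, /etc/nginx/nginx_ssl.pass and /etc/mongod.conf, and that the encrypted key in {hostname}-self.keycert.pem opens with that password, matches the leaf certificate, lists the host name in its SAN and chains to the CA root. It assumes only the openssl, sed and grep command-line tools. The function names (keypass_ok, check_password_files, check_keycert, make_fixture) are hypothetical, and make_fixture builds a constructed throwaway CA and leaf certificate in a temporary directory so the checks can be exercised without touching any appliance path.

```shell
#!/bin/sh
# Added example, not part of the Veritas article or of the appliance tooling.
# Pre-install checks for the PEM files produced by the "openssl pkcs12" export
# step, plus the keypass character rule and the cross-file password check.
# Assumes only the openssl, sed and grep CLIs. All function names are
# hypothetical; make_fixture builds a constructed throwaway CA and leaf
# certificate so the checks can be exercised without touching appliance paths.
set -u

# keypass_ok PASSWORD: the rule from Important Notes, alphanumeric and >= 6 chars.
keypass_ok() {
  case $1 in
    ''|*[!A-Za-z0-9]*) return 1 ;;
  esac
  [ "${#1}" -ge 6 ]
}

# check_password_files CERT_CONF NGINX_PASS MONGOD_CONF
# The PEM password must be identical in the three files the procedure edits.
check_password_files() {
  a=$(sed -n 's/^pem_password=//p' "$1")
  b=$(head -n 1 "$2")
  c=$(sed -n 's/^[[:space:]]*PEMKeyPassword:[[:space:]]*//p' "$3")
  [ -n "$a" ] && [ "$a" = "$b" ] && [ "$a" = "$c" ]
}

# check_keycert KEYCERT_PEM CERT_PEM PASSWORD HOSTNAME ROOT_CA_PEM
# Returns 0 when the encrypted key in KEYCERT_PEM opens with PASSWORD, matches
# the leaf certificate, the leaf's SAN lists HOSTNAME, and the leaf chains to
# ROOT_CA_PEM (intermediates are taken from CERT_PEM, the "-nokeys" export).
check_keycert() {
  keycert=$1; chain=$2; pw=$3; host=$4; root=$5
  work=$(mktemp -d)
  fail() { echo "FAIL: $1" >&2; rm -rf "$work"; return 1; }
  # Split the combined file: feeding an encrypted key to "openssl x509" makes
  # OpenSSL 3 prompt for a passphrase, and "openssl verify" must see certs only.
  sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$keycert" > "$work/key.pem"
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$keycert" > "$work/certs.pem"
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$chain" > "$work/chain.pem"
  openssl x509 -in "$work/certs.pem" -out "$work/leaf.pem" 2>/dev/null \
    || { fail "no certificate found in $keycert"; return 1; }
  # 1. the key decrypts with the password cert.conf, nginx and mongod will use
  keypub=$(openssl pkey -in "$work/key.pem" -passin "pass:$pw" -pubout 2>/dev/null) \
    || { fail "private key does not decrypt with the given password"; return 1; }
  # 2. the key belongs to the leaf certificate (identical SubjectPublicKeyInfo)
  certpub=$(openssl x509 -in "$work/leaf.pem" -noout -pubkey)
  [ "$keypub" = "$certpub" ] \
    || { fail "private key does not match the certificate"; return 1; }
  # 3. the SAN covers the name clients will connect with
  openssl x509 -in "$work/leaf.pem" -noout -text | grep -A1 'Subject Alternative Name' \
    | grep -qE "DNS:$host(,|\$)" \
    || { fail "SAN does not list $host"; return 1; }
  # 4. the chain validates up to the root the CA published
  openssl verify -CAfile "$root" -untrusted "$work/chain.pem" "$work/leaf.pem" >/dev/null 2>&1 \
    || { fail "chain does not verify against $root"; return 1; }
  rm -rf "$work"
  echo "OK: $keycert is consistent for $host"
}

# make_fixture DIR PASSWORD HOSTNAME
# Constructed test data: a self-signed root CA and a leaf for HOSTNAME, packed
# into a PKCS#12 under the "tomcat" friendly name, then exported with the same
# two "openssl pkcs12" commands the article uses.
make_fixture() {
  dir=$1; pw=$2; host=$3
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'subjectAltName=DNS:%s,DNS:localhost,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.csr" -subj '/CN=Lab Test Root CA' 2>/dev/null
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 2 -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj "/CN=$host" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial -days 2 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
  openssl pkcs12 -export -name tomcat -inkey "$dir/leaf.key" -in "$dir/leaf.pem" -certfile "$dir/ca.pem" -out "$dir/mykeystore.p12" -passout "pass:$pw"
  openssl pkcs12 -nokeys -in "$dir/mykeystore.p12" -out "$dir/$host-self.cert.pem" -passin "pass:$pw" -passout "pass:$pw" 2>/dev/null
  openssl pkcs12 -in "$dir/mykeystore.p12" -out "$dir/$host-self.keycert.pem" -passin "pass:$pw" -passout "pass:$pw" 2>/dev/null
}

# Stand-alone demo: one passing run and one with the wrong PEM password.
demo() {
  d=$(mktemp -d)
  make_fixture "$d" veritas2 nb5240-01
  check_keycert "$d/nb5240-01-self.keycert.pem" "$d/nb5240-01-self.cert.pem" veritas2 nb5240-01 "$d/ca.pem"
  check_keycert "$d/nb5240-01-self.keycert.pem" "$d/nb5240-01-self.cert.pem" wrongpw nb5240-01 "$d/ca.pem"
  rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument demo to see one passing and one failing check against the constructed CA. On an appliance, call check_keycert with the two paths from /etc/vxos-ssl/cert.conf, the password from /etc/nginx/nginx_ssl.pass, the host name that was put in the CSR's SAN, and the CA's root certificate file; a FAIL on step 1 is the mismatch that otherwise surfaces only as SSL errors in /log/mongodb/mongod.log after the restart.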
References
For more information on keytool usage, refer to https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html.
For more information on openssl usage, refer to https://www.openssl.org/. For more information on PKCS#7 and PKCS#12, refer to https://en.wikipedia.org/wiki/PKCS.