How to generate and implement a third party signed SSL Web Service certificate (CA signed) on NetBackup 3.1.x-4.1.x appliances

Article: 100042837
Last Published: 2022-07-06
Product(s): Appliances

Description

This article describes how to generate and add a third-party CA signed SSL certificate to implement web service support on NetBackup 3.1.x - 4.1.x appliances.  The appliance uses a Java KeyStore (JKS) as the repository of security certificates.  A JKS is a repository of security certificates, such as the authorization certificates or the public key certificates that are used, for instance, in SSL encryption.

Overview of Steps

Most of the steps are carried out on the NetBackup appliance, and they are run from your working directory.

The following steps are required in order to use a third party Certificate Authority (CA) signed certificate with the NetBackup Appliance Web Console instead of the default self-signed certificate for client/host validation:

  1. Before you begin: save copies of the keystore, certificate pem files, config files and password files.  (See Important Notes below)
  2. Generate your own tomcat keystore.
  3. Create a certificate signing request (CSR) file, and send/upload the contents of this CSR to the third party CA for a signed certificate chain.  After the CA signs the request, they will provide a signed certificate in several possible forms. 
  4. Import the signed certificate reply.
  5. Remove the /opt/apache-tomcat/security/keystore file and replace it with the new one. 
  6. Export the "tomcat" alias certificate stored in the keystore to PKCS#12 format.
  7. Export all keystore certificates (private key included) in PKCS#12 format to a readable PEM certificate (X.509) file. 
  8. Copy the third party CA signed keystore, certificate PEM files to the Web Server services directories.
  9. Update the password of the tomcat keystore and other SSL certificate related config files, only if a password other than the default "appliance" password is used. 
  10. Restart all Web Server related services.
  11. Validation
  12. Perform test connection to the Web Server services.

 

Important Notes

Please read and understand these steps completely before starting this procedure.  It is crucial to understand the tomcat keystore, the certificate chain and the commands used before starting this procedure.

 

Before starting the steps in this article, make sure you have a good backup copy of the keystore, certificate pem files, config files and password files:

  • /opt/apache-tomcat/security/keystore
  • /opt/apache-tomcat/vxos/conf/server.xml
  • /opt/apache-tomcat/vrts/config/tomcat_keystore.conf
  • /etc/rc.d/init.d/as-functions
    • (make a save copy of this init startup script, and DO NOT put the copy in /etc/rc.d/init.d)
  • /etc/nginx/nginx_ssl.pass
  • /etc/vxos-ssl/cert.conf
  • /etc/mongod.conf
  • /etc/vxos-ssl/servers/certs/{hostname}*.pem

Move the cron related files aside (they are put back at the end of the procedure):

  • # cd /etc/cron.d 
    • # mv as-* cronjob_soa /tmp

Note: on 4.1.x appliances the tomcat keystore type is BCFKS.  So on 4.1.x appliances run the following command once, before any of the keytool commands below, to set a shell alias for keytool: 

alias keytool='keytool -J--module-path=/opt/IMAppliance/lib/soacommon/thirdparty/ccj.jar -J--add-modules=ccj -J--add-exports=java.base/sun.security.provider=ccj -J--add-exports=java.base/sun.security.internal.spec=ccj -storetype BCFKS'

Stop AutoSupport and WebService related services:

  • /opt/IMAppliance/scripts/infraservices.sh database stop
    • systemctl status mongod
    • IF STILL NOT STOPPED:  systemctl stop mongod
  • /opt/IMAppliance/scripts/infraservices.sh webserver stop

Throughout the procedure:

  • Always specify "tomcat" for the -alias, -srcalias and -destalias options where applicable.
  • Always specify the same password for the keystore and SSL key, if a password other than the default "appliance" password is used.  In these examples, veritas2 is used to show how to use a different password.

 

IMPORTANT!!! Do not use non-alphanumeric characters when setting the keypass password.

keypass is the password used to protect the private key of the generated key pair.

keypass must be at least 6 characters long.

DO NOT use non-alphanumeric characters in the keypass password. (See chart)

A keypass with non-alphanumeric characters is accepted by the initial steps of the document below, but step 10 will fail with the error below. Please see the internal notes section.

ERROR: non-alphanumric character is not supported

Some Common Non-Alphanumeric Characters

  Character   Name
  #           Number sign
  @           At sign
  -           Dash
  .           Period
  $           Dollar sign
  *           Asterisk
  (           Left parenthesis
  )           Right parenthesis
  +           Plus sign
  ;           Semicolon
  ~           Tilde
  :           Colon
  '           Apostrophe
  /           Slash
  %           Percent sign
  _           Underscore
  ?           Question mark
  ,           Comma
  =           Equals sign
  &           Ampersand
  !           Exclamation mark
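As an added example (not part of the Veritas article), the following POSIX shell pre-flight script checks a candidate keypass against the rules above before anything is generated, and takes the backup copies listed under Important Notes into a directory of your choice. It keeps each file's original path below that directory, so nothing is written back into /etc/rc.d/init.d. The function names and the backup directory layout are this example's own choices; the file list is the article's.

```shell
#!/bin/sh
# Added example: pre-flight checks for the certificate procedure. Not the appliance's own tooling.

# check_keypass PASSWORD
# Enforces the keypass rules from the Important Notes: at least 6 characters, alphanumeric only.
# The appliance only rejects other characters at the password-update step, long after the
# keystore has been generated, so this catches the problem before any work is done.
check_keypass() {
  pw=$1
  if [ ${#pw} -lt 6 ]; then
    echo "keypass must be at least 6 characters long" >&2
    return 1
  fi
  # Strip every ASCII letter and digit; anything left over is a forbidden character.
  leftover=$(printf '%s' "$pw" | tr -d 'A-Za-z0-9')
  if [ -n "$leftover" ]; then
    echo "keypass contains non-alphanumeric character(s): $leftover" >&2
    return 1
  fi
  return 0
}

# backup_cert_files DEST FILE...
# Copies each existing FILE below DEST (created as needed), preserving mode and timestamps.
# /etc/rc.d/init.d/as-functions ends up as DEST/etc/rc.d/init.d/as-functions, never back in /etc/rc.d/init.d.
backup_cert_files() {
  dest=$1; shift
  for f in "$@"; do
    if [ -e "$f" ]; then
      mkdir -p "$dest$(dirname "$f")" || return 1
      cp -p "$f" "$dest$f" || return 1
    else
      echo "warning: $f not found, skipping" >&2
    fi
  done
  return 0
}

# preflight KEYPASS BACKUP_DIR
# Validates the password, then backs up the article's list of keystore, config and password files.
preflight() {
  check_keypass "$1" || return 1
  backup_cert_files "$2" \
    /opt/apache-tomcat/security/keystore \
    /opt/apache-tomcat/vxos/conf/server.xml \
    /opt/apache-tomcat/vrts/config/tomcat_keystore.conf \
    /etc/rc.d/init.d/as-functions \
    /etc/nginx/nginx_ssl.pass \
    /etc/vxos-ssl/cert.conf \
    /etc/mongod.conf \
    /etc/vxos-ssl/servers/certs/*.pem
}

# Usage on the appliance: sh preflight.sh {password} /home/maintenance/cert-work/backup
if [ $# -ge 2 ]; then
  preflight "$1" "$2" && echo "pre-flight OK, backups under $2"
fi
```

Run it with the password you intend to use for -keypass and -storepass; a rejection here means the same value would be rejected by tomcat_instance.py later, after the keystore and CSR have already been built with it.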

Steps

In the following steps, the commands specify hostnames that are specific to a lab environment.  Be sure to change the hostnames in the commands to reflect the actual appliance hostname, which will vary depending on what was selected during initial setup.  All commands are run at the shell command prompt; to reach it, go to CLISH > Support > Maintenance and run elevate.

All certificate related files and keystore will be created in your working directory on the appliance.

Make a save copy of the keystore, certificate pem files, config files and password files.  (See Important Notes)

Make a working directory under the maintenance directory, and cd to it.

 

Example:

nb5240-01:~ # mkdir /home/maintenance/cert-work

nb5240-01:~ # cd /home/maintenance/cert-work

 

Generate a new tomcat keystore:

keytool -genkeypair -alias tomcat -dname "CN={common_name}, OU={organization_unit}, O={organization}, L={location}, ST={State_Province}, C={Country_code}" -keypass {password} -keyalg RSA -keystore mykeystore -storepass {password; see notes about the password} -keysize 2048

 

Example:

nb5240-01:/home/maintenance/cert-work # keytool -genkeypair -alias tomcat -dname "CN=KK, OU=sydlab, O=veritas, L=Sydney, ST=NSW, C=au" -keypass veritas2 -keyalg RSA -keystore mykeystore -storepass veritas2 -keysize 2048 

 

Create a certificate signing request (CSR) file, and send/upload the contents of this CSR to the third party CA for a signed certificate chain.  Every SAN entry needs its dns: or ip: prefix, and entries are separated by commas:

keytool -certreq -alias tomcat -keyalg RSA -file {certreq.csr}  -keypass {password} -keystore {mykeystore}  -storepass {password} -sigalg SHA256withRSA -ext SAN=dns:{appliance-shortname},ip:{IP for host name},dns:{appliance_FQDN_hostname},ip:{any additional IPs},dns:{Any other hostnames for this host},dns:localhost,ip:127.0.0.1

 

Note:  It may also be necessary to add further dns: entries for any other host names the appliance answers to, and ip: entries for additional IPs, to stop browsers showing the certificate as untrusted.

 

This creates a CSR for the entity identified by the default alias tomcat and puts the request in the file named certreq.csr.  Submit this file to a CA, which returns a certificate or a chain of certificates, signed by the CA, authenticating your public key.  (cat the certreq.csr file, then copy and paste its content to the third party CA, often via a web browser signing form.  Provide the third party CA the text between "-----BEGIN NEW CERTIFICATE REQUEST-----" and "-----END NEW CERTIFICATE REQUEST-----".)

 

Example:

nb5240-01:/home/maintenance/cert-work # keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore mykeystore -storepass veritas2   -keypass veritas2 -sigalg SHA256withRSA -ext SAN=dns:nb5240-01,dns:nb5240-01.applab.vrts,dns:localhost,ip:127.0.0.1

 

nb5240-01:/home/maintenance/cert-work # cat certreq.csr

-----BEGIN NEW CERTIFICATE REQUEST-----

MIIDJjCCAg4CAQAwXDELMAkGA1UEBhMCYXUxDDAKBgNVBAgTA05TVzEPMA0GA1UE

BxMGU3lkbmV5MRAwDgYDVQQKEwd2ZXJpdGFzMQ8wDQYDVQQLEwZzeWRsYWIxCzAJ

 

... {SNIP}

 

ynqZXCoNL9nkQVkbHscDhJ1TmwTrIMZGV2WkCebQlrdCzoM5zoz3Y8wx

-----END NEW CERTIFICATE REQUEST-----
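As an added example (not part of the article), a POSIX shell helper that assembles the -ext SAN value from a list of host names and addresses and hands it to the article's keytool -certreq command. The dns:/ip: prefixes and the commas between entries are easy to get wrong when the option is typed by hand; the helper adds them and drops duplicates. build_san and make_csr are names chosen for this example, and the 10.0.0.5 address is constructed.

```shell
#!/bin/sh
# Added example: SAN builder for the article's CSR step. Not the appliance's own tooling.

# build_san NAME...
# Prints the value for keytool's "-ext SAN=..." option. Arguments that look like dotted-quad
# IPv4 addresses become "ip:" entries, everything else becomes "dns:"; localhost and
# 127.0.0.1 are always appended, as in the article's CSR command. Duplicates are dropped.
build_san() {
  san=""
  for n in "$@" localhost 127.0.0.1; do
    case $n in
      *[!0-9.]*) entry="dns:$n" ;;  # letters or other characters: a host name
      *.*.*.*)   entry="ip:$n" ;;   # digits with at least three dots: an IPv4 address (loose check)
      *)         entry="dns:$n" ;;  # digits only: not an address, treat as a name
    esac
    case ",$san," in
      *",$entry,"*) continue ;;     # already listed
    esac
    san="${san:+$san,}$entry"
  done
  printf 'SAN=%s\n' "$san"
}

# make_csr KEYSTORE PASSWORD OUTFILE NAME...
# Runs the article's "keytool -certreq" for the tomcat alias with the SAN built from NAME...
# keytool is only present on the appliance; on 4.1.x set the BCFKS alias first (see Important Notes).
make_csr() {
  ks=$1; pw=$2; out=$3; shift 3
  san=$(build_san "$@")
  keytool -certreq -alias tomcat -keyalg RSA -file "$out" -keystore "$ks" \
    -storepass "$pw" -keypass "$pw" -sigalg SHA256withRSA -ext "$san"
}

# Example with the article's lab names and a constructed address (10.0.0.5 is not from the article):
build_san nb5240-01 10.0.0.5 nb5240-01.applab.vrts
# prints: SAN=dns:nb5240-01,ip:10.0.0.5,dns:nb5240-01.applab.vrts,dns:localhost,ip:127.0.0.1
```

On the appliance the call would be `make_csr mykeystore veritas2 certreq.csr nb5240-01 nb5240-01.applab.vrts {IP for host name}`, after which `openssl req -noout -text -in certreq.csr` (from the Validation section) shows the Subject Alternative Name entries that were requested.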

 

Import the signed certificate reply.

The test scenario covered by the example below is a PKCS#7 (.p7b) signed certificate chain reply.  The keytool command can import X.509 v1, v2, and v3 certificates, and PKCS#7 formatted certificate chains consisting of certificates of that type.  This would also support a .CER file if there is no intermediate certificate.  The data to be imported must be provided either in binary encoding format or in printable encoding format (Base64 encoding).

 

NOTE: repeat the command in these steps for any intermediate CA certificates adjusting the alias name to reflect the level. This must be done in order.

For example, if there is a root CA and two intermediate CA's then the order to import would be:

- root ca (import this first)

- next closest intermediate CA in the chain

- next closest intermediate CA in the chain

- the signed certificate (last)

 

 

Import the root CA certificate:

# keytool -import -alias root -keystore mykeystore -trustcacerts -file {signed-cert-reply} 

...answer 'yes' if the certificate contents look correct

 

(If needed) Import the intermediate certificate(s):

# keytool -import -alias intermediate -keystore mykeystore -trustcacerts -file {signed-cert-reply} 

...answer 'yes' if the certificate contents look correct

 

Import the signed certificate:

# keytool -importcert -alias tomcat -trustcacerts -file {signed-cert-reply} -keystore mykeystore -storepass {password}

 

 

Example:

nb5240-01:/home/maintenance/cert-work # keytool -importcert -alias tomcat -trustcacerts -file signed-cert.p7b -keystore mykeystore -storepass veritas2

 

Top-level certificate in reply:

 

Owner: CN=labs-ROS-BL-AD-CA-1, DC=labs, DC=veritas, DC=com

Issuer: CN=labs-ROS-BL-AD-CA-1, DC=labs, DC=veritas, DC=com

Serial number: 391f7b4f3082619643203165a665e4ad

Valid from: Fri May 19 03:06:20 AEST 2017 until: Thu May 19 03:16:19 AEST 2022

Certificate fingerprints:

         MD5:  BA:BD:8B:52:8D:AF:6D:CF:C3:7E:41:18:F1:C6:81:C8

         SHA1: 64:F7:6F:05:4F:BC:B0:D5:71:B5:CD:F4:D1:96:4A:7B:DD:4F:53:F7

         SHA256: 43:E8:FA:A7:13:D3:CA:2D:C7:8D:5D:8A:BE:42:F1:CF:2F:AD:ED:1F:BA:85:FE:1F:C6:96:B0:1F:AD:84:82:98

Signature algorithm name: SHA256withRSA

Subject Public Key Algorithm: 2048-bit RSA key

Version: 3

 

... {SNIP}

 

#5: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: BE 6A AD 19 1D C1 97 86   56 F5 CB 6B 5C DA 6E 94  .j......V..k\.n.

0010: 0C 22 EC FE                                        ."..

]

]

 

... is not trusted. Install reply anyway? [no]:  yes

Certificate reply was installed in keystore

 

Remove the /opt/apache-tomcat/security/keystore file and replace it with the new keystore. 

This assumes the user is still in the working directory where the new keystore was just created.

# rm -f /opt/apache-tomcat/security/keystore

# cp mykeystore /opt/apache-tomcat/security/keystore

# chown tomcat:tomcat /opt/apache-tomcat/security/keystore

# chmod 600 /opt/apache-tomcat/security/keystore

 

 

Export the "tomcat" alias certificate stored in the keystore to PKCS#12 format.

# keytool -importkeystore -srckeystore {mykeystore} -destkeystore {mykeystore.p12}  -deststoretype PKCS12 -srcalias tomcat -destalias tomcat -srcstorepass {password} -deststorepass {password} -srckeypass {password} -destkeypass {password} -noprompt

 

Example:

nb5240-01:/home/maintenance/cert-work # keytool -importkeystore -srckeystore mykeystore -destkeystore mykeystore.p12  -deststoretype PKCS12 -srcalias tomcat -destalias tomcat -srcstorepass veritas2 -deststorepass veritas2 -srckeypass veritas2 -destkeypass veritas2

Importing keystore mykeystore to mykeystore.p12...

 

 

Export all keystore certificates (private key included) in PKCS#12 format to a readable PEM certificate (X.509) file. 

Transfer the contents of /home/maintenance/cert-work/mykeystore.p12 to the /etc/vxos-ssl/servers/certs/{hostname}-self.keycert.pem and /etc/vxos-ssl/servers/certs/{FQDN hostname or short hostname}-self.cert.pem files:

 

# openssl pkcs12 -nokeys -in mykeystore.p12 -out /etc/vxos-ssl/servers/certs/{hostname}-self.cert.pem -passin pass:{password}  -passout pass:{password}

 

 

NOTE: this one excludes the '-nokeys' argument because we want to export the encrypted private key to the {shortname}-self.keycert.pem file:

# openssl pkcs12 -in mykeystore.p12 -out /etc/vxos-ssl/servers/certs/{hostname}-self.keycert.pem -passin pass:{password} -passout pass:{password}

 

Alternatively, write the file to the working directory and copy it to /etc/vxos-ssl/servers/certs afterwards (this is what the example below does):

openssl pkcs12 -in mykeystore.p12 -out {hostname}-self.keycert.pem -passin pass:{password} -passout pass:{password}

 

Note:  The readable PEM certificate file is named {hostname}-self.keycert.pem.  Run "grep server_cert /etc/vxos-ssl/cert.conf" to get the keycert PEM file name.

 

Example:

nb5240-01:/home/maintenance/cert-work # grep server_cert /etc/vxos-ssl/cert.conf

server_cert=/etc/vxos-ssl/servers/certs/nb5240-01-self.keycert.pem

 

nb5240-01:/home/maintenance/cert-work # openssl pkcs12 -in mykeystore.p12 -out nb5240-01-self.keycert.pem -passin pass:veritas2 -passout pass:veritas2

MAC verified OK

 

nb5240-01:/home/maintenance/cert-work # cat nb5240-01-self.keycert.pem

Bag Attributes

    friendlyName: tomcat

    localKeyID: 54 69 6D 65 20 31 35 32 34 31 31 37 30 38 37 34 36 38

Key Attributes: <No Attributes>

-----BEGIN ENCRYPTED PRIVATE KEY-----

MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIQxBjCw5XDtsCAggA

MBQGCCqGSIb3DQMHBAgeaC9mjPJTswSCBMhbmmTerUHWapzKaMgzvwleBsCfFICQ

 

... {SNIP}

 

Kn4TRcq6SCuvzmoFMZRd1NHOIwSeJtXDpPNtnY5kC8b1U/WrAAOpej2/ks+ApPXJ

Bvc=

-----END ENCRYPTED PRIVATE KEY-----

Bag Attributes

    friendlyName: tomcat

    localKeyID: 54 69 6D 65 20 31 35 32 34 31 31 37 30 38 37 34 36 38

subject=/C=au/ST=NSW/L=Sydney/O=veritas/OU=sydlab/CN=KK

issuer=/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1

-----BEGIN CERTIFICATE-----

MIIF2jCCBMKgAwIBAgITQQAAAFWZsO5GcEr2FAAAAAAAVTANBgkqhkiG9w0BAQsF

 

... {SNIP}

 

F0jdjKtbxrx/9NmDRqO2i3WiU7GWbrXs1FL+1kS0/uZbFl+5nDvJUuyGpHoyYyov

+OWwpK7TLfOj+a3M0lo=

-----END CERTIFICATE-----

Bag Attributes

    friendlyName: CN=labs-ROS-BL-AD-CA-1,DC=labs,DC=veritas,DC=com

subject=/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1

issuer=/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1

-----BEGIN CERTIFICATE-----

MIIDtzCCAp+gAwIBAgIQOR97TzCCYZZDIDFlpmXkrTANBgkqhkiG9w0BAQsFADBi

 

... {SNIP}

 

Ku4fK4dxI38zxxGg6XtZOk3cXM3cqnN/dAO9Q5d76OOcNq+pLyvo3WJTUQ==

-----END CERTIFICATE-----

 

Update the password of the tomcat keystore and other SSL certificate related config files, only if a password other than the default "appliance" password is used.  This procedure used a different password in each example to demonstrate this option.  This step can be skipped, if the password of keystore and SSL key certificate is the default "appliance" password.

 

Make sure a good backup copy of keystore password, and config files has already been created.

Update tomcat keystore password:

 

/opt/apache-tomcat/vrts/scripts/tomcat_instance.py update  --keystore  --password {password}

 

Edit /opt/apache-tomcat/vxos/conf/server.xml, search for "keystorePass=", then update the password.

Edit /etc/rc.d/init.d/as-functions, search for "Tomcat_Keystore_Passwd=", then update the password.

 

 

Example:

nb5240-01:~ # /opt/apache-tomcat/vrts/scripts/tomcat_instance.py update  --keystore  --password veritas2

 

nb5240-01:/opt/apache-tomcat/vrts/config # cat tomcat_keystore.conf

keystoreFile=/opt/apache-tomcat/security/keystore

keyAlias=tomcat

keystorePass=veritas2

 

nb5240-01:~ # grep -i storepass /opt/apache-tomcat/vxos/conf/server.xml

    <Connector SSLEnabled="True" Server=" " URIEncoding="UTF-8" acceptCount="100" ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" compressableMimeType="text/html,text/xml,text/javascript,text/css" compression="on" compressionMinSize="10" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keyAlias="tomcat" keystoreFile="/opt/apache-tomcat/security/keystore" keystorePass="veritas2" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" port="8446" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslEnabledProtocols="TLSv1.2" useBodyEncodingForURI="true" useServerCipherSuitesOrder="true" />

 

# grep -i Tomcat_Keystore_Passwd  /etc/rc.d/init.d/as-functions

Tomcat_Keystore_Passwd="veritas2"

...

Update SSL key password:

Update "pem_password" setting in /etc/vxos-ssl/cert.conf.

Update the password in /etc/nginx/nginx_ssl.pass.

Update "PEMKeyPassword" setting in /etc/mongod.conf

 

Example:

nb5240-01:/home/maintenance # cat /etc/vxos-ssl/cert.conf

server_cert=/etc/vxos-ssl/servers/certs/nb5240-01-self.keycert.pem

client_cert=/etc/vxos-ssl/servers/certs/nb5240-01-self.cert.pem

pem_password=veritas2

 

nb5240-01:/home/maintenance # cat /etc/nginx/nginx_ssl.pass

veritas2

 

nb5240-01:/home/maintenance # grep -i password /etc/mongod.conf

    PEMKeyPassword: veritas2

Restart all Web Server related services.

First start the mongoDB process and check for SSL errors:

# /opt/IMAppliance/scripts/infraservices.sh database start

Ensure it is running:

# ps -ef | grep /usr/bin/mongod | grep -v grep

Check log for SSL/ssl errors:

# tail /log/mongodb/mongod.log

 

# systemctl start nginx

 

Start webserver (tomcat-vxos) and then start AutoSupport:

# /opt/IMAppliance/scripts/infraservices.sh webserver start

 

# service as-alertmanager start ; service as-analyzer start ; service as-transmission start ; service as-collector start ; sh /opt/SYMCnbappgui/bin/appwebadmin.sh start

 

Put the cron related files back:

# cp -p /tmp/as-* /etc/cron.d

# cp -p /tmp/cronjob_soa /etc/cron.d

 

Validation

View contents of the keystore:

# keytool -v -list -keystore /opt/apache-tomcat/security/keystore | less

 

View contents of the pem file:

# openssl x509 -in /etc/vxos-ssl/servers/certs/{hostname}-self.keycert.pem -inform pem -noout -text | less

# openssl x509 -in /etc/vxos-ssl/servers/certs/{hostname}-self.cert.pem -inform pem -noout -text | less

 

View contents of the Certificate Signing Request (CSR) contents:

# openssl req -noout -text -in certreq.csr

View the certificate chain as served by the web server:

# openssl s_client -CAfile /etc/vxos-ssl/servers/certs/{hostname}-self.cert.pem -connect localhost:8446

 

Perform test connection to the Web Server services.

This runs the web UI dedupe summary widget.  If it fails, it reports an SSL error with mongod, indicating a problem with the cert chain in the /etc/vxos-ssl/servers/certs/{hostname}-self.cert.pem file. 

# /opt/NBUAppliance/bin/perl -I /opt/NBUAppliance/scripts/ /opt/NBUAppliance/scripts/landing_report.pl --getDedupeRatio --show

 

Use the "curl" command to connect to the Web URL.

Use "openssl" with "s_client -connect" to test the SSL certificates. Press "Ctrl-D" to terminate the connection, or wait 300 sec (the default time-out) for the connection to close.

Use keytool with the -list option to view the tomcat alias info stored in the keystore.

Test connectivity to the Appliance Web Console.  The HTTPS connection will be “trusted” in the browser, which is represented as a padlock icon in most browsers.  Check the certificate in the browser by using the browser’s functions to "view a certificate" to further confirm it is the expected certificate.

 

Examples:

nb5240-01:/home/maintenance # curl --tlsv1.2 -k -i -X POST -d '{"username":"admin","password":"P@ssw0rd","clientId":"webgui"}' -H "Content-Type:application/json" https://localhost:8446/appliance/authservice/api/v1/auth/login

 

HTTP/1.1 200 OK

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Cache-Control: no-cache, no-store, max-age=0, must-revalidate

Pragma: no-cache

Expires: 0

Strict-Transport-Security: max-age=31536000 ; includeSubDomains

X-Frame-Options: DENY

Content-Type: application/json;charset=UTF-8

Transfer-Encoding: chunked

Date: Fri, 20 Apr 2018 05:38:31 GMT

Server:

 

{"tokenType":"bearer","accessToken":"29ae340b-5616-48ed-adfb-e432511ae3db","accessTokenExpTime":1799,"refreshToken":"b99c500d-19ff-48c3-947f-cf4ad449d8f8","scope":"read write"}

 

 

nb5240-01:/home/maintenance # openssl s_client -connect localhost:443

CONNECTED(00000003)

depth=1 DC = com, DC = veritas, DC = labs, CN = labs-ROS-BL-AD-CA-1

verify error:num=19:self signed certificate in certificate chain

---

Certificate chain

0 s:/C=au/ST=NSW/L=Sydney/O=veritas/OU=sydlab/CN=KK

   i:/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1

1 s:/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1

   i:/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1

---

Server certificate

-----BEGIN CERTIFICATE-----

MIIF2jCCBMKgAwIBAgITQQAAAFWZsO5GcEr2FAAAAAAAVTANBgkqhkiG9w0BAQsF

 

... {SNIP}

 

F0jdjKtbxrx/9NmDRqO2i3WiU7GWbrXs1FL+1kS0/uZbFl+5nDvJUuyGpHoyYyov

+OWwpK7TLfOj+a3M0lo=

-----END CERTIFICATE-----

subject=/C=au/ST=NSW/L=Sydney/O=veritas/OU=sydlab/CN=KK

issuer=/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1

---

No client certificate CA names sent

Peer signing digest: SHA512

Server Temp Key: ECDH, P-256, 256 bits

---

SSL handshake has read 3135 bytes and written 415 bytes

---

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : ECDHE-RSA-AES128-GCM-SHA256

    Session-ID: 66EF8E1F4A85002C37C87AE5C648E7EDFCB1D8D869F1239BB6A97E3AEC3A2DC8

    Session-ID-ctx:

    Master-Key: A38484C428983C51A65B9ECEF90AA9EE4BB54C09437E37AD2BB00A6E5EFFCE2CAEFC384BE17102E9F6E8B7258538819B

    Key-Arg   : None

    Krb5 Principal: None

    PSK identity: None

    PSK identity hint: None

    TLS session ticket lifetime hint: 300 (seconds)

    TLS session ticket:

    0000 - a4 fa 0b 7d 16 52 5d 35-98 be 84 4b 89 0a 6f ba   ...}.R]5...K..o.

 

... {SNIP}

 

    Start Time: 1524202988

    Timeout   : 300 (sec)

    Verify return code: 19 (self signed certificate in certificate chain)

---

DONE

 

 

nb5240-01:/home/maintenance # openssl s_client -connect localhost:8446

CONNECTED(00000003)

depth=1 DC = com, DC = veritas, DC = labs, CN = labs-ROS-BL-AD-CA-1

verify error:num=19:self signed certificate in certificate chain

---

Certificate chain

0 s:/C=au/ST=NSW/L=Sydney/O=veritas/OU=sydlab/CN=KK

   i:/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1

1 s:/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1

   i:/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1

---

Server certificate

-----BEGIN CERTIFICATE-----

MIIF2jCCBMKgAwIBAgITQQAAAFWZsO5GcEr2FAAAAAAAVTANBgkqhkiG9w0BAQsF

 

... {SNIP}

 

F0jdjKtbxrx/9NmDRqO2i3WiU7GWbrXs1FL+1kS0/uZbFl+5nDvJUuyGpHoyYyov

+OWwpK7TLfOj+a3M0lo=

-----END CERTIFICATE-----

subject=/C=au/ST=NSW/L=Sydney/O=veritas/OU=sydlab/CN=KK

issuer=/DC=com/DC=veritas/DC=labs/CN=labs-ROS-BL-AD-CA-1

---

No client certificate CA names sent

Peer signing digest: SHA512

Server Temp Key: ECDH, P-256, 256 bits

---

SSL handshake has read 2944 bytes and written 415 bytes

---

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : ECDHE-RSA-AES128-GCM-SHA256

    Session-ID: 5AD97F10293B13E8CC67C71FFB6D712E524906A76F8D782E696CF80DFF5C1C7D

    Session-ID-ctx:

    Master-Key: 785700C83685C8957689461CA97120556313B181DE311BF6FA2CAE2CCB602ADE26C0F17FBF7540F720CE277241520275

    Key-Arg   : None

    Krb5 Principal: None

    PSK identity: None

    PSK identity hint: None

    Start Time: 1524203280

    Timeout   : 300 (sec)

    Verify return code: 19 (self signed certificate in certificate chain)

---

closed

 

 

nb5240-01:/home/maintenance # keytool -list -v -keystore /opt/apache-tomcat/security/keystore -storepass veritas2 | less

 

Keystore type: JKS

Keystore provider: SUN

 

Your keystore contains 105 entries

 

Alias name: verisignclass2g2ca [jdk]

Creation date: Apr 20, 2018

Entry type: trustedCertEntry

 

... {SNIP}

 

 

Alias name: tomcat

Creation date: Apr 19, 2018

Entry type: PrivateKeyEntry

Certificate chain length: 2

Certificate[1]:

Owner: CN=KK, OU=sydlab, O=veritas, L=Sydney, ST=NSW, C=au

Issuer: CN=labs-ROS-BL-AD-CA-1, DC=labs, DC=veritas, DC=com

Serial number: 410000005599b0ee46704af614000000000055

Valid from: Thu Apr 19 15:06:42 AEST 2018 until: Sat Apr 18 15:06:42 AEST 2020

Certificate fingerprints:

         MD5:  F8:3A:42:E1:7E:A8:F5:25:44:D5:EE:91:74:47:90:FF

         SHA1: 1B:5E:B4:E3:FF:FC:C1:64:07:77:77:93:34:F4:86:C7:C8:F4:D1:94

         SHA256: EE:5C:74:AB:8B:C9:E6:19:2C:AF:F9:24:EC:8F:D3:9C:94:77:97:AF:F2:F8:1C:A8:FF:1A:F6:B3:50:09:5E:05

Signature algorithm name: SHA256withRSA

Subject Public Key Algorithm: 2048-bit RSA key

Version: 3

 

 

... {SNIP}

References

For more information on keytool usage, refer to https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html.

For more information on openssl usage, refer to https://www.openssl.org/.

For more information on PKCS#7 and PKCS#12, refer to https://en.wikipedia.org/wiki/PKCS.

References

Etrack : 3943700
