
Import CA signed certificates to JKS


I got 4 .crt files from a CA, as follows:

AddTrustExternalCARoot.crt
COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt
demo_site_domain.crt

The second and third are intermediate certificates. I want to import the .crt file(s) into a wso2carbon.jks store and replace the existing JKS of a WSO2 server with it, as documented here. My problem is that the document wants wso2carbon as the alias, but I can import only one certificate using that alias, so which .crt file should I import? Or should I import a composite .crt file created from the above four .crt files (is that possible)? I tried with AddTrustExternalCARoot.crt and demo_site_domain.crt, but after I set up the .jks file in the WSO2 server, the server URL gives the following error:

Secure Connection Failed

The connection to ip:port was interrupted while the page was loading.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

What am I doing wrong here?

The WSO2 server that I am using is WSO2 UES, and I have to place the password in the following four files to overcome the "Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect" error.

repository/conf/security/cipher-text.properties
repository/conf/identity.xml
repository/conf/carbon.xml
repository/conf/tomcat/catalina-server.xml

UPDATE:

I followed the answer given, but the last command doesn't say "installed in keystore"; instead it says "Certificate was added to keystore". The following are my commands and responses:

keytool -importcert -keystore wso2carbon.jks -file AddTrustExternalCARoot.crt -alias commoroot -trustcacerts

Enter keystore password:
Re-enter new password:
Certificate already exists in system-wide CA keystore under alias
Do you still want to add it to your own keystore? [no]: yes
Certificate was added to keystore

keytool -importcert -keystore wso2carbon.jks -file COMODORSAAddTrustCA.crt -alias commointermediate1

Enter keystore password:
Certificate was added to keystore

keytool -importcert -keystore wso2carbon.jks -file COMODORSADomainValidationSecureServerCA.crt -alias commointermediate2

Enter keystore password:
Certificate was added to keystore

keytool -importcert -keystore wso2carbon.jks -file demo_site_domain.crt -alias wso2carbon

Enter keystore password:
Certificate was added to keystore


Solution

  • (Meta: I'm pretty sure this is a duplicate, but I can't find a good one. Answering anyway.)

    That page seems to be missing all of the dashes required on keytool commandline options and in PEM file formats; assuming you already corrected for that:

    In item 3 it says "you might have to import any intermediate certificates ... before you can import your [CA-]signed certificate". In fact, you do. There are two ways to do this:

    1: Import each cert other than your server (or other End Entity) cert, from the top down, to separate entries in the keystore; for your case:

    keytool -importcert -keystore wso2carbon.jks -file AddTrustExternalCARoot.crt -alias somealias1 -trustcacerts
    keytool -importcert -keystore wso2carbon.jks -file COMODORSAAddTrustCA.crt -alias somealias2
    keytool -importcert -keystore wso2carbon.jks -file COMODORSADomainValidationSecureServerCA.crt -alias somealias3


    where somealias{1,2,3} are aliases different from each other and different from any alias already in the keystore especially wso2carbon. (edit) (figured out how to get the code lines formatted correctly)

    Then import your server cert to the (edit) same alias in the same keystore file where the -genkeypair and -certreq were previously done (or alternatively to an alias which is a copy in this keystore of the PrivateKey entry that was earlier created by -genkeypair and -certreq):

    keytool -importcert -keystore wso2carbon.jks -file demo_site_domain.crt -alias wso2carbon

    This (last) step should say Certificate reply was installed in keystore, NOT Certificate was added to keystore. Otherwise it actually failed, even though it didn't give an error message.

    2: concatenate all the certs in one file, with the server (EE) cert first, and import that combined file to (edit) the same alias in the same keystore file used earlier (or to a copy of that privateKey entry):

    # assuming any kind of Unix
    cat demo_site_domain.crt COMODORSADomainValidationSecureServerCA.crt \
      COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >combinedfile
    # if Windows use copy a+b+etc or (for PEM) cut&paste in a plaintext editor like Notepad 
    keytool -importcert -keystore wso2carbon.jks -file combinedfile -alias wso2carbon -trustcacerts
    

    The order of the certs other than first doesn't actually matter here, but they will be stored in the keystore and used in the SSL/TLS protocol in "upward" order, so I use that order in the cat for consistency and clarity.

    (edit) If there is at any time any doubt what entries you have or don't have in a given keystore file, you can list them with keytool -list -v -keystore filename. Any entry you generate with -genkeypair is a PrivateKey entry, and will contain either a self-signed cert automatically generated by keytool or a certificate with chain you have obtained from a CA. The display format is rather straggly and can be confusing, but look for the lines like Certificate[1]: Certificate[2]: etc. followed immediately by lines for Owner: (which means Subject in standard terminology) and Issuer:. On the other hand each CA root or intermediate cert you import separately will be a trustedCert entry containing only that one cert.

    Also the page says you need to import your "signed certificate" into client-truststore.jks. I believe that's wrong. You DO usually need to put a self-signed cert in any client truststore(s), but you should NOT need to do this for a cert signed by a well-known CA, which Comodo/Addtrust is. However, it doesn't hurt to add an unnecessary but valid cert to the truststore.
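A check for the verification step described above, added here as an example and not part of the original answer: it parses a constructed, abbreviated keytool -list -v listing and confirms that the wso2carbon entry is a PrivateKeyEntry whose chain links each Issuer to the next Owner up to a self-signed root, while a separately imported CA cert shows up as a trustedCertEntry with a single cert. The alias somealias1 and the shortened DNs are assumptions.

```python
import re

# Constructed, abbreviated `keytool -list -v -keystore wso2carbon.jks` output (real output also has dates, serials, fingerprints)
SAMPLE_LISTING = """\
Alias name: wso2carbon
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=demo.example.com
Issuer: CN=COMODO RSA Domain Validation Secure Server CA
Certificate[2]:
Owner: CN=COMODO RSA Domain Validation Secure Server CA
Issuer: CN=COMODO RSA Certification Authority
Certificate[3]:
Owner: CN=COMODO RSA Certification Authority
Issuer: CN=AddTrust External CA Root
Certificate[4]:
Owner: CN=AddTrust External CA Root
Issuer: CN=AddTrust External CA Root
*******************************************
Alias name: somealias1
Entry type: trustedCertEntry
Owner: CN=AddTrust External CA Root
Issuer: CN=AddTrust External CA Root
"""

def parse_keytool_listing(text):
    """Map alias -> {"type": entry type, "chain": [(owner, issuer), ...]} in listed order."""
    entries = {}
    for block in re.split(r"\*{5,}", text):  # keytool separates entries with asterisk rules
        alias = re.search(r"^Alias name: (.+)$", block, re.M)
        if not alias:
            continue
        etype = re.search(r"^Entry type: (\w+)", block, re.M)
        owners = re.findall(r"^Owner: (.+)$", block, re.M)
        issuers = re.findall(r"^Issuer: (.+)$", block, re.M)
        entries[alias.group(1).strip()] = {"type": etype.group(1) if etype else "unknown", "chain": list(zip(owners, issuers))}
    return entries

def chain_problems(entry):
    """Explain what is wrong with the server entry's chain; an empty list means it is good."""
    problems = []
    if entry["type"] != "PrivateKeyEntry":  # "Certificate was added" instead of "reply was installed" lands here
        problems.append("not a PrivateKeyEntry")
    chain = entry["chain"]
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:  # Issuer of Certificate[n] must be Owner of Certificate[n+1]
            problems.append(f"Certificate[{i + 1}] issuer != Certificate[{i + 2}] owner")
    if not chain or chain[-1][0] != chain[-1][1]:  # last cert must be the self-signed root
        problems.append("chain does not end in a self-signed root")
    return problems
```

Run it over your own listing by replacing SAMPLE_LISTING with the captured output; an entry that reports "not a PrivateKeyEntry" is the symptom of the failed last import the answer describes.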