Self-signed certificate (CA) import into Windows certmgr.msc using Chrome or IE is not working - google-chrome

Using OpenSSL, I generated my own Certificate Authority (CA), and using this CA I generated a self-signed server certificate and key. This server certificate and key were used to configure the Apache HTTPD proxy and Tomcat server, which start successfully, and I am able to load the application UI and work as expected (all functionality is fine).
Now, since it is a self-signed server certificate, the browser URL bar shows "Certificate error" / "Not secure" every time. I try to import this certificate into my Windows Trusted Root Certification Authorities store using Chrome or IE. The certificate import is successful.
Looking at the certificate in the Windows Certificate Manager (certmgr.msc), Windows says it "does not have enough information to verify this certificate". When looking at the certification path, the only certificate shown is the certificate itself (with a yellow exclamation mark), and the certificate status indicates "The issuer of this certificate could not be found". Checking the certificate name, I find that instead of the CA certificate, the server certificate has been imported. While I can see the certificate in certmgr.msc, in the browser the imported certificate does not even show under Trusted Root Certification Authorities. The Common Name (CN), Subject Alternative Name (SAN) etc. are all present as expected, as I know they are important.
After I manually import the CA certificate (which I already have) separately from the browser, the UI loads with a green padlock as expected.
I checked online for suggestions and I can see that many threads exist, like this0, this1, this2, this3, this4 and this5, without much help. None of them solve this import issue without a manual CA cert import.
What am I missing? With the browser certificate import, why is the server certificate imported and not the CA certificate?
What should I do to import the CA certificate directly, reading it from the server certificate? Should we install the CA certificate manually? If yes, then how do I import this CA certificate on a remote machine when I try to access my application from outside the system (a remote system's browser)? Kindly help.

Finally I was able to figure out how to solve this issue. I am answering my own question here so that it might help anyone else facing the same issue.
Initially you generate your own CA and server private key, and then using that CA you sign the server certificate. We were using the Apache HTTPD proxy server, and in the configuration, along with SSLCertificateFile, SSLCACertificateFile needs to be set to the CA certificate. Upon loading the URL in the browser, "Certificate error" or "Not Secure" will be shown. When clicking through to import the certificate, under Certificate details you will see the CA certificate followed by the server certificate. Click to save the CA certificate locally to Trusted Root Certification Authorities (save the CA and NOT the server certificate) so that you install this CA (the one we created); once the CA certificate is imported successfully, the connection will be shown as secure with a green padlock in the URL bar. This can be done from the local machine or any remote machine accessing the URL.
All certificates that we newly generate and sign with this same CA will be inherently trusted thereafter.

Related

SSL handshake issue for one server

I have an SSL handshake issue on one of my servers. The certificate is CA-signed and the server is still showing "not secure".
I have another server using the same root chain and it is secure.
Root/intermediate certs and the CA itself are all uploaded on the machine and in the browser.
The chain is 100% valid, as it was identified via the Subject Key Identifier/Authority Key Identifier.
From the pcap I see this for the non-working one:
The CSR was verified to match the cert.
The server side never sends the ServerHello/Certificate message.
It does look like a server-side issue to me, not a client one.
Again, the same chain is used for another server and the browser considers it secure.
Can anyone assist?
Certs were uploaded to the Trusted Root Authorities store for the browser.
Installed on the machine itself (local machine and current user).
The cert itself was verified.
The certificate was verified in the server's DB, as well as its chain.

The server uses a certificate signed by an unknown authority

Any help or hint would be greatly appreciated!
I have Windows 11 Pro.
I installed OpenShift.
I did "crc setup" and I did "crc start":
INFO Adding crc-admin and crc-developer contexts to kubeconfig...
ERRO Cannot update kubeconfig: x509: certificate has expired or is not yet valid: current time 2022-05-24T00:01:26-04:00 is after 2022-01-13T22:29:55Z
Started the OpenShift cluster.
The server is accessible via web console at:
https://console-openshift-console.apps-crc.testing
I get the following error when I try to log in:
C:\Users\Albert Lam>oc login -u developer https://api.crc.testing:6443
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): n
error: The server uses a certificate signed by unknown authority. You may need to use the --certificate-authority flag to provide the path to a certificate file for the certificate authority, or --insecure-skip-tls-verify to bypass the certificate check and use insecure connections.
C:\Users\Albert Lam>oc login -u developer https://api.crc.testing:6443
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y
I had the same problem, and it was caused by an old certificate (a VMware one) that had expired and had nothing to do with OpenShift.
I found the problem by viewing the certificate inside my Chrome browser after navigating to https://console-openshift-console.apps-crc.testing.
The correct certificate should have *.apps-crc.testing as CN, but mine had another one.
I suggest you find the wrong certificate and delete it if it has expired.
On Windows, for VMware you can find it inside C:\ProgramData\VMware\SSL.
On Windows you can look for certificates by using the "Manage certificates" app.
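The check the answer above does by eye in the certificate manager (is the certificate expired, and is it really the one for *.apps-crc.testing?) can be scripted with the openssl CLI. The following is an added example, not code from this thread or from OpenShift/CRC: it audits a directory of PEM certificates for validity and for hostname coverage, and generates its own two sample certificates as constructed data (the "stale" one stands in for the unrelated VMware certificate; the file names and the vmware-host.local name are made up).

```shell
#!/bin/sh
# Added example, not code from this thread. Audits a directory of PEM
# certificates: is each one still valid, and does it cover the console host?
# Sample certificates are generated below (constructed data). Needs openssl.
set -e

# Exit 0 when the certificate is not expired right now.
cert_is_valid() {  # cert_is_valid <pem>
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Exit 0 when the certificate expires within <seconds>; use this to catch a
# rotation before it bites (e.g. 30 days = 2592000).
cert_expires_within() {  # cert_expires_within <pem> <seconds>
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Exit 0 when the SAN (or the CN, if there is no SAN) covers <host>. openssl
# applies the same wildcard rule a browser does, so *.apps-crc.testing
# matches console-openshift-console.apps-crc.testing but not a.b.apps-crc.testing.
cert_covers_host() {  # cert_covers_host <pem> <host>
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q '^Hostname .* does match'
}

# One line per certificate: VALID|EXPIRED MATCH|MISMATCH <file> <subject> <notAfter>
audit_dir() {  # audit_dir <dir> <host>
  for f in "$1"/*.pem; do
    [ -f "$f" ] || continue
    state=EXPIRED; cert_is_valid "$f" && state=VALID
    match=MISMATCH; cert_covers_host "$f" "$2" && match=MATCH
    printf '%s %s %s %s\n' "$state" "$match" "$f" \
      "$(openssl x509 -in "$f" -noout -subject -enddate | tr '\n' ' ')"
  done
  return 0
}

# Constructed sample store: the correct console certificate (valid for one
# day) and a certificate for some other host, like the stray VMware one.
make_samples() {  # make_samples <dir>
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=*.apps-crc.testing' \
    -addext 'subjectAltName=DNS:*.apps-crc.testing' \
    -keyout "$1/good.key" -out "$1/good.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=vmware-host.local' \
    -addext 'subjectAltName=DNS:vmware-host.local' \
    -keyout "$1/stale.key" -out "$1/stale.pem" 2>/dev/null
}

case "${1:-}" in
  demo) d=$(mktemp -d); make_samples "$d"
        audit_dir "$d" console-openshift-console.apps-crc.testing ;;
esac
```

Run it with `sh audit.sh demo`; the good certificate reports `VALID MATCH` and the other one `VALID MISMATCH`, which is the line to go hunting for in the store. Point `audit_dir` at a directory of exported certificates to use it on a real machine.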

How does the Chrome browser know which client certificate to prompt for a site?

I'm setting up certificate authentication for my project using Tomcat. It works OK for command-line clients such as cURL.
I have many client certificates installed in the Chrome browser. Some are used to connect to my site; others are used for different purposes and are not related to my project.
Every time I connect to my site, Chrome presents a list of client certificates to choose from. These are exactly the certificates that I installed and not others. My questions are:
How does Chrome know which client certificates are for a site, to present them for choosing?
Tomcat stores those client certificates in its trust store. During the SSL handshake, Tomcat will request a client certificate. Does it request some specific certificates that it knows in its trust store, so that Chrome knows what to show?
Client certificate authentication is handled in the handshake phase of the SSL/TLS protocol implemented by browsers.
1. If the server requires client certificate authentication (it is optional), it sends a message to the client with the list of accepted certificate authorities (CAs). This can be empty if the server accepts any certificate.
2. The client selects the certificates installed in the client keystore which have been issued by any of these CAs, and presents the list to the user. In the case of Chrome, the browser selects the certificates installed by the user from the operating system's key store.
3. The user chooses a certificate, and the client performs a signature with the private key of the certificate over known data exchanged during the handshake.
Only certificates with a private key can be selected during step 2. This is the reason why the browser does not select the certificates of trusted CAs installed on your device: you do not own the private key.
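The following shell script is an added example and is not code from any post on this page. It covers two passages at once: the procedure in the self-answer at the top of the page (a private CA, a CA-signed server certificate with a SAN, and the chain the server should send so that a browser can find the issuer) and the client-certificate selection that the answer above describes. It goes slightly beyond both: it also checks that a PEM bundle is in issuer order, a property any chain handed to a server, or to a client as a CA bundle, has to have. Every DN, hostname and file name is made up, the "store" is just a directory of PEM files standing in for the OS key store, and it needs the openssl CLI (1.1.1 or newer). Nothing is written outside $WORK.

```shell
#!/bin/sh
# Added example, not code from any post on this page. Builds a private CA and
# CA-signed certificates, shows verification with and without the CA as trust
# anchor, checks chain order, and applies the browser's client-cert filter.
# All names are made up; needs openssl 1.1.1+; writes only under $WORK.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Self-signed root CA. CA:TRUE is what the Windows Trusted Root store and
# Chrome need in order to treat this certificate as an issuer.
make_ca() {  # make_ca <name> <common name>
  printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\nCN=%s\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' "$2" >"$WORK/$1.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Leaf certificate signed by <ca>. <eku> is serverAuth or clientAuth; <san>
# is optional here, but browsers ignore the CN of a server cert without one.
issue_cert() {  # issue_cert <ca> <name> <eku> [san]
  san=${4:+subjectAltName=$4}
  printf '[req]\nprompt=no\ndistinguished_name=dn\n[dn]\nCN=%s\n[v3_leaf]\nbasicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=%s\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n%s\n' "$2" "$3" "$san" >"$WORK/$2.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$2.cnf" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 825 -extfile "$WORK/$2.cnf" -extensions v3_leaf \
    -out "$WORK/$2.crt" 2>/dev/null
}

# Exit 0 when <leaf> chains to <ca>. With the wrong (or no) CA this fails with
# "unable to get local issuer certificate", the OpenSSL counterpart of
# certmgr's "The issuer of this certificate could not be found".
verify_leaf() {  # verify_leaf <leaf> <ca>
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Subject DN as openssl prints it; used to build the server's acceptable-CA
# list and to compare against a certificate's issuer.
dn_of() { openssl x509 -in "$WORK/$1.crt" -noout -subject | sed 's/^subject=//'; }

# Chain file for the server: leaf first, then its issuer. Apache 2.4.8+ takes
# this file as SSLCertificateFile and sends the CA cert in the handshake, so
# the browser's import dialog shows the CA above the server certificate.
build_chain() {  # build_chain <leaf> <ca> -> $WORK/<leaf>-chain.pem
  cat "$WORK/$1.crt" "$WORK/$2.crt" >"$WORK/$1-chain.pem"
}

# Exit 0 when every cert in a PEM bundle is issued by the cert after it,
# i.e. the order is leaf -> intermediate(s) -> root, never the reverse.
chain_in_order() {  # chain_in_order <bundle.pem>
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
    awk 'BEGIN{n=0} /^subject=/{s[n]=substr($0,9)} /^issuer=/{i[n]=substr($0,8);n++}
         END{for(k=0;k<n-1;k++) if(i[k]!=s[k+1]) exit 1}'
}

# The browser's filter (step 2 above): of the certs in the store, offer only
# those whose issuer is in the server's acceptable-CA list (one DN per line)
# and whose private key sits beside them. A trusted-CA cert has no key here,
# so it is never offered.
select_client_certs() {  # select_client_certs <acceptable DNs> <cert.crt>... -> names
  accept=$1; shift
  for c in "$@"; do
    [ -f "${c%.crt}.key" ] || continue
    iss=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer=//')
    printf '%s\n' "$accept" | grep -Fxq -- "$iss" && basename "$c" .crt
  done
  return 0
}

# Copy a certificate (and optionally its key) into the simulated user store.
install_store() {  # install_store <name> <with_key: yes|no>
  mkdir -p "$WORK/store"; cp "$WORK/$1.crt" "$WORK/store/"
  [ "$2" = yes ] && cp "$WORK/$1.key" "$WORK/store/"; true
}

demo() {
  make_ca lab-ca "Example Lab Root CA"; make_ca other-ca "Other Corp CA"
  issue_cert lab-ca server serverAuth "DNS:app.example.test,DNS:localhost"
  issue_cert lab-ca alice clientAuth; issue_cert other-ca bob clientAuth
  verify_leaf server lab-ca && echo "server.crt verifies against lab-ca"
  verify_leaf server other-ca || echo "server.crt does NOT verify against other-ca"
  build_chain server lab-ca; chain_in_order "$WORK/server-chain.pem" && echo "chain order OK"
  install_store alice yes; install_store bob yes; install_store lab-ca no
  echo "offered to a server whose CertificateRequest lists lab-ca:"
  select_client_certs "$(dn_of lab-ca)" "$WORK"/store/*.crt
}
case "${1:-}" in demo) demo ;; esac
```

Run it with `sh ca-demo.sh demo`. The two `verify_leaf` calls are the same check Windows performs when it draws the certification path: the server certificate only validates once `lab-ca.crt` is the trust anchor, which is why importing the server certificate into the Trusted Root store changes nothing. On Windows the CA file this writes can be imported from an elevated prompt with `certutil -addstore Root lab-ca.crt`. To see what a live server actually sends in its Certificate message (the question in the handshake post above), `openssl s_client -connect host:443 -servername host -showcerts </dev/null` prints every certificate the server returned, in the order it sent them, and `chain_in_order` can be run over that output saved to a file.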

Google Geocode web service certificate error - Could not establish trust relationship for the SSL/TLS secure channel

I am connecting to the Google geocode web service from .NET code. It works perfectly on my local machine, but when deployed on a Windows 2003 Standard server I get the error below.
System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
Where can I get the certificate for the Google web service? I tried downloading it from Chrome by hitting the URL, saved the certificate to a file and added it to the Trusted certificate store, but I still have the same issue when the site is running.
Any suggestion will be greatly appreciated.

Getting Mysql2::Error (SSL connection error: ASN: bad other signature confirmation) on Heroku App with AWS RDS

Mysql2::Error (SSL connection error: ASN: bad other signature confirmation):
I am building an administration site. The environment is Rails 4.2 and Ruby 2.2, connecting to AWS RDS from a Heroku server.
I don't know why I am getting this error. It suddenly appeared. I can't find any errors other than this. Although my code passed two days ago, I got this error this time. (I haven't touched this code during those two days.)
How can I solve this problem?
For me, this had to do with the RDS SSL Certificate Rotation that happened on April 3rd, 2015.
However, in my case, just using the root certificate did not work, and I had to use an intermediate certificate for my region as well. Details:
Go into the AWS rds console and reboot your RDS instance.
Download the new root certificate https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem. Put it into the config directory of your app.
Download the intermediate certificate for your database region here. I had to use the US East one, but you will have to pick the one for your region.
This is the key step. You need to combine the intermediate certificate and the root certificate into one file so that the intermediate certificate is above the root certificate, forming a certificate chain. Open the intermediate certificate using a text editor, copy its contents, and paste them into config/rds-ca-2015-root.pem, on top, above the root certificate. So, after you are done, config/rds-ca-2015-root.pem should be the intermediate certificate followed by the root certificate, all in this file.
Get your current database url
heroku config
and then look for the DATABASE_URL property
Update your database URL to use the new certificate file. All you should have to change is the name of the certificate (since it's now called rds-ca-2015-root.pem):
heroku config:add DATABASE_URL="mysql2://DB_NAME:DB_PASSWORD@DB_URL/DB_NAME?sslca=config/rds-ca-2015-root.pem"
Commit the changes and redeploy to Heroku.
Four years later (2019), AWS is rotating CA certs again, as expected.
RDS users are recommended to switch from the 2015 cert to the 2019 cert by 2019-11-01, and "no later than" 2020-02-05. The 2015 certificates expire on 2020-03-05.
I used the following procedure, based on RDS' Rotating Your SSL/TLS Certificate guide.
Schedule downtime
Download new certificates, save in config
Only the root cert is needed: rds-ca-2019-root.pem
The instructions mention a 2015+2019 bundle, but I couldn't find it. This file is 2019 only.
Region-specific intermediate certs are not needed
Commit, but don't deploy yet
heroku maintenance:on
In RDS web console, modify server
In the Network & Security section, choose rds-ca-2019
Apply changes immediately
Scale dynos down to 0
heroku config:set DATABASE_URL=mysql2://myuser:mypassword@myhost.rds.amazonaws.com/mydb?sslca=config/rds-ca-2019-root.pem
Deploy
Scale dynos up, watch logs
heroku maintenance:off
There are many reasonable variations on this procedure, this is just what worked for me.