Certificate formats

  • PEM format - text-based: the DER bytes Base64-encoded between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. One file may hold several such blocks (a chain); openssl x509 only reads the first.
  • DER format - the raw binary ASN.1 encoding, e.g. as produced by Java keytool -export ... (keytool -export -rfc writes PEM instead). The file extension (.crt, .cer, .pem) says nothing about which encoding is inside; check the content.

Read a PEM certificate:

openssl x509 -in my_cert.pem -noout -text

Read a DER certificate (openssl assumes PEM unless told otherwise):

openssl x509 -in my_cert.der -inform DER -noout -text

Convert between PEM and DER. A .crt file is already PEM if it starts with "-----BEGIN CERTIFICATE-----"; if it is binary it is DER, and one command converts it. The second line below is the DER-to-PEM case; the first is the reverse, in case a DER copy is needed (for example for keytool -import on an older JDK):

openssl x509 -in <filename>.crt -out <filename>.der -outform DER
openssl x509 -in <filename>.der -inform DER -out <filename>.pem -outform PEM
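The following is an added example, not a command from the original page: it decides the encoding from the file content (the extension is not reliable) and converts whatever it finds to PEM. It assumes openssl is on PATH; the certificate it works on is generated locally, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original page: decide a certificate's encoding
# from its content rather than its file extension, then normalise it to PEM.
# Assumes openssl is on PATH; the certificate used below is generated locally.
set -eu

# cert_encoding FILE -> prints PEM or DER; fails for anything else
cert_encoding() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    echo PEM
  elif openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1; then
    echo DER
  else
    echo "$1: not a PEM or DER certificate" >&2
    return 1
  fi
}

# cert_to_pem IN OUT -> writes IN as PEM to OUT, whatever IN's encoding was
cert_to_pem() {
  enc=$(cert_encoding "$1")
  openssl x509 -in "$1" -inform "$enc" -out "$2" -outform PEM
}

# --- constructed test data: a throw-away self-signed certificate ---
workdir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=format-demo' \
  -keyout "$workdir/key.pem" -out "$workdir/demo.pem" >/dev/null 2>&1
# the same certificate as DER, deliberately named .crt: the extension says nothing
openssl x509 -in "$workdir/demo.pem" -out "$workdir/demo.crt" -outform DER

cert_to_pem "$workdir/demo.crt" "$workdir/from-der.pem"   # DER input
cert_to_pem "$workdir/demo.pem" "$workdir/from-pem.pem"   # PEM input
```

Both outputs are byte-identical, because openssl re-serialises the parsed certificate and the DER encoding of a certificate is canonical; that is also why fingerprints do not depend on which format the file was in.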

Certificate management on RHEL

To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system, copy it to /etc/pki/ca-trust/source/anchors/ (the anchors/ subdirectory is what marks it as a trust anchor; the parent source/ directory is for the extended "BEGIN TRUSTED CERTIFICATE" format), then regenerate the consolidated bundles under /etc/pki/ca-trust/extracted/, which /etc/pki/tls/certs/ca-bundle.crt links to:

update-ca-trust extract

Afterwards, trust list (from p11-kit) should show the new anchor by its subject; if it is missing, the file was probably not a plain certificate or was not readable by root.

SSL testing

Make a test request to a host using Server Name Indication (SNI); without -servername a host serving several names may hand back its default certificate rather than the one for myhost.example.com:

openssl s_client -connect myhost.example.com:443 -servername myhost.example.com

Get the fingerprint of the certificate a server presents (to be able to compare against keystore, etc.). keytool -list prints SHA-256 in the same colon-separated hex form, and SHA-1 as well on older JDKs, so pick the digest that matches the listing (-sha1 instead of -sha256). Note the -servername, for the same SNI reason as above, and that s_client's stderr is discarded, so an empty result means the connection failed:

openssl s_client -connect <host>:<port> -servername <host> < /dev/null 2>/dev/null | openssl x509 -noout -sha256 -fingerprint
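An added example (not from the original page) that shows why the fingerprint can be compared across a PEM file, a DER file, a live s_client capture and a keytool -list line: it is simply the hash of the DER bytes. The function names, the remote_fingerprint_sha256 wrapper and the locally generated certificate are this example's own; it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not from the original page. A certificate fingerprint is the
# digest of the DER encoding, so PEM and DER copies of the same certificate
# give the same value, and it matches the SHA256 line keytool -list prints.
# Assumes openssl is on PATH; the certificate is generated locally.
set -eu

# inform_of FILE -> PEM or DER, decided by content
inform_of() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM; else echo DER; fi
}

# fingerprint_sha256 FILE -> "AA:BB:..." as openssl (and keytool) print it
fingerprint_sha256() {
  openssl x509 -in "$1" -inform "$(inform_of "$1")" -noout -sha256 -fingerprint \
    | sed 's/^.*=//'
}

# der_sha256 FILE -> the same value computed by hand: SHA-256 over the DER bytes,
# upper-cased and colon-separated to match the fingerprint format
der_sha256() {
  openssl x509 -in "$1" -inform "$(inform_of "$1")" -outform DER \
    | openssl dgst -sha256 \
    | sed 's/^.*= *//' | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# remote_fingerprint_sha256 HOST PORT -> fingerprint of the certificate a live
# server presents (needs network, so not exercised offline). -servername is
# needed so that an SNI host returns the certificate for HOST, not its default.
remote_fingerprint_sha256() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -sha256 -fingerprint | sed 's/^.*=//'
}

# --- constructed test data: one certificate, saved as PEM and as DER ---
workdir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=fp-demo' \
  -keyout "$workdir/key.pem" -out "$workdir/cert.pem" >/dev/null 2>&1
openssl x509 -in "$workdir/cert.pem" -out "$workdir/cert.der" -outform DER
```

To compare with a Java truststore, run keytool -list -v -keystore <store> and match the SHA256 line; a mismatch after a certificate renewal is the usual reason a client that "used to work" now fails with a trust error.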

SSL and TLS with Java

Java keystore/truststore properties

The keystore holds this JVM's own key and certificate (what it presents); the truststore holds the certificates it accepts from peers. If no truststore is set, the JVM falls back to $JAVA_HOME/lib/security/jssecacerts, then cacerts (default password "changeit").

javax.net.ssl.keyStore
javax.net.ssl.keyStorePassword
javax.net.ssl.keyStoreType
javax.net.ssl.trustStore
javax.net.ssl.trustStorePassword
javax.net.ssl.trustStoreType

Java SSL debug logging

Enable Java SSL debug logging:

JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=ssl,handshake"

And some other options/variations (-Djavax.net.debug=help prints the full list; "all" is extremely verbose and logs record contents):

-Djava.security.debug=certpath,provider
-Djavax.net.debug=ssl,keymanager,trustmanager

Java keytool cookbook

Create self-signed certificates for a server and client, and add each certificate into the other party's truststore. -genkey, -export and -import are the old names of -genkeypair, -exportcert and -importcert and still work. The server gets a SAN extension because modern clients check the host name against SAN, not CN. Since JDK 9 the default keystore type is PKCS12, where the key password must equal the store password, hence the same "changeit" for both:

keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 365 -keystore server.ks -dname "CN=server,L=Gimmerton" -ext SAN=dns:server -storepass changeit -keypass changeit
keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 -keystore client.ks -dname "CN=client,L=Gimmerton" -storepass changeit -keypass changeit

keytool -exportcert -alias server -keystore server.ks -file server_cert -storepass changeit
keytool -importcert -alias server -keystore client.ts -file server_cert -storepass changeit -noprompt

keytool -exportcert -alias client -keystore client.ks -file client_cert -storepass changeit
keytool -importcert -alias client -keystore server.ts -file client_cert -storepass changeit -noprompt

The exported files are DER; add -rfc to -exportcert to get PEM for use with openssl.

Java SSL testing

Use the testing tool from UniconLabs:

git clone https://github.com/UniconLabs/java-keystore-ssl-test
cd java-keystore-ssl-test
mvn clean install
java -jar target/java-keystore-test-0.1.0.jar http://amq-interconnect-amqps-basic-demo.192.168.42.248.nip.io

Java SSL troubleshooting

Client authentication (mutual authentication/2-way SSL) isn't working:

  • Ensure that the server requires client certificates (needClientAuth/setNeedClientAuth(true) on the SSLServerSocket or SSLEngine, or the equivalent clientAuth setting of the container). With "want" rather than "need", a client that presents nothing is silently let through without authentication.
  • Ensure that the client's certificate, or the CA that issued it, has been added into the server's truststore.
  • During the handshake the server sends a CertificateRequest carrying the subject DNs of the certificates in its truststore (openssl s_client shows them as "Acceptable client certificate CA names"); the client then looks for a key in its keystore whose certificate was issued by one of those names and presents it, if it has one. If the client presents no certificate (<Empty> in the debug log), the client found nothing in its keystore whose issuer matched the server's list.
  • "Warning: no suitable certificate found - continuing without client authentication" in the client's handshake debug log is the same condition from the client's side: check that the client is using the intended keystore (javax.net.ssl.keyStore) and that the server's truststore contains the issuer of the client certificate, since that truststore is what produces the list the client is matching against.
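The following is an added example, not part of the original page, that reproduces the matching step above offline: it lists the subject DNs a server with a given PEM truststore would advertise in its CertificateRequest, and checks whether a client certificate's issuer is among them. The function names and the locally generated CAs and client certificate are this example's own assumptions; it assumes openssl is on PATH. A JKS or PKCS12 truststore would first be exported to PEM with keytool -exportcert -rfc.

```shell
#!/bin/sh
# Added example, not from the original page. Reproduces offline the match the
# handshake makes: the server advertises the subject DNs of the certificates in
# its truststore ("Acceptable client certificate CA names" in s_client output)
# and the client only offers a certificate whose issuer is one of them.
# Assumes openssl is on PATH; every certificate below is generated locally.
set -eu

# acceptable_ca_names BUNDLE.pem -> one subject DN per line, RFC 2253 form
acceptable_ca_names() {
  d=$(mktemp -d)
  # split the PEM bundle into one file per certificate
  awk -v dir="$d" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (dir "/" n ".pem")}' "$1"
  for f in "$d"/*.pem; do
    openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
  done
  rm -rf "$d"
}

# client_cert_acceptable CLIENT.pem BUNDLE.pem -> exit 0 if a server with that
# truststore would list this certificate's issuer (direct issuer only: with an
# intermediate CA the client must send the chain and the chain's top must match)
client_cert_acceptable() {
  issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  acceptable_ca_names "$2" | grep -xF -- "$issuer" >/dev/null
}

# --- constructed test data: two CAs, a client cert from one of them ---
w=$(mktemp -d)
mkca() {  # mkca NAME CN -> self-signed CA key and certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$w/$1.key" -out "$w/$1.pem" >/dev/null 2>&1
}
mkca trusted-ca "Demo Client CA"
mkca other-ca   "Unrelated CA"
openssl req -newkey rsa:2048 -nodes -subj '/CN=client' \
  -keyout "$w/client.key" -out "$w/client.csr" >/dev/null 2>&1
openssl x509 -req -in "$w/client.csr" -CA "$w/trusted-ca.pem" -CAkey "$w/trusted-ca.key" \
  -set_serial 1 -days 1 -out "$w/client.pem" >/dev/null 2>&1

# three candidate server truststores: the right CA, the wrong CA, and both
cp "$w/trusted-ca.pem" "$w/ts-right.pem"
cp "$w/other-ca.pem"   "$w/ts-wrong.pem"
cat "$w/trusted-ca.pem" "$w/other-ca.pem" > "$w/ts-both.pem"
```

Against a live server the same list is visible with openssl s_client -connect <host>:<port> -servername <host> (and the client certificate can be offered with -cert/-key); if the issuer printed by openssl x509 -noout -issuer for the client certificate is not in that list, the client will send an empty Certificate message exactly as the last two bullets describe.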