I've done some reading on SSL and understand the protocol is as follows: the client/browser sends a ClientHello and the server (Tomcat) replies with a ServerHello. This establishes the protocol they will use. The server then sends the certificate and the public key, in the clear. The browser encrypts a message containing the server's domain, all encrypted with the server's public key, to the CA which the browser trusts. The public key is in the certificate. The CA decrypts the message with the server's private key. So the server's name/domain must not be encrypted. If the server can decrypt the message it knows the server, and it then sends an ack message back to the browser encrypted with the client's private key. The browser and Tomcat then establish a secret key to send messages back and forth.
If I have the above correct, I must have the keystore set up incorrectly, since running my scenario I get an error in the Chrome debugger, which says "This page is not secure":

"Valid certificate. The connection to this site is using a valid, trusted server certificate issued by unknown name. Secure resources. All resources on this page are served securely."

Note the "the certificate is valid and it is issued by unknown name". Why is the issuer unknown, since the issuer's name is in the certificate?

letsencrypt has an online web site from which one can download a ca_bundle, a private key and a certificate for your domain. Oracle has an article on keytool which says that keytool cannot create a pkcs12 keystore but can read it, and to use openssl, which I did following their instructions: concatenate the CA cert, the private key and the user cert, then put these in the keystore. The result is shown below. Tomcat isn't able to use this keystore to communicate with the browser for some reason. Why? What's missing or incorrect?
    C:\Users\don\Security\letsenc>%keytool% -list -keystore MMcert.p12 -v -storetype pkcs12
    Enter keystore password:
    Keystore type: PKCS12
    Keystore provider: SunJSSE

    Your keystore contains 1 entry

    Alias name: tomcat
    Creation date: Nov 13, 2017
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=info.finwoks.com
    Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
    Serial number: 415913da3a6a956ef3efef2fb2eb4baff17
    Valid from: Sat Nov 11 16:05:35 EST 2017 until: Fri Feb 09 16:05:35 EST 2018
    Certificate fingerprints:
         MD5:    F5:FD:4F:8B:9A:A0:38:D1:B7:78:B6:36:38:AB:42:31
         SHA1:   7C:AB:5C:D3:A9:95:01:FD:43:CC:F5:D5:1D:24:64:1A:BF:4C:AE:66
         SHA256: A9:85:5C:34:3D:DA:65:64:2F:C7:45:57:52:3F:EE:0F:D6:70:50:DE:AA:5C:2A:D1:16:F3:29:B9:CB:F3:B2:36
    Signature algorithm name: SHA256withRSA
    Version: 3

    Extensions:

    #1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthorityInfoAccess [
      [
       accessMethod: ocsp
       accessLocation: URIName: http://ocsp.int-x3.letsencrypt.org
    ,
       accessMethod: caIssuers
       accessLocation: URIName: http://cert.int-x3.letsencrypt.org/
      ]
    ]

    #2: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: A8 4A 6A 63 04 7D DD BA   E6 D1 39 B7 A6 45 65 EF  .Jjc......9..Ee.
    0010: F3 A8 EC A1                                        ....
    ]
    ]

    #3: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
      CA:false
      PathLen: undefined
    ]

    #4: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
      [CertificatePolicyId: [2.23.140.1.2.1]
    []  ]
      [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
    [PolicyQualifierInfo: [
      qualifierID: 1.3.6.1.5.5.7.2.1
      qualifier: 0000: 16 1A 68 74 74 70 3A 2F   2F 63 70 73 2E 6C 65 74  ..http://cps.let
    0010: 73 65 6E 63 72 79 70 74   2E 6F 72 67              sencrypt.org

    ], PolicyQualifierInfo: [
      qualifierID: 1.3.6.1.5.5.7.2.2
      qualifier: 0000: 30 81 9E 0C 81 9B 54 68   69 73 20 43 65 72 74 69  0.....This Certi
    0010: 66 69 63 61 74 65 20 6D   61 79 20 6F 6E 6C 79 20  ficate may only
    0020: 62 65 20 72 65 6C 69 65   64 20 75 70 6F 6E 20 62  be relied upon b
    0030: 79 20 52 65 6C 79 69 6E   67 20 50 61 72 74 69 65  y Relying Partie
    0040: 73 20 61 6E 64 20 6F 6E   6C 79 20 69 6E 20 61 63  s and only in ac
    0050: 63 6F 72 64 61 6E 63 65   20 77 69 74 68 20 74 68  cordance with th
    0060: 65 20 43 65 72 74 69 66   69 63 61 74 65 20 50 6F  e Certificate Po
    0070: 6C 69 63 79 20 66 6F 75   6E 64 20 61 74 20 68 74  licy found at ht
    0080: 74 70 73 3A 2F 2F 6C 65   74 73 65 6E 63 72 79 70  tps://letsencryp
    0090: 74 2E 6F 72 67 2F 72 65   70 6F 73 69 74 6F 72 79  t.org/repository
    00A0: 2F                                                 /

    ]]  ]
    ]

    #5: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      serverAuth
      clientAuth
    ]

    #6: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
      DigitalSignature
      Key_Encipherment
    ]

    #7: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
      DNSName: info.finwoks.com
    ]

    #8: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 04 6B 27 5C F4 5E 85 21   24 38 A7 44 2D 7E 69 CA  .k'\.^.!$8.D-.i.
    0010: CF 31 04 1C                                        .1..
    ]
    ]

    *******************************************
    *******************************************
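The keytool listing above reports "Certificate chain length: 1", so the keystore holds only the leaf certificate and not the issuer certificate from the ca_bundle. The script below is an added example, not code from the question, Oracle's keytool article or Tomcat: it builds a throwaway CA and leaf with openssl (constructed test material, placeholder host name, file names and password), exports two PKCS12 files under the alias tomcat, one with and one without the issuer passed via -certfile, and counts how many certificates each one carries.

```shell
#!/bin/sh
# Added example: compare a PKCS12 exported with and without the issuer chain.
# Everything here is constructed test material, not the poster's real certificate.
set -e
WORK=$(mktemp -d)
PASS=changeit   # placeholder keystore password

# Constructed issuer CA; it stands in for the intermediate found in ca_bundle.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Issuer CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
# Constructed leaf certificate for a placeholder host, signed by that CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -out "$WORK/leaf.pem" 2>/dev/null

# build_p12 OUT [CHAINFILE]: export private key + leaf cert under alias "tomcat";
# when CHAINFILE is given, -certfile appends the issuer certificate(s) to the entry.
build_p12() {
    out=$1; chain=$2
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -in "$WORK/leaf.pem" -inkey "$WORK/leaf.key" \
            -certfile "$chain" -name tomcat -passout "pass:$PASS" -out "$out"
    else
        openssl pkcs12 -export -in "$WORK/leaf.pem" -inkey "$WORK/leaf.key" \
            -name tomcat -passout "pass:$PASS" -out "$out"
    fi
}

# count_certs FILE: number of certificates stored in the PKCS12, which is the
# value keytool -list -v prints as "Certificate chain length".
count_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

build_p12 "$WORK/leaf-only.p12"
build_p12 "$WORK/with-chain.p12" "$WORK/ca.pem"
echo "leaf only : $(count_certs "$WORK/leaf-only.p12") certificate(s)"   # 1
echo "with chain: $(count_certs "$WORK/with-chain.p12") certificate(s)"  # 2
```

Running `keytool -list -v -storetype pkcs12` on the second file shows a chain length of 2, which is what a server should present so that clients can walk from the leaf to a trusted root.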