12 Replies Latest reply on Jul 24, 2012 8:10 PM by njiang

    generating https certificates

    jjakub

      Hello

      I use 4.4.1-fuse-06-03, with CXF HTTPS via etc\pax.web...

       

      I have a problem generating a server HTTPS cert.

      I create ca certificate as written here:

      http://fusesource.com/docs/framework/2.4/security/i305191.html

      and then create server cert as written here:

      http://fusesource.com/docs/framework/2.4/security/i382664.html

       

      but Firefox sees this certificate as a self-signed cert, issued by localhost for localhost;

      it does not see it as signed by my own CA.

       

      I think it is not a problem of SMX or CXF but of openssl or keytool.

      I suppose there could be some change in openssl and keytool since this tutorial was written, and now they might work differently.

       

      Could somebody try to use this tutorial exactly as written in the above links and check if it works?

       

      If it works, please include your commands as a script; here is what I have done

       

      (when there are many similar versions I did all of them):

       

      del server.chain

      del caJsi.jks

      del server.pem

      del serverKeystore*

      del server_csr.pem

       

      del X509CA\ca\new*

      del X509CA\certs\*

      del X509CA\newcerts\0*

      del X509CA\crl\*

      rmdir X509CA\ca

      rmdir X509CA\certs

      rmdir X509CA\newcerts

      rmdir X509CA\crl

      del X509CA\index*

      del X509CA\serial*

      dir

      dir X509CA\

       

      mkdir X509CA

      mkdir X509CA\ca

      mkdir X509CA\certs

      mkdir X509CA\newcerts

      mkdir X509CA\crl

       

      cd X509CA

      echo 01 > serial

       

      click Yes, and close Notepad.

      notepad index.txt

       

      cd ..

       

      -


      password password

       

      Create a self-signed CA certificate and private key

      Create a new self-signed CA certificate and private key with the following command:

       

      openssl req -x509 -new -config X509CA\openssl.cfg -days 365 -out X509CA\ca\new_ca.pem -keyout X509CA\ca\new_ca_pk.pem

       

      =====================

      Generate a certificate and private key pair

      Open a command prompt and change directory to the directory where you store your keystore files, KeystoreDir. Enter the following command:

       

      keytool -genkeypair -dname "CN=localhost, OU=testOU, O=testO, ST=Warsaw, C=PL" -validity 365 -v -alias serverAlias -keypass serverPassword -keystore serverKeystore.jks -storepass serverPassword

       

      keytool -importcert -alias cacertAlias -file X509CA\ca\new_ca.pem -trustcacerts -keystore serverKeystore.jks -storepass serverPassword

       

      keytool -importcert                    -file X509CA\ca\new_ca.pem -trustcacerts -keystore serverKeystore.jks -storepass serverPassword

       

       

       

      -


      Create a certificate signing request

      Create a new certificate signing request (CSR) for the serverKeystore.jks certificate, as follows:

       

      keytool -certreq -alias serverAlias -file server_csr.pem -keypass serverPassword -keystore serverKeystore.jks -storepass serverPassword

       

      -


      Sign the CSR

       

      Sign the CSR using your CA, as follows:

       

      openssl ca -config X509CA\openssl.cfg -days 365 -in server_csr.pem -out server.pem

       

      -


      Convert to PEM format

      Convert the signed certificate, server.pem, to PEM only format, as follows:

       

      openssl x509 -in server.pem -out server.pem -outform PEM

       

      -


      Concatenate the files

      Concatenate the CA certificate file and server.pem certificate file, as follows:

       

      copy server.pem + X509CA\ca\new_ca.pem server.chain

       

      -


      Update keystore with the full certificate chain

      Update the keystore, serverKeystore.jks, by importing the full certificate chain for the certificate, as follows:

       

      keytool -importcert -file server.chain -alias serverAlias -keypass serverPassword -keystore serverKeystore.jks -storepass serverPassword

       

      keytool -importcert -file server.chain                    -keypass serverPassword -keystore serverKeystore.jks -storepass serverPassword

       

      keytool -importcert -file server.chain  -keypass serverPassword -keystore serverKeystore2.jks -storepass serverPassword

       

      keytool -importcert -file server.chain -alias serverAlias -keypass serverPassword -keystore serverKeystoreAlias.jks -storepass serverPassword

       

      -


      copy serverKeystore.jks C:\opt\apache-servicemix-4.4.1-fuse-06-03\etc\

       

      thx and regards

      camel
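The procedure above ends by concatenating server.pem and the CA certificate into server.chain and importing that bundle into the keystore. The script below is an added example, not code from the original post, the Fuse documentation or CXF: it reads such a PEM bundle with a minimal DER reader, pulls the issuer and subject Name out of each certificate, and checks the linkage that Firefox's "issued by localhost for localhost" message reflects (the leaf must be issued by the next certificate, the bundle must end at a self-issued CA). It goes slightly beyond the two-certificate case in the post in that it accepts bundles of any depth, e.g. with intermediates. It does not verify signatures; that remains the job of openssl verify and keytool. The function names, the "Test CA" and "localhost" Names, and the sample certificates (built in-line with placeholder keys and signatures, so they are not real certificates) are all this example's own.

```python
"""Linkage check for a concatenated PEM bundle such as server.chain (leaf first, CA last).

Added example, not from the original post, Fuse or CXF. Signatures are not verified;
only the issuer/subject Name linkage is checked. Sample certificates are constructed
in-line with placeholder keys and signatures.
"""
import base64
import re

OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
        b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}


def _tlv(tag, content):
    """Encode one DER element, short or long length form."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def elements(buf):
    """Parse the consecutive DER elements in buf into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                      # long form: low bits = number of length octets
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out


def cert_names(der):
    """(issuer, subject) as raw Name contents of one DER certificate."""
    cert = elements(der)[0][1]                 # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    fields = elements(elements(cert)[0][1])    # tbsCertificate fields
    if fields[0][0] == 0xA0:                   # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]          # serial, sigAlg, issuer, validity, subject, ...


def name_to_str(name):
    """Render a Name as 'C=PL, CN=localhost'; unknown attribute types appear as OID hex."""
    parts = []
    for _, rdn in elements(name):              # RDN ::= SET OF AttributeTypeAndValue
        for _, atv in elements(rdn):
            (_, oid), (_, val) = elements(atv)
            parts.append(f"{OIDS.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ", ".join(parts)


def split_bundle(pem_text):
    """DER bytes of every certificate in a concatenated PEM file, in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def check_chain(pem_text):
    """(ok, messages): ok only if the leaf is CA-issued, each link holds, and the last cert is self-issued."""
    certs = split_bundle(pem_text)
    ok, msgs = bool(certs), []
    for i, der in enumerate(certs):
        issuer, subject = cert_names(der)
        msgs.append(f"[{i}] subject={name_to_str(subject)} ; issuer={name_to_str(issuer)}")
        if i == 0 and issuer == subject:
            ok = False
            msgs.append("[0] leaf is self-issued: the CA-signed reply was never applied to this key")
        if i + 1 < len(certs):
            if issuer != cert_names(certs[i + 1])[1]:
                ok = False
                msgs.append(f"[{i}] issuer does not match the subject of [{i + 1}]")
        elif issuer != subject:
            ok = False
            msgs.append(f"[{i}] last certificate is not self-issued: the CA is missing from the bundle")
    return ok, msgs


# Constructed sample data: real X.509 v3 layout, placeholder key and signature.
SHA256_RSA = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))


def make_name(**attrs):
    rdns = b""
    for key, text in attrs.items():
        oid = next(k for k, v in OIDS.items() if v == key)
        rdns += _tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x0C, text.encode())))  # SET { SEQ { OID, UTF8String } }
    return _tlv(0x30, rdns)


def make_cert(issuer, subject):
    validity = _tlv(0x30, _tlv(0x17, b"120723070901Z") + _tlv(0x17, b"130723070901Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + SHA256_RSA
               + issuer + validity + subject + _tlv(0x30, _tlv(0x05, b"")))   # placeholder SubjectPublicKeyInfo
    return _tlv(0x30, tbs + SHA256_RSA + _tlv(0x03, b"\x00"))                  # placeholder signature


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


CA_NAME = make_name(C="PL", O="testO", CN="Test CA")
SERVER_NAME = make_name(C="PL", ST="Warsaw", O="testO", OU="testOU", CN="localhost")
GOOD_CHAIN = to_pem(make_cert(CA_NAME, SERVER_NAME)) + to_pem(make_cert(CA_NAME, CA_NAME))
SELF_SIGNED_ONLY = to_pem(make_cert(SERVER_NAME, SERVER_NAME))  # what -genkeypair alone leaves you with
LEAF_WITHOUT_CA = to_pem(make_cert(CA_NAME, SERVER_NAME))
```

Point it at a real bundle with `check_chain(open("server.chain").read())`; the parser only looks between the BEGIN/END markers, so the trailing end-of-file byte that Windows `copy` appends when it concatenates in text mode is ignored. A bundle that produces the "leaf is self-issued" message is the situation the post describes: the browser is shown the certificate created by keytool -genkeypair, not the one signed by the CA.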

        • 1. Re: generating https certificates
          ffang

          Hi,

           

          Just a quick note: there's a gencerts.sh shell script in the Fuse Services Framework kit, samples/wsdl_first_https/bin, which can generate all the necessary certs automatically for you; you may need to take a look.

           

          Freeman

          • 2. Re: generating https certificates
            jjakub

            here are the logs of executing 3 commands

            gencerts.sh (in Cygwin under Windows)

            c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https>mvn -Pserver

            c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https>mvn -Psecure.client

             

            $ ../bin/gencerts.sh

            Using configuration from C:\opt\OpenSSL-Win64\bin\openssl.cfg

            Generating a 1024 bit RSA private key

            ..................++++++

            ....++++++

            writing new private key to 'caprivkey.pem'

            -


            Using configuration from C:\opt\OpenSSL-Win64\bin\openssl.cfg

            Generating a 1024 bit RSA private key

            .....++++++

            ...............++++++

            writing new private key to 'raprivkey.pem'

            -


            Using configuration from C:\opt\OpenSSL-Win64\bin\openssl.cfg

            Check that the request matches the signature

            Signature ok

            Certificate Details:

                    Serial Number: 4933 (0x1345)

                    Validity

                        Not Before: Jul 23 07:09:01 2012 GMT

                        Not After : Jul 18 07:09:01 2032 GMT

                    Subject:

                        countryName               = US

                        stateOrProvinceName       = NY

                        organizationName          = Apache

                        organizationalUnitName    = NOT FOR PRODUCTION

                        commonName                = TheRA

                    X509v3 extensions:

                        X509v3 Basic Constraints:

                            CA:TRUE

            Certificate is to be certified until Jul 18 07:09:01 2032 GMT (7300 days)

             

            Write out database with 1 new entries

            Data Base Updated

            Using configuration from C:\opt\OpenSSL-Win64\bin\openssl.cfg

            Check that the request matches the signature

            Signature ok

            The stateOrProvinceName field needed to be the same in the

            CA certificate (NY) and the request (NY)

            Using configuration from C:\opt\OpenSSL-Win64\bin\openssl.cfg

            Check that the request matches the signature

            Signature ok

            The stateOrProvinceName field needed to be the same in the

            CA certificate (NY) and the request (NY)

            unable to load certificate

            2674688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE

            unable to load certificate

            2674688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE

            keytool error: java.lang.Exception: Certificate reply does not contain public key for

            Using configuration from C:\opt\OpenSSL-Win64\bin\openssl.cfg

            V       320718070901Z           1345    unknown /C=US/ST=NY/O=Apache/OU=NOT FOR PRODUCTION/CN=TheRA

            1 entries loaded from the database

            generating index

            Revoking Certificate 1345.

            Data Base Updated

            Using configuration from C:\opt\OpenSSL-Win64\bin\openssl.cfg

            R       320718070901Z   120723070903Z,keyCompromise     1345    unknown /C=US/ST=NY/O=Apache/OU=NOT FOR PRODUCTION/CN=TheRA

            1 entries loaded from the database

            generating index

            ./demoCA/crlnumber: No such file or directory

            error while loading CRL number

            2674688:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('./demoCA/crlnumber','rb')

            2674688:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:

            Certificate was added to keystore

             

            Keystore type: JKS

            Keystore provider: SUN

             

            Your keystore contains 1 entry

             

            Alias name: mykey

            Creation date: 2012-07-23

            Entry type: PrivateKeyEntry

            Certificate chain length: 1

            Certificate[1]:

            Owner: CN=Wibble, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US

            Issuer: CN=Wibble, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US

            Serial number: 500cf88e

            Valid from: Mon Jul 23 09:09:02 CEST 2012 until: Sun Oct 21 09:09:02 CEST 2012

            Certificate fingerprints:

                     MD5:  E6:44:52:CC:8F:C3:1B:28:71:02:F2:44:38:98:00:F6

                     SHA1: 1E:98:A3:CF:5A:E6:4A:24:32:E9:C4:BE:CD:3A:CE:0F:B3:91:AE:FF

                     Signature algorithm name: SHA1withDSA

                     Version: 3

             

             

            *******************************************

            *******************************************

             

             

             

            Keystore type: JKS

            Keystore provider: SUN

             

            Your keystore contains 1 entry

             

            Alias name: mykey

            Creation date: 2012-07-23

            Entry type: PrivateKeyEntry

            Certificate chain length: 1

            Certificate[1]:

            Owner: CN=Cherry, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US

            Issuer: CN=Cherry, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US

            Serial number: 500cf88e

            Valid from: Mon Jul 23 09:09:02 CEST 2012 until: Sun Oct 21 09:09:02 CEST 2012

            Certificate fingerprints:

                     MD5:  9A:85:40:61:1A:A0:BC:7D:F0:66:57:10:72:52:66:01

                     SHA1: AF:77:F5:4D:14:36:B9:83:6D:7C:D6:EA:27:EB:F4:DC:4F:1B:F7:71

                     Signature algorithm name: SHA1withDSA

                     Version: 3

             

             

            *******************************************

            *******************************************

             

             

             

            Keystore type: JKS

            Keystore provider: SUN

             

            Your keystore contains 1 entry

             

            Alias name: theca

            Creation date: 2012-07-23

            Entry type: trustedCertEntry

             

            Owner: C=US, ST=NY, O=Apache, OU=NOT FOR PRODUCTION, CN=TheCA

            Issuer: C=US, ST=NY, O=Apache, OU=NOT FOR PRODUCTION, CN=TheCA

            Serial number: 4d2

            Valid from: Mon Jul 23 09:09:01 CEST 2012 until: Sun Jul 18 09:09:01 CEST 2032

            Certificate fingerprints:

                     MD5:  DF:BC:B5:95:5A:9E:4C:F8:03:7A:01:F6:70:35:F8:46

                     SHA1: 12:1E:D1:2C:E6:34:D9:D5:99:66:29:B0:51:3D:EF:C9:1F:B6:AC:D2

                     Signature algorithm name: SHA1withRSA

                     Version: 3

             

            Extensions:

             

            #1: ObjectId: 2.5.29.14 Criticality=false

            SubjectKeyIdentifier [

            KeyIdentifier [

            0000: 66 34 E2 81 F5 61 EF D6   36 79 52 5F 7E 01 7B 7A  f4...a..6yR_...z

            0010: F3 26 D3 2D                                        .&.-

            ]

            ]

             

            #2: ObjectId: 2.5.29.19 Criticality=false

            BasicConstraints:[

              CA:true

              PathLen:2147483647

            ]

             

             

            #3: ObjectId: 2.5.29.35 Criticality=false

            AuthorityKeyIdentifier [

            KeyIdentifier [

            0000: 66 34 E2 81 F5 61 EF D6   36 79 52 5F 7E 01 7B 7A  f4...a..6yR_...z

            0010: F3 26 D3 2D                                        .&.-

            ]

             

            ]

             

             

             

            *******************************************

            *******************************************

             

             

            unable to load CRL

            2674688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: X509 CRL

             

            foobar@stk_101-TOSH /cygdrive/c/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/certs

             

             

            server log

            c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https>mvn -Pserver

            Scanning for projects...

            -


            Building WSDL first demo using HTTPS 2.4.3-fuse-01-02

            -


            --- cxf-codegen-plugin:2.4.3-fuse-01-02:wsdl2java (generate-sources) @ wsdl_first_https ---

            Using proxy server configured in maven.

            --- maven-antrun-plugin:1.4:run (copyxmlfiles) @ wsdl_first_https ---

            project.artifactId

            Executing tasks

            Executed tasks

            --- maven-resources-plugin:2.5:resources (default-resources) @ wsdl_first_https ---

            execute contextualize

            Using 'UTF-8' encoding to copy filtered resources.

            skip non existing resourceDirectory c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https\src\main\resources

            --- maven-compiler-plugin:2.3.1:compile (default-compile) @ wsdl_first_https ---

            Nothing to compile - all classes are up to date

            --- maven-resources-plugin:2.5:testResources (default-testResources) @ wsdl_first_https ---

            execute contextualize

            Using 'UTF-8' encoding to copy filtered resources.

            skip non existing resourceDirectory c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https\src\test\resources

            --- maven-compiler-plugin:2.3.1:testCompile (default-testCompile) @ wsdl_first_https ---

            No sources to compile

            --- maven-surefire-plugin:2.10:test (default-test) @ wsdl_first_https ---

            No tests to run.

            Surefire report directory: c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https\target\surefire-reports

             

            -


            T E S T S

            -


             

            Results :

             

            Tests run: 0, Failures: 0, Errors: 0, Skipped: 0

             

            --- exec-maven-plugin:1.2:exec (default) @ wsdl_first_https ---

            The server's security configuration will be taken from server.xml using the bean name : "GreeterImplPort.http-destination".

             

            Starting Server

            2012-07-23 09:18:45 org.springframework.context.support.AbstractApplicationContext prepareRefresh

            INFO: Refreshing org.apache.cxf.bus.spring.BusApplicationContext@80d3d6f: startup date ; root of context hierarchy

            2012-07-23 09:18:46 org.apache.cxf.bus.spring.BusApplicationContext getConfigResources

            INFO: Loaded configuration file file:/C:/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/target/classes/demo/hw_https/server/CherryServer.xml.

            2012-07-23 09:18:46 org.springframework.beans.factory.xml.XmlBeanDefinitionReader loadBeanDefinitions

            INFO: Loading XML bean definitions from class path resource

            2012-07-23 09:18:46 org.springframework.beans.factory.xml.XmlBeanDefinitionReader loadBeanDefinitions

            INFO: Loading XML bean definitions from URL file:/C:/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/target/classes/demo/hw_https/server/CherryServer.xml

            2012-07-23 09:18:47 org.springframework.beans.factory.support.DefaultListableBeanFactory preInstantiateSingletons

            INFO: Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@63a5ec6c: defining beans [cxf,org.apache.cxf.bus.spring.BusWiringBeanFactoryPo

            stProcessor,org.apache.cxf.bus.spring.Jsr250BeanPostProcessor,org.apache.cxf.bus.spring.BusExtensionPostProcessor,GreeterPort.http-destination,o

            rg.apache.cxf.transport.http_jetty.spring.JettySpringTypesFactory,org.apache.cxf.transport.http_jetty.JettyHTTPServerEngineFactory]; root of factory hierarchy

            2012-07-23 09:18:47 org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromWSDL

            INFO: Creating Service SOAPService from WSDL: file:./wsdl/hello_world.wsdl

            2012-07-23 09:18:48 org.apache.cxf.frontend.AbstractWSDLBasedEndpointFactory createEndpoint

            WARNING: Could not find endpoint/port for GreeterPort in wsdl. Using SoapPort.

            2012-07-23 09:18:48 org.apache.cxf.endpoint.ServerImpl initDestination

            INFO: Setting the server's publish address to be https://localhost:9001/SoapContext/SoapPort

            2012-07-23 09:18:48 org.eclipse.jetty.util.log.Slf4jLog info

            INFO: jetty-7.4.5.fuse20111017

            2012-07-23 09:18:48 org.eclipse.jetty.util.log.Slf4jLog info

            INFO: Started CXFJettySslSocketConnector@0.0.0.0:9001 STARTING

            2012-07-23 09:18:48 org.eclipse.jetty.util.log.Slf4jLog info

            INFO: started o.e.j.s.h.ContextHandler{/SoapContext,null}

            Server ready...

            2012-07-23 09:20:06 org.eclipse.jetty.util.log.Slf4jLog warn

            WARNING: 127.0.0.1:60379 javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

             

            client log

             

            C:\Users\jsitek>cd c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https

             

            c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https>mvn -Psecure.client

            Scanning for projects...

            -


            Building WSDL first demo using HTTPS 2.4.3-fuse-01-02

            -


            --- cxf-codegen-plugin:2.4.3-fuse-01-02:wsdl2java (generate-sources) @ wsdl_first_https ---

            Using proxy server configured in maven.

            --- maven-antrun-plugin:1.4:run (copyxmlfiles) @ wsdl_first_https ---

            project.artifactId

            Executing tasks

            Executed tasks

            --- maven-resources-plugin:2.5:resources (default-resources) @ wsdl_first_https ---

            execute contextualize

            Using 'UTF-8' encoding to copy filtered resources.

            skip non existing resourceDirectory c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https\src\main\resources

            --- maven-compiler-plugin:2.3.1:compile (default-compile) @ wsdl_first_https ---

            Nothing to compile - all classes are up to date

            --- maven-resources-plugin:2.5:testResources (default-testResources) @ wsdl_first_https ---

            execute contextualize

            Using 'UTF-8' encoding to copy filtered resources.

            skip non existing resourceDirectory c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https\src\test\resources

            --- maven-compiler-plugin:2.3.1:testCompile (default-testCompile) @ wsdl_first_https ---

            No sources to compile

            --- maven-surefire-plugin:2.10:test (default-test) @ wsdl_first_https ---

            No tests to run.

            Surefire report directory: c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https\target\surefire-reports

             

            -


            T E S T S

            -


             

            Results :

             

            Tests run: 0, Failures: 0, Errors: 0, Skipped: 0

             

            >>> exec-maven-plugin:1.2:java (default) @ wsdl_first_https >>>

            <<< exec-maven-plugin:1.2:java (default) @ wsdl_first_https <<<

            --- exec-maven-plugin:1.2:java (default) @ wsdl_first_https ---

            2012-07-23 09:20:04 org.springframework.context.support.AbstractApplicationContext prepareRefresh

            INFO: Refreshing org.apache.cxf.bus.spring.BusApplicationContext@77ed2061: startup date ; root of context hierarchy

            2012-07-23 09:20:04 org.apache.cxf.bus.spring.BusApplicationContext getConfigResources

            INFO: Loaded configuration file file:/c:/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/target/classes/demo/hw_https/client/WibbleClient.xml.

            2012-07-23 09:20:04 org.springframework.beans.factory.xml.XmlBeanDefinitionReader loadBeanDefinitions

            INFO: Loading XML bean definitions from class path resource

            2012-07-23 09:20:04 org.springframework.beans.factory.xml.XmlBeanDefinitionReader loadBeanDefinitions

            INFO: Loading XML bean definitions from URL [file:/c:/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/target/classes/demo/hw_https/client/WibbleClient

            2012-07-23 09:20:04 org.springframework.beans.factory.support.DefaultListableBeanFactory preInstantiateSingletons

            INFO: Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@6568f248: defining beans [cxf,org.apache.cxf.bus.spr

            stProcessor,org.apache.cxf.bus.spring.Jsr250BeanPostProcessor,org.apache.cxf.bus.spring.BusExtensionPostProcessor,Soap

            f factory hierarchy

            file:/c:/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/wsdl/hello_world.wsdl

            2012-07-23 09:20:05 org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromWSDL

            INFO: Creating Service SOAPService from WSDL: file:/c:/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/wsdl/h

            Invoking greetMe...

            2012-07-23 09:20:06 org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging

            WARNING: Interceptor for SOAPService#greetMe has thrown exception, unwinding

            org.apache.cxf.interceptor.Fault: Could not send Message.

                    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)

                    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)

                    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531)

                    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:461)

                    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:364)

                    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:317)

                    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)

                    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)

                    at $Proxy37.greetMe(Unknown Source)

                    at demo.hw_https.client.Client.main(Client.java:77)

                    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

                    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

                    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

                    at java.lang.reflect.Method.invoke(Method.java:597)

                    at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:291)

                    at java.lang.Thread.run(Thread.java:662)

            Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://localhost:9001/SoapContext/SoapPort: sun.security.validator.ValidatorExc

            cate found

                    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

                    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)

                    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)

                    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)

                    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1430)

                    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1415)

                    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)

                    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:648)

                    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)

                    ... 15 more

            Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found

                    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)

                    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1731)

                    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)

                    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)

                    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)

                    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)

                    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)

                    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)

                    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)

                    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)

                    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1197)

                    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1181)

                    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)

                    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)

                    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1014)

                    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)

                    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1367)

                    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1309)

                    at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)

                    at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)

                    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1387)

                    ... 18 more

            Caused by: sun.security.validator.ValidatorException: No trusted certificate found

                    at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:330)

                    at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:110)

                    at sun.security.validator.Validator.validate(Validator.java:218)

                    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)

                    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)

                    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)

                    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)

                    ... 34 more

            Invocation failed with the following: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://localhost:9001/SoapContext/SoapPort: sun.secu

            ception: No trusted certificate found

             

            c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https>
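The keystore listings above show the symptom directly: the mykey entry is a PrivateKeyEntry whose Owner and Issuer are identical with a chain length of 1, i.e. still the self-signed certificate that keytool -genkeypair created, and the earlier "Certificate reply does not contain public key" error is the most likely point at which the CA-signed reply failed to replace it. The script below is an added example, not code from the post, Fuse or CXF: it parses the text that `keytool -list -v` prints and flags such entries, plus MD5/SHA-1 signature algorithms (deprecated for certificate signatures). SAMPLE_LISTING is constructed: the mykey and theca entries are trimmed copies of the listings above, and the "server" entry is an invented healthy one for contrast; the function names are this example's own.

```python
"""Audit `keytool -list -v` output for self-signed private-key entries and weak signature algorithms.

Added example, not code from the original post, Fuse or CXF. SAMPLE_LISTING is constructed:
mykey and theca are trimmed from the listings in the post, "server" is invented.
"""

SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Cherry, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US
Issuer: CN=Cherry, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US
Valid from: Mon Jul 23 09:09:02 CEST 2012 until: Sun Oct 21 09:09:02 CEST 2012
         Signature algorithm name: SHA1withDSA

*******************************************

Alias name: theca
Entry type: trustedCertEntry
Owner: C=US, ST=NY, O=Apache, OU=NOT FOR PRODUCTION, CN=TheCA
Issuer: C=US, ST=NY, O=Apache, OU=NOT FOR PRODUCTION, CN=TheCA
Valid from: Mon Jul 23 09:09:01 CEST 2012 until: Sun Jul 18 09:09:01 CEST 2032
         Signature algorithm name: SHA1withRSA

*******************************************

Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=localhost, OU=testOU, O=testO, ST=Warsaw, C=PL
Issuer: C=US, ST=NY, O=Apache, OU=NOT FOR PRODUCTION, CN=TheCA
         Signature algorithm name: SHA256withRSA
Certificate[2]:
Owner: C=US, ST=NY, O=Apache, OU=NOT FOR PRODUCTION, CN=TheCA
Issuer: C=US, ST=NY, O=Apache, OU=NOT FOR PRODUCTION, CN=TheCA
         Signature algorithm name: SHA1withRSA
"""

# Prefix printed by keytool -> key in the parsed entry.
FIELDS = {"Entry type:": "type", "Certificate chain length:": "chain_length",
          "Owner:": "owner", "Issuer:": "issuer", "Signature algorithm name:": "sigalg"}
WEAK_SIGALG = ("MD5", "SHA1")   # deprecated for certificate signatures; flagged wherever seen


def parse_listing(text):
    """One dict per alias. For a chain, only Certificate[1] (the leaf) fields are kept."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            entries.append({"alias": line.split(":", 1)[1].strip()})
            continue
        if not entries:
            continue                                    # keystore header before the first alias
        for prefix, key in FIELDS.items():
            if line.startswith(prefix):
                entries[-1].setdefault(key, line[len(prefix):].strip())   # first occurrence wins
    return entries


def audit(entries):
    """Map alias -> list of findings; an empty list means the entry looks sane."""
    report = {}
    for e in entries:
        findings = []
        if e.get("type") == "PrivateKeyEntry":          # a root CA in a trustedCertEntry is self-issued by design
            if e.get("owner") == e.get("issuer"):
                findings.append("self-signed leaf: no CA-signed certificate reply was imported for this alias")
            if int(e.get("chain_length", "1")) < 2:
                findings.append("chain length 1: the keystore holds no issuer certificate for this key")
        if e.get("sigalg", "").upper().startswith(WEAK_SIGALG):
            findings.append(f"weak signature algorithm {e['sigalg']}")
        report[e["alias"]] = findings
    return report


def audit_text(text):
    """Convenience wrapper: feed it the text of `keytool -list -v -keystore <file>`."""
    return audit(parse_listing(text))


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LISTING
    for alias, findings in audit_text(source).items():
        print(alias + (": OK" if not findings else ""))
        for finding in findings:
            print("  -", finding)
```

Save the listing (`keytool -list -v -keystore serverKeystore.jks -storepass ... > listing.txt`) and pass the file as the first argument; with no argument the constructed sample is audited. An entry that comes back with "self-signed leaf" is the state in which a browser reports the certificate as issued by itself, regardless of what the CA signed.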

            • 3. Re: generating https certificates
              jjakub

              please try to execute these 3 commands on your computer:

               

              gencerts.sh

              c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https>mvn -Pserver

              c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https>mvn -Psecure.client

              • 4. Re: generating https certificates
                ffang

                Hi,

                 

                You need to take a look at the README.txt of samples/wsdl_first_https to get more details on how to run it.

                More specifically

                In separate windows:

                  mvn -Pserver (starts the server)

                  mvn -Pinsecure.client (runs the client in insecure mode, Scenario 1)

                  mvn -Psecure.client (runs the client in secure mode, Scenario 2)

                  mvn -Pinsecure.client.non.spring (runs the client in insecure mode without Spring configuration, Scenario 3)

                  mvn -Psecure.client.non.spring (runs the client in secure mode without Spring configuration, Scenario 4)

                  mvn clean (removes all generated and compiled classes)

                There's no mvn -Pclient at all.

                Also you need to be in the certs folder to run gencerts.sh, something like

                        cd certs

                        sh ../bin/gencerts.sh

                 

                Btw, I just tried the 2.4.3-fuse-01-02 kit; wsdl_first_https/gencerts.sh works on my machine.

                 

                Freeman

                • 5. Re: generating https certificates
                  jjakub

                  yes, I did it as written in the readme,

                  cd certs

                  sh ../bin/gencerts.sh

                  In separate windows:

                  mvn -Pserver (starts the server)

                  mvn -Psecure.client (runs the client in secure mode, Scenario 2)

                   

                  If I run the server and client against the default certs they run OK,

                  but if I run them against my generated certs there is an error;

                  when I look at https://localhost:9001/SoapContext/SoapPort in Firefox I see that the cert is issued by Cherry for Cherry, not by the CA.

                  Have you also tried running the server and secure client, or only gencerts.sh?

                  • 6. Re: generating https certificates
                    jjakub

                    here I enclose my generated certs

                    • 7. Re: generating https certificates
                      ffang

                      Hi,

                       

                      Yeah, I tried the server and secure client after regenerating the certs using gencerts.sh, and it works for me.

                      I guess it's related to the Cygwin you're using.

                      Could you run the script on a Linux machine and copy the certs folder back to your Windows machine, to see if it makes any difference?

                       

                      Freeman

                      • 8. Re: generating https certificates
                        jjakub

                        here I enclose a screenshot of how Firefox sees this cert

                        • 9. Re: generating https certificates
                          ffang

                          Hi,

                           

                          I saw some file/folder permission problems when extracting certs.tgz; I think it may be related to the problem you encountered.

                           

                          You need to ensure all files/folders in the certs folder are readable by you.

                           

                          Also you can try to generate the certs on a Linux machine and copy them back to your Windows machine; if that works we know something goes wrong when using Cygwin to run the script.

                           

                          Freeman

                          • 10. Re: generating https certificates
                            jjakub

                            yesterday I ran gencerts.sh from the CXF distribution (not from Fuse) on Linux and I got the same error;

                            it seems to me that Konqueror could see that the cert was issued by the CA, but Firefox under Linux could not, and the client was also failing. I will try it again on Linux in about 13 hours; right now I have no Linux available.

                             

                             

                            do you also get the following error at the end of the script?

                             

                            *******************************************

                            *******************************************

                             

                             

                            unable to load CRL

                            2674688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: X509 CRL

                             

                            as far as I remember I also got something similar under Linux

                            • 11. Re: generating https certificates
                              jjakub

                              great, thanks for the help; under Linux it works well both on cxf-2.6.1 and on cxf-2.4.3-fuse-01-02

                              • 12. Re: generating https certificates
                                njiang

                                As your cert is not signed by a CA which your browser trusts by default, you will see a warning like that. If you want to get rid of the warning, you need to get your cert signed by one of those CAs, and it will cost you some money.

                                 

                                Willem