12 Replies Latest reply on Jul 24, 2012 8:10 PM by njiang

generating https certificates

jjakub Jul 22, 2012 6:46 PM

Hallo

I use 4.4.1-fuse-06-03 , with cxf https via etc\pax.web...

I have problem in generating server https cert

I create ca certificate as written here:

http://fusesource.com/docs/framework/2.4/security/i305191.html

and then create server cert as written here:

http://fusesource.com/docs/framework/2.4/security/i382664.html

but firefox see this certificate as self signed cert, issuead by localhost for localhost,

it cannot see it as signed by my own ca,

I think it is not problem of smx or cxf but of openssl or keytool,

I suppose there could be some change in openssl and keytool since this tutorial was written and now they might work different,

could somebody try to use this tutorial exactly as written in above links and check if it works ?

if it work, please include Your commands as script, here is what I have done:

(when there are many similar wersions I did all of them):

del server.chain

del caJsi.jks

del server.pem

del serverKeystore*

del server_csr.pem

del X509CA\ca\new*

del X509CA\certs\*

del X509CA\newcerts\0*

del X509CA\crl\*

rmdir X509CA\ca

rmdir X509CA\certs

rmdir X509CA\newcerts

rmdir X509CA\crl

del X509CA\index*

del X509CA\serial*

dir

dir X509CA\

mkdir X509CA

mkdir X509CA\ca

mkdir X509CA\certs

mkdir X509CA\newcerts

mkdir X509CA\crl

cd X509CA

echo 01 > serial

click Yes, and close Notepad.

notepad index.txt

cd ..

password password

Create a self-signed CA certificate and private key

Create a new self-signed CA certificate and private key with the following command:

openssl req -x509 -new -config X509CA\openssl.cfg -days 365 -out X509CA\ca\new_ca.pem -keyout X509CA\ca\new_ca_pk.pem

=====================

Generate a certificate and private key pair

Open a command prompt and change directory to the directory where you store your keystore files, KeystoreDir. Enter the following command:

keytool -genkeypair -dname "CN=localhost, OU=testOU, O=testO, ST=Warsaw, C=PL" -validity 365 -v -alias serverAlias -keypass serverPassword -keystore serverKeystore.jks -storepass serverPassword

keytool -importcert -alias cacertAlias -file X509CA\ca\new_ca.pem -trustcacerts -keystore serverKeystore.jks -storepass serverPassword

keytool -importcert -file X509CA\ca\new_ca.pem -trustcacerts -keystore serverKeystore.jks -storepass serverPassword

Create a certificate signing request

Create a new certificate signing request (CSR) for the serverKeystore.jks certificate, as follows:

keytool -certreq -alias serverAlias -file server_csr.pem -keypass serverPassword -keystore serverKeystore.jks -storepass serverPassword

Sign the CSR

Sign the CSR using your CA, as follows:

openssl ca -config X509CA\openssl.cfg -days 365 -in server_csr.pem -out server.pem

Convert to PEM format

Convert the signed certificate, server.pem, to PEM only format, as follows:

openssl x509 -in server.pem -out server.pem -outform PEM

Concatenate the files

Concatenate the CA certificate file and server.pem certificate file, as follows:

copy server.pem + X509CA\ca\new_ca.pem server.chain

Update keystore with the full certificate chain

Update the keystore, serverKeystore.jks, by importing the full certificate chain for the certificate, as follows:

keytool -importcert -file server.chain -alias serverAlias -keypass serverPassword -keystore serverKeystore.jks -storepass serverPassword

keytool -importcert -file server.chain -keypass serverPassword -keystore serverKeystore.jks -storepass serverPassword

keytool -importcert -file server.chain -keypass serverPassword -keystore serverKeystore2.jks -storepass serverPassword

keytool -importcert -file server.chain -alias serverAlias -keypass serverPassword -keystore serverKeystoreAlias.jks -storepass serverPassword

copy serverKeystore.jks C:\opt\apache-servicemix-4.4.1-fuse-06-03\etc\

thx and regards

camel

1. Re: generating https certificates

ffang Jul 22, 2012 7:40 PM (in response to jjakub)

Hi,

Just a quick notes, there's a gencerts.sh shell script in Fuse Services Framework kit samples/wsdl_first_https/bin which can generate all necessary certs automatically for you, you may need take a look.

Freeman
Actions
2. Re: generating https certificates

jjakub Jul 23, 2012 4:02 AM (in response to ffang)

here are logs of executing 3 commands
gencerts.sh (in cygwin under windows)
c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https>mvn -Pserver
c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https>mvn -Psecure.client

$ ../bin/gencerts.sh
Using configuration from C:\opt\OpenSSL-Win64\bin\openssl.cfg
Generating a 1024 bit RSA private key
..................++++++
....++++++
writing new private key to 'caprivkey.pem'
-
Using configuration from C:\opt\OpenSSL-Win64\bin\openssl.cfg
Generating a 1024 bit RSA private key
.....++++++
...............++++++
writing new private key to 'raprivkey.pem'
-
Using configuration from C:\opt\OpenSSL-Win64\bin\openssl.cfg
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4933 (0x1345)
        Validity
            Not Before: Jul 23 07:09:01 2012 GMT
            Not After : Jul 18 07:09:01 2032 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = NY
            organizationName          = Apache
            organizationalUnitName    = NOT FOR PRODUCTION
            commonName                = TheRA
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Jul 18 07:09:01 2032 GMT (7300 days)

Write out database with 1 new entries
Data Base Updated
Using configuration from C:\opt\OpenSSL-Win64\bin\openssl.cfg
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (NY) and the request (NY)
Using configuration from C:\opt\OpenSSL-Win64\bin\openssl.cfg
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (NY) and the request (NY)
unable to load certificate
2674688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
unable to load certificate
2674688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
keytool error: java.lang.Exception: Certificate reply does not contain public key for
Using configuration from C:\opt\OpenSSL-Win64\bin\openssl.cfg
V       320718070901Z           1345    unknown /C=US/ST=NY/O=Apache/OU=NOT FOR PRODUCTION/CN=TheRA
1 entries loaded from the database
generating index
Revoking Certificate 1345.
Data Base Updated
Using configuration from C:\opt\OpenSSL-Win64\bin\openssl.cfg
R       320718070901Z   120723070903Z,keyCompromise     1345    unknown /C=US/ST=NY/O=Apache/OU=NOT FOR PRODUCTION/CN=TheRA
1 entries loaded from the database
generating index
./demoCA/crlnumber: No such file or directory
error while loading CRL number
2674688:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('./demoCA/crlnumber','rb')
2674688:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
Certificate was added to keystore

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: mykey
Creation date: 2012-07-23
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Wibble, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US
Issuer: CN=Wibble, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US
Serial number: 500cf88e
Valid from: Mon Jul 23 09:09:02 CEST 2012 until: Sun Oct 21 09:09:02 CEST 2012
Certificate fingerprints:
         MD5: E6:44:52:CC:8F:C3:1B:28:71:02:F2:44:38:98:00:F6
         SHA1: 1E:98:A3:CF:5A:E6:4A:24:32:E9:C4:BE:CD:3A:CE:0F:B3:91:AE:FF
         Signature algorithm name: SHA1withDSA
         Version: 3

*******************************************
*******************************************

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: mykey
Creation date: 2012-07-23
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Cherry, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US
Issuer: CN=Cherry, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US
Serial number: 500cf88e
Valid from: Mon Jul 23 09:09:02 CEST 2012 until: Sun Oct 21 09:09:02 CEST 2012
Certificate fingerprints:
         MD5: 9A:85:40:61:1A:A0:BC:7D:F0:66:57:10:72:52:66:01
         SHA1: AF:77:F5:4D:14:36:B9:83:6D:7C:D6:EA:27:EB:F4:DC:4F:1B:F7:71
         Signature algorithm name: SHA1withDSA
         Version: 3

*******************************************
*******************************************

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: theca
Creation date: 2012-07-23
Entry type: trustedCertEntry

Owner: C=US, ST=NY, O=Apache, OU=NOT FOR PRODUCTION, CN=TheCA
Issuer: C=US, ST=NY, O=Apache, OU=NOT FOR PRODUCTION, CN=TheCA
Serial number: 4d2
Valid from: Mon Jul 23 09:09:01 CEST 2012 until: Sun Jul 18 09:09:01 CEST 2032
Certificate fingerprints:
         MD5: DF:BC:B5:95:5A:9E:4C:F8:03:7A:01:F6:70:35:F8:46
         SHA1: 12:1E:D1:2C:E6:34:D9:D5:99:66:29:B0:51:3D:EF:C9:1F:B6:AC:D2
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 66 34 E2 81 F5 61 EF D6   36 79 52 5F 7E 01 7B 7A f4...a..6yR_...z
0010: F3 26 D3 2D                                        .&.-
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 66 34 E2 81 F5 61 EF D6   36 79 52 5F 7E 01 7B 7A f4...a..6yR_...z
0010: F3 26 D3 2D                                        .&.-
]

]

*******************************************
*******************************************

unable to load CRL
2674688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: X509 CRL

foobar@stk_101-TOSH /cygdrive/c/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/certs

server log
c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https>mvn -Pserver
Scanning for projects...
-
Building WSDL first demo using HTTPS 2.4.3-fuse-01-02
-
--- cxf-codegen-plugin:2.4.3-fuse-01-02:wsdl2java (generate-sources) @ wsdl_first_https ---
Using proxy server configured in maven.
--- maven-antrun-plugin:1.4:run (copyxmlfiles) @ wsdl_first_https ---
project.artifactId
Executing tasks
Executed tasks
--- maven-resources-plugin:2.5:resources (default-resources) @ wsdl_first_https ---
execute contextualize
Using 'UTF-8' encoding to copy filtered resources.
skip non existing resourceDirectory c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https\src\main\resources
--- maven-compiler-plugin:2.3.1:compile (default-compile) @ wsdl_first_https ---
Nothing to compile - all classes are up to date
--- maven-resources-plugin:2.5:testResources (default-testResources) @ wsdl_first_https ---
execute contextualize
Using 'UTF-8' encoding to copy filtered resources.
skip non existing resourceDirectory c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https\src\test\resources
--- maven-compiler-plugin:2.3.1:testCompile (default-testCompile) @ wsdl_first_https ---
No sources to compile
--- maven-surefire-plugin:2.10:test (default-test) @ wsdl_first_https ---
No tests to run.
Surefire report directory: c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https\target\surefire-reports

-
T E S T S
-

Results :

Tests run: 0, Failures: 0, Errors: 0, Skipped: 0

--- exec-maven-plugin:1.2:exec (default) @ wsdl_first_https ---
The server's security configuration will be taken from server.xml using the bean name : "GreeterImplPort.http-destination".

Starting Server
2012-07-23 09:18:45 org.springframework.context.support.AbstractApplicationContext prepareRefresh
INFO: Refreshing org.apache.cxf.bus.spring.BusApplicationContext@80d3d6f: startup date ; root of context hierarchy
2012-07-23 09:18:46 org.apache.cxf.bus.spring.BusApplicationContext getConfigResources
INFO: Loaded configuration file file:/C:/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/target/classes/demo/hw_https/server/CherryServer.xml.
2012-07-23 09:18:46 org.springframework.beans.factory.xml.XmlBeanDefinitionReader loadBeanDefinitions
INFO: Loading XML bean definitions from class path resource
2012-07-23 09:18:46 org.springframework.beans.factory.xml.XmlBeanDefinitionReader loadBeanDefinitions
INFO: Loading XML bean definitions from URL file:/C:/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/target/classes/demo/hw_https/server/CherryServer.xml
2012-07-23 09:18:47 org.springframework.beans.factory.support.DefaultListableBeanFactory preInstantiateSingletons
INFO: Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@63a5ec6c: defining beans [cxf,org.apache.cxf.bus.spring.BusWiringBeanFactoryPo
stProcessor,org.apache.cxf.bus.spring.Jsr250BeanPostProcessor,org.apache.cxf.bus.spring.BusExtensionPostProcessor,GreeterPort.http-destination,o
rg.apache.cxf.transport.http_jetty.spring.JettySpringTypesFactory,org.apache.cxf.transport.http_jetty.JettyHTTPServerEngineFactory]; root of factory hierarchy
2012-07-23 09:18:47 org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromWSDL
INFO: Creating Service SOAPService from WSDL: file:./wsdl/hello_world.wsdl
2012-07-23 09:18:48 org.apache.cxf.frontend.AbstractWSDLBasedEndpointFactory createEndpoint
WARNING: Could not find endpoint/port for GreeterPort in wsdl. Using SoapPort.
2012-07-23 09:18:48 org.apache.cxf.endpoint.ServerImpl initDestination
INFO: Setting the server's publish address to be https://localhost:9001/SoapContext/SoapPort
2012-07-23 09:18:48 org.eclipse.jetty.util.log.Slf4jLog info
INFO: jetty-7.4.5.fuse20111017
2012-07-23 09:18:48 org.eclipse.jetty.util.log.Slf4jLog info
INFO: Started CXFJettySslSocketConnector@0.0.0.0:9001 STARTING
2012-07-23 09:18:48 org.eclipse.jetty.util.log.Slf4jLog info
INFO: started o.e.j.s.h.ContextHandler{/SoapContext,null}
Server ready...
2012-07-23 09:20:06 org.eclipse.jetty.util.log.Slf4jLog warn
WARNING: 127.0.0.1:60379 javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

client log

C:\Users\jsitek>cd c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https

c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https>mvn -Psecure.client
Scanning for projects...
-
Building WSDL first demo using HTTPS 2.4.3-fuse-01-02
-
--- cxf-codegen-plugin:2.4.3-fuse-01-02:wsdl2java (generate-sources) @ wsdl_first_https ---
Using proxy server configured in maven.
--- maven-antrun-plugin:1.4:run (copyxmlfiles) @ wsdl_first_https ---
project.artifactId
Executing tasks
Executed tasks
--- maven-resources-plugin:2.5:resources (default-resources) @ wsdl_first_https ---
execute contextualize
Using 'UTF-8' encoding to copy filtered resources.
skip non existing resourceDirectory c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https\src\main\resources
--- maven-compiler-plugin:2.3.1:compile (default-compile) @ wsdl_first_https ---
Nothing to compile - all classes are up to date
--- maven-resources-plugin:2.5:testResources (default-testResources) @ wsdl_first_https ---
execute contextualize
Using 'UTF-8' encoding to copy filtered resources.
skip non existing resourceDirectory c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https\src\test\resources
--- maven-compiler-plugin:2.3.1:testCompile (default-testCompile) @ wsdl_first_https ---
No sources to compile
--- maven-surefire-plugin:2.10:test (default-test) @ wsdl_first_https ---
No tests to run.
Surefire report directory: c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https\target\surefire-reports

-
T E S T S
-

Results :

Tests run: 0, Failures: 0, Errors: 0, Skipped: 0

>>> exec-maven-plugin:1.2:java (default) @ wsdl_first_https >>>
<<< exec-maven-plugin:1.2:java (default) @ wsdl_first_https <<<
--- exec-maven-plugin:1.2:java (default) @ wsdl_first_https ---
2012-07-23 09:20:04 org.springframework.context.support.AbstractApplicationContext prepareRefresh
INFO: Refreshing org.apache.cxf.bus.spring.BusApplicationContext@77ed2061: startup date ; root of context hierarchy
2012-07-23 09:20:04 org.apache.cxf.bus.spring.BusApplicationContext getConfigResources
INFO: Loaded configuration file file:/c:/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/target/classes/demo/hw_https/client/WibbleClient.xml.
2012-07-23 09:20:04 org.springframework.beans.factory.xml.XmlBeanDefinitionReader loadBeanDefinitions
INFO: Loading XML bean definitions from class path resource
2012-07-23 09:20:04 org.springframework.beans.factory.xml.XmlBeanDefinitionReader loadBeanDefinitions
INFO: Loading XML bean definitions from URL [file:/c:/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/target/classes/demo/hw_https/client/WibbleClient
2012-07-23 09:20:04 org.springframework.beans.factory.support.DefaultListableBeanFactory preInstantiateSingletons
INFO: Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@6568f248: defining beans [cxf,org.apache.cxf.bus.spr
stProcessor,org.apache.cxf.bus.spring.Jsr250BeanPostProcessor,org.apache.cxf.bus.spring.BusExtensionPostProcessor,Soap
f factory hierarchy
file:/c:/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/wsdl/hello_world.wsdl
2012-07-23 09:20:05 org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromWSDL
INFO: Creating Service SOAPService from WSDL: file:/c:/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/wsdl/h
Invoking greetMe...
2012-07-23 09:20:06 org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for SOAPService#greetMe has thrown exception, unwinding
org.apache.cxf.interceptor.Fault: Could not send Message.
        at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:461)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:364)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:317)
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
        at $Proxy37.greetMe(Unknown Source)
        at demo.hw_https.client.Client.main(Client.java:77)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:291)
        at java.lang.Thread.run(Thread.java:662)
Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://localhost:9001/SoapContext/SoapPort: sun.security.validator.ValidatorExc
cate found
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1430)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1415)
        at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
        at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:648)
        at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
        ... 15 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1731)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1197)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1181)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1014)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1367)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1309)
        at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
        at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1387)
        ... 18 more
Caused by: sun.security.validator.ValidatorException: No trusted certificate found
        at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:330)
        at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:110)
        at sun.security.validator.Validator.validate(Validator.java:218)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
        ... 34 more
Invocation failed with the following: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://localhost:9001/SoapContext/SoapPort: sun.secu
ception: No trusted certificate found

c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https>
Actions
3. Re: generating https certificates

jjakub Jul 23, 2012 4:01 AM (in response to ffang)

please try to execute this 3 commands on Your computer:

gencerts.sh
c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https>mvn -Pserver
c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https>mvn -Psecure.client
Actions
4. Re: generating https certificates

ffang Jul 23, 2012 4:14 AM (in response to jjakub)

Hi,

You need take a look at the README.txt of samples/wsdl_first_https to get more details how to run it.
More specifically
In separate windows:
mvn -Pserver (starts the server)
mvn -Pinsecure.client (runs the client in insecure mode, Scenario 1)
mvn -Psecure.client (runs the client in secure mode, Scenario 2)
mvn -Pinsecure.client.non.spring (runs the client in insecure mode without Spring configuration, Scenario 3)
mvn -Psecure.client.non.spring (runs the client in secure mode without Spring configuration, Scenario 4)
mvn clean (removes all generated and compiled classes)"
There's no mvn -Pclient at all.
Also you need in certs folder to run gencerts.sh, something like
cd certs
sh ../bin/gencerts.sh

Btw, I just tried the 2.4.3-fuse-01-02 kit, the wsdl_first_https/gencerts.sh works on my machine

Freeman
Actions
5. Re: generating https certificates

jjakub Jul 23, 2012 4:39 AM (in response to ffang)

yes, I did it as written in readme,
cd certs
sh ../bin/gencerts.sh
In separate windows:
mvn -Pserver (starts the server)
mvn -Psecure.client (runs the client in secure mode, Scenario 2)

If I run server and client against default certs they run ok,
but if I run them against my generated certs there is error,
when I look into https://localhost:9001/SoapContext/SoapPort in firefox I see that the cert is issued by cherry for cherry, not by ca,
have You also tried running server and secure client, or only gencerts.sh?
Actions
6. Re: generating https certificates

jjakub Jul 23, 2012 4:43 AM (in response to ffang)
here I enclose my generated certs

certs.tgz 7.7 KB
Actions
7. Re: generating https certificates

ffang Jul 23, 2012 4:51 AM (in response to jjakub)

Hi,

Yeah, I tried the server and secure client after regenerate certs using gencerts.sh , and it works for me.
I guess it's related to the cygwin you're using.
Could you run the script on a linux machine, and copy the certs folder back to your windows, to see if it can make any difference?

Freeman
Actions
8. Re: generating https certificates

jjakub Jul 23, 2012 4:51 AM (in response to ffang)
here I enclose screen of how firefox see this cert

cert-bmp.jpg 453.3 KB
Actions
9. Re: generating https certificates

ffang Jul 23, 2012 4:57 AM (in response to jjakub)

Hi,

I saw some file/folder permission problem when extract certs.tgz, I think it's may relate to the problem you encounter.

You need ensure all files/folders in certs folder is readable by yourself.

Also you can try to generate certs on linux machine and copy back to your windows, if it works we know it's something wrong when use cygwin to run the script.

Freeman
Actions
10. Re: generating https certificates

jjakub Jul 23, 2012 4:59 AM (in response to ffang)

yesterday I run gencerts.sh from the cxf distribution (not from fuse) on linux and I got the same error,
it seems to me, that konqueror could see that cert was issued by ca, but firefox under linux not, and the client was also failing, I will try it again on linux in about 13 hours, now I have no linux available

do You also get at end of script following error?

*******************************************
*******************************************

unable to load CRL
2674688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: X509 CRL

as far as I remember I also get something similar under linux
Actions
11. Re: generating https certificates

jjakub Jul 23, 2012 6:10 PM (in response to ffang)

great thanks for help, under linux it works good both on cxf-2.6.1 and on cxf-2.4.3-fuse-01-02
Actions
12. Re: generating https certificates

njiang Jul 24, 2012 8:10 PM (in response to jjakub)

As your cert is not signed by the CA which your browser trust by default, you will see the warning like that. If you want to get ride of the warning, you need to let your cert signed by those CA, and it will cost you some money.

Willem
Actions

Go to original post