1 Reply Latest reply on Jan 16, 2020 11:03 AM by Farah Juma

    Unable to determine if the certificate is trusted.

    Carla Crispi Newbie

      Hi all,

      I'd like to automate the installation of mutual SSL for HTTP using security enable-ssl-http-server command in the CLI:

       

      security enable-ssl-http-server --key-store-path=server.keystore --key-store-password=secret --trusted-certificate-path=client.crt --trust-store-file-password=secret
      Server reloaded.
      
      ERROR, security changes have not been applied.
      Failed action: Importing certificate /home/jboss/wildfly-18.0.1.Final/bin/public.cert in trust-store trust-store-18da8404-7935-4907-826f-db3905e3b017
      Cause: WFLYELY01040: Unable to determine if the certificate is trusted. Inspect the certificate carefully and if it is valid, execute import-certificate again with validate set to false.

       

      is it a misconfiguration of the command security enable-ssl-http-server? Have I missed any parameter therefore validation fails?

      I've created the file client.crt as follows:

       

      keytool -genkey -keystore client.keystore -storepass secret -validity 365 -keyalg RSA -keysize 2048 -storetype pkcs12 -dname "cn=Desktop user,o=Acme,c=GB"
      keytool -exportcert -keystore client.keystore  -storetype pkcs12 -storepass secret -keypass secret -file client.crt

       

      Any idea?

      Thanks

       

      EDIT: the following error is displayed in the logs:

      Caused by: javax.net.ssl.SSLHandshakeException: null cert chain
      at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
      at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647)
      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:306)
      at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1939)
      at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:232)
      at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
      at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
      at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
      at java.security.AccessController.doPrivileged(Native Method)
      at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
      at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1072)
      at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
      at java.lang.Thread.run(Thread.java:748)
        • 1. Re: Unable to determine if the certificate is trusted.
          Farah Juma Expert

          By default, the enable-ssl-http-server command will try to validate that the client certificate being imported is really trusted. It does this by attempting to build a chain of trust from the certificate to a self-signed certificate belonging to a root CA. Since the certificate being used here was not issued by a trusted certificate authority, validation fails. If you want to use this certificate anyway, the no-trusted-certificate-validation option can be passed to the enable-ssl-http-server command to disable validation.