Thursday, June 4, 2015

Debugging the SSL Issues in Linux

First of all the JVM Needs to start in the Debug mode as many servers report the errors vaguely. It is better to start in Debug mode

Add the JVM parameter

-Djavax.net.debug=all

After that before Even trying to run the transaction try to connect the server with the
certificate using openssl

openssl s_client -showcerts -connect 10.24.256.69:443

If the certificate is present it shows the last statement as

Verify return code: 0 (ok)

Check the link below for a more detailed tutorial.

http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate/


If for some reason is receiving an error

OpenSSL: socket: Connection refused connect:errno=111

It means that the PORT might be wrong in the connection. So we need to find the right port on which https is running. This can be done using nmap

So what u do is

nmap -sS 10.24.256.69

sample output for above command 

Host is up (0.0051s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE

443/tcp open  https

and we can identify the port as 443.

Try the first command again with right port.


Once you have the certificate listed, you can check the expiration date with this command

$ echo | openssl s_client -connect 10.24.256.69:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Jun 19 12:44:04 2013 GMT
notAfter=Oct 31 23:59:59 2013 GMT

Check this link for more details

http://www.shellhacks.com/en/HowTo-Check-SSL-Certificate-Expiration-Date-from-the-Linux-Shell

or do this to extract all the information

$ echo | openssl s_client -connect 10.24.256.69:443 2>/dev/null | openssl x509 -noout -text


So if you get any other error which means you have to import the certificate, here is the easy way to do it

Information  On Certificates and Formats

NOTE: Only way to tell the difference between PEM .cer and DER .cer is to open the file in a Text editor and look for the BEGIN/END statements.
PEM Format
It is the most common format that Certificate Authorities issue certificates in. It contains the ‘—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–” statements.
Several PEM certificates and even the Private key can be included in one file, one below the other. But most platforms(eg:- Apache) expects the certificates and Private key to be in separate files.
> They are Base64 encoded ACII files
> They have extensions such as .pem, .crt, .cer, .key
> Apache and similar servers uses PEM format certificates
DER Format
It is a Binary form of ASCII PEM format certificate. All types of Certificates & Private Keys can be encoded in DER format
> They are Binary format files
> They have extensions .cer & .der
> DER is typically used in Java platform
P7B/PKCS#7
They contain “—–BEGIN PKCS—–” & “—–END PKCS7—–” statements. It can contain only Certificates & Chain certificates but not the Private key.
> They are Base64 encoded ASCII files
> They have extensions .p7b, .p7c
> Several platforms supports it. eg:- Windows OS, Java Tomcat
PFX/PKCS#12
They are used for storing the Server certificate, any Intermediate certificates & Private key in one encryptable file.
> They are Binary format files
> They have extensions .pfx, .p12
> Typically used on Windows OS to import and export certificates and Private keys

Check this link for more Details

https://myonlineusb.wordpress.com/2011/06/19/how-to-convert-certificates-between-pem-der-p7bpkcs7-pfxpkcs12/

Importing a Certificate

openssl s_client -showcerts -connect 10.24.256.69:443 | openssl x509 -outform PEM > mycertfile.pem

You have the pem file in the same location

Convert it to der to import to JKS

openssl x509 -outform der -in certificate.pem -out certificate.der

Edit the below command with your specific values to import .der  to JKS keystore

keytool -import -alias your-alias -keystore cacerts -file certificate.der


copied from link

https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them

DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them

Certificates and Encodings

At its core an X.509 certificate is a digital document that has been encoded and/or digitally signed according to RFC 5280.
In fact, the term X.509 certificate usually refers to the IETF’s PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 5280, commonly referred to as PKIX for Public Key Infrastructure (X.509).

X509 File Extensions

The first thing we have to understand is what each type of file extension is.   There is a lot of confusion about what DER, PEM, CRT, and CER are and many have incorrectly said that they are all interchangeable.  While in certain cases some can be interchanged the best practice is to identify how your certificate is encoded and then label it correctly.  Correctly labeled certificates will be much easier to manipulat

Encodings (also used as extensions)

  • .DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension.   Proper English usage would be “I have a DER encoded certificate” not “I have a DER certificate”.
  • .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “—– BEGIN …” line.

Common Extensions

  • .CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous.  Most common among *nix systems
  • CER = alternate form of .crt (Microsoft Convention) You can use MS to convert .crt to .cer (.both DER encoded .cer, or base64[PEM] encoded .cer)  The .cer file extension is also recognized by IE as a command to run a MS cryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.
  • .KEY = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.
The only time CRT and CER can safely be interchanged is when the encoding type can be identical.  (ie  PEM encoded CRT = PEM encoded CER)

No comments:

Post a Comment