Debugging the SSL Issues in Linux

First of all the JVM Needs to start in the Debug mode as many servers report the errors vaguely. It is better to start in Debug mode

Add the JVM parameter

-Djavax.net.debug=all

After that before Even trying to run the transaction try to connect the server with the
certificate using openssl

openssl s_client -showcerts -connect 10.24.256.69:443

If the certificate is present it shows the last statement as

Verify return code: 0 (ok)

 Check the link below for a more detailed tutorial.

http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate/


If for some reason is receiving an error

OpenSSL: socket: Connection refused connect:errno=111

It means that the PORT might be wrong in the connection. So we need to find the right port on which https is running. This can be done using nmap

So what u do is

nmap -sS 10.24.256.69

 sample output for above command 

 Host is up (0.0051s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE

443/tcp open  https

 and we can identify the port as 443.

 Try the first command again with right port.


Once you have the certificate listed, you can check the expiration date with this command

$ echo | openssl s_client -connect 10.24.256.69:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Jun 19 12:44:04 2013 GMT
notAfter=Oct 31 23:59:59 2013 GMT

Check this link for more details

http://www.shellhacks.com/en/HowTo-Check-SSL-Certificate-Expiration-Date-from-the-Linux-Shell

or do this to extract all the information

$ echo | openssl s_client -connect 10.24.256.69:443 2>/dev/null | openssl x509 -noout -text


So if you get any other error which means you have to import the certificate, here is the easy way to do it

Information  On Certificates and Formats

NOTE: Only way to tell the difference between PEM .cer and DER .cer is to open the file in a Text editor and look for the BEGIN/END statements.
PEM Format
It is the most common format that Certificate Authorities issue certificates in. It contains the ‘—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–” statements.
Several PEM certificates and even the Private key can be included in one file, one below the other. But most platforms(eg:- Apache) expects the certificates and Private key to be in separate files.
> They are Base64 encoded ACII files
> They have extensions such as .pem, .crt, .cer, .key
> Apache and similar servers uses PEM format certificates
DER Format
It is a Binary form of ASCII PEM format certificate. All types of Certificates & Private Keys can be encoded in DER format
> They are Binary format files
> They have extensions .cer & .der
> DER is typically used in Java platform
P7B/PKCS#7
They contain “—–BEGIN PKCS—–” & “—–END PKCS7—–” statements. It can contain only Certificates & Chain certificates but not the Private key.
> They are Base64 encoded ASCII files
> They have extensions .p7b, .p7c
> Several platforms supports it. eg:- Windows OS, Java Tomcat
PFX/PKCS#12
They are used for storing the Server certificate, any Intermediate certificates & Private key in one encryptable file.
> They are Binary format files
> They have extensions .pfx, .p12
> Typically used on Windows OS to import and export certificates and Private keys

Check this link for more Details

https://myonlineusb.wordpress.com/2011/06/19/how-to-convert-certificates-between-pem-der-p7bpkcs7-pfxpkcs12/

Importing a Certificate

openssl s_client -showcerts -connect 10.24.256.69:443 | openssl x509 -outform PEM > mycertfile.pem

You have the pem file in the same location

Convert it to der to import to JKS

openssl x509 -outform der -in certificate.pem -out certificate.der

Edit the below command with your specific values to import .der  to JKS keystore

keytool -import -alias your-alias -keystore cacerts -file certificate.der


copied from link

https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them

DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them

Certificates and Encodings

At its core an X.509 certificate is a digital document that has been encoded and/or digitally signed according to RFC 5280.
In fact, the term X.509 certificate usually refers to the IETF’s PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 5280, commonly referred to as PKIX for Public Key Infrastructure (X.509).

X509 File Extensions

The first thing we have to understand is what each type of file extension is.   There is a lot of confusion about what DER, PEM, CRT, and CER are and many have incorrectly said that they are all interchangeable.  While in certain cases some can be interchanged the best practice is to identify how your certificate is encoded and then label it correctly.  Correctly labeled certificates will be much easier to manipulat

Encodings (also used as extensions)

  • .DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension.   Proper English usage would be “I have a DER encoded certificate” not “I have a DER certificate”.
  • .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “—– BEGIN …” line.

Common Extensions

  • .CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous.  Most common among *nix systems
  • CER = alternate form of .crt (Microsoft Convention) You can use MS to convert .crt to .cer (.both DER encoded .cer, or base64[PEM] encoded .cer)  The .cer file extension is also recognized by IE as a command to run a MS cryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.
  • .KEY = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.
The only time CRT and CER can safely be interchanged is when the encoding type can be identical.  (ie  PEM encoded CRT = PEM encoded CER)

Comments

Post a Comment

Popular posts from this blog

'jasypt.encryptor.password' or one of ['jasypt.encryptor.privateKeyString', 'jasypt.encryptor.privateKeyLocation'] must be provided for Password-based or Asymmetric encryption

Image
      Intellij spring boot build failing not seeing the jasypt password. The same is working fine with the normal startup and is also working with mvn command.     Caused by: org.springframework.boot.context.properties.ConfigurationPropertiesBindException: Error creating bean with name 'spring.security-org.springframework.boot.autoconfigure.security.SecurityProperties': Could not bind properties to 'SecurityProperties' : prefix=spring.security, ignoreInvalidFields=false, ignoreUnknownFields=true; nested exception is org.springframework.boot.context.properties.bind.BindException: Failed to bind properties under 'spring.security.user.password' to java.lang.String Caused by: org.springframework.boot.context.properties.bind.BindException: Failed to bind properties under 'spring.security.user.password' to java.lang.String Caused by: org.springframework.cache.Cache$ValueRetrievalException: Value for key 'spring.security.user.password' could not be load
Read more

Field or property 'jobParameters' cannot be found on object of type 'org.springframework.beans.factory.config.BeanExpressionContext' - Spring Batch

This Error happens when you are trying to retrieve a Job Execution parameter and inject it into a Bean. The bean can be anything a Task let, or a StatmentSetter the error can happen. E.g Implementation <bean id = "flatFileItemReader" scope="step" class="org.springframework.batch.item.file.FlatFileItemReader"> <property name = "resource" value = "#{jobParameters[input.file.name]}" /> </bean> The error is because of the Scope parameter missing Using a scope of  Step  is required in order to use late binding since the bean cannot actually be instantiated until the  Step  starts, which allows the attributes to be found. Because it is not part of the Spring container by default, the scope must be added explicitly. Check out the Documentation here ..  http://docs.spring.io/spring-batch/reference/html/configureStep.html#step-scope
Read more

java.security.spec.InvalidKeySpecException: Only RSAPrivate(Crt)KeySpec and PKCS8EncodedKeySpec supported for RSA private keys

public PrivateKey getPrivateKey(String fileName) throws IOException, InvalidKeySpecException, NoSuchAlgorithmException { byte[] keyFileBytes = readKeyFile(fileName); X509EncodedKeySpec spec = new X509EncodedKeySpec(keyFileBytes); KeyFactory kf = KeyFactory.getInstance("RSA"); return kf.generatePrivate(spec); } The reason is this line, This is used to read public key spec and not private key. The private key is read via PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec ( keyBytes ); So as the error says it needs to be in PKCS8 spec format for java to understand.
Read more