A customer is attempting to use a wildcard certificate as a server certificate. This was not generated in the fashion that is documented in our installation guide, therefore there is no key for the certificate on the server. If this is supported, how can we fix this so that the certificate can be used?
This is more of an app server issue than an IMG issue, as the app server is responsible for establishing the initial SSL handshake between the browser (client) and the server. Always ensure that the Certificate Authority (CA) is known, or import your own CA for the new server certificate into the truststore first. The truststore is the browser's set of certificates and Certificate Authorities that are treated as valid.
We don't support wildcard certificates for AFX or Remote Agent communication. Also be advised that, while technically OK, there are some security concerns around using these types of certificates. See
RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infra…
Since this is app server to browser communication, all that is needed is to have a certificate within the server keystore that is aliased as 'server' and then have a client (browser) that trusts the downloaded certificate. The certificate added to the keystore contains the public key needed by the client for secure communications; in this case the wildcard certificate contains a public key as part of its structure. With the certificate set on the server side and the client enabled to accept that certificate as valid, an SSL channel for all subdomains covered by the wildcard will be established.
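The two previous points (the RFC 6125 concerns, and "all subdomains covered by the wildcard") come down to which hostnames a wildcard name actually matches. The following shell script is an added example, not part of the original article: it applies the RFC 6125 section 6.4.3 matching rules as browsers enforce them (the wildcard must be the entire leftmost label, it matches exactly one label, and the parent domain itself is not covered) and lists which of a set of hostnames would be served by one wildcard key. The sample hostnames are constructed, and the rejection of names with fewer than two labels after the wildcard (such as "*.com") is a policy assumed here, not something the article states.

```shell
#!/bin/sh
# Added example, not part of the original article: check which hostnames a
# wildcard certificate name covers under the RFC 6125 section 6.4.3 rules as
# browsers apply them (wildcard only as the whole leftmost label, matching
# exactly one label, parent domain not covered). Rejecting "*.com"-style names
# with fewer than two labels after the wildcard is an assumed policy.

# wildcard_matches PATTERN HOST: exit 0 if HOST is covered by the certificate
# name PATTERN, exit 1 otherwise. Comparison is case-insensitive.
wildcard_matches() {
    pattern=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case $pattern in
        '*.'*)
            suffix=${pattern#\*.}
            # refuse overly broad names such as "*.com" (assumed policy)
            case $suffix in *.*) ;; *) return 1 ;; esac
            # the suffix itself must not contain another wildcard
            case $suffix in *'*'*) return 1 ;; esac
            case $host in
                "$suffix") return 1 ;;          # parent domain is not covered
                *."$suffix")
                    label=${host%."$suffix"}
                    # the wildcard matches exactly one label: "a.b.example.com"
                    # is not covered by "*.example.com"
                    case $label in ''|*.*) return 1 ;; *) return 0 ;; esac ;;
                *) return 1 ;;
            esac ;;
        *'*'*) return 1 ;;   # partial or non-leftmost wildcards are rejected
        *) [ "$pattern" = "$host" ] ;;
    esac
}

# covered_hosts PATTERN HOST...: prints, one per line, the hosts that PATTERN
# covers. Every one of them is exposed if the single wildcard private key is
# compromised, which is the security concern the article refers to.
covered_hosts() {
    pat=$1; shift
    for h in "$@"; do
        if wildcard_matches "$pat" "$h"; then printf '%s\n' "$h"; fi
    done
}

# Constructed sample data: hostnames an operator might expect "*.example.com" to cover.
covered_hosts '*.example.com' app.example.com api.example.com example.com a.b.example.com
```

Running the script prints app.example.com and api.example.com; example.com and a.b.example.com are not covered, which is a common surprise when a wildcard certificate is reused across environments.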
It is one-way communication in this case, with the app server sending a certificate to the browser for verification. The server doesn't really care about using a private key to handle the client's response, since the browser will either accept or reject the certificate with no reply. Some app servers, however, require a private key, as they may overload the usage of the server keystore to handle two-way authentication. I've detailed how to set a private key for WebSphere and WebLogic below.
Remember: always back up your keystore prior to modification.
JBoss or WildFly:
You can import into the keystore the alias associated with the certificate for which a certificate signing request was generated. This replaces the unsigned server certificate of that alias with the signed certificate.
To import the certificate:
1. Run the following command:
keytool -import -v -noprompt -trustcacerts -alias <server-cert-alias> -file <Server_cert_file> \
    -storepass <Keystore Password> -keystore <Keystore File>
For example:
cd /home/oracle/jboss-4.2.2.GA/server/default/conf/keystore
keytool -import -v -noprompt -trustcacerts -alias server -file myWildcardServerCert \
    -storepass Av3k5a15num83r0n3 -keystore aveksa.keystore
or
cd /home/oracle/wildfly/standalone/configuration/keystore
keytool -import -v -noprompt -trustcacerts -alias server -file myWildcardServerCert \
    -storepass Av3k5a15num83r0n3 -keystore server.keystore
WebSphere:
See chapter 3 of our document Installation on WebSphere.
2. Copy your private key from your own keystore to the server.keystore:
keytool -importkeystore -srcalias private-key-alias -srckeypass private-key-key-password \
    -srckeystore private-key-keystore -srcstorepass private-key-store-password -srcstoretype pkcs12 \
    -destalias httpsdefault -destkeypass Av3k5a15num83r0n3 \
    -destkeystore server.keystore -deststorepass Av3k5a15num83r0n3
You should have received a private key or public/private key pair along with the wildcard certificate (.crt, .pem, etc.). It needs to be added to a keystore and then imported as private-key-keystore using the above command. Here's a link on how to do that.
Import PKCS12 private keys into JKS keystores using Java Keytool | Harvesting web technologies
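The whole procedure above (bundle the received certificate and private key into a PKCS12 keystore, then copy that entry into the server keystore with keytool -importkeystore, and confirm that the alias now carries the private key rather than just the certificate) is shown end to end in the following script. It is an added example written for this page, not the product's own tooling or installation-guide steps: the self-signed *.example.test certificate it generates is a stand-in for the CA-issued certificate and key the customer received, and the passwords, file names and alias 'server' are placeholders to substitute. It also includes the check a practitioner wants before touching the keystore: that the private key actually belongs to the certificate. It requires openssl and a JDK's keytool on the PATH.

```shell
#!/bin/sh
# Added example, not the product's own tooling: take a wildcard certificate and
# its private key, bundle them into a PKCS12 keystore, import that entry into
# the app server keystore under the alias 'server' with keytool -importkeystore,
# and verify that the alias now holds a PrivateKeyEntry. A keytool -import of
# the .crt alone leaves a trustedCertEntry, i.e. no private key on the server.
# The passwords, file names and the self-signed test certificate are
# placeholders constructed for this example; substitute your own values.
set -eu

# make_test_wildcard_cert DIR: constructs a self-signed *.example.test
# certificate and key in DIR so the example runs offline (stand-in for the
# CA-issued certificate and key the customer received).
make_test_wildcard_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=*.example.test' -addext 'subjectAltName=DNS:*.example.test' \
        -keyout "$1/wildcard.key" -out "$1/wildcard.crt" 2>/dev/null
}

# key_matches_cert CERT KEY: exit 0 only if KEY is the private key for CERT
# (public keys compared), catching a mismatched key before it reaches the keystore.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# import_wildcard_key CERT KEY KEYSTORE STOREPASS: PKCS12 bundle, then copy the
# key pair entry into KEYSTORE as alias 'server'. The key password is set equal
# to the store password, as the article's WebSphere/WebLogic command does.
import_wildcard_key() {
    cert=$1; key=$2; store=$3; pass=$4
    p12=$(dirname "$store")/wildcard.p12
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name server \
        -out "$p12" -passout "pass:$pass"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype pkcs12 -srcstorepass "$pass" -srcalias server \
        -destkeystore "$store" -deststoretype jks -deststorepass "$pass" \
        -destkeypass "$pass" -destalias server
    rm -f "$p12"
}

# server_alias_entry_type KEYSTORE STOREPASS: prints PrivateKeyEntry or
# trustedCertEntry for the 'server' alias (empty if the alias is missing).
server_alias_entry_type() {
    keytool -list -keystore "$1" -storepass "$2" -alias server 2>/dev/null \
        | grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

main() {
    dir=$(mktemp -d)
    make_test_wildcard_cert "$dir"
    key_matches_cert "$dir/wildcard.crt" "$dir/wildcard.key" \
        || { echo "private key does not match the certificate" >&2; exit 1; }
    import_wildcard_key "$dir/wildcard.crt" "$dir/wildcard.key" "$dir/server.keystore" 'changeit-placeholder'
    echo "alias 'server' is a $(server_alias_entry_type "$dir/server.keystore" 'changeit-placeholder')"
}

# Run with: sh keystore-example.sh run   (needs openssl and keytool on PATH)
case "${1:-}" in run) main ;; esac
```

The functions take the certificate, key, keystore path and password as arguments so the same steps can be pointed at a real server.keystore; the final keytool -list check is the quickest way to tell whether a keystore really contains the private key (PrivateKeyEntry) or only the certificate (trustedCertEntry) after someone followed the plain keytool -import steps.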
Below is a good resource on the overall steps for replacing the WAS SSL certificate. The server administrator should know what's relevant here.
http://www-01.ibm.com/support/knowledgecenter/SSJJ9R_5.0.2/com.ibm.rational.rrdi.admin.doc/topics/t_replace_was_cert.html?cp=SSJJ9R_5.0.2
Step 4: the keystore password is Av3k5a15num83r0n3
Steps 6 and 13: use 'server' for the alias
WebLogic: follow the same keytool steps as for WebSphere above. Reference our document 'Installation on WebLogic Guide' on how to reset the server.keystore after populating it with the wildcard certificate.