Certificate Chain

kezuzu
2012-08-22
2013-02-18
  • kezuzu
    2012-08-22

    Good day,

    Please assist me with the following:

    I have three servers; all servers have JBoss and EJBCA installed.

    I have created a new RootCA1 and a SubCA1 of RootCA1 on Server1.
    I have also created SubCAs of SubCA1 on Server2 and Server3.
    Server2 has SubCA11 and Server3 has SubCA12.

    How do I establish trust between SubCA11 and SubCA12?

    Thank you

  • kezuzu
    2012-08-22

    Hi,

    Below is the error message I got when a web browser with a certificate issued by SubCA11 connects to an application/web server with a certificate issued by SubCA12:

    app1 uses an invalid security certificate.

    The certificate is not trusted because no issuer chain was provided.

    (Error code: sec_error_unknown_issuer)

    Thank you

  • Fully normal. You need to understand how your webserver handles trusted certificates. Install SubCA11 as a trusted CA in your webserver.

    Cheers,
    Tomas


    PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact info@primekey.se for more information.
    http://www.primekey.se/Services/Support/
    http://www.primekey.se/Services/Training/

  • kezuzu
    2012-08-23

    Hi,

    Thank you for your response. How do I do that? How do I ensure that SubCA11 is part of the certificate chain installed in the webserver?
    How do I ensure trust between SubCA11 and SubCA12, since they are both signed by SubCA1?

    Thank you.

  • Anonymous
    2012-08-23

    The configuration is web-server-specific. In Tomcat you (usually) put all trusted CAs in a JKS file referred to by "server.xml". This is, for example, used by EJBCA, since JBoss uses Tomcat.

    Cheers,
    Anders
    tech support

  • kezuzu
    2012-08-23

    Hi,

    I will look into it, thank you. Where should I do the configuration? Is it on Server1 (SubCA1)? Is there documentation that I can look into to get more understanding?

    Thank you,

  • Anonymous
    2012-08-23

    Since this is web-server-specific, you should look into the actual web server's guide for configuring SSL/TLS with client-certificate authentication.

    I would say that it is non-trivial. If you use Tomcat, looking into the EJBCA/JBoss server.xml is also a possibility.

  • kezuzu
    2012-09-03

    Hi

    I have imported the certificates into the truststore file defined in server.xml and I still get trust issues. Do I also need to import the certificates into the Java cacerts file?

    Thank you

  • Anonymous
    2012-09-03

    The question is now: Do you get an EJBCA trust error or does it fail on TLS?
    You can test this by logging in to https://yourhost:8443/

    BTW, do you get the chance to select a certificate?
    Try with Firefox; Chrome requires a bit more work.

    Cheers,
    Anders

  • kezuzu
    2012-09-12

    Hi,
    I think you do not understand my problem.

    I am trying to make two external EJBCA SubCAs (SubCA11 and SubCA12) trust each other. I don't have issues with accessing the admin web. This is the error message I get:

    <IP ADDRESS>  uses an invalid security certificate.

    The certificate is not trusted because no issuer chain was provided.

    (Error code: sec_error_unknown_issuer)

    I tried reading online, and tried other ways to solve the certificate chain issue, but it's not working.

  • Anonymous
    2012-09-12

    Hi,
    It is true that I don't understand what your problem is :-)
    You can login to the admin web with a certificate, yes?

    So when do you get the error? And what kind of access do you do then? What client? What server?

    Cheers,
    Anders

  • kezuzu
    2012-09-12

    I have 3 servers, all servers with JBoss/EJBCA installed.

    Yes, I can log on to the admin web on all servers and create certificates.

    Server1 (CA1) has signed Server2 (CA11) and Server3 (CA12), which means that CA11 and CA12 are external SubCAs of CA1.

    I need certificates created from CA11 and CA12 to trust each other. How do I do that?

    The error I posted is what I get when I use a web server certificate created by CA11 and a browser certificate created by CA12 to establish a secure connection.

    So the browser is complaining because it cannot see CA12 in the certificate chain. How do I ensure that I have a correct chain?

    Thank you

  • Anonymous
    2012-09-12

    "I need certificates created from CA11 and CA12 to trust each other. How do I do that?"

    I think this is somewhat strangely expressed. A server or client can be configured to trust one or more CAs.

    If you want a Relying Party (server or client) to trust both CAs, you need to put the root cert into a truststore.
    The client must then contain the client cert + its associated subCA cert.

    Since we are talking about 2-way auth, the opposite is also valid. That is, if you create a TLS cert with CA11, the keystore must contain both CA11 + the server cert.

    keytool -v -list -keystore mykeystore.p12 -storetype pkcs12 -storepass yourpassword

    is very useful

    Cheers,
    Anders