
Thread: generating https certificates

 


Replies: 12 - Last Post: Jul 25, 2012 12:10 AM by njiang
camel

Posts: 43
Registered: 02/02/12
generating https certificates
Posted: Jul 22, 2012 10:41 PM
Hello
I use 4.4.1-fuse-06-03, with CXF HTTPS via etc\pax.web...

I have a problem generating the server HTTPS cert.
I created the CA certificate as written here:
http://fusesource.com/docs/framework/2.4/security/i305191.html
and then created the server cert as written here:
http://fusesource.com/docs/framework/2.4/security/i382664.html

but Firefox sees this certificate as a self-signed cert, issued by localhost for localhost;
it cannot see it as signed by my own CA.

I think it is not a problem of SMX or CXF but of OpenSSL or keytool.
I suppose there could have been some change in OpenSSL and keytool since this tutorial was written, and now they might work differently.

Could somebody try to use this tutorial exactly as written in the above links and check if it works?

If it works, please include your commands as a script. Here is what I have done:

(when there are many similar versions I did all of them):

del server.chain
del caJsi.jks
del server.pem
del serverKeystore*
del server_csr.pem

del X509CA\ca\new*
del X509CA\certs\*
del X509CA\newcerts\0*
del X509CA\crl\*
rmdir X509CA\ca
rmdir X509CA\certs
rmdir X509CA\newcerts
rmdir X509CA\crl
del X509CA\index*
del X509CA\serial*
dir
dir X509CA\

mkdir X509CA
mkdir X509CA\ca
mkdir X509CA\certs
mkdir X509CA\newcerts
mkdir X509CA\crl

cd X509CA
echo 01 > serial

notepad index.txt
(click Yes, and close Notepad)

cd ..


password password

Create a self-signed CA certificate and private key
Create a new self-signed CA certificate and private key with the following command:

openssl req -x509 -new -config X509CA\openssl.cfg -days 365 -out X509CA\ca\new_ca.pem -keyout X509CA\ca\new_ca_pk.pem

=====================
Generate a certificate and private key pair
Open a command prompt and change directory to the directory where you store your keystore files, KeystoreDir. Enter the following command:

keytool -genkeypair -dname "CN=localhost, OU=testOU, O=testO, ST=Warsaw, C=PL" -validity 365 -v -alias serverAlias -keypass serverPassword -keystore serverKeystore.jks -storepass serverPassword

keytool -importcert -alias cacertAlias -file X509CA\ca\new_ca.pem -trustcacerts -keystore serverKeystore.jks -storepass serverPassword

keytool -importcert -file X509CA\ca\new_ca.pem -trustcacerts -keystore serverKeystore.jks -storepass serverPassword



Create a certificate signing request
Create a new certificate signing request (CSR) for the serverKeystore.jks certificate, as follows:

keytool -certreq -alias serverAlias -file server_csr.pem -keypass serverPassword -keystore serverKeystore.jks -storepass serverPassword


Sign the CSR

Sign the CSR using your CA, as follows:

openssl ca -config X509CA\openssl.cfg -days 365 -in server_csr.pem -out server.pem


Convert to PEM format
Convert the signed certificate, server.pem, to PEM only format, as follows:

openssl x509 -in server.pem -out server.pem -outform PEM


Concatenate the files
Concatenate the CA certificate file and server.pem certificate file, as follows:

copy server.pem + X509CA\ca\new_ca.pem server.chain


Update keystore with the full certificate chain
Update the keystore, serverKeystore.jks, by importing the full certificate chain for the certificate, as follows:

keytool -importcert -file server.chain -alias serverAlias -keypass serverPassword -keystore serverKeystore.jks -storepass serverPassword

keytool -importcert -file server.chain -keypass serverPassword -keystore serverKeystore.jks -storepass serverPassword

keytool -importcert -file server.chain -keypass serverPassword -keystore serverKeystore2.jks -storepass serverPassword

keytool -importcert -file server.chain -alias serverAlias -keypass serverPassword -keystore serverKeystoreAlias.jks -storepass serverPassword
copy serverKeystore.jks C:\opt\apache-servicemix-4.4.1-fuse-06-03\etc\

thx and regards
camel
ffang

Posts: 1,320
Registered: 12/24/07
Re: generating https certificates
Posted: Jul 22, 2012 11:40 PM   in response to: camel
Hi,

Just a quick note: there's a gencerts.sh shell script in the Fuse Services Framework kit under samples/wsdl_first_https/bin which can generate all the necessary certs automatically for you; you may want to take a look.

Freeman
camel

Posts: 43
Registered: 02/02/12
Re: generating https certificates
Posted: Jul 23, 2012 7:33 AM   in response to: ffang
Here are the logs of executing these 3 commands:
gencerts.sh (in Cygwin under Windows)
c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https>mvn -Pserver
c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https>mvn -Psecure.client

$ ../bin/gencerts.sh
Using configuration from C:\opt\OpenSSL-Win64\bin\openssl.cfg
Generating a 1024 bit RSA private key
..................++++++
....++++++
writing new private key to 'caprivkey.pem'

Using configuration from C:\opt\OpenSSL-Win64\bin\openssl.cfg
Generating a 1024 bit RSA private key
.....++++++
...............++++++
writing new private key to 'raprivkey.pem'

Using configuration from C:\opt\OpenSSL-Win64\bin\openssl.cfg
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4933 (0x1345)
Validity
Not Before: Jul 23 07:09:01 2012 GMT
Not After : Jul 18 07:09:01 2032 GMT
Subject:
countryName = US
stateOrProvinceName = NY
organizationName = Apache
organizationalUnitName = NOT FOR PRODUCTION
commonName = TheRA
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Jul 18 07:09:01 2032 GMT (7300 days)

Write out database with 1 new entries
Data Base Updated
Using configuration from C:\opt\OpenSSL-Win64\bin\openssl.cfg
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (NY) and the request (NY)
Using configuration from C:\opt\OpenSSL-Win64\bin\openssl.cfg
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (NY) and the request (NY)
unable to load certificate
2674688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
unable to load certificate
2674688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
keytool error: java.lang.Exception: Certificate reply does not contain public key for <mykey>
keytool error: java.lang.Exception: Certificate reply does not contain public key for <mykey>
Using configuration from C:\opt\OpenSSL-Win64\bin\openssl.cfg
V 320718070901Z 1345 unknown /C=US/ST=NY/O=Apache/OU=NOT FOR PRODUCTION/CN=TheRA
1 entries loaded from the database
generating index
Revoking Certificate 1345.
Data Base Updated
Using configuration from C:\opt\OpenSSL-Win64\bin\openssl.cfg
R 320718070901Z 120723070903Z,keyCompromise 1345 unknown /C=US/ST=NY/O=Apache/OU=NOT FOR PRODUCTION/CN=TheRA
1 entries loaded from the database
generating index
./demoCA/crlnumber: No such file or directory
error while loading CRL number
2674688:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('./demoCA/crlnumber','rb')
2674688:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
Certificate was added to keystore

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: mykey
Creation date: 2012-07-23
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Wibble, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US
Issuer: CN=Wibble, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US
Serial number: 500cf88e
Valid from: Mon Jul 23 09:09:02 CEST 2012 until: Sun Oct 21 09:09:02 CEST 2012
Certificate fingerprints:
MD5: E6:44:52:CC:8F:C3:1B:28:71:02:F2:44:38:98:00:F6
SHA1: 1E:98:A3:CF:5A:E6:4A:24:32:E9:C4:BE:CD:3A:CE:0F:B3:91:AE:FF
Signature algorithm name: SHA1withDSA
Version: 3

*******************************************
*******************************************


Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: mykey
Creation date: 2012-07-23
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Cherry, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US
Issuer: CN=Cherry, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US
Serial number: 500cf88e
Valid from: Mon Jul 23 09:09:02 CEST 2012 until: Sun Oct 21 09:09:02 CEST 2012
Certificate fingerprints:
MD5: 9A:85:40:61:1A:A0:BC:7D:F0:66:57:10:72:52:66:01
SHA1: AF:77:F5:4D:14:36:B9:83:6D:7C:D6:EA:27:EB:F4:DC:4F:1B:F7:71
Signature algorithm name: SHA1withDSA
Version: 3

*******************************************
*******************************************


Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: theca
Creation date: 2012-07-23
Entry type: trustedCertEntry

Owner: C=US, ST=NY, O=Apache, OU=NOT FOR PRODUCTION, CN=TheCA
Issuer: C=US, ST=NY, O=Apache, OU=NOT FOR PRODUCTION, CN=TheCA
Serial number: 4d2
Valid from: Mon Jul 23 09:09:01 CEST 2012 until: Sun Jul 18 09:09:01 CEST 2032
Certificate fingerprints:
MD5: DF:BC:B5:95:5A:9E:4C:F8:03:7A:01:F6:70:35:F8:46
SHA1: 12:1E:D1:2C:E6:34:D9:D5:99:66:29:B0:51:3D:EF:C9:1F:B6:AC:D2
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 66 34 E2 81 F5 61 EF D6 36 79 52 5F 7E 01 7B 7A f4...a..6yR_...z
0010: F3 26 D3 2D .&.-
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 66 34 E2 81 F5 61 EF D6 36 79 52 5F 7E 01 7B 7A f4...a..6yR_...z
0010: F3 26 D3 2D .&.-
]

]


*******************************************
*******************************************

unable to load CRL
2674688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: X509 CRL

foobar@stk_101-TOSH /cygdrive/c/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/certs

server log
c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https>mvn -Pserver
INFO Scanning for projects...
INFO
INFO


INFO Building WSDL first demo using HTTPS 2.4.3-fuse-01-02
INFO
INFO
INFO --- cxf-codegen-plugin:2.4.3-fuse-01-02:wsdl2java (generate-sources) @ wsdl_first_https ---
INFO Using proxy server configured in maven.
INFO
INFO --- maven-antrun-plugin:1.4:run (copyxmlfiles) @ wsdl_first_https ---
project.artifactId
INFO Executing tasks
INFO Executed tasks
INFO
INFO --- maven-resources-plugin:2.5:resources (default-resources) @ wsdl_first_https ---
debug execute contextualize
INFO Using 'UTF-8' encoding to copy filtered resources.
INFO skip non existing resourceDirectory c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https\src\main\resources
INFO
INFO --- maven-compiler-plugin:2.3.1:compile (default-compile) @ wsdl_first_https ---
INFO Nothing to compile - all classes are up to date
INFO
INFO --- maven-resources-plugin:2.5:testResources (default-testResources) @ wsdl_first_https ---
debug execute contextualize
INFO Using 'UTF-8' encoding to copy filtered resources.
INFO skip non existing resourceDirectory c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https\src\test\resources
INFO
INFO --- maven-compiler-plugin:2.3.1:testCompile (default-testCompile) @ wsdl_first_https ---
INFO No sources to compile
INFO
INFO --- maven-surefire-plugin:2.10:test (default-test) @ wsdl_first_https ---
INFO No tests to run.
INFO Surefire report directory: c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https\target\surefire-reports


T E S T S


Results :

Tests run: 0, Failures: 0, Errors: 0, Skipped: 0

INFO
INFO --- exec-maven-plugin:1.2:exec (default) @ wsdl_first_https ---
The server's security configuration will be taken from server.xml using the bean name : "{http://apache.org/hello_world_soap_http}GreeterImplPort.http-destination".

Starting Server
2012-07-23 09:18:45 org.springframework.context.support.AbstractApplicationContext prepareRefresh
INFO: Refreshing org.apache.cxf.bus.spring.BusApplicationContext@80d3d6f: startup date Mon Jul 23 09:18:45 CEST 2012; root of context hierarchy
2012-07-23 09:18:46 org.apache.cxf.bus.spring.BusApplicationContext getConfigResources
INFO: Loaded configuration file file:/C:/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/target/classes/demo/hw_https/server/CherryServer.xml.
2012-07-23 09:18:46 org.springframework.beans.factory.xml.XmlBeanDefinitionReader loadBeanDefinitions
INFO: Loading XML bean definitions from class path resource http://META-INF/cxf/cxf.xml
2012-07-23 09:18:46 org.springframework.beans.factory.xml.XmlBeanDefinitionReader loadBeanDefinitions
INFO: Loading XML bean definitions from URL
2012-07-23 09:18:47 org.springframework.beans.factory.support.DefaultListableBeanFactory preInstantiateSingletons
INFO: Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@63a5ec6c: defining beans [cxf,org.apache.cxf.bus.spring.BusWiringBeanFactoryPo
stProcessor,org.apache.cxf.bus.spring.Jsr250BeanPostProcessor,org.apache.cxf.bus.spring.BusExtensionPostProcessor,{http://apache.org/hello_world_soap_http}GreeterPort.http-destination,o
rg.apache.cxf.transport.http_jetty.spring.JettySpringTypesFactory,org.apache.cxf.transport.http_jetty.JettyHTTPServerEngineFactory]; root of factory hierarchy
2012-07-23 09:18:47 org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromWSDL
INFO: Creating Service {http://apache.org/hello_world_soap_http}SOAPService from WSDL: file:./wsdl/hello_world.wsdl
2012-07-23 09:18:48 org.apache.cxf.frontend.AbstractWSDLBasedEndpointFactory createEndpoint
WARNING: Could not find endpoint/port for {http://apache.org/hello_world_soap_http}GreeterPort in wsdl. Using {http://apache.org/hello_world_soap_http}SoapPort.
2012-07-23 09:18:48 org.apache.cxf.endpoint.ServerImpl initDestination
INFO: Setting the server's publish address to be https://localhost:9001/SoapContext/SoapPort
2012-07-23 09:18:48 org.eclipse.jetty.util.log.Slf4jLog info
INFO: jetty-7.4.5.fuse20111017
2012-07-23 09:18:48 org.eclipse.jetty.util.log.Slf4jLog info
INFO: Started CXFJettySslSocketConnector@0.0.0.0:9001 STARTING
2012-07-23 09:18:48 org.eclipse.jetty.util.log.Slf4jLog info
INFO: started o.e.j.s.h.ContextHandler{/SoapContext,null}
Server ready...
2012-07-23 09:20:06 org.eclipse.jetty.util.log.Slf4jLog warn
WARNING: 127.0.0.1:60379 javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

client log

C:\Users\jsitek>cd c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https

c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https>mvn -Psecure.client
INFO Scanning for projects...
INFO
INFO
INFO Building WSDL first demo using HTTPS 2.4.3-fuse-01-02
INFO
INFO
INFO --- cxf-codegen-plugin:2.4.3-fuse-01-02:wsdl2java (generate-sources) @ wsdl_first_https ---
INFO Using proxy server configured in maven.
INFO
INFO --- maven-antrun-plugin:1.4:run (copyxmlfiles) @ wsdl_first_https ---
project.artifactId
INFO Executing tasks
INFO Executed tasks
INFO
INFO --- maven-resources-plugin:2.5:resources (default-resources) @ wsdl_first_https ---
debug execute contextualize
INFO Using 'UTF-8' encoding to copy filtered resources.
INFO skip non existing resourceDirectory c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https\src\main\resources
INFO
INFO --- maven-compiler-plugin:2.3.1:compile (default-compile) @ wsdl_first_https ---
INFO Nothing to compile - all classes are up to date
INFO
INFO --- maven-resources-plugin:2.5:testResources (default-testResources) @ wsdl_first_https ---
debug execute contextualize
INFO Using 'UTF-8' encoding to copy filtered resources.
INFO skip non existing resourceDirectory c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https\src\test\resources
INFO
INFO --- maven-compiler-plugin:2.3.1:testCompile (default-testCompile) @ wsdl_first_https ---
INFO No sources to compile
INFO
INFO --- maven-surefire-plugin:2.10:test (default-test) @ wsdl_first_https ---
INFO No tests to run.
INFO Surefire report directory: c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https\target\surefire-reports


T E S T S


Results :

Tests run: 0, Failures: 0, Errors: 0, Skipped: 0

INFO
INFO >>> exec-maven-plugin:1.2:java (default) @ wsdl_first_https >>>
INFO
INFO <<< exec-maven-plugin:1.2:java (default) @ wsdl_first_https <<<
INFO
INFO --- exec-maven-plugin:1.2:java (default) @ wsdl_first_https ---
2012-07-23 09:20:04 org.springframework.context.support.AbstractApplicationContext prepareRefresh
INFO: Refreshing org.apache.cxf.bus.spring.BusApplicationContext@77ed2061: startup date Mon Jul 23 09:20:04 CEST 2012; root of context hierarchy
2012-07-23 09:20:04 org.apache.cxf.bus.spring.BusApplicationContext getConfigResources
INFO: Loaded configuration file file:/c:/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/target/classes/demo/hw_https/client/WibbleClient.xml.
2012-07-23 09:20:04 org.springframework.beans.factory.xml.XmlBeanDefinitionReader loadBeanDefinitions
INFO: Loading XML bean definitions from class path resource http://META-INF/cxf/cxf.xml
2012-07-23 09:20:04 org.springframework.beans.factory.xml.XmlBeanDefinitionReader loadBeanDefinitions
INFO: Loading XML bean definitions from URL [file:/c:/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/target/classes/demo/hw_https/client/WibbleClient
2012-07-23 09:20:04 org.springframework.beans.factory.support.DefaultListableBeanFactory preInstantiateSingletons
INFO: Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@6568f248: defining beans [cxf,org.apache.cxf.bus.spr
stProcessor,org.apache.cxf.bus.spring.Jsr250BeanPostProcessor,org.apache.cxf.bus.spring.BusExtensionPostProcessor,{http://apache.org/hello_world_soap_http}Soap
f factory hierarchy
file:/c:/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/wsdl/hello_world.wsdl
2012-07-23 09:20:05 org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromWSDL
INFO: Creating Service {http://apache.org/hello_world_soap_http}SOAPService from WSDL: file:/c:/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/wsdl/h
Invoking greetMe...
2012-07-23 09:20:06 org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for {http://apache.org/hello_world_soap_http}SOAPService#{http://apache.org/hello_world_soap_http}greetMe has thrown exception, unwinding
org.apache.cxf.interceptor.Fault: Could not send Message.
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:461)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:364)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:317)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
at $Proxy37.greetMe(Unknown Source)
at demo.hw_https.client.Client.main(Client.java:77)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:291)
at java.lang.Thread.run(Thread.java:662)
Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://localhost:9001/SoapContext/SoapPort: sun.security.validator.ValidatorExc
cate found
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1430)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1415)
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:648)
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
... 15 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1731)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1197)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1181)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1014)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1367)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1309)
at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1387)
... 18 more
Caused by: sun.security.validator.ValidatorException: No trusted certificate found
at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:330)
at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:110)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
... 34 more
Invocation failed with the following: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://localhost:9001/SoapContext/SoapPort: sun.secu
ception: No trusted certificate found

c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https>
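A check for the symptom camel describes (the keystore still holding the self-signed cert after the chain import, which Firefox shows as "issued by localhost for localhost"), added here as an example that is not part of this thread or of the Fuse kit: it parses `keytool -list -v` output like the listings in the log above and flags private-key entries whose leaf certificate is self-signed, is not issued by the expected CA, lacks the CA in its chain, or is signed with a weak algorithm. The sample listing, the `signedAlias` entry and the `TestCA` name are constructed; the caller supplies the CA's subject DN.

```python
"""Audit `keytool -list -v` output for the failure discussed in this thread:
a PrivateKeyEntry whose chain is still the self-signed certificate because
the CA-signed reply was never installed under the key's alias."""
import re

# Constructed sample listing modelled on the keytool output quoted in this
# thread (not a real keystore dump): one broken entry, one correct one.
SAMPLE_LISTING = """\
Alias name: serverAlias
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=testOU, O=testO, ST=Warsaw, C=PL
Issuer: CN=localhost, OU=testOU, O=testO, ST=Warsaw, C=PL
Signature algorithm name: SHA1withDSA

*******************************************
*******************************************

Alias name: signedAlias
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=localhost, OU=testOU, O=testO, ST=Warsaw, C=PL
Issuer: C=PL, ST=Warsaw, O=testO, OU=testCA, CN=TestCA
Signature algorithm name: SHA256withRSA
Certificate[2]:
Owner: C=PL, ST=Warsaw, O=testO, OU=testCA, CN=TestCA
Issuer: C=PL, ST=Warsaw, O=testO, OU=testCA, CN=TestCA
Signature algorithm name: SHA256withRSA
"""

WEAK_SIG_ALGS = {"MD5withRSA", "SHA1withRSA", "SHA1withDSA"}


def dn_parts(dn):
    """Normalise a DN into a set of (attribute, value) pairs: keytool prints
    JKS-generated names CN-first and OpenSSL-generated names C-first (compare
    the Owner lines above), so a raw string compare would misjudge a correctly
    signed cert. Values containing ", " are not handled."""
    pairs = (p.split("=", 1) for p in dn.split(", ") if "=" in p)
    return frozenset((k.strip().upper(), v.strip()) for k, v in pairs)


def _field(text, key):
    m = re.search(rf"^{key}: (.+)$", text, re.M)
    return m.group(1).strip() if m else None


def parse_listing(text):
    """Split keytool output into entries: alias, entry type and the certs of
    the chain (owner, issuer, sigalg), leaf first, as keytool prints them."""
    entries = []
    for block in re.split(r"^\*{10,}$", text, flags=re.M):
        alias = _field(block, "Alias name")
        if alias is None:
            continue
        parts = re.split(r"^Certificate\[\d+\]:$", block, flags=re.M)
        # trustedCertEntry blocks hold one cert with no Certificate[n] marker
        cert_texts = parts[1:] if len(parts) > 1 else [block]
        certs = [{"owner": _field(t, "Owner"), "issuer": _field(t, "Issuer"),
                  "sigalg": _field(t, "Signature algorithm name")}
                 for t in cert_texts if _field(t, "Owner")]
        entries.append({"alias": alias, "type": _field(block, "Entry type"),
                        "certs": certs})
    return entries


def audit(entries, ca_dn):
    """Return (alias, finding) pairs for every PrivateKeyEntry; ca_dn is the
    subject DN of the CA that should have signed the server certificate."""
    findings = []
    ca = dn_parts(ca_dn)
    for e in entries:
        if e["type"] != "PrivateKeyEntry" or not e["certs"]:
            continue
        leaf = e["certs"][0]
        owner, issuer = dn_parts(leaf["owner"]), dn_parts(leaf["issuer"])
        if owner == issuer:
            findings.append((e["alias"], "self-signed leaf: CA reply was never installed"))
        elif issuer != ca:
            findings.append((e["alias"], "leaf not issued by the expected CA"))
        elif len(e["certs"]) < 2:
            findings.append((e["alias"], "chain is missing the CA certificate"))
        for c in e["certs"]:
            if c["sigalg"] in WEAK_SIG_ALGS:
                findings.append((e["alias"], f"weak signature algorithm {c['sigalg']}"))
    return findings
```

Run it on the real output of `keytool -list -v -keystore serverKeystore.jks` after the chain import; an entry that still reports a self-signed leaf means the import under the key's alias did not take effect.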
camel

Posts: 43
Registered: 02/02/12
Re: generating https certificates
Posted: Jul 23, 2012 7:34 AM   in response to: ffang
Please try to execute these 3 commands on your computer:

gencerts.sh
c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https>mvn -Pserver
c:\opt\apache-cxf-2.4.3-fuse-01-02\samples\wsdl_first_https>mvn -Psecure.client
ffang

Posts: 1,320
Registered: 12/24/07
Re: generating https certificates
Posted: Jul 23, 2012 8:14 AM   in response to: camel
Hi,

You need to take a look at the README.txt of samples/wsdl_first_https to get more details on how to run it.
More specifically:
"In separate windows:
mvn -Pserver (starts the server)
mvn -Pinsecure.client (runs the client in insecure mode, Scenario 1)
mvn -Psecure.client (runs the client in secure mode, Scenario 2)
mvn -Pinsecure.client.non.spring (runs the client in insecure mode without Spring configuration, Scenario 3)
mvn -Psecure.client.non.spring (runs the client in secure mode without Spring configuration, Scenario 4)
mvn clean (removes all generated and compiled classes)"
There's no mvn -Pclient at all.
Also you need to be in the certs folder to run gencerts.sh, something like
cd certs
sh ../bin/gencerts.sh

Btw, I just tried the 2.4.3-fuse-01-02 kit; wsdl_first_https/gencerts.sh works on my machine.

Freeman
camel

Posts: 43
Registered: 02/02/12
Re: generating https certificates
Posted: Jul 23, 2012 8:39 AM   in response to: ffang
Yes, I did it as written in the README:
cd certs
sh ../bin/gencerts.sh
In separate windows:
mvn -Pserver (starts the server)
mvn -Psecure.client (runs the client in secure mode, Scenario 2)

If I run the server and client against the default certs they run OK,
but if I run them against my generated certs there is an error;
when I look at https://localhost:9001/SoapContext/SoapPort in Firefox I see that the cert is issued by cherry for cherry, not by the CA.
Have you also tried running the server and secure client, or only gencerts.sh?
ffang

Posts: 1,320
Registered: 12/24/07
Re: generating https certificates
Posted: Jul 23, 2012 8:51 AM   in response to: camel
Hi,

Yeah, I tried the server and secure client after regenerating the certs using gencerts.sh, and it works for me.
I guess it's related to the Cygwin you're using.
Could you run the script on a Linux machine, and copy the certs folder back to your Windows machine, to see if it makes any difference?

Freeman
camel

Posts: 43
Registered: 02/02/12
Re: generating https certificates
Posted: Jul 23, 2012 8:59 AM   in response to: ffang
Yesterday I ran gencerts.sh from the CXF distribution (not from Fuse) on Linux and I got the same error.
It seems to me that Konqueror could see that the cert was issued by the CA, but Firefox under Linux could not, and the client was also failing. I will try it again on Linux in about 13 hours; right now I have no Linux machine available.

Do you also get the following error at the end of the script?

*******************************************
*******************************************

unable to load CRL
2674688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: X509 CRL

As far as I remember I also got something similar under Linux.

camel

Posts: 43
Registered: 02/02/12
Re: generating https certificates
Posted: Jul 23, 2012 8:43 AM   in response to: ffang
Attachment certs.tgz (7.7 KB)
Here I enclose my generated certs.
ffang

Posts: 1,320
Registered: 12/24/07
Re: generating https certificates
Posted: Jul 23, 2012 8:57 AM   in response to: camel
Hi,

I saw some file/folder permission problems when extracting certs.tgz; I think it may be related to the problem you encountered.

You need to ensure all files/folders in the certs folder are readable by yourself.

Also you can try to generate the certs on a Linux machine and copy them back to your Windows machine; if it works, we know something goes wrong when using Cygwin to run the script.

Freeman
camel

Posts: 43
Registered: 02/02/12
Re: generating https certificates
Posted: Jul 23, 2012 10:10 PM   in response to: ffang
Great, thanks for the help; under Linux it works well both on cxf-2.6.1 and on cxf-2.4.3-fuse-01-02.
camel

Posts: 43
Registered: 02/02/12
Re: generating https certificates
Posted: Jul 23, 2012 8:51 AM   in response to: ffang
Attachment cert-bmp.jpg (453.3 KB)
Here I enclose a screenshot of how Firefox sees this cert.
njiang

Posts: 572
Registered: 09/17/07
Re: generating https certificates
Posted: Jul 25, 2012 12:10 AM   in response to: camel
As your cert is not signed by a CA which your browser trusts by default, you will see a warning like that. If you want to get rid of the warning, you need to have your cert signed by one of those CAs, and it will cost you some money.

Willem