-2

How can I configure a (Java-based) Vert.x 3 server to serve HTTPS (in an Ubuntu cloud server environment) given a working set of 1. a certificate.cer, 2. an intermediate.cer, and 3. a private key?

An apache2 httpd could successfully be configured using these same three files with the following configuration in ssl.conf (paths omitted):

<VirtualHost>
  ...

  SSLCertificateFile   certificate.cer
  SSLCertificateKeyFile   privatekey.key
  SSLCertificateChainFile   intermediate.cer

  ...
</VirtualHost>

Browsers accepted the https connection without complaint.

Then I switched to java ...

The java based vert.x 3 server needs at least a java keystore file and a password:

HttpServerOptions options = new HttpServerOptions()
  .setSsl(true)
  .setKeyStoreOptions(
    new JksOptions()
      .setPath("keystore.jks")
      .setPassword("...")
  );

I say: ... it needs "at least" a keystore and a password, because it may need more than that ...

The browser tells me:

www.mydomain.com uses an invalid security certificate. 
The certificate is not trusted because the issuer certificate 
is unknown. The server might not be sending the appropriate 
intermediate certificates. 
An additional root certificate may need to be imported. 
Error code: SEC_ERROR_UNKNOWN_ISSUER 

where www.mydomain.com is correct, and, surprisingly, all information that browsers show about the certificate is the same as when I used apache2 httpd like above.

Please show a complete procedure to transform the three given files above into a java keystore to solve the issue, i.e. please show a working script (using ubuntu / linux standard tools like java's keytool and openssl).

It would also be an even greater pleasure to learn how to test the result for correctness using these tools.

This question is not a duplicate for several reasons - I give a hint:

First, here I am asking for the difference between the configuration of an apache2 httpd and a java based vertx 3 server.

Secondly, I am asking how to combine 3 components or more into a complete Java keystore. Httpd has access to the necessary fourth component and fetches it implicitly. The Java server doesn't do that. The missing component has to be included in the keystore explicitly. So, the answer has to show how to find exactly the needed components (certificates) and include them.

Answers that were given before in this forum do not address those central (and other less important) aspects of this question. Less important are versions, types of certificates and the test of the result. As a further hint, there may be no reliable way to test for security at all - this is really a pity but I can't help it.

An important feature of the question is that I am asking for an answer specific to that question - not anything else.

Michael
  • Google for Java `keytool` (part of the JDK). I would prefer Portecle, it is an Open Source UI keystore editor. Just export the files to your desktop system, combine them and copy them back to the server. – Robert Sep 27 '16 at 12:41
  • 1
    The question is asking for the exact procedure - not for a link to Google, nor for personal preferences. – Michael Sep 27 '16 at 14:21
  • @Omikron and Robert: My question is not a duplicate of either. That's what you see if you read the question. – Michael Sep 27 '16 at 18:14
  • Maybe we know more about this topic than you do. Read the most up-voted answer (and the comments) carefully, it explains what you did wrong. – Omikron Sep 27 '16 at 21:03
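
The conversion the question asks for, as an added example that is not part of the original post or its answers: it packs the three PEM files into a single PKCS#12 key entry, converts that to JKS, and checks that the intermediate is present. The alias `server`, the function names and the `KS_PASS` variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. File names follow the question;
# the alias "server", KS_PASS and all function names are assumptions.
set -e

# Bundle key + certificate + intermediate into one PKCS#12 key entry.
# Inputs are PEM, as Apache's SSLCertificate* directives require.
# usage: make_p12 <cert> <key> <intermediate> <out.p12> <password>
make_p12() {
    PW="$5" openssl pkcs12 -export -name server \
        -in "$1" -inkey "$2" -certfile "$3" \
        -out "$4" -passout env:PW
}

# Number of certificates in the PKCS#12 file. 1 means the intermediate is
# missing, the condition the browser message in the question points to.
p12_cert_count() {
    PW="$2" openssl pkcs12 -in "$1" -nokeys -passin env:PW |
        grep -c 'BEGIN CERTIFICATE' || true
}

# Convert to JKS for JksOptions. The chain stays attached to the key entry.
# Passwords go through the environment, not the process argument list.
# usage: p12_to_jks <in.p12> <out.jks> <password>
p12_to_jks() {
    PW="$3" keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env PW \
        -destkeystore "$2" -deststoretype JKS -deststorepass:env PW
}

# Chain length keytool reports for the key entry; expect 2 or more.
jks_chain_length() {
    PW="$2" keytool -list -v -keystore "$1" -storepass:env PW -alias server |
        sed -n 's/^Certificate chain length: //p'
}

# Number of certificates the running server actually sends; expect 2 or more.
# usage: served_cert_count <host> <port>
served_cert_count() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE' || true
}

# Run only when called as: KS_PASS=... script <cert> <key> <intermediate>
if [ "$#" -eq 3 ] && [ -n "${KS_PASS:-}" ]; then
    make_p12 "$1" "$2" "$3" keystore.p12 "$KS_PASS"
    p12_to_jks keystore.p12 keystore.jks "$KS_PASS"
    echo "certificates in key entry: $(jks_chain_length keystore.jks "$KS_PASS")"
fi
```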

1 Answer

0

I don't know if this helps but you can use the tool KeyStore Explorer 5.2 and import/export/merge keys and stores as you would like in a more graphical way, it pretty much gives all the operations you need. If you want a script, well...just check the keytool "API".

  • The question is asking for the exact procedure - not for the existence of a universal tool that offers a way to do anything - and by the way "import/export/merge keys and stores as you would like" [cited]. – Michael Sep 27 '16 at 14:25
  • 1
    As I said, "I don't know if it helps", I thought maybe you want to merge the keys for testing purposes for example; a simple "thanks, but that doesn't help me" would have been enough instead of 2 comments; good luck! – viorel hojda Sep 28 '16 at 13:09