
How to enable an additional certificate?

Question asked by ymoisan on Oct 30, 2013
Latest reply on Nov 4, 2013 by ymoisan
Hi,

We are running a vulnerability testing appliance and we have the following vulnerabilities associated with port 8443/tcp over SSL (Alfresco Tomcat):

SSL Certificate - Self-Signed Certificate
SSL Certificate - Subject Common Name Does Not Match Server FQDN
SSL Certificate - Signature Verification Failed Vulnerability

I know what this means so I set out to generate a certificate from a trusted issuer.

The original keystore had:

keytool.exe -list -keystore …\alf_data\keystore\ssl.keystore -storetype JCEKS -storepass TheGoodPW

Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

ssl.repo, Aug 10, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): C7:50:C4:95:03:90:F7:5E:45:58:58:89:08:5F:D7:4F:1B:8C:C2:32
ssl.alfresco.ca, Aug 10, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): F4:28:0B:38:FC:28:C6:53:18:CF:53:28:2A:F5:2F:40:78:15:0B:FF

I generated a certificate the Issuer of which is trusted by our vulnerability testing appliance:

$ openssl x509 -inform DER -in …/alf_data/keystore/cert-MyCert.cer -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            …
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=MyFQDN-NoProblem

Importing it into the keystore:

keytool -v -importcert -alias MyAlias -file …\Alfresco\alf_data\keystore\MyCert.cer -storepass GoodPW -keystore D…\Alfresco\alf_data\keystore\ssl.keystore -storetype JCEKS

And listing its content:

keytool.exe -list -keystore …\alf_data\keystore\ssl.keystore -storetype JCEKS -storepass TheGoodPW

Your keystore contains 4 entries

ssl.repo, Aug 10, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): C7:50:C4:95:03:90:F7:5E:45:58:58:89:08:5F:D7:4F:1B:8C:C2:32
MyCert1, Oct 29, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): ….
ssl.alfresco.ca, Aug 10, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): F4:28:0B:38:FC:28:C6:53:18:CF:53:28:2A:F5:2F:40:78:15:0B:FF
MyCert2, Oct 29, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): …

Now, if I hit port 8443 to see what comes:

$ openssl s_client -connect localhost:8443
CONNECTED(00000003)
depth=1 C = GB, ST = UK, L = Maidenhead, O = Alfresco Software Ltd., CN = Alfresco CA
verify error:num=19:self signed certificate in certificate chain
verify return:0

Certificate chain
0 s:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco Repository
   i:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./CN=Alfresco CA
1 s:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./CN=Alfresco CA
   i:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./CN=Alfresco CA

I get only the two original certificates. How can I get Alfresco's Tomcat to present my new certs too? I'm pretty sure if I can get the chain with the trusted Issuer certificate I will clear all those vulnerabilities. What do I need to do?

TIA,

YvesM
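The s_client output in the question is the key piece of evidence: a TLS server only presents the certificate chain that belongs to the private key it is configured to use (for Tomcat's JSSE connector, the PrivateKeyEntry selected by keyAlias), and a certificate imported with importcert lands as a trustedCertEntry, which affects what the keystore trusts, not what the connector serves. The following script is an added example, not code from the poster or from Alfresco. It parses the text that `openssl s_client -connect host:port` prints, reproduces the three scanner findings listed at the top of the question (self-signed chain, CN not matching the FQDN, no trusted issuer in the chain) as defender-side checks, and shows the difference between the served chain quoted in the post and a constructed chain that would clear them. The FQDN `alfresco.example.internal` and the CA name `Example Corporate CA` are made-up placeholders, since neither appears on the page.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the `openssl s_client -connect localhost:8443` output
# quoted in the question (the two stock Alfresco certificates, no trusted issuer).
ALFRESCO_DEFAULT_CHAIN = """\
CONNECTED(00000003)
depth=1 C = GB, ST = UK, L = Maidenhead, O = Alfresco Software Ltd., CN = Alfresco CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco Repository
   i:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./CN=Alfresco CA
 1 s:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./CN=Alfresco CA
   i:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./CN=Alfresco CA
---
"""

# Constructed sample: a served chain whose leaf is issued for the host's FQDN by
# a CA the scanner trusts. Host and CA names are hypothetical placeholders.
FIXED_CHAIN = """\
CONNECTED(00000003)
depth=1 CN = Example Corporate CA
verify return:1
depth=0 CN = alfresco.example.internal
verify return:1
---
Certificate chain
 0 s:/CN=alfresco.example.internal
   i:/CN=Example Corporate CA
 1 s:/CN=Example Corporate CA
   i:/CN=Example Corporate CA
---
"""

DN_PART = re.compile(r"/([A-Za-z]+)=([^/]*)")
SUBJECT_LINE = re.compile(r"^\s*\d+ s:(.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")
VERIFY_ERROR = re.compile(r"verify error:num=(\d+):(.*)")


def parse_dn(dn: str) -> Dict[str, str]:
    """Turn OpenSSL's slash-separated DN (/C=GB/CN=foo) into an attribute dict."""
    return {key: value for key, value in DN_PART.findall(dn)}


def parse_chain(s_client_output: str) -> List[Tuple[Dict[str, str], Dict[str, str]]]:
    """Return [(subject, issuer), ...] in the order the server sent them (leaf first)."""
    chain = []
    pending_subject = None
    for line in s_client_output.splitlines():
        m = SUBJECT_LINE.match(line)
        if m:
            pending_subject = parse_dn(m.group(1))
            continue
        m = ISSUER_LINE.match(line)
        if m and pending_subject is not None:
            chain.append((pending_subject, parse_dn(m.group(1))))
            pending_subject = None
    return chain


def assess(s_client_output: str, expected_fqdn: str, trusted_issuer_cns: Set[str]) -> Dict[str, object]:
    """Reproduce the three scanner findings from the post against a served chain.

    trusted_issuer_cns is a simplification for the demo: real trust is decided by
    the CA certificate itself (key and signature), not by its CN string.
    """
    chain = parse_chain(s_client_output)
    if not chain:
        raise ValueError("no 'Certificate chain' block in s_client output")
    leaf_subject, _ = chain[0]
    top_subject, top_issuer = chain[-1]

    # Finding 1: the chain ends in a self-signed certificate that is not a trust anchor.
    self_signed = top_subject == top_issuer and top_subject.get("CN") not in trusted_issuer_cns
    # Finding 2: leaf CN vs. FQDN. s_client's chain summary shows no subjectAltName,
    # so a production check must additionally inspect the leaf's SAN extension.
    cn_mismatch = leaf_subject.get("CN", "").lower() != expected_fqdn.lower()
    # Finding 3: nothing in the served chain is signed by an issuer we trust.
    anchored = any(issuer.get("CN") in trusted_issuer_cns for _, issuer in chain)
    # Also surface what OpenSSL itself complained about (num=19 in the post).
    verify_errors = [(int(num), text.strip()) for num, text in VERIFY_ERROR.findall(s_client_output)]

    return {
        "self_signed": self_signed,
        "cn_mismatch": cn_mismatch,
        "signature_verification_failed": not anchored,
        "openssl_verify_errors": verify_errors,
    }


def scanner_findings(result: Dict[str, object]) -> List[str]:
    """Map the boolean checks onto the finding titles the appliance reported."""
    titles = {
        "self_signed": "SSL Certificate - Self-Signed Certificate",
        "cn_mismatch": "SSL Certificate - Subject Common Name Does Not Match Server FQDN",
        "signature_verification_failed": "SSL Certificate - Signature Verification Failed Vulnerability",
    }
    return [title for key, title in titles.items() if result[key]]


if __name__ == "__main__":
    trusted = {"Example Corporate CA"}  # hypothetical trust anchor, by CN only
    for label, output in (("served today", ALFRESCO_DEFAULT_CHAIN), ("after re-keying", FIXED_CHAIN)):
        findings = scanner_findings(assess(output, "alfresco.example.internal", trusted))
        print(f"{label}: {findings or 'no findings'}")
```

Running it against the chain quoted in the question yields all three findings, and against the constructed chain none, which is the point: the keystore now holds four entries, but the connector still serves only the `ssl.repo` key entry and its Alfresco CA issuer, so the scanner's view is unchanged until the key entry the connector uses is itself backed by a certificate issued for the host's FQDN by the trusted CA.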
