third party cert help

Question asked by 102020 on Jul 3, 2014
Hey there,
this is what I've got done so far:

C:\Alfresco-4.2.e\java\bin>keytool -genkeypair -keyalg RSA -dname "cn=sandbox.children-first.ca, o=children-first, o=.ca" -validity 36525 -alias ssl.repo -keypass kT9X6oe68t -keystore "C:\Alfresco-4.2.e\alf_data\keystore\ssl.keystore" -storetype JCEKS -storepass kT9X6oe68t

C:\Alfresco-4.2.e\java\bin>keytool -certreq -alias ssl.repo -file "C:\Alfresco-4.2.e\alf_data\keystore\ssl.repo.csr" -keypass kT9X6oe68t -keystore "C:\Alfresco-4.2.e\alf_data\keystore\ssl.keystore" -storetype JCEKS -storepass kT9X6oe68t

>Copy contents of ssl.repo.csr, paste into startcom, generates crt, download crt, save as ssl.repo.crt

C:\Alfresco-4.2.e\java\bin>keytool -genkeypair -keyalg RSA -dname "cn=sandbox.children-first.ca, o=children-first, o=.ca" -validity 36525 -alias ssl.repo.client -keypass kT9X6oe68t -keystore "C:\Alfresco-4.2.e\alf_data\keystore\ssl.repo.client.keystore" -storetype JCEKS -storepass kT9X6oe68t

C:\Alfresco-4.2.e\java\bin>keytool -certreq -alias ssl.repo.client -file "C:\Alfresco-4.2.e\alf_data\keystore\ssl.repo.client.csr" -keypass kT9X6oe68t -keystore "C:\Alfresco-4.2.e\alf_data\keystore\ssl.repo.client.keystore" -storetype JCEKS -storepass kT9X6oe68t

>Copy contents of ssl.repo.client.csr, paste into startcom, generates crt, download crt, save as ssl.repo.client.crt

C:\Alfresco-4.2.e\java\bin>keytool -importcert -noprompt -alias ssl.repo.client -file "C:\Alfresco-4.2.e\alf_data\keystore\ssl.repo.client.crt" -keystore "C:\Alfresco-4.2.e\alf_data\keystore\ssl.truststore" -storetype JCEKS -storepass kT9X6oe68t

C:\Alfresco-4.2.e\java\bin>keytool -importcert -noprompt -alias ssl.repo -file "C:\Alfresco-4.2.e\alf_data\keystore\ssl.repo.crt" -keystore "C:\Alfresco-4.2.e\alf_data\keystore\ssl.truststore" -storetype JCEKS -storepass kT9X6oe68t

C:\Alfresco-4.2.e\java\bin>keytool -importcert -noprompt -alias ssl.repo -file "C:\Alfresco-4.2.e\alf_data\keystore\ssl.repo.crt" -keystore "C:\Alfresco-4.2.e\alf_data\keystore\ssl.repo.client.truststore" -storetype JCEKS -storepass kT9X6oe68t

C:\Alfresco-4.2.e\java\bin>keytool -importkeystore -srckeystore "C:\Alfresco-4.2.e\alf_data\keystore\ssl.keystore" -srcstorepass kT9X6oe68t -srcstoretype JCEKS -srcalias ssl.repo -srckeypass kT9X6oe68t -destkeystore "C:\Alfresco-4.2.e\alf_data\keystore\browser.p12" -deststoretype pkcs12 -deststorepass alfresco -destalias ssl.repo -destkeypass alfresco

C:\Alfresco-4.2.e\java\bin>keytool -import -trustcacerts -alias startcom.ca -file "C:\Alfresco-4.2.e\alf_data\keystore\ca.crt" -keystore "C:\Alfresco-4.2.e\java\jre\lib\security\cacerts"

>password is: changeit

C:\Alfresco-4.2.e\java\bin>keytool -import -trustcacerts -alias startcom.ca.sub -file "C:\Alfresco-4.2.e\alf_data\keystore\sub.class3.server.ca.crt" -keystore "C:\Alfresco-4.2.e\java\jre\lib\security\cacerts"

>password is: changeit

Problem is, I think it's not using the cacerts location, it's using ssl.truststore, am I right? Problem is, how do I get my CA root certs in there? It keeps giving me invalid keystore type complaints. And in my log I have:


2014-07-03 10:43:13,245  ERROR [web.context.ContextLoader] [localhost-startStop-1] Context initialization failed
org.alfresco.error.AlfrescoRuntimeException: 06030000 Keystores are invalid
   at org.alfresco.encryption.EncryptionChecker$1.execute(EncryptionChecker.java:71)
   at org.alfresco.encryption.EncryptionChecker$1.execute(EncryptionChecker.java:61)
   at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:452)
   at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:323)
   at org.alfresco.encryption.EncryptionChecker.onBootstrap(EncryptionChecker.java:60)
   at org.springframework.extensions.surf.util.AbstractLifecycleBean.onApplicationEvent(AbstractLifecycleBean.java:56)
   at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEventInternal(SafeApplicationEventMulticaster.java:209)
   at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEvent(SafeApplicationEventMulticaster.java:180)
   at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:303)
   at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:911)
   at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:428)
   at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:276)
   at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:197)
   at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47)
   at org.alfresco.web.app.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:63)
   at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4939)
   at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5434)
   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:633)
   at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:976)
   at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1653)
   at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
   at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
   at java.util.concurrent.FutureTask.run(FutureTask.java:166)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
   at java.lang.Thread.run(Thread.java:724)
Caused by: org.alfresco.encryption.MissingKeyException: Key metadata is missing from keystore C:\Alfresco-4.2.e\alf_data/keystore/keystore
   at org.alfresco.encryption.AlfrescoKeyStoreImpl.validateKeys(AlfrescoKeyStoreImpl.java:885)
   at org.alfresco.encryption.AlfrescoKeyStoreImpl.validateKeys(AlfrescoKeyStoreImpl.java:187)
   at org.alfresco.encryption.KeyStoreChecker.validateKeyStores(KeyStoreChecker.java:47)
   at org.alfresco.encryption.EncryptionChecker$1.execute(EncryptionChecker.java:66)
   … 28 more
The part saying "key metadata is missing from keystore" is what raises my eyebrow.

Can you give some direction with this, or should I abandon my efforts and go with the reverse proxy like everyone else?

*EDIT*
I also tried this (which did work), but still get the same error:
C:\Alfresco-4.2.e\java\bin>keytool -import -trustcacerts -alias startcom.ca -file "C:\Alfresco-4.2.e\alf_data\keystore\ca.crt" -keystore "C:\Alfresco-4.2.e\alf_data\keystore\ssl.truststore" -storetype JCEKS -storepass kT9X6oe68t
Certificate already exists in system-wide CA keystore under alias <startcom.ca>
Do you still want to add it to your own keystore? [no]:  yes
Certificate was added to keystore

C:\Alfresco-4.2.e\java\bin>keytool -import -trustcacerts -alias startcom.ca.sub -file "C:\Alfresco-4.2.e\alf_data\keystore\sub.class3.server.ca.crt" -keystore "C:\Alfresco-4.2.e\alf_data\keystore\ssl.truststore" -storetype JCEKS -storepass kT9X6oe68t
Certificate was added to keystore

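The "Caused by" line in the stack trace above names alf_data/keystore/keystore (Alfresco's encryption keystore) and the missing alias `metadata`, not ssl.truststore. The following script is an added example, not code from the original post or from Alfresco: it parses `keytool -list` output and checks each keystore for the aliases it is expected to hold, so a "Key ... is missing from keystore" error can be pinned to the file that lacks the entry. The `EXPECTED` map, the sample listings and the helper names are constructed for illustration; the `metadata` alias and keystore file name come from the log above, the other aliases from the keytool commands in the post, and the entry types beside them are assumptions.

```python
"""Check which aliases each Alfresco keystore actually contains.

Added example (not the original post's or Alfresco's code). It parses the
text `keytool -list` prints and compares it with an expected-alias map.
"""
import re
import subprocess
from typing import Dict, List

# `keytool -list` prints one "alias, <date>, EntryType," line per entry; the date
# may itself contain a comma ("Jul 3, 2014"), so anchor on the entry type at the
# end of the line rather than splitting on commas. Fingerprint lines are skipped.
ENTRY_RE = re.compile(
    r"^(?P<alias>.+?),\s.*?,\s*(?P<type>PrivateKeyEntry|SecretKeyEntry|trustedCertEntry),?\s*$"
)

# Assumed expectations, keyed by keystore file name (alf_data/keystore/<name>).
# "keystore"/"metadata" is the pair named in the stack trace; the ssl.* aliases
# are the ones created and imported by the keytool commands in the post.
EXPECTED: Dict[str, Dict[str, str]] = {
    "keystore": {"metadata": "SecretKeyEntry"},
    "ssl.keystore": {"ssl.repo": "PrivateKeyEntry"},
    "ssl.truststore": {"ssl.repo.client": "trustedCertEntry"},
    "ssl.repo.client.keystore": {"ssl.repo.client": "PrivateKeyEntry"},
    "ssl.repo.client.truststore": {"ssl.repo": "trustedCertEntry"},
}


def parse_keytool_list(listing: str) -> Dict[str, str]:
    """Map alias -> entry type from the text `keytool -list` printed."""
    entries: Dict[str, str] = {}
    for line in listing.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias").strip()] = m.group("type")
    return entries


def missing_aliases(entries: Dict[str, str], expected: Dict[str, str]) -> List[str]:
    """Expected aliases that are absent, or present with a different entry type."""
    return sorted(alias for alias, etype in expected.items() if entries.get(alias) != etype)


def diagnose(listings: Dict[str, str]) -> Dict[str, List[str]]:
    """For each keystore name -> `keytool -list` text, report the aliases it lacks."""
    return {name: missing_aliases(parse_keytool_list(text), EXPECTED[name])
            for name, text in listings.items()}


def run_keytool_list(path: str, storepass: str, storetype: str = "JCEKS",
                     keytool: str = "keytool") -> str:
    """Run `keytool -list` on a real keystore file and return its output.

    Passing -storepass on the command line exposes it to other local users via the
    process list; keytool prompts for it interactively if the option is omitted.
    """
    cmd = [keytool, "-list", "-keystore", path, "-storetype", storetype,
           "-storepass", storepass]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample listings (not output captured from the poster's system).
SAMPLE_SSL_KEYSTORE = """\
Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 1 entry

ssl.repo, Jul 3, 2014, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
"""

SAMPLE_METADATA_OK = """\
Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 1 entry

metadata, Jul 3, 2014, SecretKeyEntry, 
"""

# An encryption keystore that holds an SSL key pair but no `metadata` secret key.
SAMPLE_METADATA_MISSING = SAMPLE_SSL_KEYSTORE


if __name__ == "__main__":
    report = diagnose({"ssl.keystore": SAMPLE_SSL_KEYSTORE,
                       "keystore": SAMPLE_METADATA_MISSING})
    for name, missing in report.items():
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

To run it against real files, replace the sample text with `run_keytool_list(r"C:\Alfresco-4.2.e\alf_data\keystore\keystore", storepass)` for each keystore; the script reports the first keystore whose expected alias is absent, which is where the EncryptionChecker failure originates.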