Wednesday, 17 April 2013

Creating and working with a SSL Certificate Authority in IBM HTTP Server

With thanks to Mike Whale and his excellent blog post here: -


from which I have ripped stolen reused this content.

This article describes how to create a SSL Certificate Authority using IBM HTTP Server 8.0.0.5, and then generate and use certificates signed by this CA. Alternatively, an organisation would go to a public CA such as Verisign, or they'd have their own internal CA.

Create a CA keystore

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -keydb -create -db CA.jks -type jks

Create a CA

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -create -db CA.jks -label myca -dn "cn=test,o=IBM" -ca true

Create a client keystore

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -keydb -create -db client.jks -type jks

Create a CSR

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -certreq -create -db client.jks -label clientcert -file /tmp/certreq.arm -dn "cn=clienttest,o=IBM"

Sign the CSR using the CA

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -sign -db CA.jks -label myca -file /tmp/certreq.arm 

Import the signed certificate into the client keystore

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -receive -db client.jks -file cert.arm 

Extract the root CA certificate from the CA keystore

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -extract -db CA.jks -label myca -target test.cer -type jks

Import the root CA certificate into the client keystore

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -add -db client.jks -label myca -file test.cer 

Convert the client keystore into KDB ( PKCS12 ) format in order to allow password to be stashed ( required for IHS to use keystore )

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -keydb -convert -db client.jks -pw passw0rd -target client.kdb -new_pw passw0rd -old_format jks -new_format kdb -stash

Note: The only reason that I chose to create the keystore in JKS format was to follow Mike's instructions - I could've simplified things by creating the keystore in KDB format from the outset.

Start IHS

/opt/IBM/HTTPServer/bin/apachectl -k restart -f /opt/IBM/HTTPServer/confext/httpd.conf

NOTE: -

If you see: -

Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.

in Chrome or: -

Cannot communicate securely with peer: no common encryption algorithm(s).

(Error code: ssl_error_no_cypher_overlap)

in Firefox, and see: -

[Tue Apr 16 12:52:31 2013] [error] [client 192.168.8.1] [7fcd6c0028d0] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60917 -> 192.168.8.162:8443] [12:52:31.320280]
[Tue Apr 16 12:52:31 2013] [error] [client 192.168.8.1] [7fcd700028d0] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60919 -> 192.168.8.162:8443] [12:52:31.434908]
[Tue Apr 16 12:52:53 2013] [error] [client 192.168.8.1] [1d8fd90] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60940 -> 192.168.8.162:8443] [12:52:53.449571]
[Tue Apr 16 12:52:59 2013] [error] [client 192.168.8.1] [7fcd600093c0] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60944 -> 192.168.8.162:8443] [12:52:59.432844]
[Tue Apr 16 12:52:59 2013] [error] [client 192.168.8.1] [7fcd600093c0] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60943 -> 192.168.8.162:8443] [12:52:59.433801]
[Tue Apr 16 12:54:31 2013] [error] [client 192.168.8.1] [7fcd740128b0] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60961 -> 192.168.8.162:8443] [12:54:31.636000]

etc.

in IHS error.log, then you don't have a default certificate set: -

Listing certificates to confirm what is default / trusted

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db client.kdb 

Certificates found
* default, - personal, ! trusted
! myca
- clientcert


Set the clientcert certificate as default

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -setdefault -label clientcert -db client.kdb 

Listing certificates to confirm what is default / trusted

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db client.kdb 

Certificates found
* default, - personal, ! trusted
! myca
*- clientcert

Inspecting certificates

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -details -db client.kdb -label clientcert

Label : myca
Key Size : 1024
Version : X509 V3
Serial : 516d3a0f
Issuer : CN=test,OU=test,O=IBM
Subject : CN=test,OU=test,O=IBM
Not Before : 16 April 2013 12:46:23 GMT+01:00
Not After : 16 April 2014 12:46:23 GMT+01:00
Public Key
    30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01
    05 00 03 81 8D 00 30 81 89 02 81 81 00 96 23 34
    A0 D0 FF 7A C3 EE 5C 06 FB EF AF D2 1A DB 5F F8
    4A E3 6A 8F 00 BC 95 67 4E 97 D4 B1 51 3B 68 F5
    85 72 4B A8 19 72 E0 82 86 6F 08 5D F5 F0 1B 34
    D2 7F F0 64 09 F8 87 B8 49 EB CF 18 D9 35 CD DE
    F4 1F FE 9F 7C 32 D7 2B 9F B0 4F 42 72 FF 02 14
    44 97 10 96 EC E0 34 B1 41 29 DF B8 E9 26 96 4F
    0A D3 FF CB 79 61 F1 E3 E0 81 45 3A 9F 88 E6 5A
    27 F8 99 A6 9C D6 3D 74 7C A8 3F 82 BB 02 03 01
    00 01
Public Key Type : RSA (1.2.840.113549.1.1.1)
Fingerprint : SHA1 : 
    F6 9A C2 43 57 D8 90 07 B1 C2 5F CC 02 9F CB D6
    15 C0 5E 6C
Fingerprint : MD5 : 
    A6 81 9C 1E 61 7C 52 17 3D B1 D0 90 C5 84 1D 78
Fingerprint : SHA256 : 
    21 F0 B8 4B A9 9A C9 B4 40 E3 C3 39 1E C5 95 F0
    5B D0 79 70 65 67 D1 50 C5 1C E6 9E 96 1E 5B F5
Extensions
    basicConstraints
        ca = true
        pathLen = 2147483647
        critical
Signature Algorithm : SHA1WithRSASignature (1.2.840.113549.1.1.5)
Value
    73 1B 8A 4A FD 05 40 BE 2D 7C 3B 67 66 5D D1 7A
    4F F4 4D 60 95 ED 88 81 6D 98 92 5F E4 A5 FF F0
    87 D0 B5 89 F9 A6 44 78 D1 44 94 B5 7F 57 D5 C4
    3B E1 6E 9B AC FE CD C9 0A 2C A8 C8 4C 13 83 B3
    7C 06 B9 3E 66 94 2F ED FB 9A 9B F7 8E 6F CB FD
    E9 24 2D FE 7C 6C EA CA E9 76 58 37 51 B6 7E D9
    6D 59 70 2E E0 01 37 D6 E9 3B A1 C3 D3 4D 16 C9
    B4 68 99 45 85 DE 03 9A 9C D7 F4 0C 1E FC 4D C8
Trust Status : Enabled

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -details -db client.kdb -label myca

Label : clientcert
Key Size : 1024
Version : X509 V3
Serial : 516d3a27
Issuer : CN=test,OU=test,O=IBM
Subject : CN=clienttest,OU=test,O=IBM
Not Before : 16 April 2013 12:46:47 GMT+01:00
Not After : 16 April 2014 12:46:47 GMT+01:00
Public Key
    30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01
    05 00 03 81 8D 00 30 81 89 02 81 81 00 83 C5 3E
    52 CF 2E 78 76 50 88 A7 5E D6 1E 7D 2A 96 F2 11
    0E 4D 1F 1E D2 A0 E9 30 56 8E 69 79 BF C3 D0 8F
    94 8E 0B 66 62 0A 64 46 E4 60 87 D7 E8 BF 8F 54
    F2 EB 36 D0 71 18 FC 2B 72 97 B2 49 F0 12 12 4A
    4A B3 F2 1F 99 50 38 BB 40 8F 41 D2 F8 FB 8E 9B
    FC 0F BC 80 21 57 87 EA 05 F3 D4 DF BB D1 59 D7
    4D 91 68 FF B7 BC 52 BC 12 D2 F1 C6 52 63 1D B1
    49 CC 58 88 A5 E5 86 31 9B CE F3 E6 C3 02 03 01
    00 01
Public Key Type : RSA (1.2.840.113549.1.1.1)
Fingerprint : SHA1 : 
    1B 33 B7 0A 1D 33 29 F2 6E 56 81 55 92 CB 48 DC
    D3 2F 16 90
Fingerprint : MD5 : 
    C4 64 E5 08 AA F0 AE 65 5A 7A 12 12 21 55 7C 19
Fingerprint : SHA256 : 
    54 A4 41 37 25 65 8F 28 FE 4B 97 37 DE 3A 4D 97
    80 F4 FF C0 8D BA 92 D2 51 F8 4D 4B 69 BD BA 69
Signature Algorithm : SHA1WithRSASignature (1.2.840.113549.1.1.5)
Value
    25 14 7A 6F D9 F2 CC E3 93 5C 8E 1C 4F 3C DC 57
    C8 D3 B4 D5 51 0D C9 C7 DE 00 C8 B0 2D D8 C2 F6
    50 34 97 1E 24 C8 22 D6 01 F4 DA B9 0E 1C 67 E3
    EF 73 77 F6 21 32 0D 92 B3 9B 0B C1 3A 28 71 70
    7D 3A 7E 7F 8F C3 BE 23 B0 74 F5 E7 20 5E 3D 01
    6B 57 AC 0A 5E F6 3B 93 B6 A3 E1 6A 2E E9 29 00
    4E 81 E3 D3 20 E7 86 96 C0 91 02 5D E9 86 7D 38
    08 02 B1 76 3B D4 A4 C4 41 2E 91 C0 49 84 3B 81
Trust Status : Enabled

Additional Notes

For the record, here's a similar set of instructions, but using KDB ( PKCS12 ) instead of JKS from the outset, avoiding the need for conversion: -

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -keydb -create -db CA.kdb -stash

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -create -db CA.kdb  -label myca -dn "cn=test,o=IBM" -ca true

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -keydb -create -db client.kdb -stash

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -certreq -create -db client.kdb  -label clientcert -file /tmp/certreq.arm -dn "cn=clienttest,o=IBM"

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -sign -db CA.kdb  -label myca -file /tmp/certreq.arm 

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -receive -db client.kdb  -file cert. arm 

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -extract -db CA.kdb  -label myca -target test.cer

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -add -db client.kdb -label myca -file test.cer 

/opt/IBM/HTTPServer/bin/apachectl -k restart -f /opt/IBM/HTTPServer/confext/httpd.conf

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -setdefault -label clientcert -db client.kdb 





No comments:

Note to self - use kubectl to query images in a pod or deployment

In both cases, we use JSON ... For a deployment, we can do this: - kubectl get deployment foobar --namespace snafu --output jsonpath="{...