Thursday, July 23, 2015

How to import a server certificate to WSO2 key stores

Recently I was testing Nginx's load balancing capability with a WSO2 Application Server cluster which consisted of one manager and two worker nodes fronted by an Nginx load balancer. I managed to successfully test the dep sync functionality by directly calling the manager/worker nodes of my cluster.

However, when I tried to send HTTPS requests through the load balancer I encountered SSL certificate errors. The reason was that the certificate set up for Nginx when setting up the cluster was not available inside our WSO2 key stores.

As a solution I imported the server.crt certificate file to the WSO2 key stores and carried out my intended operations as expected without any certificate trouble. Here is how to do it.

1. Issue the following command, which will print the basic certificate details and prompt you with a question. (It is assumed that both server.crt and wso2carbon.jks are in the same folder; otherwise give the paths accordingly.)

> keytool -import -file server.crt -alias nginx -keystore wso2carbon.jks -storepass wso2carbon

Owner: EMAILADDRESS=sameera@wso2.com, CN=Sameera, OU=Carbon, O=WSO2, L=Colombo, ST=Western, C=SL
Issuer: EMAILADDRESS=sameera@wso2.com, CN=Sameera, OU=Carbon, O=WSO2, L=Colombo, ST=Western, C=SL
Serial number: 8b1edfc651beb3a3
Valid from: Tue Jun 16 19:40:22 IST 2015 until: Wed Jun 15 19:40:22 IST 2016
Certificate fingerprints:
  MD5:  1C:50:BB:9A:A1:01:49:D9:19:D2:BC:60:8F:6A:9A:11
  SHA1: 75:5D:B8:1B:F7:9F:05:46:BC:07:BA:C2:0E:7D:B1:B4:58:17:26:27
  SHA256: 17:C3:73:0E:D7:24:28:E5:FB:FE:A5:C4:C8:D9:A4:07:55:59:BA:55:37:1B:E8:14:12:64:7F:16:7A:A6:C3:C9
  Signature algorithm name: SHA256withRSA
  Version: 1


The question being asked is:

Trust this certificate? [no]:  yes

2. Type yes as shown above and press Enter. You will get the following response.


Certificate was added to keystore


That's it. :)


To verify that the certificate is present, list the nginx alias in each key store:

> keytool -list -alias nginx -keystore client-truststore.jks -storepass wso2carbon -v
> keytool -list -alias nginx -keystore wso2carbon.jks -storepass wso2carbon -v

Sample output:

Alias name: nginx
Creation date: Aug 21, 2015
Entry type: trustedCertEntry

Owner: EMAILADDRESS=user@comp.com, CN=user, OU=Carbon, O=COMP, L=Colombo, ST=Western, C=SL
Issuer: EMAILADDRESS=user@comp.com, CN=user, OU=Carbon, O=COMP, L=Colombo, ST=Western, C=SL
Serial number: 8b1edfc651beb3a3
Valid from: Tue Jun 16 14:10:22 UTC 2015 until: Wed Jun 15 14:10:22 UTC 2016
Certificate fingerprints:
  MD5:  1C:50:BB:9A:A1:01:49:D9:19:D4:BC:60:8F:6A:9A:11
  SHA1: 75:5D:B8:1B:F7:9F:05:46:BC:27:BA:C2:0E:7D:B1:B4:58:17:26:27
  SHA256: 17:C3:73:0E:D7:24:28:E5:FB:FE:A5:C4:C4:D9:A4:07:55:59:BA:55:37:1B:E8:14:12:64:7F:16:7A:A6:C3:C9
  Signature algorithm name: SHA256withRSA
  Version: 1
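
The import above relies on reading the printed fingerprints before answering yes. As an added example (not part of the original post), the following shell functions compare the certificate's SHA-256 fingerprint with a value obtained out of band, import it into each key store without the prompt, and re-check the stored entry. The function names, the `entry` parameter and the `STOREPASS` environment variable are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: import a certificate into the WSO2 key stores only after
# its SHA-256 fingerprint matches a pinned value. Names are hypothetical.

# Reduce a fingerprint to uppercase hex without colons or whitespace.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \t\n' | tr 'a-f' 'A-F'
}

# Read `keytool -printcert` or `keytool -list -v` output on stdin and print
# the SHA-256 fingerprint of the first certificate found.
sha256_from_keytool() {
  awk '!found && $1 ~ /^SHA-?256:$/ { gsub(/:/, "", $2); print toupper($2); found = 1 }'
}

# Succeed only if the keytool output on stdin carries the expected fingerprint.
fp_matches() {
  actual=$(sha256_from_keytool)
  [ -n "$actual" ] && [ "$actual" = "$(normalize_fp "$1")" ]
}

# import_pinned CERT ENTRY EXPECTED_SHA256 KEYSTORE...
# The store password is taken from the STOREPASS environment variable so it
# does not appear on the command line.
import_pinned() {
  cert=$1; entry=$2; expected=$3; shift 3
  [ -n "${STOREPASS:-}" ] || { echo "export STOREPASS first" >&2; return 2; }
  if ! keytool -printcert -file "$cert" | fp_matches "$expected"; then
    echo "refusing to import $cert: fingerprint does not match the pin" >&2
    return 1
  fi
  for ks in "$@"; do
    # -noprompt is acceptable here: the check above replaces the manual "yes".
    keytool -import -noprompt -file "$cert" -alias "$entry" \
      -keystore "$ks" -storepass:env STOREPASS || return 2
    # Confirm the stored entry is the certificate that was checked.
    keytool -list -v -alias "$entry" -keystore "$ks" -storepass:env STOREPASS |
      fp_matches "$expected" || return 3
  done
}

# Usage (the pin is a placeholder; read it on the Nginx host itself):
#   export STOREPASS=<key store password>
#   import_pinned server.crt nginx "<SHA-256 fingerprint>" wso2carbon.jks client-truststore.jks
```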