DNS SSL/TLS certificate import #103
Comments
Hi Alexander,
I'm not sure I understand the question completely, but let's see if we
can get you on track by addressing different parts of your e-mail.
First, importing a TLS certificate for the Payara Server. Since you
mentioned the TLS certificate has a private key, I'm assuming this is
for the Payara server to present to applications when they're consuming
FIDO2 webservices?
If so, the method of import depends on how you have the private key -
the process differs depending on whether you have the private key as a
PKCS#8, PKCS#12, JKS or JCEKS keystore. It doesn't matter if the TLS
certificate file itself is PEM or DER encoded - you eventually have to
import it using the keytool command into the keystore.jks file in the
/usr/local/strongkey/payara41/glassfish/domains/domain1/config directory.
Can you specify how you generated the private-key for the TLS
certificate you're getting from the external source (cloudflare)?
Secondly, I just want to clarify that you're planning to use this only
within your internal network? Since the use of the 192.168.x.x IP
address will be inaccessible to anyone outside your "example.com" domain
and network. Is that your intent?
Once you've provided the answers, we can provide further guidance. In
the meantime, you may want to read up on the manpage for keytool (it is
part of OpenJDK).
We are encouraged by your use of the FIDO2 server; thank you for that.
On 4/18/21 11:21 AM, Alexander Featherson wrote:
How would one go about importing an SSL/TLS certificate to allow secure
connection between DNS provider and the server/VM?
I attempted using some of the methods provided by payara documentation,
however now I can't access it at vs connecting via external IP.
I am using an SRV record for allowing the use of a sub domain ex.
fido.example.com forwards to 192.168.56.1:8181.
Would the certificate have to specify fido.example.com for this to work?
What is the proper way to import ssl certificates that are in
pem/pkcs7/der format with a normal private key?
Thank you for all the work that has been put into this!
So the TLS cert was made using openssl in pkcs12 mode following what was provided on this site here: https://docs.payara.fish/enterprise/docs/5.27.0/documentation/payara-server/server-configuration/ssl-certificates.html
Then imported the srckeystore into the destkeystore with the alias of skfs and ran part of the installer that generates a key and imports it into the glassfish and java keystores, except taking out the keygen portion.
The IP is using the external IP of the cloud service; I only used 192.168.x.x as an example.
I have actually used the keytool already for the creation of the pkcs12 bundle and for certs in the past, just not with glassfish/payara since those are new tools for me.
The cloudflare TLS/SSL is for a secure connection (Full encryption) between browser, Cloudflare and the end server (Fido2 server). I would like to note that the TLS is for the Origin server communication to/from Cloudflare.
Also, is the choice of port 8181 for not having to use root with the glassfishd?
If all you're doing is getting a digital certificate for the SKFS,
issued by Cloudflare, my suggestion is to let the SKFS script generate
your self-signed certificate based on the FQDN you gave your FIDO server
during installation.
Once the script is done, go over to the
/usr/local/strongkey/payara41/glassfish/domains/domain1/config directory
and use the following command to generate a new certificate request
(PKCS#10):
keytool -certreq -keystore keystore.jks -storepass changeit -alias s1as
This will print out a PEM-encoded certificate request which you can use
to get a TLS certificate from your service provider. Once you get the
PEM/DER encoded certificate-chain, you can import it using the:
keytool -importcert -alias s1as -keystore keystore.jks -storepass changeit -file <filename-of-your-new-cert>
When this works successfully, you can view the contents of your new
certificate with:
keytool -list -keystore keystore.jks -storepass changeit -alias s1as -v
to see if the certificate you're expecting matches up with what you
received from the service provider. It should have the chain in there too.
Simply restart Payara at this point for the new certificate to go into
effect with the private-key that was generated for SKFS during the
execution of the install script.
Note that you do NOT need to put the port number in your FQDN for the
certificate request or digital certificate - you only need it when your
browser/application is trying to connect to the SKFS.
Hope that helps.
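As an added check (example code written for this thread, not part of the SKFS project or of the original posts): a small Python parser over the output of `keytool -list -keystore keystore.jks -storepass changeit -alias s1as -v` that flags the things the reply above says to look for, the chain being present and linked, the leaf SAN naming the FQDN (fido.example.com), and the entry still being the install script's self-signed certificate or a trusted-cert entry because the signed certificate was imported under a different alias. The listing below is constructed; only the field names are the ones keytool prints.

```python
# Constructed sample of `keytool -list -v` output (names made up) for the s1as
# entry after the CA-signed chain was imported; lines the check ignores are omitted.
SAMPLE_LISTING = """\
Alias name: s1as
Entry type: PrivateKeyEntry
Owner: CN=fido.example.com, O=Example
Issuer: CN=Example Origin CA, O=Example
SubjectAlternativeName [
  DNSName: fido.example.com
]
Owner: CN=Example Origin CA, O=Example
Issuer: CN=Example Root CA, O=Example
"""


def parse_listing(text):
    """Map alias -> {"type", "chain": [{"owner", "issuer", "sans"}]} from keytool -v output."""
    entries, entry = {}, None
    for raw in text.splitlines():
        key, _, value = map(str.strip, raw.strip().partition(":"))
        if key == "Alias name":
            entry = entries.setdefault(value, {"type": "", "chain": []})
        elif entry is None:
            continue
        elif key == "Entry type":
            entry["type"] = value
        elif key == "Owner":  # first line keytool prints for each certificate of the chain
            entry["chain"].append({"owner": value, "issuer": "", "sans": []})
        elif key == "Issuer" and entry["chain"]:
            entry["chain"][-1]["issuer"] = value
        elif key == "DNSName" and entry["chain"]:
            entry["chain"][-1]["sans"].append(value)
    return entries


def check_server_entry(text, alias, fqdn):
    """Problems with the entry Payara serves on HTTPS; an empty list means it looks right."""
    entry = parse_listing(text).get(alias)
    if entry is None:
        return ["alias %s not found" % alias]
    problems, chain = [], entry["chain"]
    if entry["type"] != "PrivateKeyEntry":  # signed cert landed in a new alias instead
        problems.append("%s is a %s, not a PrivateKeyEntry" % (alias, entry["type"]))
    if fqdn not in (chain[0]["sans"] if chain else []):
        problems.append("leaf SAN does not list %s" % fqdn)
    if len(chain) == 1 and chain[0]["owner"] == chain[0]["issuer"]:
        problems.append("still the self-signed certificate from the install script")
    for cert, parent in zip(chain, chain[1:]):  # each cert must be issued by the next one
        if cert["issuer"] != parent["owner"]:
            problems.append("chain break between %s and %s" % (cert["owner"], parent["owner"]))
    return problems
```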
Thank you! I forgot about being able to have the cert signed. Still a bit of an SSL/TLS newb.
So it is loading the cert. Now it is down to getting Cloudflare to properly send a request to the server. An SRV record was made for it; it seems it doesn't want to use it though.
Not sure I understand the process Cloudflare is using, Alexander. Would
you please send a link to the process they are using for what you're
trying to do? Thanks.
So I am trying to reach the Fido server via an SRV record: https://www.cloudflare.com/learning/dns/dns-records/dns-srv-record/ The issue I am having is that it will not work between Cloudflare and the Fido server. Would it be wise to use the DNS handler provided by my domain provider?
Alexander,
There's no reason to use an SRV record for this - a simple A record for
just the FQDN is sufficient for FIDO to work (unless you're planning to
redirect the user from a different port to the destination port).
If you're still testing this, you can just set the FQDN in /etc/hosts or
your internal DNS server with an A record, and have your test
applications access FIDO server on the default Payara port (8181).
If you're putting this into production and you want it on port 443, then
there are a number of different ways to address that (in the order of
increasing complexity):
- Modify your application to connect to port 8181 instead of 443;
- Modify the firewall on the SKFS instance to redirect from 443 to 8181;
- Modify Payara configuration to listen on 443 instead of 8181;
- Use HAProxy as a load-balancer to redirect to port 8181 between an
SKFS cluster;
- ...
Possibly will go the firewall route; it seems to be a bit easier to do and less hassle.
Or I will just make a web client in python or nodejs as a frontend for it. Then just have it work as normal if the user is registered and authed.