https://connect.hyland.com/t5/alfresco-archive/how-to-enable-an-additional-certificate/m-p/302465#M255595 <HTML><HEAD></HEAD><BODY><SPAN>Hi,</SPAN><BR /><BR /><SPAN>We are running a vulnerability testing appliance and we have the following vulnerabilities associated with port 8443/tcp over SSL (Alfresco Tomcat) :</SPAN><BR /><BR /><SPAN>SSL Certificate - Self-Signed Certificate</SPAN><BR /><SPAN>SSL Certificate - Subject Common Name Does Not Match Server FQDN</SPAN><BR /><SPAN>SSL Certificate - Signature Verification Failed Vulnerability</SPAN><BR /><BR /><SPAN>I know what this means so I set out to generate a certificate from a trusted issuer.</SPAN><BR /><BR /><SPAN>The original keystore had :</SPAN><BR /><BR /><SPAN>keytool.exe -list -keystore …\alf_data\keystore\ssl.keystore -storetype JCEKS -storepass TheGoodPW</SPAN><BR /><BR /><SPAN>Keystore type: JCEKS</SPAN><BR /><SPAN>Keystore provider: SunJCE</SPAN><BR /><BR /><SPAN>Your keystore contains 2 entries</SPAN><BR /><BR /><SPAN>ssl.repo, Aug 10, 2012, PrivateKeyEntry,</SPAN><BR /><SPAN>Certificate fingerprint (SHA1): C7:50:C4:95:03:90:F7:5E:45:58:58:89:08:5F<img id="smileyvery-happy" class="emoticon emoticon-smileyvery-happy" src="https://connect.hyland.com/i/smilies/16x16_smiley-very-happy.png" alt="Smiley Very Happy" title="Smiley Very Happy" />7:4F:1B:8C:C2:32</SPAN><BR /><SPAN>ssl.alfresco.ca, Aug 10, 2012, trustedCertEntry,</SPAN><BR /><SPAN>Certificate fingerprint (SHA1): F4:28:0B:38:FC:28:C6:53:18:CF:53:28:2A:F5:2F:40:78:15:0B:FF</SPAN><BR /><BR /><SPAN>I generated a certificate the Issuer of which is trusted by our vulnerability testing appliance : </SPAN><BR /><BR /><SPAN>$ openssl x509 -inform DER -in …/alf_data/keystore/cert-MyCert.cer -text -noout</SPAN><BR /><SPAN>Certificate:</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; Data:</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Version: 3 (0x2)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Serial Number:</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; …</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; Signature Algorithm: sha1WithRSAEncryption</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Issuer: CN=MyFQDN-NoProblem</SPAN><BR /><BR /><SPAN>Importing it into the keystore : </SPAN><BR /><BR /><SPAN>keytool -v -importcert -alias MyAlias -file …\Alfresco\alf_data\keystore\MyCert.cer -storepass GoodPW -keystore D…\Alfresco\alf_data\keystore\ssl.keystore -storetype JCEKS</SPAN><BR /><BR /><SPAN>And listing its content :</SPAN><BR /><BR /><SPAN>keytool.exe -list -keystore …\alf_data\keystore\ssl.keystore -storetype JCEKS -storepass TheGoodPW</SPAN><BR /><BR /><SPAN>Your keystore contains 4 entries</SPAN><BR /><BR /><SPAN>ssl.repo, Aug 10, 2012, PrivateKeyEntry,</SPAN><BR /><SPAN>Certificate fingerprint (SHA1): C7:50:C4:95:03:90:F7:5E:45:58:58:89:08:5F<img id="smileyvery-happy" class="emoticon emoticon-smileyvery-happy" src="https://connect.hyland.com/i/smilies/16x16_smiley-very-happy.png" alt="Smiley Very Happy" title="Smiley Very Happy" />7:4F:1B:8C:C2:32</SPAN><BR /><SPAN>MyCert1, Oct 29, 2013, trustedCertEntry,</SPAN><BR /><SPAN>Certificate fingerprint (SHA1): ….</SPAN><BR /><SPAN>ssl.alfresco.ca, Aug 10, 2012, trustedCertEntry,</SPAN><BR /><SPAN>Certificate fingerprint (SHA1): F4:28:0B:38:FC:28:C6:53:18:CF:53:28:2A:F5:2F:40:78:15:0B:FF</SPAN><BR /><SPAN>MyCert2, Oct 29, 2013, trustedCertEntry,</SPAN><BR /><SPAN>Certificate fingerprint (SHA1): …</SPAN><BR /><BR /><SPAN>Now, if I hit port 8443 to see what comes :</SPAN><BR /><BR /><SPAN>$ openssl s_client -connect localhost:8443</SPAN><BR /><SPAN>CONNECTED(00000003)</SPAN><BR /><SPAN>depth=1 C = GB, ST = UK, L = Maidenhead, O = Alfresco Software Ltd., CN = Alfresco CA</SPAN><BR /><SPAN>verify error:num=19:self signed certificate in certificate chain</SPAN><BR /><SPAN>verify return:0</SPAN><BR /><SPAN>—</SPAN><BR /><SPAN>Certificate chain</SPAN><BR /><SPAN> 0 s:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco Repository</SPAN><BR /><SPAN>&nbsp;&nbsp; i:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./CN=Alfresco CA</SPAN><BR /><SPAN> 1 s:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./CN=Alfresco CA</SPAN><BR /><SPAN>&nbsp;&nbsp; i:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./CN=Alfresco CA</SPAN><BR /><BR /><SPAN>I get only the two original certificates.&nbsp; How can I get Alfresco's Tomcat to present my new certs too ?&nbsp; I'm pretty sure if I can get the chain with the trusted Issuer certificate I will clear all those vulnerabilities.&nbsp; What do I need to do ?</SPAN><BR /><BR /><SPAN>TIA,</SPAN><BR /><BR /><SPAN>YvesM</SPAN></BODY></HTML> Wed, 30 Oct 2013 20:39:48 GMT ymoisan 2013-10-30T20:39:48Z https://connect.hyland.com/t5/alfresco-archive/how-to-enable-an-additional-certificate/m-p/302465#M255595 Hi,We are running a vulnerability testing appliance and we have the following vulnerabilities associated with port 8443/tcp over SSL (Alfresco Tomcat) <IMG id="smileyfrustrated" class="emoticon emoticon-smileyfrustrated" src="https://migration33.stage.lithium.com/i/smilies/16x16_smiley-frustrated.png" alt="Smiley Frustrated" title="Smiley Frustrated" />SL Certificate - Self-Signed CertificateSSL Certificate - Subject Common Name Does Not Match Server FQDNSSL Certificate - Signature Verification Fa Wed, 30 Oct 2013 20:39:48 GMT https://connect.hyland.com/t5/alfresco-archive/how-to-enable-an-additional-certificate/m-p/302465#M255595 ymoisan 2013-10-30T20:39:48Z https://connect.hyland.com/t5/alfresco-archive/how-to-enable-an-additional-certificate/m-p/302466#M255596 <HTML><HEAD></HEAD><BODY><SPAN>Ok now I understand the issue is between solr and Alfresco.&nbsp; I don't see instructions on how to create certificates other than self-signed (and with a longer keysize than the default of 1024 used with keytool -genkeypair) and I didn't find a way to have my non self-signed cert to show up in a ssl request, so I'll ask a different question.&nbsp; Since only ports 80 and 443 are open and everything else from the outsie is stopped by a firewall, can I safely dismiss the vulnerabilities found by saying it's internal communications within the Alfresco software stack that is not open to the web ?&nbsp; Our vulnerability testing appliance is in our internal network and that's why it finds port 8443.&nbsp; Am I missing something ?</SPAN><BR /><BR /><SPAN>TIA</SPAN></BODY></HTML> Thu, 31 Oct 2013 14:50:44 GMT https://connect.hyland.com/t5/alfresco-archive/how-to-enable-an-additional-certificate/m-p/302466#M255596 ymoisan 2013-10-31T14:50:44Z https://connect.hyland.com/t5/alfresco-archive/how-to-enable-an-additional-certificate/m-p/302467#M255597 <HTML><HEAD></HEAD><BODY><SPAN>Added address="127.0.0.1" in the &lt;Connector port="8443" …&gt; object and the vulnerability applicance can't hit the port anymore.</SPAN></BODY></HTML> Mon, 04 Nov 2013 16:44:19 GMT https://connect.hyland.com/t5/alfresco-archive/how-to-enable-an-additional-certificate/m-p/302467#M255597 ymoisan 2013-11-04T16:44:19Z