How to enable an additional certificate?

ymoisan
Champ in-the-making
Hi,

We are running a vulnerability testing appliance and we have the following vulnerabilities associated with port 8443/tcp over SSL (Alfresco Tomcat):

SSL Certificate - Self-Signed Certificate
SSL Certificate - Subject Common Name Does Not Match Server FQDN
SSL Certificate - Signature Verification Failed Vulnerability

I know what this means so I set out to generate a certificate from a trusted issuer.

The original keystore had:

keytool.exe -list -keystore …\alf_data\keystore\ssl.keystore -storetype JCEKS -storepass TheGoodPW

Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

ssl.repo, Aug 10, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): C7:50:C4:95:03:90:F7:5E:45:58:58:89:08:5F:D7:4F:1B:8C:C2:32
ssl.alfresco.ca, Aug 10, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): F4:28:0B:38:FC:28:C6:53:18:CF:53:28:2A:F5:2F:40:78:15:0B:FF

I generated a certificate whose Issuer is trusted by our vulnerability testing appliance:

$ openssl x509 -inform DER -in …/alf_data/keystore/cert-MyCert.cer -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            …
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=MyFQDN-NoProblem

Importing it into the keystore:

keytool -v -importcert -alias MyAlias -file …\Alfresco\alf_data\keystore\MyCert.cer -storepass GoodPW -keystore D…\Alfresco\alf_data\keystore\ssl.keystore -storetype JCEKS

And listing its content:

keytool.exe -list -keystore …\alf_data\keystore\ssl.keystore -storetype JCEKS -storepass TheGoodPW

Your keystore contains 4 entries

ssl.repo, Aug 10, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): C7:50:C4:95:03:90:F7:5E:45:58:58:89:08:5F:D7:4F:1B:8C:C2:32
MyCert1, Oct 29, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): ….
ssl.alfresco.ca, Aug 10, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): F4:28:0B:38:FC:28:C6:53:18:CF:53:28:2A:F5:2F:40:78:15:0B:FF
MyCert2, Oct 29, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): …

Now, if I hit port 8443 to see what comes:

$ openssl s_client -connect localhost:8443
CONNECTED(00000003)
depth=1 C = GB, ST = UK, L = Maidenhead, O = Alfresco Software Ltd., CN = Alfresco CA
verify error:num=19:self signed certificate in certificate chain
verify return:0

Certificate chain
0 s:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco Repository
   i:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./CN=Alfresco CA
1 s:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./CN=Alfresco CA
   i:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./CN=Alfresco CA

I get only the two original certificates. How can I get Alfresco's Tomcat to present my new certs too? I'm pretty sure that if I can get the chain with the trusted Issuer certificate I will clear all those vulnerabilities. What do I need to do?

TIA,

YvesM
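The three findings in the post map to three concrete checks on a certificate. The script below is an added example, not code from the thread or from Alfresco: it builds constructed certificates with openssl (a self-signed one shaped like the stock ssl.repo entry, plus a constructed internal CA and a leaf it issues for an assumed FQDN, repo.example.internal) and runs each check against them. The names Example Corp, Example Internal CA and the hostname are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the three scanner findings offline with
# openssl. Assumes openssl is on PATH; every certificate here is constructed on the fly.
set -eu

WORK="$(mktemp -d)"
SELF="$WORK/selfsigned.pem"     # what the scanner complains about
CA="$WORK/ca.pem"               # a constructed internal CA
LEAF="$WORK/leaf.pem"           # a CA-issued cert whose CN is the host's FQDN
HOST="repo.example.internal"    # constructed FQDN, not a real host

# 1. A self-signed server cert whose CN is not the FQDN (mirrors the original ssl.repo entry).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/self.key" -out "$SELF" \
  -days 1 -subj "/O=Example Corp/CN=Alfresco Repository" 2>/dev/null

# 2. A self-signed CA and a leaf it signs for $HOST (the shape the appliance would accept).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$CA" \
  -days 1 -subj "/O=Example Corp/CN=Example Internal CA" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
  -subj "/O=Example Corp/CN=$HOST" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$CA" -CAkey "$WORK/ca.key" -set_serial 1001 \
  -days 1 -out "$LEAF" 2>/dev/null

# "Self-Signed Certificate": the issuer and subject name hashes are identical.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ] && echo yes || echo no
}

# "Subject Common Name Does Not Match Server FQDN": compare the CN with the expected host.
subject_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/ *$//'
}
cn_matches() {
  [ "$(subject_cn "$1")" = "$2" ] && echo yes || echo no
}

# "Signature Verification Failed": does the cert chain to a CA the scanner trusts?
chain_verifies() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Stand-alone run: report on both certificates.
for f in "$SELF" "$LEAF"; do
  echo "$f: self_signed=$(is_self_signed "$f") cn_ok=$(cn_matches "$f" "$HOST") chain_ok=$(chain_verifies "$f" "$CA")"
done
```

Two things this makes visible. First, the checks run on whatever the server actually sends (`openssl s_client -showcerts` shows that), and Tomcat only ever sends the chain attached to the PrivateKeyEntry (ssl.repo here); a certificate imported under a new alias becomes a trustedCertEntry and is never presented, which is why the listing above gained entries while the s_client output did not change. Replacing what is presented means generating a CSR from the existing key (`keytool -certreq -alias ssl.repo ...`), having the trusted issuer sign it, importing the issuer certificate as a trusted entry, and then importing the signed reply under the same alias as the private key. Second, the CN check above is what this scanner reports; current TLS clients match the hostname against the subjectAltName extension instead, so a replacement certificate should carry the FQDN there too.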

ymoisan
Champ in-the-making
Ok, now I understand the issue is between Solr and Alfresco. I don't see instructions on how to create certificates other than self-signed ones (and with a longer keysize than the default of 1024 used with keytool -genkeypair), and I didn't find a way to have my non-self-signed cert show up in an SSL request, so I'll ask a different question. Since only ports 80 and 443 are open and everything else from the outside is stopped by a firewall, can I safely dismiss the vulnerabilities found by saying it's internal communication within the Alfresco software stack that is not open to the web? Our vulnerability testing appliance is in our internal network, and that's why it finds port 8443. Am I missing something?

TIA

ymoisan
Champ in-the-making
Added address="127.0.0.1" in the <Connector port="8443" …> object and the vulnerability appliance can't hit the port anymore.
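The last reply's fix is a one-attribute change in Tomcat's server.xml. The script below is an added example, not from the thread or from Alfresco: it writes a constructed before/after pair of Connector definitions (attribute names are standard Tomcat ones; the keystore path is an assumption modelled on the thread) and provides a check that reports the address a given port's Connector binds to, so the change can be verified from the configuration rather than by waiting for the next scan. Tomcat listens on all interfaces when no address attribute is set, which the check reports as 0.0.0.0.

```shell
#!/bin/sh
# Added example, not from the thread: the server.xml change the last reply describes, as a
# constructed before/after pair, plus a check that reports the bind address of a Connector.
set -eu

WORK="$(mktemp -d)"

# Constructed "before": an SSL Connector with no address attribute (listens on every interface).
cat > "$WORK/server-before.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"
               keystoreFile="${catalina.base}/../alf_data/keystore/ssl.keystore"
               keystoreType="JCEKS" />
  </Service>
</Server>
EOF

# Constructed "after": the same Connector bound to loopback only, as in the reply.
cat > "$WORK/server-after.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" address="127.0.0.1" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"
               keystoreFile="${catalina.base}/../alf_data/keystore/ssl.keystore"
               keystoreType="JCEKS" />
  </Service>
</Server>
EOF

# Print the bind address of the Connector for port $2 in file $1. A Connector element may
# span several lines, so lines are joined from "<Connector" up to the first ">" before
# looking at attributes. Prints 0.0.0.0 when no address is set (Tomcat's default).
connector_bind_address() {
  awk -v port="$2" '
    /<Connector/ { rec = ""; inconn = 1 }
    inconn { rec = rec " " $0 }
    inconn && />/ {
      inconn = 0
      if (rec ~ ("[ \t]port=\"" port "\"")) {
        if (match(rec, /address="[^"]*"/)) {
          print substr(rec, RSTART + 9, RLENGTH - 10)
        } else {
          print "0.0.0.0"
        }
        exit
      }
    }' "$1"
}

# Stand-alone run: compare the two configurations.
echo "before: 8443 bound to $(connector_bind_address "$WORK/server-before.xml" 8443)"
echo "after:  8443 bound to $(connector_bind_address "$WORK/server-after.xml" 8443)"
```

Binding to 127.0.0.1 removes the port from the network, so the scanner finding goes away, and it is the right setting whenever the only client of 8443 is Solr running on the same host. If Solr runs on another machine the connector has to stay reachable, and the self-signed chain on 8443 is then something to document as an internal, mutually authenticated link (clientAuth="want") rather than something the appliance can be stopped from seeing.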