
I have two websites on different hosts protected by the same SSL certificate, one Apache2, one JBOSS.

My process:

  1. Created a private CA.
  2. Created a new certificate and signed it with the CA.
  3. Converted the certificate to PKCS12 format.
  4. Imported the PKCS12 certificate into a JKS (because that's what JBOSS likes).

I have installed the client certificate and the CA certificate in all browsers. (Installing the CA certificate isn't necessary but gets rid of the Red/Danger icon in the URL.)

Ubuntu 14.04

  • Firefox lets me access both sites using the client cert.
  • Chrome lets me access the Apache2 site but gives an error on the JBOSS site: ERR_BAD_SSL_CLIENT_AUTH_CERT

Windows 7

Chrome, Firefox & IE all let me access the Apache2 site, none of them let me access the JBOSS site.

  • Firefox: ssl_error_bad_cert_alert
  • Chrome: ERR_BAD_SSL_CLIENT_AUTH_CERT
  • IE: This page can't be displayed

The certificate & root certs are both current, just can't be verified.

Anyone have a theory/solution?

Some redacted openssl command line output, in case it helps:

$ openssl s_client -connect jboss_host:8443 -cert client.pem -showcerts -CAfile private_ca.crt
CONNECTED(00000003)
depth=1 C = US, ST = California, L = Mendocino, O = My Company, CN = My Company CA, emailAddress = it@mycompany.com
verify return:1
depth=0 C = US, ST = California, L = Mendocino, O = My Company, OU = Systems, CN = OND, emailAddress = it@mycompany.com
verify return:1
139661545379488:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1262:SSL alert number 46
139661545379488:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
--- 
Certificate chain
 0 s:/C=US/ST=California/L=Mendocino/O=My Company/OU=Systems/CN=OND/emailAddress=it@mycompany.com
   i:/C=US/ST=California/L=Mendocino/O=My Company/CN=My Company CA/emailAddress=it@mycompany.com
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mendocino/O=My Company/OU=Systems/CN=OND/emailAddress=it@mycompany.com
issuer=/C=US/ST=California/L=Mendocino/O=My Company/CN=My Company CA/emailAddress=it@mycompany.com
---
Acceptable client certificate CA names
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR/CN=MESA Certificate Factory/emailAddress=mesa@wuerl.wustl.edu
/C=US/ST=Illinois/L=Champaign/O=ACME Integrated Systems/OU=Research Division/CN=ACME Certificate Factory/emailAddress=certificates@acme.com
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR Production/CN=MESA Certificate Factory/emailAddress=mesa@wuerl.wustl.edu
/C=US/ST=Illinois/L=Champaign/O=ACME Integrated Systems/OU=Research Division/CN=ACME Certificate Factory/emailAddress=certificates@acme.com
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR Production/CN=MESA Certificate Factory/emailAddress=mesa@wuerl.wustl.edu
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR/CN=MESA Certificate Factory/emailAddress=mesa@wuerl.wustl.edu
---
SSL handshake has read 2028 bytes and written 2356 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
    Session-ID-ctx:
    Master-Key: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1429133346
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
nortally
  • Hi, do you have any errors in the apache2 error.log? Is this server publicly accessible, so that we can check it? – Widmo Apr 15 '15 at 20:23
  • Apache ssl_error.log is empty. JBOSS has no detail about connection attempts, will plunge into log4j.xml and see if I can induce verbosity. – nortally Apr 15 '15 at 21:24
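A diagnostic for the failure shown in the transcript above, added here as an example and not part of the original question or comments: the JBoss server sends alert 46 (certificate_unknown) right after the client certificate, and the CA that signed the client cert does not appear in the server's "Acceptable client certificate CA names" list, which is built from the server's truststore. The script parses a constructed excerpt of that transcript; the CLIENT_ISSUER DN is assumed from the question's statement that the same private CA signed the client cert.

```python
import re

# Constructed sample: the relevant lines of the transcript in the question (already redacted).
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=1 C = US, ST = California, L = Mendocino, O = My Company, CN = My Company CA, emailAddress = it@mycompany.com
139661545379488:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1262:SSL alert number 46
---
Acceptable client certificate CA names
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR/CN=MESA Certificate Factory/emailAddress=mesa@wuerl.wustl.edu
/C=US/ST=Illinois/L=Champaign/O=ACME Integrated Systems/OU=Research Division/CN=ACME Certificate Factory/emailAddress=certificates@acme.com
---
"""
# Assumed from the question: the client cert was signed by the same private CA as the server cert.
CLIENT_ISSUER = "/C=US/ST=California/L=Mendocino/O=My Company/CN=My Company CA/emailAddress=it@mycompany.com"

def acceptable_ca_names(output):
    """DNs the server advertised in its CertificateRequest (empty if it sent none)."""
    lines = output.splitlines()
    if "Acceptable client certificate CA names" not in lines:
        return []
    start = lines.index("Acceptable client certificate CA names") + 1
    names = []
    for line in lines[start:]:
        if line.startswith("---"):
            break
        names.append(line.strip())
    return names

def server_alert(output):
    """TLS alert number reported by s_client, or None if no alert was logged."""
    m = re.search(r"SSL alert number (\d+)", output)
    return int(m.group(1)) if m else None

def diagnose(output, client_issuer_dn):
    """Alert 46 plus an issuer absent from the advertised list means the server's
    truststore does not contain the CA that signed the client certificate."""
    accepted = acceptable_ca_names(output)
    alert = server_alert(output)
    issuer_trusted = client_issuer_dn in accepted
    if alert == 46 and not issuer_trusted:
        verdict = "client cert issuer is not in the server's trusted CA list"
    elif alert is not None:
        verdict = "server sent alert %d although the issuer is trusted" % alert
    else:
        verdict = "no server alert; handshake completed"
    return {"alert": alert, "issuer_trusted": issuer_trusted, "accepted_cas": accepted, "verdict": verdict}
```

Run it against a real `openssl s_client` transcript by passing the captured output and the issuer DN printed by `openssl x509 -in client.pem -noout -issuer`.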

0 Answers