
I want to establish SSL connectivity between 2 servers, and I understood that I need to install the SSL certificate of server A into server B's Java keystore and vice versa, so that server A can call the HTTPS URL of server B and vice versa.

But below are questions for which I couldn't find answers:

  • If server A wants to call the HTTPS URL of server B, then is it necessary to install the SSL certificate of server B, or, if the CA certificate that signed server B's certificate is present in my Java keystore, is there no need to install server B's certificate? I think in the end the signing CA's certificate is checked; if it is present in my keystore then all is well.
  • I have an infrastructure configuration like this: LB -> Apache -> WL. Now, suppose SSL termination is happening at Apache, and Apache is then reverse proxying to WebLogic, i.e. it is calling the HTTPS URL of WL. I know that I can specify Apache's SSL certificate using the SSLCertificateFile directive, but how would the SSL certificate of WL be validated at Apache's end, since Apache doesn't have any keystore like the Java keystore?
hagrawal7777

1 Answer


If server A calls server B, then server B's certificate should be either

  • in A's keystore
  • signed by a CA certificate that is in A's keystore
  • signed by an intermediate certificate that is signed by a CA certificate that is in A's keystore. If you do this then server B must also provide the intermediate certificate during negotiation.
  • as above with more and more intermediate certificates.

I assume we are talking about communication between your own machines, and not client browsers you don't control.

If you have hundreds of machines you may find some advantages to using an intermediate certificate; if not, just distribute your own CA certificate to your keystores. This lets you change certificates without having to modify the keystores on all the clients.

As for your second question, if you really want to use SSL between your reverse proxy and your WL back-end, look at Apache's ProxyPassReverse with https for the general syntax, and at https://httpd.apache.org/docs/current/mod/mod_ssl.html#SSLProxyCACertificateFile for specifying the CAs that the proxy will consider from its upstream.

Law29
  • Thanks for your inputs. For bullet 1 - If server B's certificate is in A's keystore, then it means its own certificate and all signing CA certificates will be present in A's keystore, right? For bullet 3 - so let's say server B's certificate is signed by CA XYZ, and CA XYZ's certificate is signed by CA PQR, and CA PQR's certificate is signed by CA DigiCert. So, if DigiCert's certificate is present in server A's keystore, then will the certificate authentication step be successful? If you are saying yes to this, then could you please provide me some online reference which says so? – hagrawal7777 Mar 07 '16 at 22:24
  • For your inputs on my 2nd question - that link doesn't provide an answer; I want to know how Apache will verify the SSL certificate returned by WebLogic .. – hagrawal7777 Mar 07 '16 at 22:26
  • Buddy, I got another doubt - refer to the scenario I mentioned in "*For bullet 3*" of my first comment. Suppose PQR's certificate is present in my keystore but DigiCert's certificate is NOT present; then will SSL negotiation be successful or not? If you are saying yes, then does it mean that once a signed certificate is found in server A's keystore it will not check further up the certificate hierarchy? Then does it also mean that if server B's certificate itself is present there will be no check for server B's signing CA certificate? Please provide me some online reference for the same. – hagrawal7777 Mar 07 '16 at 22:53
  • Normally only the root self-signed certificate is present in the client's keystore. The server provides all certificates that are not in the client's keystore: its own and any intermediates (called the "chain"). The client verifies the chain searching for a root that is in its keystore. I have good reason to believe that if a certificate in the keystore permits a shortcut then that shortcut will be used, but I haven't actually checked that against the online reference which would be RFC 5280 section 6. – Law29 Mar 08 '16 at 06:20
  • Thanks. By shortcut you mean finding server B's own certificate or any intermediate CA certificate in the keystore ?? Did you get something for my Apache question ?? The link you provided earlier doesn't answer it .. – hagrawal7777 Mar 08 '16 at 10:26
  • For the shortcut, yes. For Apache, I believe you are looking for https://httpd.apache.org/docs/current/mod/mod_ssl.html#SSLProxyCACertificateFile (SSLProxyCACertificateFile), and I also believe that if you do not set it Apache will use the system CA collection (I installed my CA in the system CA collection and that worked, didn't try SSLProxyCACertificateFile). – Law29 Mar 08 '16 at 22:04
  • Oh yes, that was the directive I was looking for. Could you please add this to your answer. I am accepting your answer anyway. Thanks for your time and inputs. – hagrawal7777 Mar 08 '16 at 22:25
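The four chain rules in the answer, plus the "shortcut" case raised in the comments, worked through in Go's crypto/x509 as an added example. This is not code from the question, the answer, or from Java or Apache; it is an offline simulation of the check server A's TLS client performs. It builds a made-up root -> intermediate -> server B leaf PKI in memory (the names Example Root CA, Example Intermediate CA and server-b.internal are invented), then runs verification with a trusted list standing in for A's keystore and a presented list standing in for the extra certificates B sends in the handshake. The behaviour shown is that of Go's verifier, which accepts any certificate in the trust store as a trust anchor, so the "intermediate present, root absent" shortcut succeeds here; the comments leave the Java behaviour unchecked against RFC 5280 section 6 and this example makes no claim about it. The last case shows the hostname check, which is what Apache's SSLProxyCheckPeerName adds on top of SSLProxyCACertificateFile for an upstream.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI holds the constructed three-tier chain: root CA -> intermediate CA -> server B.
type PKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a certificate template; CA templates get the cert-signing
// key usage, leaf templates get a SAN and the serverAuth extended key usage.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // invented names
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues tmpl for pub, signed with signer (the parent's key).
// Passing parent == tmpl yields a self-signed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildPKI creates fresh keys and certificates each run (constructed test data).
func BuildPKI() *PKI {
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := template(1, "Example Root CA", true)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	intermediate := sign(template(2, "Example Intermediate CA", true), root, &intKey.PublicKey, rootKey)
	leaf := sign(template(3, "server-b.internal", false), intermediate, &leafKey.PublicKey, intKey)
	return &PKI{Root: root, Intermediate: intermediate, Leaf: leaf}
}

// VerifyAsClient plays server A: trusted is what sits in A's keystore,
// presented is what server B sends in the handshake besides its own
// certificate, and host is the name A dialled.
func VerifyAsClient(leaf *x509.Certificate, trusted, presented []*x509.Certificate, host string) error {
	roots := x509.NewCertPool() // non-nil, so the system CA store is NOT consulted
	for _, c := range trusted {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// Scenarios maps each trust configuration discussed above to whether the
// certificate check would pass.
func Scenarios(p *PKI) map[string]bool {
	certs := func(c ...*x509.Certificate) []*x509.Certificate { return c }
	cases := map[string]error{
		"leaf in keystore":                       VerifyAsClient(p.Leaf, certs(p.Leaf), certs(), "server-b.internal"),
		"root in keystore, intermediate sent":    VerifyAsClient(p.Leaf, certs(p.Root), certs(p.Intermediate), "server-b.internal"),
		"root in keystore, intermediate missing": VerifyAsClient(p.Leaf, certs(p.Root), certs(), "server-b.internal"),
		"intermediate in keystore, root absent":  VerifyAsClient(p.Leaf, certs(p.Intermediate), certs(), "server-b.internal"),
		"valid chain, wrong hostname":            VerifyAsClient(p.Leaf, certs(p.Root), certs(p.Intermediate), "server-c.internal"),
	}
	out := make(map[string]bool, len(cases))
	for name, err := range cases {
		out[name] = err == nil
	}
	return out
}

func main() {
	for name, ok := range Scenarios(BuildPKI()) {
		fmt.Printf("%-40s passes=%v\n", name, ok)
	}
}
```

The "root in keystore, intermediate missing" failure is the situation bullet 3 of the answer warns about: trusting the root alone is only enough when server B actually sends the intermediate. On a Java client the trusted list corresponds to the truststore selected with -Djavax.net.ssl.trustStore; on Apache it corresponds to the file named by SSLProxyCACertificateFile (or the system CA collection when that directive is unset, as noted in the comments).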