
How to install X509 certificate chain without the private key

I have been given three certificates by my client:

- DigiCert Global Root CA.cer - (Root certificate)
- GeoTrust RSA CA 2018.cer - (Intermediate certificate)
- krapiuat_sharekhan_com.cer - (SSL certificate for my domain)

I am expected to install all the three certificates on my Spring Boot server to enable SSL on the same.

I am using this with the embedded Tomcat server in my Spring Application and am unable to start the SSL enabled service due to errors.

My attempts are as stated below:

Attempt 1

I tried to combine all three .cer files into a single file and add it to the keystore

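```
# Concatenate leaf, intermediate and root certificates into one file
cat krapiuat_sharekhan_com.cer GeoTrust\ RSA\ CA\ 2018.cer DigiCert\ Global\ Root\ CA.cer > combined_cert.cer

# Import the combined file as a trusted certificate (no private key involved)
keytool -importcert -keystore krKeyStore.jks -file combined_cert.cer -alias krRiskRatingUAT -trustcacerts
```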

Note: The final jks file showed just one entry as trustedCertEntry

Then I added the file krKeyStore.jks in the /resource folder of my Spring app and added the following lines in my application.properties file:

```
server.port=8443
server.ssl.key-store-type=JKS
server.ssl.key-store=classpath:krKeyStore.jks
server.ssl.key-store-password=mypassword
server.ssl.key-alias=krRiskRatingUAT
```

The service failed to start with the exception java.io.IOException: jsse.alias_no_key_entry


Attempt 2

I tried to individually add the three certificates to my keystore

```
# Import each certificate under its own alias (all become trusted certificate entries)
keytool -import -trustcacerts -alias root -file DigiCert\ Global\ Root\ CA.cer -keystore krKeyStore20.jks
keytool -import -trustcacerts -alias intermediate -file GeoTrust\ RSA\ CA\ 2018.cer -keystore krKeyStore20.jks
keytool -import -trustcacerts -alias krRiskRatingUAT20 -file krapiuat_sharekhan_com.cer -keystore krKeyStore20.jks
```

Note: The final jks file now showed three entries all as trustedCertEntry

Then I added the file krKeyStore20.jks in the /resource folder of my Spring app and added the following lines in my application.properties file:

```
server.port=8443
server.ssl.key-store-type=JKS
server.ssl.key-store=classpath:krKeyStore20.jks
server.ssl.key-store-password=mypassword
server.ssl.key-alias=krRiskRatingUAT20
```

But the error still persists - java.io.IOException: jsse.alias_no_key_entry

Is it always mandatory to have the key? My client is not ready to give me the private key and wants me to install the certificates without a key. Any help will be duly appreciated.

You simply cannot create an SSL server without having the private key for the server certificate. The private key is needed to prove to the client that you are the owner of the certificate; otherwise anybody who gets access to the certificate (which is every client connecting to the server) could claim to be the owner of the certificate, i.e. everybody could claim to be google.com or similar.
