Posted to solr-user@lucene.apache.org by Kelly Rusk <Ke...@rackspace.com> on 2018/08/13 15:55:11 UTC

Add Wildcard Certificate to Java Keystore

Hi all,

I have imported a Wildcard Certificate to my Java Keystore and it displays, but when I pull up Internet Explorer and browse to my Solr site, it fails to load and presents TLS errors.

Has anyone run into this? What commands do you run to import a Public CA into Solr?

Regards,

Kelly

RE: Add Wildcard Certificate to Java Keystore

Posted by Kelly Rusk <Ke...@rackspace.com>.
Hi Chris,

Thanks for the assistance. It is from a real CA. I was sent the .p12 Wildcard certificate and I need to use that to HTTPS my Solr address.

Kelly 


-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net> 
Sent: Monday, August 13, 2018 12:59 PM
To: solr-user@lucene.apache.org
Subject: Re: Add Wildcard Certificate to Java Keystore

Re: Add Wildcard Certificate to Java Keystore

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Kelly,

On 8/13/18 12:37 PM, Kelly Rusk wrote:
> All I have is the .p12 and password so it has already gone through 
> the CSR process. How do I import this file into the keystore?
Java's keytool won't merge keystores. You'll have to export the
certificates from the PKCS12 file you got from your CA and import each
of them separately into your own keystore.

> On the Windows side, does it need to reside in the Personal Store or
> Trusted Root Store?
Umm... is this for a server certificate? If so, you definitely don't
want to import any of those certificates into any system-wide or
user-wide certificate trust stores.

Is this certificate signed by a real CA, or are you building your own,
internal, private CA who is signing these certificates?

-chris

RE: Add Wildcard Certificate to Java Keystore

Posted by Kelly Rusk <Ke...@rackspace.com>.
I have solved the issue. We found out that the certificate we were provided had a special character in it. The keystore did not like the special character. Once I imported the .p12 to the Windows Server, I exported a pfx from it with a password that had no special characters.

After importing to the keystore via this command, all worked:

keytool -importkeystore -srckeystore C:\rs-pkgs\my.pfx -srcstoretype pkcs12 -destkeystore S:\Solr\solr-6.6.2\server\etc\solr-ssl.keystore.jks -deststoretype JKS

Kelly



-----Original Message-----
From: Kelly Rusk <Ke...@rackspace.com> 
Sent: Monday, August 13, 2018 12:38 PM
To: solr-user@lucene.apache.org
Subject: RE: Add Wildcard Certificate to Java Keystore

RE: Add Wildcard Certificate to Java Keystore

Posted by Kelly Rusk <Ke...@rackspace.com>.
Hi Chris,

All I have is the .p12 and password so it has already gone through the CSR process. How do I import this file into the keystore? On the Windows side, does it need to reside in the Personal Store or Trusted Root Store?

Kelly


-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net> 
Sent: Monday, August 13, 2018 12:00 PM
To: solr-user@lucene.apache.org
Subject: Re: Add Wildcard Certificate to Java Keystore

Re: Add Wildcard Certificate to Java Keystore

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Kelly,

On 8/13/18 11:55 AM, Kelly Rusk wrote:
> I have imported a Wildcard Certificate to my Java Keystore and it
> displays, but when I pull up Internet Explorer and browse to my Solr
> site, it fails to load and presents TLS errors.

What do you mean "it displays"?

How did you import your signed certificate into your keystore? What was
in the keystore before you performed the import?

> Has anyone run into this, what commands do you run to import a Public
> CA into Solr?

Generally, you want to generate a key+cert/CSR and send the CSR to a CA.
The CA signs it and returns it, typically with one or more intermediate
certificates to build a chain of trust between the CA's root cert
(present in browser trust stores) and your server's certificate (which
was signed by a subordinate certificate, not directly by the CA's root
cert).

Import them into your keystore in this order:

1. Highest (closest to the root) CA cert
2. [any other intermediate certs from the CA, in order]
3. Your server's cert

Most server software needs a bounce to reload the keystore.

-chris
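As an added example (not code from this thread, from Solr, or from the JDK's keytool), the Java program below does with the KeyStore API what Kelly's keytool -importkeystore command does, and adds the two checks a practitioner wants before bouncing Solr: that the chain behind the key entry is complete and ordered leaf to root, which is the chain of trust Chris's reply describes, and that the wildcard name really covers the hostname you type into the browser. The class name P12ToJks, the argument order, the example hostname and the wildcard-matching helper are my own; the program keeps whatever certificates the CA packed into the .p12 and does not add a root of its own.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

// Added example, not Solr or JDK code: copy the private key and its chain from a CA-supplied
// PKCS#12 into a JKS keystore for Solr, after checking the chain links up and the name matches.
public class P12ToJks {

    public static void main(String[] args) throws Exception {
        if (args.length != 5) throw new IllegalArgumentException("usage: java P12ToJks <in.p12> <p12-password> <out.jks> <jks-password> <hostname>");
        char[] srcPass = args[1].toCharArray();
        char[] dstPass = args[3].toCharArray();
        KeyStore src = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            src.load(in, srcPass);
        }
        KeyStore dst = KeyStore.getInstance("JKS");
        dst.load(null, null); // start from an empty keystore
        int imported = 0;
        for (String alias : Collections.list(src.aliases())) {
            // Loose CA certs in the .p12 matter only as links in the key entry's chain.
            if (!src.isKeyEntry(alias)) continue;
            PrivateKey key = (PrivateKey) src.getKey(alias, srcPass);
            List<X509Certificate> chain = leafFirst(src.getCertificateChain(alias));
            checkChain(chain);
            checkHostname(chain.get(0), args[4]);
            // A JKS key entry stores the whole chain leaf-first; that chain is what Solr sends.
            dst.setKeyEntry(alias, key, dstPass, chain.toArray(new Certificate[0]));
            imported++;
            System.out.println("imported '" + alias + "' with " + chain.size() + " certificate(s)");
        }
        if (imported == 0) throw new IllegalStateException("no private-key entry in " + args[0]);
        try (FileOutputStream out = new FileOutputStream(args[2])) {
            dst.store(out, dstPass);
        }
    }

    // Order leaf -> intermediates -> root by following issuer == subject links.
    static List<X509Certificate> leafFirst(Certificate[] certs) {
        List<X509Certificate> pool = new ArrayList<>();
        for (Certificate c : certs) pool.add((X509Certificate) c);
        X509Certificate leaf = null; // the one certificate that issued none of the others
        for (X509Certificate cand : pool) {
            boolean issuedOne = false;
            for (X509Certificate o : pool) if (o != cand && o.getIssuerX500Principal().equals(cand.getSubjectX500Principal())) issuedOne = true;
            if (!issuedOne) leaf = cand;
        }
        if (leaf == null) throw new IllegalStateException("no leaf certificate in the chain");
        List<X509Certificate> ordered = new ArrayList<>();
        for (X509Certificate cur = leaf; cur != null && !ordered.contains(cur); ) {
            ordered.add(cur);
            X509Certificate next = null;
            for (X509Certificate o : pool) if (o != cur && o.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) next = o;
            cur = next;
        }
        return ordered;
    }

    // Every certificate must be valid now and signed by the key of the one above it.
    static void checkChain(List<X509Certificate> chain) throws Exception {
        for (int i = 0; i < chain.size(); i++) {
            chain.get(i).checkValidity(); // throws if expired or not yet valid
            if (i + 1 < chain.size()) chain.get(i).verify(chain.get(i + 1).getPublicKey()); // throws on a broken link
        }
        X509Certificate top = chain.get(chain.size() - 1);
        // Browsers hold the root themselves, but every intermediate above the leaf has to be here.
        if (!top.getIssuerX500Principal().equals(top.getSubjectX500Principal())) {
            System.out.println("note: chain stops at '" + top.getSubjectX500Principal() + "', not at a self-signed root");
        }
    }

    // Browser wildcard rules: '*' must be the whole left-most label and matches exactly one
    // label, so *.example.com covers solr.example.com but not example.com or a.b.example.com.
    static void checkHostname(X509Certificate leaf, String host) throws Exception {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans == null) throw new IllegalStateException("leaf has no subjectAltName; browsers ignore the CN");
        String h = host.toLowerCase();
        for (List<?> san : sans) {
            if (!Integer.valueOf(2).equals(san.get(0))) continue; // 2 == dNSName
            String name = ((String) san.get(1)).toLowerCase();
            boolean wildcardHit = name.startsWith("*.") && h.endsWith(name.substring(1))
                    && h.indexOf('.') == h.length() - name.length() + 1;
            if (name.equals(h) || wildcardHit) return;
        }
        throw new IllegalStateException("no dNSName in the certificate matches " + host);
    }
}
```

Compile with javac P12ToJks.java and run it as java P12ToJks my.pfx <p12-password> S:\Solr\solr-6.6.2\server\etc\solr-ssl.keystore.jks <keystore-password> solr.example.com (hostname assumed), then point SOLR_SSL_KEY_STORE and SOLR_SSL_KEY_STORE_PASSWORD in solr.in.cmd at the result and restart Solr, the "bounce" Chris mentions. If the .p12 holds only the leaf, the "chain stops at" note fires: keytool -list will still show the certificate, but the browser cannot build a path to a root it trusts until the CA's intermediate(s) are in the chain. Passwords containing characters that cmd.exe interprets, such as ^, & and %, need quoting when passed as arguments here; keytool prompts for any password you leave off its command line, which avoids that problem without re-exporting the .pfx.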