StrongKey / fido2

Open-source FIDO server, featuring the FIDO2 standard. https://demo4.strongkey.com/getstarted/#/openapi/fido

DNS SSL/TLS certificate import #103

Closed F9Alejandro closed 1 year ago

F9Alejandro commented 3 years ago

How would one go about importing an SSL/TLS certificate to allow a secure connection between the DNS provider and the server/VM?

I attempted using some of the methods provided by the Payara documentation; however, now I can't access it at vs connecting via external IP.

I am using an SRV record to allow the use of a subdomain, e.g. fido.example.com forwards to 192.168.56.1:8181.

Would the certificate have to specify fido.example.com for this to work? What is the proper way to import SSL certificates that are in PEM/PKCS7/DER format with a normal private key?

Thank you for all the work that has been put into this!

arshadnoor commented 3 years ago

Hi Alexander,

I'm not sure I understand the question completely, but let's see if we can get you on track by addressing different parts of your e-mail.

First, importing a TLS certificate for the Payara Server. Since you mentioned the TLS certificate has a private key, I'm assuming this is for the Payara server to present to applications when they're consuming FIDO2 webservices?

If so, the method of import depends on how you have the private key - the process differs depending on whether you have the private key as a PKCS#8, PKCS#12, JKS or JCEKS keystore. It doesn't matter if the TLS certificate file itself is PEM or DER encoded - you eventually have to import it using the keytool command into the keystore.jks file in the /usr/local/strongkey/payara41/glassfish/domains/domain1/config directory.

Can you specify how you generated the private key for the TLS certificate you're getting from the external source (Cloudflare)?

Secondly, I just want to clarify that you're planning to use this only within your internal network, since the 192.168.x.x IP address will be inaccessible to anyone outside your "example.com" domain and network. Is that your intent?

Once you've provided the answers, we can provide further guidance. In the meantime, you may want to read up on the manpage for keytool (it is part of OpenJDK).

We are encouraged by your use of the FIDO2 server; thank you for that.

On 4/18/21 11:21 AM, Alexander Featherson wrote:


F9Alejandro commented 3 years ago

So the TLS cert was made using openssl in PKCS12 mode, following what was provided on this site: https://docs.payara.fish/enterprise/docs/5.27.0/documentation/payara-server/server-configuration/ssl-certificates.html

Then I imported the srckeystore into the destkeystore with the alias of skfs and ran the part of the installer that generates a key and imports it into the Glassfish and Java keystores, except taking out the keygen portion.

The IP is the external IP of the cloud service; I only used 192.168.x.x as an example.

I have actually used keytool already for the creation of the PKCS12 bundle and for certs in the past, just not with Glassfish/Payara, since those are new tools for me.

The Cloudflare TLS/SSL is for a secure connection (Full encryption) between browser, Cloudflare and the end server (FIDO2 server); I would like to note that the TLS is for the origin server communication to/from Cloudflare.

Also, is the choice of port 8181 for not having to use root with glassfishd?

max-smyth commented 3 years ago

If all you're doing is getting a digital certificate for the SKFS, issued by Cloudflare, my suggestion is to let the SKFS script generate your self-signed certificate based on the FQDN you gave your FIDO server during installation.

Once the script is done, go over to the /usr/local/strongkey/payara41/glassfish/domains/domain1/config directory and use the following command to generate a new certificate request (PKCS#10):

keytool -certreq -keystore keystore.jks -storepass changeit -alias s1as

This will print out a PEM-encoded certificate request which you can use to get a TLS certificate from your service provider. Once you get the PEM/DER-encoded certificate chain, you can import it using:

keytool -importcert -alias s1as -keystore keystore.jks -storepass changeit -file

When this works successfully, you can view the contents of your new certificate with:

keytool -list -keystore keystore.jks -storepass changeit -alias s1as -v

to see if the certificate you're expecting matches up with what you received from the service provider. It should have the chain in there too.

Simply restart Payara at this point for the new certificate to go into effect with the private-key that was generated for SKFS during the execution of the install script.

Note that you do NOT need to put the port number in your FQDN for the certificate request or digital certificate - you only need it when your browser/application is trying to connect to the SKFS.

Hope that helps.

On 4/19/21 3:22 AM, Alexander Featherson wrote:

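Two points in this thread deserve a concrete check: arshadnoor's note that the import path depends on the form the private key is in (a PKCS#12 bundle is what keytool -importkeystore consumes), and max-smyth's note that the certificate names the bare FQDN with no port. The script below is an added example, not StrongKey's or Payara's own code. It builds a throwaway key and self-signed certificate whose subjectAltName carries the server FQDN (modern browsers match the hostname against the SAN, not the CN), checks whether a host[:port] string is covered by that SAN, and packs key plus certificate as PKCS#12 under the s1as alias the thread uses. fido.example.com, the changeit password, and the scratch directory are placeholders; only openssl is required.

```shell
#!/bin/sh
# Added example, not StrongKey/Payara code. Builds a test key + certificate
# whose subjectAltName carries the FIDO server FQDN, checks the SAN against a
# host[:port] string, and packs key + cert into PKCS#12 for keytool.
# Assumptions: openssl on PATH; FQDN, password and paths are placeholders.
set -eu

FQDN="fido.example.com"                      # placeholder, not a real host
WORK="${TMPDIR:-/tmp}/skfs-tls-example"      # scratch directory
STOREPASS="changeit"                         # same password the thread's keytool examples use

# Generate a private key and a self-signed cert with a DNS SAN. The SAN goes
# through a config file so this works on any OpenSSL version (no -addext).
make_test_cert() {
    mkdir -p "$WORK"
    cat > "$WORK/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_san
[dn]
CN = $FQDN
[v3_san]
subjectAltName = DNS:$FQDN
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORK/san.cnf" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Print the DNS names from the certificate's SAN extension, one per line.
cert_san_dns() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Return 0 if the cert's SAN covers the host. A trailing :port is stripped
# first, because the port never belongs in the certificate name.
cert_matches_host() {
    host="${2%%:*}"
    cert_san_dns "$1" | grep -qxF "$host"
}

# Bundle key + cert as PKCS#12 under the Payara alias. keytool can then pull
# it into keystore.jks with -importkeystore -srcstoretype PKCS12 (not shown).
make_pkcs12() {
    openssl pkcs12 -export -name s1as \
        -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -out "$WORK/skfs.p12" -passout "pass:$STOREPASS"
    # Read the bundle back to prove it is well-formed and print the subject.
    openssl pkcs12 -in "$WORK/skfs.p12" -passin "pass:$STOREPASS" \
        -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject
}

# Run the whole flow when executed directly.
make_test_cert
if cert_matches_host "$WORK/cert.pem" "${FQDN}:8181"; then
    echo "SAN covers ${FQDN} (port ignored)"
fi
make_pkcs12
```

The same cert_matches_host check is what to run against the chain the service provider returns before importing it: if the FQDN the browser will dial is not in the SAN, no keystore work will make the TLS handshake succeed.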

F9Alejandro commented 3 years ago

Thank you! I forgot about being able to have the cert signed. Still a bit of an SSL/TLS newb.

F9Alejandro commented 3 years ago

So it is loading the cert. Now it is down to getting Cloudflare to properly send a request to the server. An SRV record was made for it; it seems it doesn't want to use it, though.

arshadnoor commented 3 years ago

Not sure I understand the process Cloudflare is using, Alexander. Would you please send a link to the process they are using for what you're trying to do? Thanks.

On 4/20/21 8:21 AM, Alexander Featherson wrote:


F9Alejandro commented 3 years ago

So I am trying to reach the Fido server via SRV record https://www.cloudflare.com/learning/dns/dns-records/dns-srv-record/

The issue I am having is that it will not work between Cloudflare and the FIDO server. Would it be wise to use the DNS handler provided by my domain provider?

max-smyth commented 3 years ago

Alexander,

There's no reason to use an SRV record for this - a simple A record for just the FQDN is sufficient for FIDO to work (unless you're planning to redirect the user from a different port to the destination port).

If you're still testing this, you can just set the FQDN in /etc/hosts or your internal DNS server with an A record, and have your test applications access FIDO server on the default Payara port (8181).

If you're putting this into production and you want it on port 443, then there are a number of different ways to address that (in the order of increasing complexity):

On 4/20/21 1:51 PM, Alexander Featherson wrote:


F9Alejandro commented 3 years ago

Possibly will go the firewall route; it seems to be a bit easier to do and less hassle.

F9Alejandro commented 3 years ago

Or I will just make a web client in Python or Node.js as a frontend for it, then just have it work as normal if the user is registered and authed.