Open pzygielo opened 2 years ago
This also occurs on a Payara server install.
There are several certificates which are 1024-bit RSA keys, which keytool warns "are considered a security risk and the key size will be disabled in a future update". It would be sensible to remove those at the same time.
Hi @pzygielo,
Payara Micro does not come with certificates. If there is a mention of expired certificates, they are from the JVM itself. For the Payara server, they are removed when released. But when they expire after release, you can have this message. You should remove expired certificates from the Payara server's truststore by yourself if the message bothers you. Thanks
Hi @shub8968, thanks for checking.
Payara Micro does not come with certificates.
What could that be then?
$ wget https://repo.maven.apache.org/maven2/fish/payara/extras/payara-micro/5.2022.1/payara-micro-5.2022.1.jar
$ unzip -qd micro payara-micro-5.2022.1.jar
$ find micro -name '*.jks'
micro/MICRO-INF/domain/keystore.jks
micro/MICRO-INF/domain/cacerts.jks
If there is a mention of expired certificates, they are from the JVM itself.
No, there is no mykey there. But there is one expired in micro's:
$ keytool -list -alias mykey -keystore micro/MICRO-INF/domain/cacerts.jks -storepass changeit
mykey, 26 Apr 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): 73:1D:3D:9C:FA:A0:61:48:7A:1D:71:44:5A:42:F6:7D:F0:AF:CA:2A:6C:2D:2F:98:FF:7B:3C:E1:12:B1:F5:68
$ keytool -list -alias mykey -v -keystore micro/MICRO-INF/domain/cacerts.jks -storepass changeit | grep Valid
Valid from: Thu Oct 06 17:43:55 CEST 2016 until: Wed Oct 06 17:43:55 CEST 2021
and to check all reported originally
$ for a in cert_2_globalsign_root_ca___r22 \
globalsignrootca-r2 \
cert_91_pscprocert91 \
cert_14_quovadis_root_ca14 \
mykey \
dstrootcax3 \
cert_46_cybertrust_global_root46 \
soneraclass2ca \
globalsignr2ca \
soneraclass2rootca \
cert_18_sonera_class_2_root_ca18 \
soneraclass1ca \
thawteserverca \
quovadisrootca \
cert_30_dst_root_ca_x330 \
verisigntsaca \
cybertrustglobalroot \
thawtepremiumserverca \
thawtepersonalfreemailca
do
keytool -list -alias $a -v -keystore micro/MICRO-INF/domain/cacerts.jks -storepass changeit | grep Valid
done
Valid from: Fri Dec 15 09:00:00 CET 2006 until: Wed Dec 15 09:00:00 CET 2021
Valid from: Tue Dec 28 17:51:00 CET 2010 until: Sat Dec 26 00:59:59 CET 2020
Valid from: Mon Mar 19 19:33:33 CET 2001 until: Wed Mar 17 19:33:33 CET 2021
Valid from: Thu Oct 06 17:43:55 CEST 2016 until: Wed Oct 06 17:43:55 CEST 2021
Valid from: Fri Dec 15 09:00:00 CET 2006 until: Wed Dec 15 09:00:00 CET 2021
Valid from: Fri Apr 06 09:29:40 CEST 2001 until: Tue Apr 06 09:29:40 CEST 2021
Valid from: Fri Dec 15 09:00:00 CET 2006 until: Wed Dec 15 09:00:00 CET 2021
Valid from: Fri Apr 06 09:29:40 CEST 2001 until: Tue Apr 06 09:29:40 CEST 2021
Valid from: Fri Apr 06 12:49:13 CEST 2001 until: Tue Apr 06 12:49:13 CEST 2021
Valid from: Thu Aug 01 02:00:00 CEST 1996 until: Sat Jan 02 00:59:59 CET 2021
Warning:
The certificate uses a 1024-bit RSA key which is considered a security risk and is disabled.
Valid from: Mon Mar 19 19:33:33 CET 2001 until: Wed Mar 17 19:33:33 CET 2021
Valid from: Sat Sep 30 23:12:19 CEST 2000 until: Thu Sep 30 16:01:15 CEST 2021
Valid from: Wed Jan 01 01:00:00 CET 1997 until: Fri Jan 01 00:59:59 CET 2021
Warning:
The certificate uses a 1024-bit RSA key which is considered a security risk and is disabled.
Valid from: Thu Aug 01 02:00:00 CEST 1996 until: Sat Jan 02 00:59:59 CET 2021
Warning:
The certificate uses a 1024-bit RSA key which is considered a security risk and is disabled.
Valid from: Mon Jan 01 01:00:00 CET 1996 until: Sat Jan 02 00:59:59 CET 2021
Warning:
The certificate uses a 1024-bit RSA key which is considered a security risk and is disabled.
For the Payara server, they are removed when released.
Could this also be considered for Payara Micro? I can't remove them without repackaging the jar.
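The loop above only checks aliases already known to be expired. As an added example (not from the thread, and not Payara's own tooling), this script parses a complete `keytool -list -v` listing and reports every trust entry that has expired as of a given date or uses an RSA key shorter than 2048 bits, so a bundled truststore can be audited before release. It assumes the `Valid from: ... until: ...` and `Subject Public Key Algorithm: N-bit RSA key` lines that keytool prints in verbose mode; the sample listing is constructed (mykey's dates are the ones from the thread, the second alias is invented).

```python
import re
from datetime import datetime

VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$", re.M)
KEY_RE = re.compile(r"^Subject Public Key Algorithm: (\d+)-bit RSA key", re.M)
STAMP_RE = re.compile(r"^(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})$")

# Constructed sample of `keytool -list -v` output (non-essential lines omitted):
# mykey reuses the thread's dates, fresh-root is invented.
SAMPLE = """\
Your keystore contains 2 entries

Alias name: mykey
Entry type: trustedCertEntry
Valid from: Thu Oct 06 17:43:55 CEST 2016 until: Wed Oct 06 17:43:55 CEST 2021
Subject Public Key Algorithm: 1024-bit RSA key

Alias name: fresh-root
Entry type: trustedCertEntry
Valid from: Mon Jan 10 00:00:00 CET 2022 until: Fri Jan 10 00:00:00 CET 2031
Subject Public Key Algorithm: 2048-bit RSA key
"""

def parse_stamp(text):
    """Parse keytool's 'Wed Oct 06 17:43:55 CEST 2021'. The zone token is dropped
    because strptime's %Z does not know CET/CEST; day-level precision is all an
    expiry check needs."""
    m = STAMP_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y")

def parse_entries(listing):
    """Yield (alias, not_before, not_after, rsa_bits_or_None) for each entry."""
    for block in re.split(r"^Alias name: ", listing, flags=re.M)[1:]:
        alias = block.split("\n", 1)[0].strip()
        valid = VALID_RE.search(block)
        if not valid:  # e.g. a secret-key entry has no validity line
            continue
        key = KEY_RE.search(block)  # None for non-RSA keys
        yield (alias, parse_stamp(valid.group(1)), parse_stamp(valid.group(2)),
               int(key.group(1)) if key else None)

def audit(listing, now, min_rsa_bits=2048):
    """Map alias -> reasons for every trust entry that should be pruned."""
    findings = {}
    for alias, _, not_after, bits in parse_entries(listing):
        reasons = []
        if not_after < now:
            reasons.append(f"expired {not_after:%Y-%m-%d}")
        if bits is not None and bits < min_rsa_bits:
            reasons.append(f"{bits}-bit RSA key")
        if reasons:
            findings[alias] = reasons
    return findings
```

In practice the listing comes from `keytool -list -v -keystore micro/MICRO-INF/domain/cacerts.jks -storepass changeit`, and `audit(listing, datetime.now())` gives the aliases to pass to `keytool -delete`.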
Hi @pzygielo,
I have created an internal JIRA FISH-6107 in order to fix this anomalous behavior.
Thanks, Shubham
I don't know what the status of FISH-6107 is, whether this was automated or is handled manually, but payara-micro/5.2022.3 seems to be fine wrt this issue.
Feel free to close this one. Thanks.
Description
Please remove expired certificates from distribution
Expected Outcome
Payara Micro run just after release should warn about a minimal number of expired certificates, and not about certs that expired months earlier.
Current Outcome
15 warnings about expired bundled certificates.
Alternatives
Context
5592
4740
3082
5677
Please consider removing the following certificates from the keystores below:
Also, in a few months the following certs will also expire: cert_11_visa_ecommerce_root11, cert_8_geotrust_global_ca8, geotrustglobalca. Perhaps removal of them could also be considered.
I'd open a PR with this, but the modified binary would be harder to review than a script to do it, I guess.