Sunday, November 7, 2010

Making a self-signed certificate trusted - within all domain computers

Have you ever seen a "This Connection is Untrusted" error while visiting a web site in a browser?

The exact message varies with the browser you use, but the root cause is the same: you are trying to reach a web site that presents an untrusted certificate.

This can be due to one of two reasons.

1. The certificate itself is invalid - that is, the CN in the certificate doesn't match the URL [even though it's signed by a trusted CA], or the certificate has expired.

Try visiting http://amazon.com - you will see the "This Connection is Untrusted" error. The reason is that the certificate issued to Amazon is for www.amazon.com, not for amazon.com, so with the above URL the host name doesn't match the CN in the certificate, which makes the browser show the error.

2. The certificate is not signed by a trusted CA.

Here, our certificate is not signed by a trusted CA.
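To make the two reasons concrete, here is a small Python model of the checks a browser runs before it decides a connection is untrusted: name matching of the URL host against the certificate's DNS names (with the wildcard rule), the validity period, and whether the certificate or its issuer sits in the trusted root store. This is an added example, not code from the original post or from WSO2; the Cert class, the root-store lookup by fingerprint, the issuer-name comparison standing in for signature verification, and all certificate data (dates, names, DER placeholders) are constructed for the demo. It also models that browsers prefer subjectAltName entries and fall back to the subject CN only when the certificate has none.

```python
"""Toy model of the checks behind the "This Connection is Untrusted" page.

Constructed example: Cert stands in for a parsed X.509 certificate and the
DER bytes are placeholders, not real encodings.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib


@dataclass
class Cert:
    subject_cn: str
    issuer_cn: str
    not_before: datetime
    not_after: datetime
    der: bytes                                  # placeholder bytes, not real DER
    san_dns: list = field(default_factory=list)  # subjectAltName dNSName entries

    def fingerprint(self) -> str:
        # Trust stores identify a root by the hash of its encoded certificate.
        return hashlib.sha256(self.der).hexdigest()

    def is_self_signed(self) -> bool:
        # Toy rule: issuer equals subject. Real validation also checks the signature.
        return self.issuer_cn == self.subject_cn


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the URL host (RFC 6125 style).

    Case-insensitive. A single leading "*" label matches exactly one label, so
    "*.example.com" matches "esb.example.com" but not "example.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_for_matching(cert: Cert) -> list:
    """Use subjectAltName dNSNames when present, else fall back to the subject CN."""
    return list(cert.san_dns) if cert.san_dns else [cert.subject_cn]


def is_trusted(cert: Cert, trusted_roots: list) -> bool:
    """Reason [2]: the certificate itself, or its issuer, must be a trusted root.

    Importing wso2carbon.cer into Trusted Root Certification Authorities is what
    puts the self-signed ESB certificate into that store.
    """
    for root in trusted_roots:
        if root.fingerprint() == cert.fingerprint():
            return True                      # the self-signed cert is itself a trusted root
        if not cert.is_self_signed() and root.subject_cn == cert.issuer_cn:
            return True                      # toy stand-in for verifying the CA signature
    return False


def check_certificate(cert: Cert, hostname: str, trusted_roots: list, now: datetime) -> list:
    """Return the problems a browser would report for this certificate; [] means OK."""
    problems = []
    if not any(dns_name_matches(n, hostname) for n in names_for_matching(cert)):
        problems.append("name mismatch")      # reason [1]: CN/SAN vs URL host
    if now < cert.not_before:
        problems.append("not yet valid")
    elif now > cert.not_after:
        problems.append("expired")            # reason [1]: validity period
    if not is_trusted(cert, trusted_roots):
        problems.append("untrusted issuer")   # reason [2]
    return problems


# Constructed sample certificates (names, dates and bytes are made up for the demo).
NOW = datetime(2010, 11, 8, tzinfo=timezone.utc)
ESB_CERT = Cert(
    subject_cn="esb.example.com", issuer_cn="esb.example.com",
    not_before=datetime(2010, 11, 7, tzinfo=timezone.utc),
    not_after=datetime(2011, 2, 5, tzinfo=timezone.utc),   # keytool's default 90-day validity
    der=b"placeholder for the DER of the self-signed ESB certificate",
)
PUBLIC_CA = Cert(
    subject_cn="Example Public CA", issuer_cn="Example Public CA",
    not_before=datetime(2000, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2030, 1, 1, tzinfo=timezone.utc),
    der=b"placeholder for the DER of a public root CA",
)
AMAZON_LIKE_CERT = Cert(                     # models the www.amazon.com vs amazon.com case
    subject_cn="www.amazon.com", issuer_cn="Example Public CA",
    not_before=datetime(2010, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2012, 1, 1, tzinfo=timezone.utc),
    der=b"placeholder for the DER of a CA-issued leaf certificate",
)


def demo() -> dict:
    """Run the situations discussed in the post and return the verdicts."""
    return {
        "esb_before_gpo": check_certificate(ESB_CERT, "esb.example.com", [], NOW),
        "esb_after_gpo": check_certificate(ESB_CERT, "esb.example.com", [ESB_CERT], NOW),
        "amazon_bare_domain": check_certificate(AMAZON_LIKE_CERT, "amazon.com", [PUBLIC_CA], NOW),
        "esb_expired": check_certificate(ESB_CERT, "esb.example.com", [ESB_CERT],
                                         datetime(2011, 3, 1, tzinfo=timezone.utc)),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {'OK' if not problems else ', '.join(problems)}")
```

Running it shows the ESB certificate failing only on "untrusted issuer" until its own fingerprint is in the root store, the bare amazon.com case failing only on "name mismatch", and the same ESB certificate failing on "expired" once the 90-day default validity has passed; a longer -validity on the keytool command is the fix for that last case.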

Following are the steps to overcome both, in an intranet with an Active Directory setup that uses self-signed certificates.

To overcome [1] - we need to make the CN of our certificate the same as our domain name [say, esb.example.com - just an example].

To overcome [2] - we need to make our domain trust our self-signed certificate.

All WSO2 products ship with a self-signed certificate, inside the wso2carbon.jks key store. The following explains how to create your own certificate for your domain to use with WSO2 ESB, and how to make that certificate trusted by all the domain computers.

1. Let's do the first one first - we are going to create our own certificate under our domain name.

Make sure JAVA_HOME\bin is on your PATH system variable.

In any command prompt, type the following:

:\> keytool -genkey -alias wso2carbon -keyalg RSA -keysize 1024 -dname "CN=esb.example.com,O=Example" -keypass wso2carbon -keystore wso2carbon.jks -storepass wso2carbon

The above will produce a file, wso2carbon.jks - copy it to ESB_HOME\resources\security.

Note: if you use different values for -keypass and -storepass, you need to update ESB_HOME\repository\conf\carbon.xml accordingly.

2. Now we need to export the public certificate from the key store we just created - go to the directory where you have wso2carbon.jks and type the following command in a command prompt:

:\> keytool -export -alias wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -file wso2carbon.cer

This will produce a file, wso2carbon.cer, which is our public certificate - keep it ready for the next step.

3. On a domain controller running Windows Server 2008 R2 or Windows Server 2008, click Start, point to Administrative Tools, and then click Group Policy Management.

In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.

Right-click the Default Domain Policy GPO, and then click Edit.

In the Group Policy Management Console (GPMC), go to Computer Configuration [earlier it was user configuration], Windows Settings, Security Settings, and then click Public Key Policies.

Go to Trusted Root Certification Authorities and import the public certificate you exported.

Done - [3] will be effective as soon as users log in again.

In our case with the ESB, you can now access it through https://esb.example.com:9443/carbon without any errors.
