Steps to verify Keystore with Truststore on Jetty restart #12372
Comments
Did you set
Hi Simon, We are using XML configuration for our Jetty setup, and we noticed that we do not set the validateCerts property in the configuration. Could you please guide us on how to configure certificate validation (validateCerts) within the XML configuration? Additionally, could you clarify whether Jetty validates the server certificate in the keystore against the CA certificate present in the truststore, and what the expected behavior of Jetty should be when the server certificate (keystore) is not signed by the CA in the truststore. For your reference, below is our current Jetty configuration:

<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.sslContext.keyStorePath" deprecated="jetty.keystore" default="etc/keystore"/></Set>
  <Set name="KeyStorePassword">password</Set>
  <Set name="KeyStoreType"><Property name="jetty.sslContext.keyStoreType" default="JKS"/></Set>
  <Set name="KeyStoreProvider"><Property name="jetty.sslContext.keyStoreProvider"/></Set>
  <Set name="KeyManagerPassword">password</Set>
  <Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.sslContext.trustStorePath" deprecated="jetty.truststore" default="etc/truststore"/></Set>
  <Set name="TrustStorePassword">password</Set>
</Configure>

Thank you for your help!
You should not change the XML file. Please read: https://jetty.org/docs/jetty/12/operations-guide/arch/index.html.
Ouch! I just discovered we have no property for We'll fix it. Please read the link above carefully anyway, so in the future you will just need to change Meanwhile, just add this to your XML: <Set name="ValidateCerts">true</Set>
Hi Simon, Thank you for the quick response! I appreciate you looking into the issue with validateCerts. We added the following property to our jetty-ssl-context.xml file:
After doing so, we encountered the following error in the Jetty log file when attempting to access our application UI, which is now inaccessible:

java.security.cert.CertificateException: Unable to validate certificate: unable to find valid certification path to requested target

For context, we have imported the root and intermediate certificates into the truststore located at jetty/etc/truststore, and the host SSL certificate has been imported into the keystore at jetty/etc/keystore. We have attached both the keystore and truststore files for your reference. Could you please assist us in understanding why this validation error is occurring and what steps we should take to resolve it?
@shrinivas-rudrawar sorry but we cannot debug this for you. Firstly, I cannot open your KeyStore as I do not know the password (but please don't send the password to a public issue tracker), and secondly, the verification may fail for many reasons. Please enable system property Jetty is out of the picture here, this is the JDK validating your certificates, so you have to set up your KeyStore correctly.
Hi Simon, Thanks for your immediate response, I understand your concern regarding this issue. Can you please provide answers inline to the questions below? It would be of great help to us. Q1. We used the below steps for certificate verification. Do the below steps seem fine to you, or does some other configuration need to be done in respect of Jetty? Q2. If we import the host certificate to the keystore of Jetty and the CA cert to the truststore of Jetty, does Jetty validate whether the certificate present in the keystore is signed by the CA cert present in the truststore? If yes, what would be the behaviour of Jetty if the host cert is not signed by the correct CA cert?
You created a Java Keystore and Truststore.
The ValidateCerts setting just tells Java to validate the certs.
Don't forget the cacerts from Java too. As @sbordet pointed out, we cannot help you with your certificates / keystore. Consult the Java documentation about those files.
Jetty Version: 12.0.12
Jetty Environment: EE 8
Java Version: 17
The root and intermediate certificates have been imported into the truststore located at jetty/etc/truststore, while the host SSL certificate has been imported into the keystore at jetty/etc/keystore.
We expect that the Jetty service should fail to start if the SSL certificate in the keystore cannot be validated against the certificates in the truststore. Could you please provide guidance on how to enforce this validation?
The jetty-ssl-context.xml file is used to configure the paths and passwords for both the keystore and truststore.
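The pre-start check the issue asks for, as an added example that is not code from the Jetty project or from anyone in this thread: a stand-alone Java program that validates each key entry's certificate chain in the keystore against the certificates in the truststore with the JDK's PKIX CertPathValidator, the JDK mechanism behind the ValidateCerts setting. The command-line arguments (store paths and passwords) and the JKS store type are assumptions; a non-zero exit code is what a start script would use to refuse to launch Jetty.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
/** Validates every key entry's chain in the keystore against the truststore using
 *  PKIX path validation, the JDK check that Jetty's ValidateCerts setting triggers. */
public class KeystoreTrustCheck {
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }
    // Every certificate entry in the truststore becomes a trust anchor (root or intermediate).
    static Set<TrustAnchor> anchorsFrom(KeyStore trustStore) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(trustStore.aliases())) {
            Certificate c = trustStore.getCertificate(alias);
            if (c instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }
        return anchors;
    }
    public static void main(String[] args) throws Exception {
        // Assumed CLI arguments: keystore path, keystore password, truststore path, truststore password
        KeyStore keyStore = load(args[0], "JKS", args[1].toCharArray());
        KeyStore trustStore = load(args[2], "JKS", args[3].toCharArray());
        PKIXParameters params = new PKIXParameters(anchorsFrom(trustStore));
        params.setRevocationEnabled(false); // no CRL/OCSP configured here, so skip revocation checks
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        boolean allValid = true;
        for (String alias : Collections.list(keyStore.aliases())) {
            if (!keyStore.isKeyEntry(alias)) continue; // only private-key entries carry a server chain
            CertPath path = cf.generateCertPath(Arrays.asList(keyStore.getCertificateChain(alias)));
            try {
                validator.validate(path, params);
                System.out.println(alias + ": chain validates against the truststore");
            } catch (CertPathValidatorException e) {
                allValid = false; // same failure class as "unable to find valid certification path"
                System.out.println(alias + ": validation FAILED: " + e.getMessage());
            }
        }
        System.exit(allValid ? 0 : 1); // non-zero exit lets a start script refuse to launch Jetty
    }
}
```

Run it before starting Jetty, e.g. `java KeystoreTrustCheck etc/keystore <ks-password> etc/truststore <ts-password>`; if the truststore only holds the intermediate and not the root, the intermediate still acts as an anchor, so check the output reasons rather than assuming a missing root is the cause.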