Steps to verify Keystore with Truststore on Jetty restart #12372

Open
shrinivas-rudrawar opened this issue Oct 10, 2024 · 8 comments
Labels
Bug For general bugs on Jetty side Help Wanted

Comments

@shrinivas-rudrawar

Jetty Version: 12.0.12
Jetty Environment : EE 8
Java Version: 17

The root and intermediate certificates have been imported into the truststore located at jetty/etc/truststore, while the host SSL certificate has been imported into the keystore at jetty/etc/keystore.

We expect that the Jetty service should fail to start if the SSL certificate in the keystore cannot be validated against the certificates in the truststore. Could you please provide guidance on how to enforce this validation?

The jetty-ssl-context.xml file is used to configure the paths and passwords for both the keystore and truststore.

@shrinivas-rudrawar shrinivas-rudrawar added the Bug For general bugs on Jetty side label Oct 10, 2024
@sbordet
Contributor

sbordet commented Oct 10, 2024

Did you set SslContextFactory.setValidateCerts(true)?

@shrinivas-rudrawar
Author

shrinivas-rudrawar commented Oct 14, 2024

Hi Simon,

We are using XML configuration for our Jetty setup, and we noticed that we do not set the validateCerts property in the configuration. Could you please guide us on how to configure certificate validation (validateCerts) within the XML configuration?

Additionally, could you clarify whether Jetty validates the server certificate in the keystore against the CA certificate present in the truststore, and what the expected behavior of Jetty should be when the server certificate (keystore) is not signed by the CA in the truststore?

For your reference, below is our current Jetty configuration:

```xml
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.sslContext.keyStorePath" deprecated="jetty.keystore" default="etc/keystore"/></Set>
  <Set name="KeyStorePassword">password</Set>
  <Set name="KeyStoreType"><Property name="jetty.sslContext.keyStoreType" default="JKS"/></Set>
  <Set name="KeyStoreProvider"><Property name="jetty.sslContext.keyStoreProvider"/></Set>
  <Set name="KeyManagerPassword">password</Set>
  <Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.sslContext.trustStorePath" deprecated="jetty.truststore" default="etc/truststore"/></Set>
  <Set name="TrustStorePassword">password</Set>
</Configure>
```

Thank you for your help!

@sbordet
Contributor

sbordet commented Oct 14, 2024

You should not change the XML file.

Please read: https://jetty.org/docs/jetty/12/operations-guide/arch/index.html.

@sbordet
Contributor

sbordet commented Oct 14, 2024

Ouch! I just discovered we have no property for validateCerts.

We'll fix it.

Please read the link above carefully anyway, so in the future you will just need to change *.ini files.

Meanwhile, just add this to your XML:

```xml
<Set name="ValidateCerts">true</Set>
```

@sbordet sbordet self-assigned this Oct 14, 2024
@shrinivas-rudrawar
Author

shrinivas-rudrawar commented Oct 14, 2024

Hi Simon,

Thank you for the quick response! I appreciate you looking into the issue with validateCerts.

We added the following property to our jetty-ssl-context.xml file:

```xml
<Set name="ValidateCerts">true</Set>
```

After doing so, we encountered the following error in the Jetty log file when attempting to access our application UI, which is now inaccessible:

```text
java.security.cert.CertificateException: Unable to validate certificate: unable to find valid certification path to requested target
	at org.eclipse.jetty.util.security.CertificateValidator.validate(CertificateValidator.java:256)
	at org.eclipse.jetty.util.security.CertificateValidator.validate(CertificateValidator.java:190)
	at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:332)
	at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:220)
```

For context, we have imported the root and intermediate certificates into the truststore located at jetty/etc/truststore, and the host SSL certificate has been imported into the keystore at jetty/etc/keystore.

We have attached both the keystore and truststore files for your reference. Could you please assist us in understanding why this validation error is occurring and what steps we should take to resolve it?
keystore.zip

@sbordet
Contributor

sbordet commented Oct 14, 2024

@shrinivas-rudrawar sorry but we cannot debug this for you.

Firstly, I cannot open your KeyStore as I do not know the password (but please don't send the password to a public issue tracker), and secondly, the verification may fail for many reasons.

Please enable system property -Djava.security.debug=certpath and figure out what's wrong from the output.

Jetty is out of the picture here, this is the JDK validating your certificates, so you have to set up your KeyStore correctly.

@shrinivas-rudrawar
Author

Hi Simon,

Thanks for your immediate response, I understand your concern regarding this issue.

Can you please provide answers inline to the questions below? It would be of great help to us.

Q1. We used the steps below for certificate verification. Do these steps seem fine to you, or does some other configuration need to be done with respect to Jetty?
-- We created host cert signed by CA cert and imported it to keystore of jetty.
-- We imported the CA cert to truststore of jetty
-- We have added ValidateCerts property along with other necessary configuration as provided above in jetty-ssl-context.xml
-- Is there any step missing?

Q2. If we import the host certificate into the keystore of Jetty and the CA cert into the truststore of Jetty, does Jetty validate whether the certificate present in the keystore is signed by the CA cert present in the truststore? If yes, what would be the behaviour of Jetty if the host cert is not signed by the correct CA cert?

@joakime
Contributor

joakime commented Oct 15, 2024

> Can you please provide answers inline to the questions below? It would be of great help to us.
>
> Q1. We used the steps below for certificate verification. Do these steps seem fine to you, or does some other configuration need to be done with respect to Jetty?
>
>   • We created host cert signed by CA cert and imported it to keystore of jetty.
>   • We imported the CA cert to truststore of jetty.

You created a Java Keystore and Truststore.
These are Java core concepts, not Jetty specific.
All you did was configure Jetty pointing to those files.
Jetty just takes your file configuration and tells Java itself ... "here's the keystore/truststore to use."

>   • We have added ValidateCerts property along with other necessary configuration as provided above in jetty-ssl-context.xml
>   • Is there any step missing?

The ValidateCerts setting just tells Java to validate the certs.
This is all Java, not Jetty.
The behaviors you see are Java.
The debugging of your keystore / truststore issues is also Java.

> Q2. If we import the host certificate into the keystore of Jetty and the CA cert into the truststore of Jetty, does Jetty validate whether the certificate present in the keystore is signed by the CA cert present in the truststore? If yes, what would be the behaviour of Jetty if the host cert is not signed by the correct CA cert?

Don't forget the cacerts from Java too.
The behavior you are trying to get precise about is all Java, not Jetty.
Follow the advice / documentation in Java to understand what kind of information you want to have in the keystore / truststore.
No two configurations of the Java keystore / truststore follow the same rules, or have the same types of information in them.
What you need, the next person configuring their Java keystore / truststore will not want.

As @sbordet pointed out, we cannot help you with your certificates / keystore. Consult the Java documentation about those files.
Jetty only exists to take your files + configuration and hand them to Java.
All of the behaviors you are working with are Java; Jetty isn't involved until well after all of the TLS / SSL / Certificate behaviors are done in Java.
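As an added example that is not part of this thread and not Jetty's own code: a stand-alone Java check that answers Q1/Q2 empirically by doing the same kind of PKIX path build the JDK performs when ValidateCerts is true, loading the keystore and truststore from the paths in jetty-ssl-context.xml and reporting, per private-key entry, whether a path to a truststore anchor can be built (the "unable to find valid certification path" message above is the path builder's failure). It assumes JKS stores as in the posted configuration; the class name and argument order are mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Arrays;
import java.util.Collections;
// Usage: java KeystoreTrustCheck etc/keystore <ksPassword> etc/truststore <tsPassword>
public class KeystoreTrustCheck {
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // type taken from the issue's config (assumption)
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** True when every private-key entry chains to a trusted entry in trustStore. */
    static boolean validateAll(KeyStore keyStore, KeyStore trustStore) throws Exception {
        boolean ok = true;
        for (String alias : Collections.list(keyStore.aliases())) {
            if (!keyStore.isKeyEntry(alias)) continue;
            Certificate[] chain = keyStore.getCertificateChain(alias);
            try {
                // Target is the host certificate; the stored chain supplies the
                // intermediates and the truststore supplies the trust anchors.
                X509CertSelector target = new X509CertSelector();
                target.setCertificate((X509Certificate) chain[0]);
                PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
                params.addCertStore(CertStore.getInstance("Collection",
                        new CollectionCertStoreParameters(Arrays.asList(chain))));
                params.setRevocationEnabled(false); // no CRL/OCSP configured in the issue
                PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)
                        CertPathBuilder.getInstance("PKIX").build(params);
                System.out.println("OK   " + alias + " -> anchor "
                        + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            } catch (CertPathBuilderException e) {
                ok = false; // the same failure ValidateCerts=true raises at startup
                System.out.println("FAIL " + alias + ": " + e.getMessage());
            }
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        boolean ok = validateAll(load(args[0], args[1].toCharArray()),
                                 load(args[2], args[3].toCharArray()));
        System.exit(ok ? 0 : 1);
    }
}
```

A non-zero exit means Jetty would also refuse to start with ValidateCerts enabled; run it with -Djava.security.debug=certpath, as suggested above, to see which link in the chain the JDK rejects.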
