Add a CA certificate to WSO2 truststore

Posted: June 16, 2014 in Uncategorized

The WSO2 truststore, located at CARBON_HOME/repository/resources/security/client-truststore.jks, contains the certificates of the third parties that a WSO2 Carbon server trusts. By default the truststore ships with a number of public CA certificates, such as those of GoDaddy and VeriSign. You can view the existing certificates with the following command.

List existing certificates
keytool -list -v -keystore CARBON_HOME/repository/resources/security/client-truststore.jks

Below is a sample output of the listed certificate details.

Alias name: verisignclass3g3ca
Creation date: Mar 13, 2009
Entry type: trustedCertEntry

Owner: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Serial number: 9b7e0649a33e62b9d5ee90487129ef57
Valid from: Fri Oct 01 06:00:00 IST 1999 until: Thu Jul 17 05:29:59 IST 2036
Certificate fingerprints:
	 MD5:  CD:68:B6:A7:C7:C4:CE:75:E0:1D:4F:57:44:61:92:09
	 SHA1: 13:2D:0D:45:53:4B:69:97:CD:B2:D5:C3:39:E2:55:76:60:9B:5C:C6
	 Signature algorithm name: SHA1withRSA
	 Version: 1


*******************************************
*******************************************

Alias name: godaddyclass2ca
Creation date: Mar 13, 2009
Entry type: trustedCertEntry

Owner: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Serial number: 0
Valid from: Tue Jun 29 23:06:20 IST 2004 until: Thu Jun 29 22:36:20 IST 2034
Certificate fingerprints:
	 MD5:  91:DE:06:25:AB:DA:FD:32:17:0C:BB:25:17:2A:84:67
	 SHA1: 27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4
	 Signature algorithm name: SHA1withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D2 C4 B0 D2 91 D4 4C 11   71 B3 61 CB 3D A1 FE DD  ......L.q.a.=...
0010: A8 6A D4 E3                                        .j..
]
]

Add a CA certificate you trust

Sometimes you want your Carbon server to trust a certificate that is not already in the truststore (for example one issued by your own CA). In that case you have to import that certificate into the Carbon truststore.

keytool -import -alias udara.com  -file udara.com.crt -keystore CARBON_HOME/repository/resources/security/client-truststore.jks

Enter “yes” when you are prompted with “Trust this certificate? [no]:”. Before doing so, compare the fingerprints keytool prints against the values you obtained from the certificate's owner, so that you only add a certificate you have actually verified.

If the import is successful, keytool prints “Certificate was added to keystore” at the end.

keytool -import -alias udara   -file certificate.crt -keystore client-truststore.jks 
Enter keystore password:  
Owner: EMAILADDRESS=udaraliyanage@gmail.com, CN=udara.com, OU=section, O=Udara Company, L=Wadduwa, ST=Western, C=LK
Issuer: EMAILADDRESS=udaraliyanage@gmail.com, CN=udara.com, OU=section, O=Udara Company, L=Wadduwa, ST=Western, C=LK
Serial number: f486cce7e716f5a2
Valid from: Sat Jun 14 19:26:33 IST 2014 until: Sun Jun 14 19:26:33 IST 2015
Certificate fingerprints:
	 MD5:  DC:A2:CE:72:91:4B:66:12:2B:D0:C9:70:A8:54:3B:45
	 SHA1: B1:09:CF:D8:1E:43:ED:B5:34:7B:75:F8:D8:A8:6A:4F:BC:CB:AD:CB
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [

KeyIdentifier [
0000: 71 5F 14 CB A0 DC 4D A5   8E 1E A2 5C B4 E2 6F 7F  q_....M....\..o.
0010: 82 C8 C8 7E                                        ....
]

]

Trust this certificate? [no]:  yes         
Certificate was added to keystore
Verify the certificate is added
keytool -list -v -keystore CARBON_HOME/repository/resources/security/client-truststore.jks | grep udara.com
Search for the alias you provided when importing the certificate; you should see the details of the certificate you added.

udara@udara-ThinkPad-T530:~/projects/support/keys$ keytool -list -keystore client-truststore.jks | grep -i udara
Enter keystore password:  wso2carbon
udara, Jun 14, 2014, trustedCertEntry,
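As an added example (not code from the post or from WSO2), the following Python helper covers the two manual checks above: it computes keytool-style fingerprints of a certificate file so the value shown at the “Trust this certificate?” prompt can be compared with one obtained out of band, and it parses non-verbose `keytool -list` output to confirm the alias is present afterwards. The PEM body and the listing text are constructed sample inputs, not a real certificate; the fingerprint algorithm is selectable because older keytool versions (as in the post) print MD5/SHA1 while newer ones print SHA-256.

```python
import base64
import hashlib
import re

# Constructed sample: a PEM wrapper around a fake DER body (the bytes "DER").
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nREVS\n-----END CERTIFICATE-----\n"
# Constructed sample of non-verbose `keytool -list` output, in the post's format.
SAMPLE_LIST = ("Enter keystore password:  \n"
               "udara, Jun 14, 2014, trustedCertEntry,\n"
               "godaddyclass2ca, Mar 13, 2009, trustedCertEntry,\n")

def pem_to_der(pem_text):
    """Return the DER bytes found between the BEGIN/END CERTIFICATE markers."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in input")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(der, algo="sha256"):
    """keytool-style fingerprint: hash of the DER encoding, uppercase hex pairs
    separated by colons (e.g. 'DA:39:A3:...')."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_matches(expected, actual):
    """Compare two fingerprints ignoring case and separators, so the value
    copied from the CA owner can be in any common format. Empty never matches."""
    def norm(s):
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return norm(expected) != "" and norm(expected) == norm(actual)

def check_before_trusting(pem_text, expected_fp, algo="sha256"):
    """True only if the certificate's fingerprint equals the out-of-band value;
    answer keytool's 'Trust this certificate?' prompt with 'yes' only then."""
    return fingerprint_matches(expected_fp, fingerprint(pem_to_der(pem_text), algo))

def aliases_in_listing(listing):
    """Parse `keytool -list` (non-verbose) lines into {alias: entry type}.
    Lines that are not 'alias, date, entryType,' records are ignored."""
    aliases = {}
    for line in listing.splitlines():
        parts = [p.strip() for p in line.split(",") if p.strip()]
        if len(parts) >= 3 and parts[-1].endswith("Entry"):
            aliases[parts[0]] = parts[-1]
    return aliases

def alias_present(listing, alias):
    """Verification step: was the alias added as a trusted certificate entry?"""
    return aliases_in_listing(listing).get(alias) == "trustedCertEntry"
```

Feed `check_before_trusting` the PEM file you are about to import and the fingerprint the CA owner gave you, and `alias_present` the output of `keytool -list -keystore client-truststore.jks` after the import.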