I'm trying to install a wildfly9 server with client certificate authorization. To do that I have:
On the Client: Create a self signed certificate:
keytool -genkey -keystore client.keystore -validity 3650 -keyalg RSA -keysize 4096 -storetype pkcs12 -alias myClient
On the Client: export certificate
keytool -exportcert -keystore client.keystore -alias myClient -storetype pkcs12 -file myClient.crt
On the server: Import the crt certificate file into the truststore
keytool -import -file myClient.crt -keystore /etc/pki/wildfly/client.truststore
On the server: adjusting the wildfly config (enabling client certifacte authentication):
<security-realm name="UndertowRealm"> <server-identities> <ssl> <keystore path="/etc/pki/wildfly/server.keystore" keystore-password="123456" alias="server" key-password="123456"/> </ssl> </server-identities> <authentication> <truststore path="/etc/pki/wildfly/client.truststore" keystore-password="123456"/> <local default-user="$local" skip-group-loading="true"/> <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/> </authentication> </security-realm> ... <subsystem xmlns="urn:jboss:domain:undertow:2.0"> <server name="default-server"> <https-listener name="https" socket-binding="https" security-realm="UndertowRealm" verify-client="REQUIRED"/> ... </server> </subsystem>
The client is a python script. For this client I need the certifacte and the key in PEM format. To export the certificate in PEM I do (all on client side):
Export certificate key:
keytool -v -importkeystore -srckeystore client.keystore -srcalias myClient -destkeystore myClient.key.tmp.pem -deststoretype PKCS12 -destkeypass 123456
Remove the password from key (yes, of course I will also restrict the access to the key later by changing the file mode):
openssl pkcs12 -in myClient.key.tmp.pem -nocerts -nodes > myClient.key.pem
Remove all outside '-----BEGIN PRIVATE KEY-----' and '-----END PRIVATE KEY-----' of the myClient.key.pem
Export the certificat as PEM:
keytool -exportcert -keystore client.keystore -alias myClient -rfc -file myClient.pem
But every time if I want connect the server I get (on the server) the error:
2016-10-31 09:50:55,102 DEBUG [io.undertow.request.io] (default I/O-1) Error reading request: javax.net.ssl.SSLException: Received fatal alert: unknown_ca
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.xnio.ssl.JsseSslConduitEngine.engineUnwrap(JsseSslConduitEngine.java:688)
at org.xnio.ssl.JsseSslConduitEngine.unwrap(JsseSslConduitEngine.java:620)
at org.xnio.ssl.JsseSslConduitEngine.unwrap(JsseSslConduitEngine.java:574)
at org.xnio.ssl.JsseSslStreamSourceConduit.read(JsseSslStreamSourceConduit.java:89)
at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:150)
at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:128)
at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:56)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:539)
If I disable the client certificate authentification all is fine. so there must be anything wrong with the client certificate authentification.
Anybody knows whats wrong?