2
votes

I'm trying to create a non-dev node with a proper certificate. Here are my certificate-creation commands using Java keytool:

keytool -genkeypair -keyalg EC -keysize 256 -sigalg SHA256withECDSA -keystore root.jks -dname "O=Bank A,L=London,C=GB" -storepass password -keypass password -alias root -ext bc:c

keytool -keystore root.jks -storepass password -alias root -exportcert -rfc > root.pem

keytool -importkeystore -srckeystore root.jks -destkeystore truststore.jks -srcstorepass password -deststorepass password -srcalias root -destalias cordarootca

keytool -genkeypair -keyalg EC -keysize 256 -sigalg SHA256withECDSA -keystore intermediate.jks -dname "O=Bank A,L=London,C=GB" -storepass password -keypass password -alias intermediate -ext bc:c

keytool -keystore intermediate.jks -storepass password -alias intermediate -certreq | keytool -keystore root.jks -storepass password -alias root -gencert -ext bc:c -rfc > intermediate.pem

type root.pem intermediate.pem > intermediatecachain.pem

keytool -keystore intermediate.jks -storepass password -alias intermediate -importcert -file intermediatecachain.pem -noprompt

keytool -keystore intermediate.jks -storepass password -alias intermediate -exportcert -rfc > intermediate.pem

keytool -genkeypair -keyalg EC -keysize 256 -sigalg SHA256withECDSA -keystore nodekeystore.jks -dname "O=Bank A,L=London,C=GB" -alias cordaclientca -storepass password -keypass password -ext bc:c

keytool -keystore nodekeystore.jks -storepass password -alias cordaclientca -certreq | keytool -keystore intermediate.jks -storepass password -alias intermediate -gencert -ext bc:c -rfc > cordaclientca.pem

type intermediate.pem cordaclientca.pem > cordaclientcachain.pem

keytool -keystore nodekeystore.jks -storepass password -alias cordaclientca -importcert -file cordaclientcachain.pem -noprompt

keytool -genkeypair -keyalg EC -keysize 256 -sigalg SHA256withECDSA -keystore sslkeystore.jks -dname "O=Bank A,L=London,C=GB" -alias cordaclientttls -storepass password -keypass password

keytool -keystore sslkeystore.jks -storepass password -alias cordaclienttls -certreq | keytool -keystore intermediate.jks -storepass password -alias intermediate -gencert -ext bc:0 -rfc > cordaclienttls.pem

type intermediate.pem cordaclienttls.pem > cordaclienttlschain.pem

keytool -keystore sslkeystore.jks -storepass password -alias cordaclienttls -importcert -file cordaclienttlschain.pem -noprompt

When it's done, I receive the error:

[main] internal.Node.run - Exception during node startup java.lang.IllegalArgumentException: No certificate chain under the alias cordaclienttls
    at net.corda.nodeapi.internal.crypto.X509KeyStore.getCertificateChain(X509KeyStore.kt:52) ~[corda-node-api-3.1.jar:?]
    at net.corda.node.internal.AbstractNode.validateKeystore(AbstractNode.kt:824) ~[corda-node-3.1.jar:?]
    at net.corda.node.internal.AbstractNode.initCertificate(AbstractNode.kt:240) ~[corda-node-3.1.jar:?]
    at net.corda.node.internal.AbstractNode.start(AbstractNode.kt:282) ~[corda-node-3.1.jar:?]
    at net.corda.node.internal.Node.start(Node.kt:387) ~[corda-node-3.1.jar:?]
    at net.corda.node.internal.EnterpriseNode.start(EnterpriseNode.kt:181) ~[corda-node-3.1.jar:?]
    at net.corda.node.internal.NodeStartup.startNode(NodeStartup.kt:270) ~[corda-node-3.1.jar:?]
    at net.corda.node.internal.NodeStartup.run(NodeStartup.kt:160) [corda-node-3.1.jar:?]
    at net.corda.node.Corda.main(Corda.kt:25) [corda-node-3.1.jar:?]

Next, I use the following commands:

keytool -genkeypair -keyalg EC -keysize 256 -sigalg SHA256withECDSA -keystore root.jks -dname "O=Bank A,L=London,C=GB" -storepass password -keypass password -alias root -ext bc:c

keytool -keystore root.jks -storepass password -alias root -exportcert -rfc > root.pem

keytool -importkeystore -srckeystore root.jks -destkeystore truststore.jks -srcstorepass password -deststorepass password -srcalias root -destalias cordarootca

keytool -genkeypair -keyalg EC -keysize 256 -sigalg SHA256withECDSA -keystore intermediate.jks -dname "O=Bank A,L=London,C=GB" -storepass password -keypass password -alias intermediate -ext bc:c

keytool -keystore intermediate.jks -storepass password -alias intermediate -certreq | keytool -keystore root.jks -storepass password -alias root -gencert -ext bc:c -rfc > intermediate.pem

type root.pem intermediate.pem > intermediatecachain.pem

keytool -keystore intermediate.jks -storepass password -alias intermediate -importcert -file intermediatecachain.pem -noprompt

keytool -keystore intermediate.jks -storepass password -alias intermediate -exportcert -rfc > intermediate.pem

keytool -genkeypair -keyalg EC -keysize 256 -sigalg SHA256withECDSA -keystore nodekeystore.jks -dname "O=Bank A,L=London,C=GB" -alias cordaclientca -storepass password -keypass password -ext bc:c

keytool -keystore nodekeystore.jks -storepass password -alias cordaclientca -certreq | keytool -keystore intermediate.jks -storepass password -alias intermediate -gencert -ext bc:c -rfc > cordaclientca.pem

type intermediate.pem cordaclientca.pem > cordaclientcachain.pem

keytool -keystore nodekeystore.jks -storepass password -alias cordaclientca -importcert -file cordaclientcachain.pem -noprompt

keytool -genkeypair -keyalg EC -keysize 256 -sigalg SHA256withECDSA -keystore sslkeystore.jks -dname "O=Bank A,L=London,C=GB" -alias cordaclienttls -storepass password -keypass password

keytool -keystore sslkeystore.jks -storepass password -alias cordaclienttls -certreq | keytool -keystore intermediate.jks -storepass password -alias intermediate -gencert -ext bc:0 -rfc > cordaclienttls.pem

type intermediate.pem cordaclienttls.pem > cordaclienttlschain.pem

keytool -keystore sslkeystore.jks -storepass password -alias cordaclienttls -importcert -file cordaclienttlschain.pem -noprompt

And get this error:

[main] internal.Node.run - Exception during node startup java.lang.IllegalArgumentException: TLS certificate must chain to the trusted root.
    at net.corda.node.internal.AbstractNode.validateKeystore(AbstractNode.kt:828) ~[corda-node-3.1.jar:?]
    at net.corda.node.internal.AbstractNode.initCertificate(AbstractNode.kt:240) ~[corda-node-3.1.jar:?]
    at net.corda.node.internal.AbstractNode.start(AbstractNode.kt:282) ~[corda-node-3.1.jar:?]
    at net.corda.node.internal.Node.start(Node.kt:387) ~[corda-node-3.1.jar:?]
    at net.corda.node.internal.EnterpriseNode.start(EnterpriseNode.kt:181) ~[corda-node-3.1.jar:?]
    at net.corda.node.internal.NodeStartup.startNode(NodeStartup.kt:270) ~[corda-node-3.1.jar:?]
    at net.corda.node.internal.NodeStartup.run(NodeStartup.kt:160) [corda-node-3.1.jar:?]
    at net.corda.node.Corda.main(Corda.kt:25) [corda-node-3.1.jar:?]

Can anyone tell me how to fix this problem?

Thank you.
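As an added check (not from the post above and not Corda's own code), the following stdlib-only Python script inspects a PEM chain file the way the node's "must chain to the trusted root" error implies: each certificate must be issued by the next one in the file, and the file must end with the self-signed root that was exported to root.pem and imported into the trust store. The toy certificates it builds for its own input are constructed, unsigned stand-ins; the script checks issuer/subject linkage and root identity only, not signatures.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """DER bytes of every CERTIFICATE block, in file order (the order `type` wrote them)."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)]

def der_children(buf):
    """Split DER bytes into top-level (tag, content, raw_tlv) elements; lengths up to 2^32."""
    out, i = [], 0
    while i < len(buf):
        tag, n, hdr = buf[i], buf[i + 1], 2
        if n & 0x80:  # long-form length: low bits give the byte count of the length field
            k = n & 0x7F
            n, hdr = int.from_bytes(buf[i + 2:i + 2 + k], "big"), 2 + k
        out.append((tag, buf[i + hdr:i + hdr + n], buf[i:i + hdr + n]))
        i += hdr + n
    return out

def names(cert_der):
    """(issuer, subject) of an X.509 certificate as raw DER Name encodings."""
    tbs = der_children(der_children(der_children(cert_der)[0][1])[0][1])
    off = 1 if tbs[0][0] == 0xA0 else 0  # v3 certificates start with an explicit [0] version
    return tbs[off + 2][2], tbs[off + 4][2]

def check_chain(chain_pem, root_pem):
    """Why a chain file would fail 'must chain to the trusted root', or None if it is sound."""
    chain, root = pem_to_der(chain_pem), pem_to_der(root_pem)
    if len(root) != 1 or not chain:
        return "expected one root certificate and a non-empty chain"
    for i in range(len(chain) - 1):  # each certificate must be issued by the next one
        if names(chain[i])[0] != names(chain[i + 1])[1]:
            return f"certificate {i} is not issued by certificate {i + 1} (wrong order?)"
    if names(chain[-1])[0] != names(chain[-1])[1]:
        return "chain does not end at a self-signed certificate: root.pem is missing"
    if chain[-1] != root[0]:
        return "last certificate is not the trust-store root"
    return None

def tlv(tag, body):  # minimal DER encoder, short-form lengths only (enough for the toy certs)
    return bytes([tag, len(body)]) + body

def toy_cert(subject, issuer):
    """Constructed, unsigned stand-in certificate: only issuer and subject carry meaning."""
    name = lambda s: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x0a") + tlv(0x0c, s.encode()))))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") + name(issuer)
           + tlv(0x30, b"") + name(subject) + tlv(0x30, b""))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"
```

Run `check_chain(open("cordaclienttlschain.pem").read(), open("root.pem").read())` against real files before starting the node; a chain file built from only intermediate.pem and the leaf reports the missing root.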

1

1 Answer

0
votes

So be aware that Corda open source doesn't do a lot of the PKI stuff that you might be trying to get working; you probably need to be on Corda Enterprise.

If you're using Corda Enterprise, the support team is very qualified to help you out with this one, as it's pretty specific.

You're going to want to take a long hard look at the CENM (Corda Network Manager).

If you're still trying to fight it out on your own, take a look at the Corda docs on this: https://docs.corda.net/docs/cenm/1.3/pki-tool.html#public-key-infrastructure-pki-tool