0
votes

I have little knowledge of certificates.

I need to add a certificate for Jetty (v9.4.11), which is part of an application.

I tried with a self-signed certificate - all OK. But now I need to do it with the organization's official certificate.

The administrator gave me 2 files - .cer and .p7b. The application's documentation says that a command like this is enough:

keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

I tried this command with .cer instead of .crt. The keystore was created, I configured jetty-http.xml and started the application. Tried to open it - and got the error SSL_ERROR_NO_CIPHER_OVERLAP.

Checked with openssl, connecting to my address with -tls1/-tls1_1/-tls1_2 - nothing; the connection is OK, but nothing from the keystore.

Checked the content of the keystore with keytool - 1 entry, a trustedCertEntry, and no key (neither private nor public).

Is it really possible to configure this with only these 2 files (.cer/.p7b), or do I need something else?


2 Answers

0
votes

Usually when setting up SSL certificates, you will more often than not have 2 or 3 files.

The base working format for certificates is a certificate / key pair. For example, you could have a certificate for example.com with its associated key.

example.com.cer
example.com.key

If the certificates were created using a provider, you will most likely also need the root Certificate Authority. In our infra, for instance, our root CAs are in the .pem or .cer format. Here is a config for one of my webservers, using entrust.crt as the root CA chain file:

SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
SSLCertificateChainFile /etc/apache2/ssl/entrust.crt

In your case, you have a .p7b file. P7B files often have more than a single entry; they can contain both the certificate and the root CA chain. You can open the .p7b on a Windows machine, then find the certificates and right-click > Export. Export your files in Base64 and set them on your server.

(screenshot: ExportCert Base64)

0
votes

The problem was that the initial .csr file was incorrect. I recreated it:

  • get the .cer

  • run in cmd: certutil -repairstore my "serial" to generate the key

  • export to .pfx

  • connect the application to the .pfx
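As an added example (not code from the question or either answer), here is the keytool sequence that produces a keystore holding a PrivateKeyEntry for Jetty, which is what the question's keystore lacked and what the second answer fixed by recreating the CSR from the key, followed by a check on `keytool -list` output that flags a trustedCertEntry-only keystore. The alias, file names and password are assumptions.

```shell
#!/bin/sh
# Added example, not from the question or answers. Alias, file names and the
# password are assumptions; replace them with your own values.
set -eu

KEYSTORE="${KEYSTORE:-keystore.jks}"
ALIAS="${ALIAS:-mydomain}"
STOREPASS="${STOREPASS:-changeit}"   # assumption: use a real password

# Step 1: create the key pair inside the keystore and derive the CSR from it.
# The CA-signed .cer can only become a PrivateKeyEntry if it answers a CSR
# made from this key; a .cer imported on its own yields a trustedCertEntry.
generate_key_and_csr() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -dname "CN=mydomain.example, O=Example Org" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -certreq -alias "$ALIAS" -file mydomain.csr \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 2: import the CA reply under the SAME alias as the key pair. A .p7b
# (PKCS#7) reply usually carries the issuing chain as well; -trustcacerts
# lets keytool verify it against the cacerts store.
import_ca_reply() {
    keytool -importcert -trustcacerts -alias "$ALIAS" -file mydomain.p7b \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -noprompt
}

# Step 3: check `keytool -list` output (non-verbose form, read from stdin)
# for a PrivateKeyEntry under the given alias. Returns 0 if found, else 1.
has_private_key_entry() {
    grep -q "^$1, .*PrivateKeyEntry"
}

# Constructed samples of `keytool -list` output: the first mirrors the
# question's keystore (one trustedCertEntry, no key), the second a good one.
SAMPLE_TRUSTED_ONLY='mydomain, Sep 10, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33'
SAMPLE_WITH_KEY='mydomain, Sep 10, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:33'

# Usage (needs keytool on PATH): run step 1, send mydomain.csr to the CA,
# save the reply as mydomain.p7b, run step 2, then:
#   keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" \
#     | has_private_key_entry "$ALIAS" && echo "keystore is ready for Jetty"
```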