
Comments (9)

ishan-aggarwal avatar ishan-aggarwal commented on August 16, 2024

Hello Hakan Altındağ,

Thank you so much for this video and all your help.

I am facing some build issues with client code.

The only difference I could see is you are using jdk 11 whereas in my local environment I am using jdk 8.

I will update you the final status of curl command once these issues are resolved.

Thanks,
Ishan Aggarwal

from mutual-tls-ssl.

Hakky54 avatar Hakky54 commented on August 16, 2024

Hi Ishan,

Thank you very much, I really appreciate your compliments :)
I would love to help you out with doing these tasks with curl command.

I am not so familiar yet with curl and https requests with certificates, so anyone who reads this page, feel free to provide me feedback.

Curl requires PEM formatted files to do a request. Within this project we used mainly jks files and in some cases a p12 file.

What I did was the following steps:

  1. fast forward to mutual authentication based on root ca with the provided script within the project: ./script/configure-two-way-authentication-by-trusting-root-ca.sh black-hole This configures the whole project with mutual authentication and also creates all the cert/keystores. It is basically all the steps within the readme within a script file.
  2. build the project: mvn clean verify
  3. start the server: java -jar server/target/server.jar
  4. convert the truststore.jks to a p12 file: keytool -importkeystore -srckeystore client/src/test/resources/truststore.jks -destkeystore client/src/test/resources/truststore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass secret -deststorepass secret
  5. convert the truststore.p12 to a pem file: openssl pkcs12 -in client/src/test/resources/truststore.p12 -out client/src/test/resources/truststore.pem -passin pass:secret
  6. convert the client-signed.p12 to a pem file: openssl pkcs12 -in client/src/test/resources/client-signed.p12 -out client/src/test/resources/client-signed.pem -passin pass:secret
  7. execute the curl command: curl --cert client/src/test/resources/client-signed.pem --pass secret --cacert client/src/test/resources/truststore.pem https://localhost:8443/api/hello

With the --cert command I load the client public and private key. With the --cacert I load my custom trusted certificates. I used secret as the password when converting my client certificate to a pem file, and by passing the argument --pass curl won't prompt for the password.

Hope this will work for you, please let me know if you succeeded.

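The conversion steps above (JKS to PKCS#12 to PEM, then curl with --cert/--pass/--cacert) can be checked before the request is ever sent. The script below is an added example and not code from the mutual-tls-ssl project or its author: it builds a throwaway CA and client certificate with openssl only (so keytool is not needed), bundles them into PKCS#12 files of the same shape as client-signed.p12 and truststore.p12, converts them to PEM exactly as in steps 5 and 6, and then verifies that the client PEM carries both a certificate and a private key, that the key belongs to that certificate, and that the certificate chains to the CA in the truststore PEM. The WORK directory, the certificate names and the password "secret" are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the mutual-tls-ssl project): reproduce the
# PKCS#12 -> PEM conversion for curl and validate the result.
# Assumptions: openssl on PATH, WORK is a scratch directory,
# password "secret" as used in the thread.

WORK="${WORK:-$(mktemp -d)}"
PASS="secret"

make_test_material() {
  # Constructed throwaway CA and client cert; stand-ins for root-ca / client-signed
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/client.ext" -out "$WORK/client.crt" >/dev/null 2>&1
  # Same shape as the project's client-signed.p12 (key + cert) and truststore.p12 (CA only)
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -out "$WORK/client-signed.p12" -passout "pass:$PASS"
  openssl pkcs12 -export -nokeys -in "$WORK/ca.pem" \
    -out "$WORK/truststore.p12" -passout "pass:$PASS"
}

convert_for_curl() {
  # Steps 5 and 6 of the thread. -passout keeps the exported private key
  # encrypted under $PASS (what curl's --pass unlocks) instead of prompting.
  openssl pkcs12 -in "$WORK/truststore.p12" -nokeys \
    -out "$WORK/truststore.pem" -passin "pass:$PASS"
  openssl pkcs12 -in "$WORK/client-signed.p12" \
    -out "$WORK/client-signed.pem" -passin "pass:$PASS" -passout "pass:$PASS"
}

# Check 1: curl's --cert file must contain a certificate AND a private key.
pem_has_cert_and_key() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -Eq -- '-----BEGIN (ENCRYPTED |RSA )?PRIVATE KEY-----' "$1"
}

# Check 2: the public key in the certificate equals the one derived from the private key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null || true)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check 3: the same trust decision the server makes: does the client cert chain
# to a CA in the truststore PEM?
chain_verifies() {
  openssl x509 -in "$1" 2>/dev/null | openssl verify -CAfile "$2" >/dev/null 2>&1
}

run_demo() {
  make_test_material && convert_for_curl &&
    pem_has_cert_and_key "$WORK/client-signed.pem" &&
    key_matches_cert "$WORK/client-signed.pem" "$PASS" &&
    chain_verifies "$WORK/client-signed.pem" "$WORK/truststore.pem" &&
    echo "PEM material is consistent; request would be:" &&
    echo "curl --cert $WORK/client-signed.pem --pass $PASS --cacert $WORK/truststore.pem https://localhost:8443/api/hello"
}

run_demo
```

If check 1 fails, the --cert file is a certificate-only export and curl cannot present a client key; if check 3 fails, the server will reject the handshake even though curl loads the file. The "Initializing NSS" line in the verbose output further down shows a curl built against NSS rather than OpenSSL; curl builds with that backend typically load PEM client certificates through a separate nss-pem module, so `curl -V` is worth checking when the file itself passes these checks.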

ishan-aggarwal avatar ishan-aggarwal commented on August 16, 2024

Hello Hakan Altındağ,

Thank you so much for your quick response.

As mentioned, I performed all the required steps. However, it does not seem to be working as per the steps.

Please find below details -

curl -v --cert client/src/test/resources/client-signed.pem --pass secret --cacert client/src/test/resources/truststore.pem https://localhost:8445/api/hello

* About to connect() to localhost port 8445 (#0)
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8445 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: client/src/test/resources/truststore.pem
  CApath: none
* unable to load client key: -8178 (SEC_ERROR_BAD_KEY)
* NSS error -8178 (SEC_ERROR_BAD_KEY)
* Peer's public key is invalid.
* Closing connection 0
curl: (58) unable to load client key: -8178 (SEC_ERROR_BAD_KEY)

Could you please help me further to debug this issue and run this example using curl command.

Thanks,
Ishan Aggarwal


Hakky54 avatar Hakky54 commented on August 16, 2024

Could you push all your changes to a forked repo? In that way I am able to easily find the root cause of this failed request.


ishan-aggarwal avatar ishan-aggarwal commented on August 16, 2024

Hello Hakan Altındağ,

I am using the same server side code and the script you mentioned to create the certificates and keystore, truststore etc.

There are no changes other than that. Please suggest whether I should still share the changes.

Thanks,
Ishan Aggarwal


Hakky54 avatar Hakky54 commented on August 16, 2024

Then I am not quite sure what the cause would be; the only difference I still see is that the port is different within your curl command: curl -v --cert client/src/test/resources/client-signed.pem --pass secret --cacert client/src/test/resources/truststore.pem https://localhost:8445/api/hello

Could you check if your server is running on port 8443 or 8445?

If it is still not working, let's do a remote session with TeamViewer.


ishan-aggarwal avatar ishan-aggarwal commented on August 16, 2024

Hello Hakan Altındağ,

As mentioned by you earlier, I have pushed all my changes to forked repository -
https://github.com/ishan-aggarwal/mutual-tls-ssl.git

Yes, I am using the server port 8445 in application.yml file for server application.

I am basically using server application and curl command as client to fetch the response from server.

I have used the script configure-two-way-authentication-by-trusting-root-ca.sh for setting up all the required prerequisites, and made minor modifications to the script to make it work.

Client curl command used is:

curl -v --cert client/src/test/resources/client-signed.pem --pass secret --cacert client/src/test/resources/truststore.pem https://localhost:8445/api/hello

* About to connect() to localhost port 8445 (#0)
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8445 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: client/src/test/resources/truststore.pem
  CApath: none
* unable to load client key: -8178 (SEC_ERROR_BAD_KEY)
* NSS error -8178 (SEC_ERROR_BAD_KEY)
* Peer's public key is invalid.
* Closing connection 0
curl: (58) unable to load client key: -8178 (SEC_ERROR_BAD_KEY)

Please help me to make this example work using curl command.

Thank you in advance for all your help.

Thanks,
Ishan Aggarwal


Hakky54 avatar Hakky54 commented on August 16, 2024

Thank you for pushing your code into a separate git repository.

I have analysed your changes and I can conclude that the creation of the certificates/keystores is correct. Unfortunately the server project couldn't be built because the pom was not correct.

I reverted the changes of the two files below to fix the build for the server:

The client is also failing, but after adjusting the following expected Hello message to Hello from server! within the feature file and adjusting the port from 8443 to 8445 within the Constants.java and TestConstants.java the client build is also (almost) passing.

After applying these changes and rebuilding it with mvn clean verify from the root directory, I start the server with the following command: java -jar server/target/server.jar. After this I execute the curl command and it works.

Please have a look at this video where I show the changes step by step: Debug ishan-aggarwal-muutual-tls-ssl The video will be available in HD quality soon.

After your changes within the server project, especially the pom.xml and LogCertificateAspect.java, the server couldn't be built and therefore it was also not able to create the jar. So maybe you were using an older jar file when starting up the server and therefore the curl was also failing. But that is an assumption; I hope the explanation above and the video make sense. Please let me know if it is working on your side after applying the changes.


Hakky54 avatar Hakky54 commented on August 16, 2024

By the way @ishan-aggarwal, I have added a gist with the specific commands to transform a keystore into something which will be accepted by the curl command. It is available here in case you need to bookmark it: curl-with-java-keystore.md

