Thursday, December 17, 2009

Chained SSL + Java or Smartphone = Not Trusted?

For years we’ve seen our partners that use Java servers, particularly Sun servers, have to manually re-trust our VeriSign chained SSL certs every time we renewed them. The serial number would change (or something) and we’d go from trusted back to untrusted. We’ve also noticed that some smartphones don’t seem to trust our certs either. A year ago I installed an intermediate CA cert to get a clean Mac+Safari machine to trust our site without a popup, but Java servers & smartphones continued to have initial trust issues.

A typical error reported by a partner running Java servers looks something like this:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.jav

I put a resolution in place yesterday; it turns out this is a pretty common problem for consumers of VeriSign chained certs.

VeriSign has a Java applet, the SSL Certificate “Installation Checker”, that walks your certification path and looks for gaps in the chain. You can find the applet here:

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1130

To run the applet you’ll need the Java JRE installed if you don’t already have it; it only takes a minute and can be found here:

http://www.java.com/en/download/manual.jsp

So run the applet, point it at your externally accessible domain, and have it crawl your cert chain. If it finds a gap it will tell you, and if you’re using VeriSign certs above and below the gap it should even give you the intermediate CA certificate (the “chained public key”) you’ll need to import.

VeriSign changed the intermediate CA certificate used for its chained certs in May 2009, so if your cert was issued since then you’ll need the latest intermediate. The applet correctly identified that for us and pointed me to the newest one automatically.

We have our VeriSign certs loaded on the F5 load balancers, and we’re on version 9 of the OS, which makes installing the intermediate certificate a snap.

  1. Import the intermediate CA certificate (the “chained public key” the applet gave you) as an SSL Certificate on the F5.
  2. Edit your client-facing SSL Cert “Profile”.
  3. Go into Advanced Configuration.
  4. Enable “Chain” and select the chained public key that you installed.

It takes effect immediately on all virtual servers using that Client SSL profile.
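To check the result without waiting for a partner to complain, here is an added shell example (not from the original post and not a VeriSign or F5 tool) that builds a throwaway root / intermediate / leaf chain with the openssl CLI, walks the issuer links the same way the applet does, and shows that path validation fails when the server sends only the leaf and succeeds once the intermediate is sent alongside it. The CA names, the chain itself and the hostname in the live check are constructed for the example; `served_chain_length` needs network access and is the one function meant to be pointed at your real site.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is on PATH.
# Everything below (CA names, keys, certs) is constructed on the fly in a temp dir.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# issue <name> <subject> <issuer-name> <extension-section>: CSR + signed cert in $WORK
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$CFG" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 30 -extfile "$CFG" -extensions "$4" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Root: self-signed, standing in for the root every client already has in its trust store.
openssl req -x509 -new -newkey rsa:2048 -nodes -config "$CFG" -extensions v3_ca \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" -days 30 \
  -subj "/CN=Example Root CA (constructed)" 2>/dev/null
# Intermediate: the "chained" CA cert the Java clients in the post could not find.
issue int  "/CN=Example Intermediate CA (constructed)" root v3_ca
# Leaf: the server cert loaded on the load balancer.
issue leaf "/CN=www.example.test" int v3_leaf

# link_ok <cert> <candidate-issuer>: prints yes if <cert> names the subject of
# <candidate-issuer> as its issuer. A "no" at any hop is the gap the applet reports.
link_ok() {
  iss=$(openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^[^=]*= *//')
  sub=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$2" | sed 's/^[^=]*= *//')
  if [ -n "$iss" ] && [ "$iss" = "$sub" ]; then echo yes; else echo no; fi
}

# validate <leaf> [intermediate]: path validation as a client sees it, trusting only
# the root. openssl's "unable to get local issuer certificate" is the same condition
# Java reports as "unable to find valid certification path to requested target".
validate() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$2" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$WORK/root.crt" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# served_chain_length <host> [port]: how many certificates a live server actually sends.
# Needs network, so it is not exercised here. A result of 1 is the symptom in the post:
# the leaf arrives alone and clients without the intermediate cannot build the path.
served_chain_length() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

echo "leaf issued by intermediate:         $(link_ok "$WORK/leaf.crt" "$WORK/int.crt")"
echo "intermediate issued by root:         $(link_ok "$WORK/int.crt" "$WORK/root.crt")"
echo "validate, server sends leaf only:    $(validate "$WORK/leaf.crt")"
echo "validate, server sends leaf + chain: $(validate "$WORK/leaf.crt" "$WORK/int.crt")"
```

Run `served_chain_length www.yourdomain.example` before and after enabling “Chain” on the Client SSL profile; the count should go from 1 to 2. Note the limit of the fix: sending the intermediate only helps clients that already trust the root it chains to. A client whose store lacks the root itself still fails, and no server-side change can repair that.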

And now Java/Sun shops will trust your chained cert automatically, and non-Windows-based smartphones (the majority of them) should trust your website without question!
