PKCS#12 trust store without private key

I’m using SearchGuard 2.4.0.16 with ES 2.4.0.0.
I get the following exception when I try to use a trust store that contains a self-signed certificate that doesn’t have a private key:
Exception in thread "main" ElasticsearchSecurityException[Error while initializing HTTP SSL layer: java.security.KeyStoreException: no certificate chain or certificate with alias: null]; nested: KeyStoreException[no certificate chain or certificate with alias: null];
Likely root cause: java.security.KeyStoreException: no certificate chain or certificate with alias: null

This is an extract from my config file.
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.keystore_type: PKCS12
searchguard.ssl.transport.keystore_filepath: client.p12
searchguard.ssl.transport.keystore_password: 1
searchguard.ssl.transport.truststore_type: PKCS12
searchguard.ssl.transport.truststore_filepath: root.p12
searchguard.ssl.transport.truststore_password: 1

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_type: PKCS12
searchguard.ssl.http.keystore_filepath: client.p12
searchguard.ssl.http.keystore_password: 1
searchguard.ssl.http.truststore_type: PKCS12
searchguard.ssl.http.truststore_filepath: root.p12
searchguard.ssl.http.truststore_password: 1

Everything is fine when root.p12 has the private key.
Why is it required to have private keys in the trust store?

Thanks in advance!
Oleg

Can you provide logs on debug level?

You should see log statements like:

Alias xxx: is a certificate entry?true/is a key entry?false

On 19.09.2016 at 18:31, Oleg Yegorov <yegorov.oleg@gmail.com> wrote:

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/f6e3e383-d3b0-430f-b198-3d2b305d9e72%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.

This is what I see in the logs:
[2016-09-20 17:06:10,843][DEBUG][com.floragunn.searchguard.ssl.util.SSLCertificateHelper] Alias iis express development certificate container: is a certificate entry?false/is a key entry?true

I attached the full log, as well as the PKCS#12 files I’m using.
Basically, in this simple setup I’m trying to use the same certificate for the trust store (no private key) and key store (with private key).

Thanks.
Oleg

output.txt (38.2 KB)

elasticsearch.log (39.7 KB)

client.p12 (1.7 KB)

root.p12 (723 Bytes)

On Monday, September 19, 2016 at 10:33:25 PM UTC+3, SG wrote:

Can you provide logs on debug level?

You should see log statements like:

Alias xxx: is a certificate entry?true/is a key entry?false
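A pre-flight check, added here and not part of Search Guard or Elasticsearch, that loads the two PKCS#12 files named in the configuration above with Java's own KeyStore API, reports each alias in the same terms as the Search Guard debug line, and then flags a trust store that carries a private key or a key store that has no key entry. The class name P12StoreCheck is an assumption, as is Java 8 or later (earlier PKCS12 keystore implementations could not hold trusted-certificate entries at all).

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Assumed class name; not Search Guard code. Needs Java 8+ for PKCS12 trusted-certificate entries.
public class P12StoreCheck {
    // Load a PKCS#12 file with the given store password (the thread's config uses "1").
    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }
    // One line per alias, in the same form as the SSLCertificateHelper debug output quoted above.
    static List<String> describe(KeyStore ks) throws Exception {
        List<String> lines = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            lines.add("Alias " + alias + ": is a certificate entry?" + ks.isCertificateEntry(alias)
                    + "/is a key entry?" + ks.isKeyEntry(alias));
        }
        return lines;
    }
    // Role checks: a trust store should hold only trusted-certificate entries (no private key to
    // expose); a key store needs at least one key entry with its certificate chain present.
    static List<String> problems(KeyStore ks, boolean trustStore) throws Exception {
        List<String> out = new ArrayList<>();
        boolean hasKey = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            hasKey = true;
            if (trustStore) out.add("alias '" + alias + "' holds a private key; a trust store should not");
            else if (ks.getCertificateChain(alias) == null) out.add("alias '" + alias + "' has no certificate chain");
        }
        if (ks.size() == 0) out.add("store contains no entries");
        if (!trustStore && !hasKey) out.add("no key entry found, so there is no private key to present");
        return out;
    }
    // Usage: java P12StoreCheck client.p12 root.p12 <password>
    public static void main(String[] args) throws Exception {
        String[] roles = {"key store", "trust store"};
        for (int i = 0; i < 2; i++) {
            KeyStore ks = load(args[i], args[2]);
            for (String line : describe(ks)) System.out.println(roles[i] + " " + args[i] + " " + line);
            for (String p : problems(ks, i == 1)) System.out.println(roles[i] + " problem: " + p);
        }
    }
}
```

Run it against the same files Elasticsearch is configured with; the describe() lines are what Java sees, independently of Search Guard, so a store whose only alias is reported as a key entry is not holding the certificate-only trust entry the configuration expects.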

Any ideas about the possible cause? Thanks in advance.
