openssl s_client -connect <server_name>:<port>
TLS Connections (Client Side)
This page explains how to obtain server certificates and import them into the midPoint truststore for SSL/TLS connections.
Introduction
Connectors, notification plugins and other parts of midPoint connect to external systems. Some of the connections are secured using SSL/TLS.
In SSL/TLS connections, the server side provides a certificate that needs to be validated on the client side. This means that midPoint needs to have a way to check the validity of the certificate provided by the SSL/TLS server. MidPoint uses the standard Java libraries to validate the certificate. Java security modules use a truststore mechanism which is closely related to keystore. The truststore is a small database of trusted certificates. When a certificate needs to be validated, Java libraries check if the issuing certificate authority (CA) and the certificates in the chain are in the truststore.
For real deployments with public or private certification authorities, all root and intermediate certificates in the chain must be imported into the midPoint keystore. |
In order to set up a secure connection to an external system, you need to:
-
Import the certificate into the truststore
Get server certificate
There are many tools you can use to get a server certificate for a SSL/TLS connection. In this guide, we are using our preferred open source library, OpenSSL (download for Windows).
-
Get the server certificate using the s_client utility:
Example: Get a server certificate
$ openssl s_client -connect deimos.lab.evolveum.com:3636 CONNECTED(00000003) depth=1 OU = Organizational CA, O = EXAMPLE-TREE verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain 0 s:/O=EXAMPLE-TREE/CN=deimos i:/OU=Organizational CA/O=EXAMPLE-TREE 1 s:/OU=Organizational CA/O=EXAMPLE-TREE i:/OU=Organizational CA/O=EXAMPLE-TREE --- Server certificate -----BEGIN CERTIFICATE----- MIIFLTCCBBWgAwIBAgIkAhwR/6b9fHPRsgM0dS4h3nlIxIQoUQDjdnEzC8MrAgJC C3WvMA0GCSqGSIb3DQEBBQUAMDMxGjAYBgNVBAsTEU9yZ2FuaXphdGlvbmFsIENB MRUwEwYDVQQKEwxFWEFNUExFLVRSRUUwHhcNMTQwNjA1MTEyNjQ3WhcNMTYwNjA0 MTEyNjQ3WjAoMRUwEwYDVQQKEwxFWEFNUExFLVRSRUUxDzANBgNVBAMTBmRlaW1v czCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJO+X5vjQ/0WNWBOTvGw +amQCQ22dVM9zfWXa5fhtBAuq5oYrnImmqnU0Xl2k0TfZjDgWcDrlh620ByNr/JV mEGUoAqIsZijbIYsb3/4C97Y9AKL8KWA5/HOxAZw7My65ydy2Wg0sgYb2wX2EHm3 E4gkcNtw9Lf1eLxCwnRmbGjUrAjXlc2e8HbP9lfRjAysGVqfEsk/JRtXmLPOqW0Y THjSp+j87OTDbFPwWPlWh/atx2/3Q/xN+kJOLx4M1PMCAp/kDzdVA0bVWm1m/RZx lpRpF2lRtdJgwP897jFurJfpubSwE7IgqKUXdkSdESpnaL62xtFnFbtEKbcsv1iR Zb0CAwEAAaOCAjIwggIuMB0GA1UdDgQWBBR9W+sIkHjmchbjgIcED+3VPBshHzAf BgNVHSMEGDAWgBScoCWoSW3ygoqk23J+4DXdx6xWGTAPBgNVHREECDAGhwQKAgEP MAsGA1UdDwQEAwIFoDCCAcwGC2CGSAGG+DcBCQQBBIIBuzCCAbcEAgEAAQH/Ex1O b3ZlbGwgU2VjdXJpdHkgQXR0cmlidXRlKHRtKRZDaHR0cDovL2RldmVsb3Blci5u b3ZlbGwuY29tL3JlcG9zaXRvcnkvYXR0cmlidXRlcy9jZXJ0YXR0cnNfdjEwLmh0 bTCCAUigGgEBADAIMAYCAQECAUYwCDAGAgEBAgEKAgFpoRoBAQAwCDAGAgEBAgEA MAgwBgIBAQIBAAIBAKIGAgEXAQH/o4IBBKBYAgECAgIA/wIBAAMNAIAAAAAAAAAA AAAAAAMJAIAAAAAAAAAAMBgwEAIBAAIIf/////////8BAQACBAbw30gwGDAQAgEA Agh//////////wEBAAIEBvDfSKFYAgECAgIA/wIBAAMNAEAAAAAAAAAAAAAAAAMJ AEAAAAAAAAAAMBgwEAIBAAIIf/////////8BAQACBBH/pv0wGDAQAgEAAgh///// /////wEBAAIEEf+m/aJOMEwCAQICAQACAgD/Aw0AgAAAAAAAAAAAAAAAAwkAgAAA AAAAAAAwEjAQAgEAAgh//////////wEBADASMBACAQACCH//////////AQEAMA0G CSqGSIb3DQEBBQUAA4IBAQAF/LlSJUz6I4UuzYivJyhcG8S4inWCB/4AkTP2rvOj iU7oZDKLUoLMZGP2mxgGYPp+nPNmN0NbFyuNoZiRmCBxvdVmABwKHHEZKCl8f+sn pw2wXPKrrZWY2PtbpJ2V815T8pAuraS1Ko08N/MZlIiZOZZpcyjq6EOTrELuaX+q tDFsCNZSfNKjqYMyrPEaYSSNIcBbWx2Ip170AA6rNqaOR5oo/N6Cw/f7GAhaon8V 3j/pLivirDLbHBmsRLjzTcaSFtdhYzWR5Xr0hGh0oVA9OaL9EZF+wtKd4yMwL0Jn g9cH8n3kIjW+d4uFbCYY/K0YX1n7l8zMiSRuRzUz5a+w -----END CERTIFICATE----- subject=/O=EXAMPLE-TREE/CN=deimos issuer=/OU=Organizational CA/O=EXAMPLE-TREE --- No client certificate CA names sent --- SSL handshake has read 2831 bytes and written 551 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 3D1D82E86E3F87CF4F5C61DF1A1C5061973B371C75EE089C1ED38FF5FAFC58F9 Session-ID-ctx: Master-Key: A58639B7067B0169C626DB8B45BD50AAF12A50A2F09BA4FC5D0112CE40E74F5CA6BD941A0F86D744AA12AA1592F450A3 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1401979683 Timeout : 300 (sec) Verify return code: 19 (self signed certificate in certificate chain) ---
You can get all server certificates in the chain by using:
openssl s_client -showcerts -connect <server_name>:<port>
If the server hosts multiple domains, use
-servername
for Server Name Indication (SNI):openssl s_client -showcerts -servername <server_name> -connect <server_name>:<port>
Example: Get all server certificates in the chain
openssl s_client -showcerts -servername google.com -connect google.com:443 Loading 'screen' into random state - done CONNECTED(00000260) depth=2 /C=US/O=Google Trust Services LLC/CN=GTS Root R1 verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/CN=*.google.com i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3 -----BEGIN CERTIFICATE----- MIIPKDCCDhCgAwIBAgIQXZPVtDG27jgQT6mqCHHkAzANBgkqhkiG9w0BAQsFADBG MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM QzETMBEGA1UEAxMKR1RTIENBIDFDMzAeFw0yNDAyMTkwODAzNTRaFw0yNDA1MTMw ODAzNTNaMBcxFTATBgNVBAMMDCouZ29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBAM13e70d+ZprybekMI9Vh+kanYwTAUYy0ziIpayXrSgf fCQLYi6WdoiGpL76ATZ1Nah3xonRK2VLo7SIMdztsBUfa6Pv0PrsJa34qc2ipr95 4K9NhUAI6dv1ka7qqAvYOIP4yQwIbFZs5b7YMr0LbvS29V3qnev7IT/Rpe1n2+nL R8DPXPYHuKtaIJTmBJ6zegf2v4x/G6MHlKQ+xMwkpoNCyqkKYRidy2f/ENxTZIFn Gq9nbebTzAozvTjYzwT/s2x1nRiGNhdcMp4pTeszmjQ9co/SBIyL2pGef39iw20p TfwYPGi1WG9kuFKkNUNzfhppQ9e5CNskKi0wM3BJE1sCAwEAAaOCDD8wggw7MA4G A1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAA MB0GA1UdDgQWBBSW6bOCv2Afuev4kI1nRbhRWOBz1DAfBgNVHSMEGDAWgBSKdH+v hc3ulc09nNDiRhTzcTUdJzBqBggrBgEFBQcBAQReMFwwJwYIKwYBBQUHMAGGG2h0 dHA6Ly9vY3NwLnBraS5nb29nL2d0czFjMzAxBggrBgEFBQcwAoYlaHR0cDovL3Br aS5nb29nL3JlcG8vY2VydHMvZ3RzMWMzLmRlcjCCCe8GA1UdEQSCCeYwggniggwq Lmdvb2dsZS5jb22CFiouYXBwZW5naW5lLmdvb2dsZS5jb22CCSouYmRuLmRldoIV Ki5vcmlnaW4tdGVzdC5iZG4uZGV2ghIqLmNsb3VkLmdvb2dsZS5jb22CGCouY3Jv d2Rzb3VyY2UuZ29vZ2xlLmNvbYIYKi5kYXRhY29tcHV0ZS5nb29nbGUuY29tggsq Lmdvb2dsZS5jYYILKi5nb29nbGUuY2yCDiouZ29vZ2xlLmNvLmlugg4qLmdvb2ds ZS5jby5qcIIOKi5nb29nbGUuY28udWuCDyouZ29vZ2xlLmNvbS5hcoIPKi5nb29n bGUuY29tLmF1gg8qLmdvb2dsZS5jb20uYnKCDyouZ29vZ2xlLmNvbS5jb4IPKi5n b29nbGUuY29tLm14gg8qLmdvb2dsZS5jb20udHKCDyouZ29vZ2xlLmNvbS52boIL Ki5nb29nbGUuZGWCCyouZ29vZ2xlLmVzggsqLmdvb2dsZS5mcoILKi5nb29nbGUu aHWCCyouZ29vZ2xlLml0ggsqLmdvb2dsZS5ubIILKi5nb29nbGUucGyCCyouZ29v Z2xlLnB0gg8qLmdvb2dsZWFwaXMuY26CESouZ29vZ2xldmlkZW8uY29tggwqLmdz dGF0aWMuY26CECouZ3N0YXRpYy1jbi5jb22CD2dvb2dsZWNuYXBwcy5jboIRKi5n b29nbGVjbmFwcHMuY26CEWdvb2dsZWFwcHMtY24uY29tghMqLmdvb2dsZWFwcHMt Y24uY29tggxna2VjbmFwcHMuY26CDiouZ2tlY25hcHBzLmNughJnb29nbGVkb3du bG9hZHMuY26CFCouZ29vZ2xlZG93bmxvYWRzLmNughByZWNhcHRjaGEubmV0LmNu ghIqLnJlY2FwdGNoYS5uZXQuY26CEHJlY2FwdGNoYS1jbi5uZXSCEioucmVjYXB0 Y2hhLWNuLm5ldIILd2lkZXZpbmUuY26CDSoud2lkZXZpbmUuY26CEWFtcHByb2pl Y3Qub3JnLmNughMqLmFtcHByb2plY3Qub3JnLmNughFhbXBwcm9qZWN0Lm5ldC5j boITKi5hbXBwcm9qZWN0Lm5ldC5jboIXZ29vZ2xlLWFuYWx5dGljcy1jbi5jb22C GSouZ29vZ2xlLWFuYWx5dGljcy1jbi5jb22CF2dvb2dsZWFkc2VydmljZXMtY24u Y29tghkqLmdvb2dsZWFkc2VydmljZXMtY24uY29tghFnb29nbGV2YWRzLWNuLmNv bYITKi5nb29nbGV2YWRzLWNuLmNvbYIRZ29vZ2xlYXBpcy1jbi5jb22CEyouZ29v Z2xlYXBpcy1jbi5jb22CFWdvb2dsZW9wdGltaXplLWNuLmNvbYIXKi5nb29nbGVv cHRpbWl6ZS1jbi5jb22CEmRvdWJsZWNsaWNrLWNuLm5ldIIUKi5kb3VibGVjbGlj ay1jbi5uZXSCGCouZmxzLmRvdWJsZWNsaWNrLWNuLm5ldIIWKi5nLmRvdWJsZWNs aWNrLWNuLm5ldIIOZG91YmxlY2xpY2suY26CECouZG91YmxlY2xpY2suY26CFCou ZmxzLmRvdWJsZWNsaWNrLmNughIqLmcuZG91YmxlY2xpY2suY26CEWRhcnRzZWFy Y2gtY24ubmV0ghMqLmRhcnRzZWFyY2gtY24ubmV0gh1nb29nbGV0cmF2ZWxhZHNl cnZpY2VzLWNuLmNvbYIfKi5nb29nbGV0cmF2ZWxhZHNlcnZpY2VzLWNuLmNvbYIY Z29vZ2xldGFnc2VydmljZXMtY24uY29tghoqLmdvb2dsZXRhZ3NlcnZpY2VzLWNu LmNvbYIXZ29vZ2xldGFnbWFuYWdlci1jbi5jb22CGSouZ29vZ2xldGFnbWFuYWdl ci1jbi5jb22CGGdvb2dsZXN5bmRpY2F0aW9uLWNuLmNvbYIaKi5nb29nbGVzeW5k aWNhdGlvbi1jbi5jb22CJCouc2FmZWZyYW1lLmdvb2dsZXN5bmRpY2F0aW9uLWNu LmNvbYIWYXBwLW1lYXN1cmVtZW50LWNuLmNvbYIYKi5hcHAtbWVhc3VyZW1lbnQt Y24uY29tggtndnQxLWNuLmNvbYINKi5ndnQxLWNuLmNvbYILZ3Z0Mi1jbi5jb22C DSouZ3Z0Mi1jbi5jb22CCzJtZG4tY24ubmV0gg0qLjJtZG4tY24ubmV0ghRnb29n bGVmbGlnaHRzLWNuLm5ldIIWKi5nb29nbGVmbGlnaHRzLWNuLm5ldIIMYWRtb2It Y24uY29tgg4qLmFkbW9iLWNuLmNvbYIUZ29vZ2xlc2FuZGJveC1jbi5jb22CFiou Z29vZ2xlc2FuZGJveC1jbi5jb22CHiouc2FmZW51cC5nb29nbGVzYW5kYm94LWNu LmNvbYINKi5nc3RhdGljLmNvbYIUKi5tZXRyaWMuZ3N0YXRpYy5jb22CCiouZ3Z0 MS5jb22CESouZ2NwY2RuLmd2dDEuY29tggoqLmd2dDIuY29tgg4qLmdjcC5ndnQy LmNvbYIQKi51cmwuZ29vZ2xlLmNvbYIWKi55b3V0dWJlLW5vY29va2llLmNvbYIL Ki55dGltZy5jb22CC2FuZHJvaWQuY29tgg0qLmFuZHJvaWQuY29tghMqLmZsYXNo LmFuZHJvaWQuY29tggRnLmNuggYqLmcuY26CBGcuY2+CBiouZy5jb4IGZ29vLmds ggp3d3cuZ29vLmdsghRnb29nbGUtYW5hbHl0aWNzLmNvbYIWKi5nb29nbGUtYW5h bHl0aWNzLmNvbYIKZ29vZ2xlLmNvbYISZ29vZ2xlY29tbWVyY2UuY29tghQqLmdv b2dsZWNvbW1lcmNlLmNvbYIIZ2dwaHQuY26CCiouZ2dwaHQuY26CCnVyY2hpbi5j b22CDCoudXJjaGluLmNvbYIIeW91dHUuYmWCC3lvdXR1YmUuY29tgg0qLnlvdXR1 YmUuY29tghR5b3V0dWJlZWR1Y2F0aW9uLmNvbYIWKi55b3V0dWJlZWR1Y2F0aW9u LmNvbYIPeW91dHViZWtpZHMuY29tghEqLnlvdXR1YmVraWRzLmNvbYIFeXQuYmWC ByoueXQuYmWCGmFuZHJvaWQuY2xpZW50cy5nb29nbGUuY29tghtkZXZlbG9wZXIu YW5kcm9pZC5nb29nbGUuY26CHGRldmVsb3BlcnMuYW5kcm9pZC5nb29nbGUuY26C GHNvdXJjZS5hbmRyb2lkLmdvb2dsZS5jboIaZGV2ZWxvcGVyLmNocm9tZS5nb29n bGUuY26CGHdlYi5kZXZlbG9wZXJzLmdvb2dsZS5jbjAhBgNVHSAEGjAYMAgGBmeB DAECATAMBgorBgEEAdZ5AgUDMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmxz LnBraS5nb29nL2d0czFjMy9mVkp4YlYtS3Rtay5jcmwwggEEBgorBgEEAdZ5AgQC BIH1BIHyAPAAdgBIsONr2qZHNA/lagL6nTDrHFIBy1bdLIHZu7+rOdiEcwAAAY3A m5XyAAAEAwBHMEUCIHlRkebho8dI/RUCwPRapoKiOcIhvQddNeZP81myigtOAiEA 5XNQPZzw0tjFVzTllWCJXqM6MjM0Sm0q6ZmII5nDcscAdgDuzdBk1dsazsVct520 zROiModGfLzs3sNRSFlGcR+1mwAAAY3Am5XMAAAEAwBHMEUCIHs6XwsGtdpSkEYl lrO1q1mqi9ylrfpYWfGCyVJQ4f8uAiEAzujxJjpjIOr7Fs58+Oaij3A+sahNS9aa asn5gcHigRIwDQYJKoZIhvcNAQELBQADggEBAIHJiBhis3ZzX4/Wk/K/tdjCnNtv blcljLZZ86OeUoAYB1dnZmEEqT3zPm93FlUxe77ghE3fPw9xVSlUHSZ3UaELBS+w n/x8ZHB//nDH9Vdwv+oG9O9DT+O4sLpQHSHOJRgbQJCk7+K5BbVWzp+zdNkJzUzX M0twXORS0OnUSOBxm+JNgsjDrLlYhSDLO1kinRoeyX27A28CWWP7RTyXs2G4KZAW T/VI+eLUSjrDk+jTFP1bYKOTa0hRcrAGWjqT66KUpjHvun32QbItamtsLEpX9VAH mLyeS0SHUGaGBNgcPQk8ejUaHMUJkadjrDjf1mC02JdHzsqUl3NuGZ8avR4= -----END CERTIFICATE----- 1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3 i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1 -----BEGIN CERTIFICATE----- MIIFljCCA36gAwIBAgINAgO8U1lrNMcY9QFQZjANBgkqhkiG9w0BAQsFADBHMQsw CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMjAwODEzMDAwMDQyWhcNMjcwOTMwMDAw MDQyWjBGMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp Y2VzIExMQzETMBEGA1UEAxMKR1RTIENBIDFDMzCCASIwDQYJKoZIhvcNAQEBBQAD ggEPADCCAQoCggEBAPWI3+dijB43+DdCkH9sh9D7ZYIl/ejLa6T/belaI+KZ9hzp kgOZE3wJCor6QtZeViSqejOEH9Hpabu5dOxXTGZok3c3VVP+ORBNtzS7XyV3NzsX lOo85Z3VvMO0Q+sup0fvsEQRY9i0QYXdQTBIkxu/t/bgRQIh4JZCF8/ZK2VWNAcm BA2o/X3KLu/qSHw3TT8An4Pf73WELnlXXPxXbhqW//yMmqaZviXZf5YsBvcRKgKA gOtjGDxQSYflispfGStZloEAoPtR28p3CwvJlk/vcEnHXG0g/Zm0tOLKLnf9LdwL tmsTDIwZKxeWmLnwi/agJ7u2441Rj72ux5uxiZ0CAwEAAaOCAYAwggF8MA4GA1Ud DwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0T AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUinR/r4XN7pXNPZzQ4kYU83E1HScwHwYD VR0jBBgwFoAU5K8rJnEaK0gnhS9SZizv8IkTcT4waAYIKwYBBQUHAQEEXDBaMCYG CCsGAQUFBzABhhpodHRwOi8vb2NzcC5wa2kuZ29vZy9ndHNyMTAwBggrBgEFBQcw AoYkaHR0cDovL3BraS5nb29nL3JlcG8vY2VydHMvZ3RzcjEuZGVyMDQGA1UdHwQt MCswKaAnoCWGI2h0dHA6Ly9jcmwucGtpLmdvb2cvZ3RzcjEvZ3RzcjEuY3JsMFcG A1UdIARQME4wOAYKKwYBBAHWeQIFAzAqMCgGCCsGAQUFBwIBFhxodHRwczovL3Br aS5nb29nL3JlcG9zaXRvcnkvMAgGBmeBDAECATAIBgZngQwBAgIwDQYJKoZIhvcN AQELBQADggIBAIl9rCBcDDy+mqhXlRu0rvqrpXJxtDaV/d9AEQNMwkYUuxQkq/BQ cSLbrcRuf8/xam/IgxvYzolfh2yHuKkMo5uhYpSTld9brmYZCwKWnvy15xBpPnrL RklfRuFBsdeYTWU0AIAaP0+fbH9JAIFTQaSSIYKCGvGjRFsqUBITTcFTNvNCCK9U +o53UxtkOCcXCb1YyRt8OS1b887U7ZfbFAO/CVMkH8IMBHmYJvJh8VNS/UKMG2Yr PxWhu//2m+OBmgEGcYk1KCTd4b3rGS3hSMs9WYNRtHTGnXzGsYZbr8w0xNPM1IER lQCh9BIiAfq0g3GvjLeMcySsN1PCAJA/Ef5c7TaUEDu9Ka7ixzpiO2xj2YC/WXGs Yye5TBeg2vZzFb8q3o/zpWwygTMD0IZRcZk0upONXbVRWPeyk+gB9lm+cZv9TSjO z23HFtz30dZGm6fKa+l3D/2gthsjgx0QGtkJAITgRNOidSOzNIb2ILCkXhAd4FJG AJ2xDx8hcFH1mt0G/FX0Kw4zd8NLQsLxdxP8c4CU6x+7Nz/OAipmsHMdMqUybDKw juDEI/9bfU1lcKwrmz3O2+BtjjKAvpafkmO8l7tdufThcV4q5O8DIrGKZTqPwJNl 1IXNDw9bg1kWRxYtnCQ6yICmJhSFm/Y3m6xv+cXDBlHz4n/FsRC6UfTd -----END CERTIFICATE----- 2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1 i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA -----BEGIN CERTIFICATE----- MIIFYjCCBEqgAwIBAgIQd70NbNs2+RrqIQ/E8FjTDTANBgkqhkiG9w0BAQsFADBX MQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEQMA4GA1UE CxMHUm9vdCBDQTEbMBkGA1UEAxMSR2xvYmFsU2lnbiBSb290IENBMB4XDTIwMDYx OTAwMDA0MloXDTI4MDEyODAwMDA0MlowRzELMAkGA1UEBhMCVVMxIjAgBgNVBAoT GUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dUUyBSb290IFIx MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAthECix7joXebO9y/lD63 ladAPKH9gvl9MgaCcfb2jH/76Nu8ai6Xl6OMS/kr9rH5zoQdsfnFl97vufKj6bwS iV6nqlKr+CMny6SxnGPb15l+8Ape62im9MZaRw1NEDPjTrETo8gYbEvs/AmQ351k KSUjB6G00j0uYODP0gmHu81I8E3CwnqIiru6z1kZ1q+PsAewnjHxgsHA3y6mbWwZ DrXYfiYaRQM9sHmklCitD38m5agI/pboPGiUU+6DOogrFZYJsuB6jC511pzrp1Zk j5ZPaK49l8KEj8C8QMALXL32h7M1bKwYUH+E4EzNktMg6TO8UpmvMrUpsyUqtEj5 cuHKZPfmghCN6J3Cioj6OGaK/GP5Afl4/Xtcd/p2h/rs37EOeZVXtL0m79YB0esW CruOC7XFxYpVq9Os6pFLKcwZpDIlTirxZUTQAs6qzkm06p98g7BAe+dDq6dso499 iYH6TKX/1Y7DzkvgtdizjkXPdsDtQCv9Uw+wp9U7DbGKogPeMa3Md+pvez7W35Ei Eua++tgy/BBjFFFy3l3WFpO9KWgz7zpm7AeKJt8T11dleCfeXkkUAKIAf5qoIbap sZWwpbkNFhHax2xIPEDgfg1azVY80ZcFuctL7TlLnMQ/0lUTbiSw1nH69MG6zO0b 9f6BQdgAmD06yK56mDcYBZUCAwEAAaOCATgwggE0MA4GA1UdDwEB/wQEAwIBhjAP BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTkrysmcRorSCeFL1JmLO/wiRNxPjAf BgNVHSMEGDAWgBRge2YaRQ2XyolQL30EzTSo//z9SzBgBggrBgEFBQcBAQRUMFIw JQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnBraS5nb29nL2dzcjEwKQYIKwYBBQUH MAKGHWh0dHA6Ly9wa2kuZ29vZy9nc3IxL2dzcjEuY3J0MDIGA1UdHwQrMCkwJ6Al oCOGIWh0dHA6Ly9jcmwucGtpLmdvb2cvZ3NyMS9nc3IxLmNybDA7BgNVHSAENDAy MAgGBmeBDAECATAIBgZngQwBAgIwDQYLKwYBBAHWeQIFAwIwDQYLKwYBBAHWeQIF AwMwDQYJKoZIhvcNAQELBQADggEBADSkHrEoo9C0dhemMXoh6dFSPsjbdBZBiLg9 NR3t5P+T4Vxfq7vqfM/b5A3Ri1fyJm9bvhdGaJQ3b2t6yMAYN/olUazsaL+yyEn9 WprKASOshIArAoyZl+tJaox118fessmXn1hIVw41oeQa1v1vg4Fv74zPl6/AhSrw 9U5pCZEt4Wi4wStz6dTZ/CLANx8LZh1J7QJVj2fhMtfTJr9w4z30Z209fOU0iOMy +qduBmpvvYuR7hZL6Dupszfnw0Skfths18dG9ZKb59UhvmaSGZRVbNQpsg3BZlvi d0lIKO2d1xozclOzgjXPYovJJIultzkMu34qQb9Sz/yilrbCgj8= -----END CERTIFICATE----- --- Server certificate subject=/CN=*.google.com issuer=/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3 --- No client certificate CA names sent --- SSL handshake has read 7076 bytes and written 439 bytes --- New, TLSv1/SSLv3, Cipher is AES128-SHA Server public key is 2048 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES128-SHA Session-ID: Session-ID-ctx: Master-Key: 4F24E1D13BF6CA43603CB185446DCB8AB1F57CBCC128B2A15C0F4186DFC517ECFF60FFBC472D0FCE6175584565790B31 Key-Arg : None TLS session ticket lifetime hint: 100800 (seconds) TLS session ticket: 0000 - 02 4b 12 f2 f4 b7 98 7b-7d 30 dd 33 1f bd 28 ca .K.....{}0.3..(. 0010 - a8 27 ef cf 8d 8f 73 5d-7f 78 fd 67 cb 97 a6 c6 .'....s].x.g.... 0020 - dc 23 3c 29 f5 7c 6a b8-53 e6 30 6d 1a 14 61 22 .#<).|j.S.0m..a" 0030 - 14 01 45 2a e4 98 6b 0e-35 fd 46 17 d8 81 c2 d5 ..E*..k.5.F..... 0040 - d2 06 5f 1a 0a 32 1f 9e-64 b1 7e 9a af 50 09 bd .._..2..d.~..P.. 0050 - 89 26 62 08 84 6c 80 fa-d6 43 09 63 44 b4 9a 94 .&b..l...C.cD... 0060 - 2b d1 7e 33 73 73 6b 9e-a5 99 af 88 1e 70 7d 0c +.~3ssk......p}. 0070 - 5b 72 51 0e 00 e4 6c ae-20 12 ff 4b 01 af 70 69 [rQ...l. ..K..pi 0080 - 81 4f 42 cd 95 9e fe 2c-7a 3f 45 a4 21 ad 23 60 .OB....,z?E.!.#` 0090 - f4 b3 37 84 69 55 95 9f-69 ec 21 6a 7a 5b da 74 ..7.iU..i.!jz[.t 00a0 - 66 9c 60 3f cc 5a fc 5c-b2 b6 aa db 50 06 31 22 f.`?.Z.\....P.1" 00b0 - 90 f4 39 73 05 cf 99 f8-3c 05 77 6e 93 a7 95 9b ..9s....<.wn.... 00c0 - 26 e8 59 84 f6 d1 21 ce-c0 b0 db 3e 15 b4 4b 33 &.Y...!....>..K3 00d0 - 46 52 41 e2 19 9e 45 2e-06 e2 6d FRA...E...m Start Time: 1710417148 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) ---
-
Copy the server certificate, including the
-----BEGIN CERTIFICATE-----
and-----END CERTIFICATE-----
lines, and paste it into a separate file, e.g.,servercert.pem
.
Import certificate
-
Import the server certificate to your truststore using the keytool utility:
keytool -keystore <path_to_truststore> -storetype jceks -storepass <truststore_password> -import -alias <alias_name> -trustcacerts -file <path_to_certificate_file>
Examplekeytool -keystore /opt/midpoint/var/keystore.jceks -storetype jceks -storepass changeit -import -alias servercert -trustcacerts -file servercert.pem
-
Restart midPoint.
|