TLS Connections (Client Side)

Last modified 29 May 2024 12:41 +02:00

Connectors, notification plugins and other parts of midPoint connect to external systems. Some of the connections are secured using SSL/TLS. In SSL/TLS connections the server side provides a certificate that needs to be validated on the client side. This means that midPoint needs to have a way how to check validity of the certificate provided by SSL/TLS server. MidPoint is using standard Java libraries to validate the certificate. Java security modules are using a truststore mechanism which is closely related to keystore. The truststore is a small database of trusted certificates. When a certificate needs to be validate Java libraries check if the certificates the authority in chain that issues are in the truststore.

For real deployments with public or private certification authorities all root and intermediate certificates in chain must be imported into midPoint keystore.

The following procedure describes how to get server certificate and import it into the trustore which makes it a trusted certificate. Basic steps to do:

  1. Getting server certificate

  2. Import the certificate

Getting server certificate

There are many tools to get a server certificate from SSL/TLS connection. We prefer to use opensource library OpenSSL (openssl library for windows can be downloaded here) . It has a nice s_client utility to do this.

Example how to obtain all server certificates in chain:

openssl s_client -showcerts -servername google.com -connect google.com:443
Loading 'screen' into random state - done
CONNECTED(00000260)
depth=2 /C=US/O=Google Trust Services LLC/CN=GTS Root R1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=*.google.com
   i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
-----BEGIN CERTIFICATE-----
MIIPKDCCDhCgAwIBAgIQXZPVtDG27jgQT6mqCHHkAzANBgkqhkiG9w0BAQsFADBG
MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM
QzETMBEGA1UEAxMKR1RTIENBIDFDMzAeFw0yNDAyMTkwODAzNTRaFw0yNDA1MTMw
ODAzNTNaMBcxFTATBgNVBAMMDCouZ29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAM13e70d+ZprybekMI9Vh+kanYwTAUYy0ziIpayXrSgf
fCQLYi6WdoiGpL76ATZ1Nah3xonRK2VLo7SIMdztsBUfa6Pv0PrsJa34qc2ipr95
4K9NhUAI6dv1ka7qqAvYOIP4yQwIbFZs5b7YMr0LbvS29V3qnev7IT/Rpe1n2+nL
R8DPXPYHuKtaIJTmBJ6zegf2v4x/G6MHlKQ+xMwkpoNCyqkKYRidy2f/ENxTZIFn
Gq9nbebTzAozvTjYzwT/s2x1nRiGNhdcMp4pTeszmjQ9co/SBIyL2pGef39iw20p
TfwYPGi1WG9kuFKkNUNzfhppQ9e5CNskKi0wM3BJE1sCAwEAAaOCDD8wggw7MA4G
A1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAA
MB0GA1UdDgQWBBSW6bOCv2Afuev4kI1nRbhRWOBz1DAfBgNVHSMEGDAWgBSKdH+v
hc3ulc09nNDiRhTzcTUdJzBqBggrBgEFBQcBAQReMFwwJwYIKwYBBQUHMAGGG2h0
dHA6Ly9vY3NwLnBraS5nb29nL2d0czFjMzAxBggrBgEFBQcwAoYlaHR0cDovL3Br
aS5nb29nL3JlcG8vY2VydHMvZ3RzMWMzLmRlcjCCCe8GA1UdEQSCCeYwggniggwq
Lmdvb2dsZS5jb22CFiouYXBwZW5naW5lLmdvb2dsZS5jb22CCSouYmRuLmRldoIV
Ki5vcmlnaW4tdGVzdC5iZG4uZGV2ghIqLmNsb3VkLmdvb2dsZS5jb22CGCouY3Jv
d2Rzb3VyY2UuZ29vZ2xlLmNvbYIYKi5kYXRhY29tcHV0ZS5nb29nbGUuY29tggsq
Lmdvb2dsZS5jYYILKi5nb29nbGUuY2yCDiouZ29vZ2xlLmNvLmlugg4qLmdvb2ds
ZS5jby5qcIIOKi5nb29nbGUuY28udWuCDyouZ29vZ2xlLmNvbS5hcoIPKi5nb29n
bGUuY29tLmF1gg8qLmdvb2dsZS5jb20uYnKCDyouZ29vZ2xlLmNvbS5jb4IPKi5n
b29nbGUuY29tLm14gg8qLmdvb2dsZS5jb20udHKCDyouZ29vZ2xlLmNvbS52boIL
Ki5nb29nbGUuZGWCCyouZ29vZ2xlLmVzggsqLmdvb2dsZS5mcoILKi5nb29nbGUu
aHWCCyouZ29vZ2xlLml0ggsqLmdvb2dsZS5ubIILKi5nb29nbGUucGyCCyouZ29v
Z2xlLnB0gg8qLmdvb2dsZWFwaXMuY26CESouZ29vZ2xldmlkZW8uY29tggwqLmdz
dGF0aWMuY26CECouZ3N0YXRpYy1jbi5jb22CD2dvb2dsZWNuYXBwcy5jboIRKi5n
b29nbGVjbmFwcHMuY26CEWdvb2dsZWFwcHMtY24uY29tghMqLmdvb2dsZWFwcHMt
Y24uY29tggxna2VjbmFwcHMuY26CDiouZ2tlY25hcHBzLmNughJnb29nbGVkb3du
bG9hZHMuY26CFCouZ29vZ2xlZG93bmxvYWRzLmNughByZWNhcHRjaGEubmV0LmNu
ghIqLnJlY2FwdGNoYS5uZXQuY26CEHJlY2FwdGNoYS1jbi5uZXSCEioucmVjYXB0
Y2hhLWNuLm5ldIILd2lkZXZpbmUuY26CDSoud2lkZXZpbmUuY26CEWFtcHByb2pl
Y3Qub3JnLmNughMqLmFtcHByb2plY3Qub3JnLmNughFhbXBwcm9qZWN0Lm5ldC5j
boITKi5hbXBwcm9qZWN0Lm5ldC5jboIXZ29vZ2xlLWFuYWx5dGljcy1jbi5jb22C
GSouZ29vZ2xlLWFuYWx5dGljcy1jbi5jb22CF2dvb2dsZWFkc2VydmljZXMtY24u
Y29tghkqLmdvb2dsZWFkc2VydmljZXMtY24uY29tghFnb29nbGV2YWRzLWNuLmNv
bYITKi5nb29nbGV2YWRzLWNuLmNvbYIRZ29vZ2xlYXBpcy1jbi5jb22CEyouZ29v
Z2xlYXBpcy1jbi5jb22CFWdvb2dsZW9wdGltaXplLWNuLmNvbYIXKi5nb29nbGVv
cHRpbWl6ZS1jbi5jb22CEmRvdWJsZWNsaWNrLWNuLm5ldIIUKi5kb3VibGVjbGlj
ay1jbi5uZXSCGCouZmxzLmRvdWJsZWNsaWNrLWNuLm5ldIIWKi5nLmRvdWJsZWNs
aWNrLWNuLm5ldIIOZG91YmxlY2xpY2suY26CECouZG91YmxlY2xpY2suY26CFCou
ZmxzLmRvdWJsZWNsaWNrLmNughIqLmcuZG91YmxlY2xpY2suY26CEWRhcnRzZWFy
Y2gtY24ubmV0ghMqLmRhcnRzZWFyY2gtY24ubmV0gh1nb29nbGV0cmF2ZWxhZHNl
cnZpY2VzLWNuLmNvbYIfKi5nb29nbGV0cmF2ZWxhZHNlcnZpY2VzLWNuLmNvbYIY
Z29vZ2xldGFnc2VydmljZXMtY24uY29tghoqLmdvb2dsZXRhZ3NlcnZpY2VzLWNu
LmNvbYIXZ29vZ2xldGFnbWFuYWdlci1jbi5jb22CGSouZ29vZ2xldGFnbWFuYWdl
ci1jbi5jb22CGGdvb2dsZXN5bmRpY2F0aW9uLWNuLmNvbYIaKi5nb29nbGVzeW5k
aWNhdGlvbi1jbi5jb22CJCouc2FmZWZyYW1lLmdvb2dsZXN5bmRpY2F0aW9uLWNu
LmNvbYIWYXBwLW1lYXN1cmVtZW50LWNuLmNvbYIYKi5hcHAtbWVhc3VyZW1lbnQt
Y24uY29tggtndnQxLWNuLmNvbYINKi5ndnQxLWNuLmNvbYILZ3Z0Mi1jbi5jb22C
DSouZ3Z0Mi1jbi5jb22CCzJtZG4tY24ubmV0gg0qLjJtZG4tY24ubmV0ghRnb29n
bGVmbGlnaHRzLWNuLm5ldIIWKi5nb29nbGVmbGlnaHRzLWNuLm5ldIIMYWRtb2It
Y24uY29tgg4qLmFkbW9iLWNuLmNvbYIUZ29vZ2xlc2FuZGJveC1jbi5jb22CFiou
Z29vZ2xlc2FuZGJveC1jbi5jb22CHiouc2FmZW51cC5nb29nbGVzYW5kYm94LWNu
LmNvbYINKi5nc3RhdGljLmNvbYIUKi5tZXRyaWMuZ3N0YXRpYy5jb22CCiouZ3Z0
MS5jb22CESouZ2NwY2RuLmd2dDEuY29tggoqLmd2dDIuY29tgg4qLmdjcC5ndnQy
LmNvbYIQKi51cmwuZ29vZ2xlLmNvbYIWKi55b3V0dWJlLW5vY29va2llLmNvbYIL
Ki55dGltZy5jb22CC2FuZHJvaWQuY29tgg0qLmFuZHJvaWQuY29tghMqLmZsYXNo
LmFuZHJvaWQuY29tggRnLmNuggYqLmcuY26CBGcuY2+CBiouZy5jb4IGZ29vLmds
ggp3d3cuZ29vLmdsghRnb29nbGUtYW5hbHl0aWNzLmNvbYIWKi5nb29nbGUtYW5h
bHl0aWNzLmNvbYIKZ29vZ2xlLmNvbYISZ29vZ2xlY29tbWVyY2UuY29tghQqLmdv
b2dsZWNvbW1lcmNlLmNvbYIIZ2dwaHQuY26CCiouZ2dwaHQuY26CCnVyY2hpbi5j
b22CDCoudXJjaGluLmNvbYIIeW91dHUuYmWCC3lvdXR1YmUuY29tgg0qLnlvdXR1
YmUuY29tghR5b3V0dWJlZWR1Y2F0aW9uLmNvbYIWKi55b3V0dWJlZWR1Y2F0aW9u
LmNvbYIPeW91dHViZWtpZHMuY29tghEqLnlvdXR1YmVraWRzLmNvbYIFeXQuYmWC
ByoueXQuYmWCGmFuZHJvaWQuY2xpZW50cy5nb29nbGUuY29tghtkZXZlbG9wZXIu
YW5kcm9pZC5nb29nbGUuY26CHGRldmVsb3BlcnMuYW5kcm9pZC5nb29nbGUuY26C
GHNvdXJjZS5hbmRyb2lkLmdvb2dsZS5jboIaZGV2ZWxvcGVyLmNocm9tZS5nb29n
bGUuY26CGHdlYi5kZXZlbG9wZXJzLmdvb2dsZS5jbjAhBgNVHSAEGjAYMAgGBmeB
DAECATAMBgorBgEEAdZ5AgUDMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmxz
LnBraS5nb29nL2d0czFjMy9mVkp4YlYtS3Rtay5jcmwwggEEBgorBgEEAdZ5AgQC
BIH1BIHyAPAAdgBIsONr2qZHNA/lagL6nTDrHFIBy1bdLIHZu7+rOdiEcwAAAY3A
m5XyAAAEAwBHMEUCIHlRkebho8dI/RUCwPRapoKiOcIhvQddNeZP81myigtOAiEA
5XNQPZzw0tjFVzTllWCJXqM6MjM0Sm0q6ZmII5nDcscAdgDuzdBk1dsazsVct520
zROiModGfLzs3sNRSFlGcR+1mwAAAY3Am5XMAAAEAwBHMEUCIHs6XwsGtdpSkEYl
lrO1q1mqi9ylrfpYWfGCyVJQ4f8uAiEAzujxJjpjIOr7Fs58+Oaij3A+sahNS9aa
asn5gcHigRIwDQYJKoZIhvcNAQELBQADggEBAIHJiBhis3ZzX4/Wk/K/tdjCnNtv
blcljLZZ86OeUoAYB1dnZmEEqT3zPm93FlUxe77ghE3fPw9xVSlUHSZ3UaELBS+w
n/x8ZHB//nDH9Vdwv+oG9O9DT+O4sLpQHSHOJRgbQJCk7+K5BbVWzp+zdNkJzUzX
M0twXORS0OnUSOBxm+JNgsjDrLlYhSDLO1kinRoeyX27A28CWWP7RTyXs2G4KZAW
T/VI+eLUSjrDk+jTFP1bYKOTa0hRcrAGWjqT66KUpjHvun32QbItamtsLEpX9VAH
mLyeS0SHUGaGBNgcPQk8ejUaHMUJkadjrDjf1mC02JdHzsqUl3NuGZ8avR4=
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
   i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
-----BEGIN CERTIFICATE-----
MIIFljCCA36gAwIBAgINAgO8U1lrNMcY9QFQZjANBgkqhkiG9w0BAQsFADBHMQsw
CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMjAwODEzMDAwMDQyWhcNMjcwOTMwMDAw
MDQyWjBGMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp
Y2VzIExMQzETMBEGA1UEAxMKR1RTIENBIDFDMzCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAPWI3+dijB43+DdCkH9sh9D7ZYIl/ejLa6T/belaI+KZ9hzp
kgOZE3wJCor6QtZeViSqejOEH9Hpabu5dOxXTGZok3c3VVP+ORBNtzS7XyV3NzsX
lOo85Z3VvMO0Q+sup0fvsEQRY9i0QYXdQTBIkxu/t/bgRQIh4JZCF8/ZK2VWNAcm
BA2o/X3KLu/qSHw3TT8An4Pf73WELnlXXPxXbhqW//yMmqaZviXZf5YsBvcRKgKA
gOtjGDxQSYflispfGStZloEAoPtR28p3CwvJlk/vcEnHXG0g/Zm0tOLKLnf9LdwL
tmsTDIwZKxeWmLnwi/agJ7u2441Rj72ux5uxiZ0CAwEAAaOCAYAwggF8MA4GA1Ud
DwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0T
AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUinR/r4XN7pXNPZzQ4kYU83E1HScwHwYD
VR0jBBgwFoAU5K8rJnEaK0gnhS9SZizv8IkTcT4waAYIKwYBBQUHAQEEXDBaMCYG
CCsGAQUFBzABhhpodHRwOi8vb2NzcC5wa2kuZ29vZy9ndHNyMTAwBggrBgEFBQcw
AoYkaHR0cDovL3BraS5nb29nL3JlcG8vY2VydHMvZ3RzcjEuZGVyMDQGA1UdHwQt
MCswKaAnoCWGI2h0dHA6Ly9jcmwucGtpLmdvb2cvZ3RzcjEvZ3RzcjEuY3JsMFcG
A1UdIARQME4wOAYKKwYBBAHWeQIFAzAqMCgGCCsGAQUFBwIBFhxodHRwczovL3Br
aS5nb29nL3JlcG9zaXRvcnkvMAgGBmeBDAECATAIBgZngQwBAgIwDQYJKoZIhvcN
AQELBQADggIBAIl9rCBcDDy+mqhXlRu0rvqrpXJxtDaV/d9AEQNMwkYUuxQkq/BQ
cSLbrcRuf8/xam/IgxvYzolfh2yHuKkMo5uhYpSTld9brmYZCwKWnvy15xBpPnrL
RklfRuFBsdeYTWU0AIAaP0+fbH9JAIFTQaSSIYKCGvGjRFsqUBITTcFTNvNCCK9U
+o53UxtkOCcXCb1YyRt8OS1b887U7ZfbFAO/CVMkH8IMBHmYJvJh8VNS/UKMG2Yr
PxWhu//2m+OBmgEGcYk1KCTd4b3rGS3hSMs9WYNRtHTGnXzGsYZbr8w0xNPM1IER
lQCh9BIiAfq0g3GvjLeMcySsN1PCAJA/Ef5c7TaUEDu9Ka7ixzpiO2xj2YC/WXGs
Yye5TBeg2vZzFb8q3o/zpWwygTMD0IZRcZk0upONXbVRWPeyk+gB9lm+cZv9TSjO
z23HFtz30dZGm6fKa+l3D/2gthsjgx0QGtkJAITgRNOidSOzNIb2ILCkXhAd4FJG
AJ2xDx8hcFH1mt0G/FX0Kw4zd8NLQsLxdxP8c4CU6x+7Nz/OAipmsHMdMqUybDKw
juDEI/9bfU1lcKwrmz3O2+BtjjKAvpafkmO8l7tdufThcV4q5O8DIrGKZTqPwJNl
1IXNDw9bg1kWRxYtnCQ6yICmJhSFm/Y3m6xv+cXDBlHz4n/FsRC6UfTd
-----END CERTIFICATE-----
 2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
MIIFYjCCBEqgAwIBAgIQd70NbNs2+RrqIQ/E8FjTDTANBgkqhkiG9w0BAQsFADBX
MQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEQMA4GA1UE
CxMHUm9vdCBDQTEbMBkGA1UEAxMSR2xvYmFsU2lnbiBSb290IENBMB4XDTIwMDYx
OTAwMDA0MloXDTI4MDEyODAwMDA0MlowRzELMAkGA1UEBhMCVVMxIjAgBgNVBAoT
GUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dUUyBSb290IFIx
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAthECix7joXebO9y/lD63
ladAPKH9gvl9MgaCcfb2jH/76Nu8ai6Xl6OMS/kr9rH5zoQdsfnFl97vufKj6bwS
iV6nqlKr+CMny6SxnGPb15l+8Ape62im9MZaRw1NEDPjTrETo8gYbEvs/AmQ351k
KSUjB6G00j0uYODP0gmHu81I8E3CwnqIiru6z1kZ1q+PsAewnjHxgsHA3y6mbWwZ
DrXYfiYaRQM9sHmklCitD38m5agI/pboPGiUU+6DOogrFZYJsuB6jC511pzrp1Zk
j5ZPaK49l8KEj8C8QMALXL32h7M1bKwYUH+E4EzNktMg6TO8UpmvMrUpsyUqtEj5
cuHKZPfmghCN6J3Cioj6OGaK/GP5Afl4/Xtcd/p2h/rs37EOeZVXtL0m79YB0esW
CruOC7XFxYpVq9Os6pFLKcwZpDIlTirxZUTQAs6qzkm06p98g7BAe+dDq6dso499
iYH6TKX/1Y7DzkvgtdizjkXPdsDtQCv9Uw+wp9U7DbGKogPeMa3Md+pvez7W35Ei
Eua++tgy/BBjFFFy3l3WFpO9KWgz7zpm7AeKJt8T11dleCfeXkkUAKIAf5qoIbap
sZWwpbkNFhHax2xIPEDgfg1azVY80ZcFuctL7TlLnMQ/0lUTbiSw1nH69MG6zO0b
9f6BQdgAmD06yK56mDcYBZUCAwEAAaOCATgwggE0MA4GA1UdDwEB/wQEAwIBhjAP
BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTkrysmcRorSCeFL1JmLO/wiRNxPjAf
BgNVHSMEGDAWgBRge2YaRQ2XyolQL30EzTSo//z9SzBgBggrBgEFBQcBAQRUMFIw
JQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnBraS5nb29nL2dzcjEwKQYIKwYBBQUH
MAKGHWh0dHA6Ly9wa2kuZ29vZy9nc3IxL2dzcjEuY3J0MDIGA1UdHwQrMCkwJ6Al
oCOGIWh0dHA6Ly9jcmwucGtpLmdvb2cvZ3NyMS9nc3IxLmNybDA7BgNVHSAENDAy
MAgGBmeBDAECATAIBgZngQwBAgIwDQYLKwYBBAHWeQIFAwIwDQYLKwYBBAHWeQIF
AwMwDQYJKoZIhvcNAQELBQADggEBADSkHrEoo9C0dhemMXoh6dFSPsjbdBZBiLg9
NR3t5P+T4Vxfq7vqfM/b5A3Ri1fyJm9bvhdGaJQ3b2t6yMAYN/olUazsaL+yyEn9
WprKASOshIArAoyZl+tJaox118fessmXn1hIVw41oeQa1v1vg4Fv74zPl6/AhSrw
9U5pCZEt4Wi4wStz6dTZ/CLANx8LZh1J7QJVj2fhMtfTJr9w4z30Z209fOU0iOMy
+qduBmpvvYuR7hZL6Dupszfnw0Skfths18dG9ZKb59UhvmaSGZRVbNQpsg3BZlvi
d0lIKO2d1xozclOzgjXPYovJJIultzkMu34qQb9Sz/yilrbCgj8=
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.google.com
issuer=/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
---
No client certificate CA names sent
---
SSL handshake has read 7076 bytes and written 439 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: 4F24E1D13BF6CA43603CB185446DCB8AB1F57CBCC128B2A15C0F4186DFC517ECFF60FFBC472D0FCE6175584565790B31
    Key-Arg   : None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 02 4b 12 f2 f4 b7 98 7b-7d 30 dd 33 1f bd 28 ca   .K.....{}0.3..(.
    0010 - a8 27 ef cf 8d 8f 73 5d-7f 78 fd 67 cb 97 a6 c6   .'....s].x.g....
    0020 - dc 23 3c 29 f5 7c 6a b8-53 e6 30 6d 1a 14 61 22   .#<).|j.S.0m..a"
    0030 - 14 01 45 2a e4 98 6b 0e-35 fd 46 17 d8 81 c2 d5   ..E*..k.5.F.....
    0040 - d2 06 5f 1a 0a 32 1f 9e-64 b1 7e 9a af 50 09 bd   .._..2..d.~..P..
    0050 - 89 26 62 08 84 6c 80 fa-d6 43 09 63 44 b4 9a 94   .&b..l...C.cD...
    0060 - 2b d1 7e 33 73 73 6b 9e-a5 99 af 88 1e 70 7d 0c   +.~3ssk......p}.
    0070 - 5b 72 51 0e 00 e4 6c ae-20 12 ff 4b 01 af 70 69   [rQ...l. ..K..pi
    0080 - 81 4f 42 cd 95 9e fe 2c-7a 3f 45 a4 21 ad 23 60   .OB....,z?E.!.#`
    0090 - f4 b3 37 84 69 55 95 9f-69 ec 21 6a 7a 5b da 74   ..7.iU..i.!jz[.t
    00a0 - 66 9c 60 3f cc 5a fc 5c-b2 b6 aa db 50 06 31 22   f.`?.Z.\....P.1"
    00b0 - 90 f4 39 73 05 cf 99 f8-3c 05 77 6e 93 a7 95 9b   ..9s....<.wn....
    00c0 - 26 e8 59 84 f6 d1 21 ce-c0 b0 db 3e 15 b4 4b 33   &.Y...!....>..K3
    00d0 - 46 52 41 e2 19 9e 45 2e-06 e2 6d                  FRA...E...m

    Start Time: 1710417148
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

Example how to obtain server certificate:

$ openssl s_client -connect deimos.lab.evolveum.com:3636
CONNECTED(00000003)
depth=1 OU = Organizational CA, O = EXAMPLE-TREE
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/O=EXAMPLE-TREE/CN=deimos
   i:/OU=Organizational CA/O=EXAMPLE-TREE
 1 s:/OU=Organizational CA/O=EXAMPLE-TREE
   i:/OU=Organizational CA/O=EXAMPLE-TREE
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFLTCCBBWgAwIBAgIkAhwR/6b9fHPRsgM0dS4h3nlIxIQoUQDjdnEzC8MrAgJC
C3WvMA0GCSqGSIb3DQEBBQUAMDMxGjAYBgNVBAsTEU9yZ2FuaXphdGlvbmFsIENB
MRUwEwYDVQQKEwxFWEFNUExFLVRSRUUwHhcNMTQwNjA1MTEyNjQ3WhcNMTYwNjA0
MTEyNjQ3WjAoMRUwEwYDVQQKEwxFWEFNUExFLVRSRUUxDzANBgNVBAMTBmRlaW1v
czCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJO+X5vjQ/0WNWBOTvGw
+amQCQ22dVM9zfWXa5fhtBAuq5oYrnImmqnU0Xl2k0TfZjDgWcDrlh620ByNr/JV
mEGUoAqIsZijbIYsb3/4C97Y9AKL8KWA5/HOxAZw7My65ydy2Wg0sgYb2wX2EHm3
E4gkcNtw9Lf1eLxCwnRmbGjUrAjXlc2e8HbP9lfRjAysGVqfEsk/JRtXmLPOqW0Y
THjSp+j87OTDbFPwWPlWh/atx2/3Q/xN+kJOLx4M1PMCAp/kDzdVA0bVWm1m/RZx
lpRpF2lRtdJgwP897jFurJfpubSwE7IgqKUXdkSdESpnaL62xtFnFbtEKbcsv1iR
Zb0CAwEAAaOCAjIwggIuMB0GA1UdDgQWBBR9W+sIkHjmchbjgIcED+3VPBshHzAf
BgNVHSMEGDAWgBScoCWoSW3ygoqk23J+4DXdx6xWGTAPBgNVHREECDAGhwQKAgEP
MAsGA1UdDwQEAwIFoDCCAcwGC2CGSAGG+DcBCQQBBIIBuzCCAbcEAgEAAQH/Ex1O
b3ZlbGwgU2VjdXJpdHkgQXR0cmlidXRlKHRtKRZDaHR0cDovL2RldmVsb3Blci5u
b3ZlbGwuY29tL3JlcG9zaXRvcnkvYXR0cmlidXRlcy9jZXJ0YXR0cnNfdjEwLmh0
bTCCAUigGgEBADAIMAYCAQECAUYwCDAGAgEBAgEKAgFpoRoBAQAwCDAGAgEBAgEA
MAgwBgIBAQIBAAIBAKIGAgEXAQH/o4IBBKBYAgECAgIA/wIBAAMNAIAAAAAAAAAA
AAAAAAMJAIAAAAAAAAAAMBgwEAIBAAIIf/////////8BAQACBAbw30gwGDAQAgEA
Agh//////////wEBAAIEBvDfSKFYAgECAgIA/wIBAAMNAEAAAAAAAAAAAAAAAAMJ
AEAAAAAAAAAAMBgwEAIBAAIIf/////////8BAQACBBH/pv0wGDAQAgEAAgh/////
/////wEBAAIEEf+m/aJOMEwCAQICAQACAgD/Aw0AgAAAAAAAAAAAAAAAAwkAgAAA
AAAAAAAwEjAQAgEAAgh//////////wEBADASMBACAQACCH//////////AQEAMA0G
CSqGSIb3DQEBBQUAA4IBAQAF/LlSJUz6I4UuzYivJyhcG8S4inWCB/4AkTP2rvOj
iU7oZDKLUoLMZGP2mxgGYPp+nPNmN0NbFyuNoZiRmCBxvdVmABwKHHEZKCl8f+sn
pw2wXPKrrZWY2PtbpJ2V815T8pAuraS1Ko08N/MZlIiZOZZpcyjq6EOTrELuaX+q
tDFsCNZSfNKjqYMyrPEaYSSNIcBbWx2Ip170AA6rNqaOR5oo/N6Cw/f7GAhaon8V
3j/pLivirDLbHBmsRLjzTcaSFtdhYzWR5Xr0hGh0oVA9OaL9EZF+wtKd4yMwL0Jn
g9cH8n3kIjW+d4uFbCYY/K0YX1n7l8zMiSRuRzUz5a+w
-----END CERTIFICATE-----
subject=/O=EXAMPLE-TREE/CN=deimos
issuer=/OU=Organizational CA/O=EXAMPLE-TREE
---
No client certificate CA names sent
---
SSL handshake has read 2831 bytes and written 551 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 3D1D82E86E3F87CF4F5C61DF1A1C5061973B371C75EE089C1ED38FF5FAFC58F9
    Session-ID-ctx:
    Master-Key: A58639B7067B0169C626DB8B45BD50AAF12A50A2F09BA4FC5D0112CE40E74F5CA6BD941A0F86D744AA12AA1592F450A3
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1401979683
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

The data between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- is the server certificate. Copy&paste the data into a separate file (including the boundary lines) and save it e.g. as servercert.pem.

Import the certificate

Import the server certificate to a truststore using keytool utility:

keytool -keystore /opt/midpoint/var/keystore.jceks -storetype jceks -storepass changeit -import -alias servercert -trustcacerts -file servercert.pem

Restart midPoint and that’s it.

Notes

  • Make sure that the correct keystore/truststore is used. By default connectors use JVM keystore unless it is overriden by JVM options. See Keystore Configuration page for more details.

  • If an import of a .p7b formated certificate results in the following error: java.lang.Exception: Input not an X.509 certificate. You might try to convert the certificate to the .cer PEM format. This can be done using the following openssl command:

openssl pkcs7 -inform der -in mycert.p7b -out myconvertedcert.cer
Was this page helpful?
YES NO
Thanks for your feedback