Please remove expired certificates from distribution/FISH-6107
Description
Please remove expired certificates from distribution
Expected Outcome
Payara Micro run just after a release should warn about a minimal number of expired certificates, and not about certs that expired months earlier.
Current Outcome
15 warnings about expired bundled certificates.
Alternatives
Context
- #5592
- #4740
- #3082
Are all certificates really needed?
Does Payara have a regular release cycle? If so, perhaps all certificates due to expire before the next release could be proactively replaced/removed as part of the release process?
- #5677
Please consider removing the following certificates from the keystores below:
for a in cert_2_globalsign_root_ca___r22 \
globalsignrootca-r2 \
cert_91_pscprocert91 \
cert_14_quovadis_root_ca14 \
mykey \
dstrootcax3 \
cert_46_cybertrust_global_root46 \
soneraclass2ca \
globalsignr2ca \
soneraclass2rootca \
cert_18_sonera_class_2_root_ca18 \
soneraclass1ca \
thawteserverca \
quovadisrootca \
cert_30_dst_root_ca_x330 \
verisigntsaca \
cybertrustglobalroot \
thawtepremiumserverca \
thawtepersonalfreemailca
do
keytool -delete -alias $a -keystore ./nucleus/security/core/src/main/resources/config/cacerts.jks -storepass changeit
done
for a in cert_30_dst_root_ca_x330 \
cert_91_pscprocert91 \
cert_46_cybertrust_global_root46 \
soneraclass1ca \
thawtepersonalfreemailca \
globalsignr2ca \
quovadisrootca \
mykey \
cert_2_globalsign_root_ca___r22 \
cert_18_sonera_class_2_root_ca18 \
cert_14_quovadis_root_ca14 \
thawteserverca \
soneraclass2ca \
thawtepremiumserverca \
verisigntsaca
do
keytool -delete -alias $a -keystore ./nucleus/admin/template/src/main/resources/config/cacerts.jks -storepass changeit
done
Also, in a few months the following certs will also expire: cert_11_visa_ecommerce_root11, cert_8_geotrust_global_ca8, geotrustglobalca. Perhaps their removal could also be considered.
I'd open a PR with this, but the modified binary would be harder to review than a script to do it, I guess.
This also occurs on a Payara server install.
There are several certificates which are 1024-bit RSA keys, which keytool warns "are considered a security risk and the key size will be disabled in a future update". It would be sensible to remove those at the same time.
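Rather than maintaining alias lists by hand, the three checks raised in this thread (entries already expired, entries due to expire before the next release, and the 1024-bit RSA keys mentioned just above) can be derived from `keytool -list -v` output. The script below is an added example written for this page; it is not code from the issue, from the reporter, or from Payara. It assumes a JDK 11 or newer `keytool` on PATH (whose verbose listing prints a `Subject Public Key Algorithm: N-bit RSA key` line per entry), a trust store holding only trustedCertEntry items (one `Valid from ... until ...` line per alias), alias names without whitespace, and the `changeit` password used in the thread. The names `weak_entries`, `prune_keystore` and `SAMPLE_LISTING` are invented here, and the fixture is a constructed excerpt in the shape of keytool output, not a real listing.

```shell
#!/bin/sh
# Added example for this page (not Payara code): find trust-store entries that are
# expired, expire before a cut-off date, or use an RSA key shorter than 2048 bits,
# and optionally delete them with keytool. Assumes JDK 11+ keytool, a trust store of
# trustedCertEntry items, whitespace-free alias names, and the "changeit" password.

# weak_entries CUTOFF_YYYYMMDD: reads `keytool -list -v` output on stdin and prints one
# "alias<TAB>reason" line per problem. Pure awk, so it runs without a JDK installed.
weak_entries() {
    awk -v cutoff="$1" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= 12; i++) mon[names[i]] = sprintf("%02d", i)
        alias = ""
    }
    /^Alias name: / { alias = substr($0, 13); next }      # text after "Alias name: "
    /^Valid from: / && alias != "" {
        # The part after "until:" is Java Date.toString(): Day Mon DD HH:MM:SS TZ YYYY
        p = index($0, "until:")
        split(substr($0, p + 6), f, " ")
        notafter = f[6] mon[f[2]] sprintf("%02d", f[3])  # e.g. 20211006, sortable as text
        if (notafter < cutoff) print alias "\texpires " notafter
        next
    }
    /^Subject Public Key Algorithm: / && alias != "" {
        if (match($0, /[0-9]+-bit RSA/)) {
            bits = substr($0, RSTART, RLENGTH) + 0       # leading digits only
            if (bits < 2048) print alias "\t" bits "-bit RSA key"
        }
        next
    }'
}

# prune_keystore KEYSTORE [CUTOFF_YYYYMMDD] [delete]: reports the offending entries;
# with a third argument of "delete" it also removes them. The default cut-off is today;
# pass the next planned release date to drop everything that would expire before it ships.
prune_keystore() {
    ks=$1
    cutoff=${2:-$(date +%Y%m%d)}
    action=${3:-report}
    # The listing is captured first so the file is not rewritten while keytool reads it.
    entries=$(keytool -list -v -keystore "$ks" -storepass changeit | weak_entries "$cutoff")
    printf '%s\n' "$entries" | while IFS="$(printf '\t')" read -r alias reason; do
        [ -n "$alias" ] || continue
        echo "$ks: $alias ($reason)"
        if [ "$action" = delete ]; then
            keytool -delete -alias "$alias" -keystore "$ks" -storepass changeit
        fi
    done
}

# Constructed fixture (not a real listing) in the shape of `keytool -list -v` output:
# two aliases with the dates shown in the thread plus one healthy entry.
SAMPLE_LISTING='Alias name: mykey
Creation date: 26 Apr 2018
Entry type: trustedCertEntry

Valid from: Thu Oct 06 17:43:55 CEST 2016 until: Wed Oct 06 17:43:55 CEST 2021
Subject Public Key Algorithm: 2048-bit RSA key

Alias name: thawteserverca
Entry type: trustedCertEntry

Valid from: Thu Aug 01 02:00:00 CEST 1996 until: Sat Jan 02 00:59:59 CET 2021
Subject Public Key Algorithm: 1024-bit RSA key

Alias name: examplerootca
Entry type: trustedCertEntry

Valid from: Mon Jan 01 01:00:00 CET 2018 until: Fri Jan 01 00:59:59 CET 2038
Subject Public Key Algorithm: 4096-bit RSA key'

# Stand-alone demo on the fixture with a cut-off of 1 March 2022: reports mykey and
# thawteserverca (the latter twice, expired and weak), never examplerootca.
printf '%s\n' "$SAMPLE_LISTING" | weak_entries 20220301
```

Against a real keystore, `prune_keystore micro/MICRO-INF/domain/cacerts.jks 20220601` lists what would be gone before a June 2022 release, and appending `delete` performs the removals; run it once per keystore path from the original report. Because the parser only looks at the `until:` date and the key-size line, it is independent of the keystore's alias naming scheme, so it does not need updating when the bundled set changes.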
Hi @pzygielo,
Payara Micro does not come with certificates. If there is a mention of expired certificates, they are from the JVM itself. For the Payara server, they are removed when released. But when they expire after release, you can get this message. You should remove expired certificates from the Payara server's truststore yourself if the message bothers you. Thanks
Hi @shub8968, thanks for checking.
Payara Micro does not come with certificates.
What could that be, then?
$ wget https://repo.maven.apache.org/maven2/fish/payara/extras/payara-micro/5.2022.1/payara-micro-5.2022.1.jar
$ unzip -qd micro payara-micro-5.2022.1.jar
$ find micro -name '*.jks'
micro/MICRO-INF/domain/keystore.jks
micro/MICRO-INF/domain/cacerts.jks
If there is a mention of expired certificates, they are from the JVM itself.
No, there is no mykey there. But there is an expired one in micro's:
$ keytool -list -alias mykey -keystore micro/MICRO-INF/domain/cacerts.jks -storepass changeit
mykey, 26 Apr 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): 73:1D:3D:9C:FA:A0:61:48:7A:1D:71:44:5A:42:F6:7D:F0:AF:CA:2A:6C:2D:2F:98:FF:7B:3C:E1:12:B1:F5:68
$ keytool -list -alias mykey -v -keystore micro/MICRO-INF/domain/cacerts.jks -storepass changeit | grep Valid
Valid from: Thu Oct 06 17:43:55 CEST 2016 until: Wed Oct 06 17:43:55 CEST 2021
and to check all those reported originally:
$ for a in cert_2_globalsign_root_ca___r22 \
globalsignrootca-r2 \
cert_91_pscprocert91 \
cert_14_quovadis_root_ca14 \
mykey \
dstrootcax3 \
cert_46_cybertrust_global_root46 \
soneraclass2ca \
globalsignr2ca \
soneraclass2rootca \
cert_18_sonera_class_2_root_ca18 \
soneraclass1ca \
thawteserverca \
quovadisrootca \
cert_30_dst_root_ca_x330 \
verisigntsaca \
cybertrustglobalroot \
thawtepremiumserverca \
thawtepersonalfreemailca
do
keytool -list -alias $a -v -keystore micro/MICRO-INF/domain/cacerts.jks -storepass changeit | grep Valid
done
Valid from: Fri Dec 15 09:00:00 CET 2006 until: Wed Dec 15 09:00:00 CET 2021
Valid from: Tue Dec 28 17:51:00 CET 2010 until: Sat Dec 26 00:59:59 CET 2020
Valid from: Mon Mar 19 19:33:33 CET 2001 until: Wed Mar 17 19:33:33 CET 2021
Valid from: Thu Oct 06 17:43:55 CEST 2016 until: Wed Oct 06 17:43:55 CEST 2021
Valid from: Fri Dec 15 09:00:00 CET 2006 until: Wed Dec 15 09:00:00 CET 2021
Valid from: Fri Apr 06 09:29:40 CEST 2001 until: Tue Apr 06 09:29:40 CEST 2021
Valid from: Fri Dec 15 09:00:00 CET 2006 until: Wed Dec 15 09:00:00 CET 2021
Valid from: Fri Apr 06 09:29:40 CEST 2001 until: Tue Apr 06 09:29:40 CEST 2021
Valid from: Fri Apr 06 12:49:13 CEST 2001 until: Tue Apr 06 12:49:13 CEST 2021
Valid from: Thu Aug 01 02:00:00 CEST 1996 until: Sat Jan 02 00:59:59 CET 2021
Warning:
The certificate uses a 1024-bit RSA key which is considered a security risk and is disabled.
Valid from: Mon Mar 19 19:33:33 CET 2001 until: Wed Mar 17 19:33:33 CET 2021
Valid from: Sat Sep 30 23:12:19 CEST 2000 until: Thu Sep 30 16:01:15 CEST 2021
Valid from: Wed Jan 01 01:00:00 CET 1997 until: Fri Jan 01 00:59:59 CET 2021
Warning:
The certificate uses a 1024-bit RSA key which is considered a security risk and is disabled.
Valid from: Thu Aug 01 02:00:00 CEST 1996 until: Sat Jan 02 00:59:59 CET 2021
Warning:
The certificate uses a 1024-bit RSA key which is considered a security risk and is disabled.
Valid from: Mon Jan 01 01:00:00 CET 1996 until: Sat Jan 02 00:59:59 CET 2021
Warning:
The certificate uses a 1024-bit RSA key which is considered a security risk and is disabled.
For the Payara server, they are removed when released.
Could this also be considered for Payara Micro? I can't remove them without repackaging the jar.
Hi @pzygielo,
I have created an internal JIRA FISH-6107 in order to fix this anomalous behavior.
Thanks, Shubham
I don't know what the status of FISH-6107 is, or whether this was automated or is handled manually, but payara-micro/5.2022.3 seems to be fine with regard to this issue.
Feel free to close this one. Thanks.