By Kevin Smith-Oracle on Oct 02, 2015
I am starting to hate Google Chrome. First they take away Java applet support and now they are making my web sites look bad by giving warning on the SSL certificates for my sites that other browsers don't seem to care about.
Of course this is probably a good idea. We don't want our web sites using insecure protocols.
I ran into this at a customer recently for a WebCenter Portal site. We had Oracle HTTP Server (OHS) as the web front-end to WebCenter Portal and all pages were SSL encrypted. The customer was switching from Internet Explorer to Chrome as their default browser. The first time they launched the site in Chrome the URL icon showed them a nasty icon.
When you click on the icon, Chrome tells you that it doesn't like the SSL configuration of the site because the SSL certificate is signed with SHA-1.
It also warns you that the connection is using TLS 1.0.
I will cover both of these issues.
Chrome considers any certificates signed by SHA-1 to be no good. It is important to note that this not only applies to the user certificate for your site, but also the trusted certificate(s) used to sign the user certificate. You should view the user certificate for your site and determine if it is signed by SHA-1 or if the problem is up the chain. You want a certificate signed with SHA256.
This note on My Oracle Support contains details on how to determine which certificate is the cause of your problems.
To get a certificate signed with SHA256 you need to create a new Certificate Signing Request (CSR) and send it to your certificate authority who will reissue the certificate signed with SHA256.
The problem we ran into with this is that the current versions of Oracle tools like orapki do not allow you to generate a SHA256 CSR. We found a workaround by exporting the wallet to a PKCS#12 file and using openssl to generate the CSR. You can find the details on how to generate a SHA256 CSR from this note on My Oracle Support.
We used these steps as part of our overall procedure to update our certificates to SHA256:
Create a new wallet. You could probably use the existing wallet used by your site, but we decided to create a new wallet.
orapki wallet create -wallet walletdir -auto_login
Add the CSR to the wallet.There is a bug with the orapki command that requires the password to be specified on the command line. If you omit -pwd option it will not prompt you for the password and the command will fail.
orapki wallet add -wallet walletdir -dn 'XXX' -keysize 2048 -pwd PWD
Generate the CSR. We will not use this CSR, but this step still needs to be done.
orapki wallet export -wallet walletdir -dn 'XXX' -request mysite.csr -pwd PWD
Export the wallet to a PKCS#12 file.
openssl pkcs12 -in ewallet.p12 -nodes -out oracle_wallet.pem
Generate the sha256 CSR.
openssl req -new -key oracle_wallet.pem -sha256 -out mysite.csr
openssl req -new -key oracle_wallet.pem -sha256 -out mysite.csr
Submit the CSR to your certificate authority (CA). When you receive the updated certificate from the CA make sure you also get the root CA certificate used to sign the certificate and any interim CA certificates. In our case we were using GeoTrust as the CA. They signed the certificate with one interim certificate that was given to us as a crt file. We also downloaded the root CA certificate as a pem file from the GeoTrust web site.
Import the trusted certificates into the wallet.
orapki wallet add -wallet walletdir -trusted_cert -cert GeoTrust_Global_CA.pem -pwd PWD
orapki wallet add -wallet walletdir -trusted_cert -cert mysite_company_com_i1.crt -pwd PWD
Import the user certificates into the wallets. Replace PASSWORD with the wallet password.
orapki wallet add -wallet walletdir -user_cert -cert mysite_company_com_ee.crt -pwd PWD
Once we have the wallet loaded with the certificates we can replace the existing wallet used by OHS with our new wallet
Stop OHS server
Copy the new wallet file and replace the existing wallet file.
After starting OHS launch the web site in Chrome and hopefully you will see a green icon and a SHA256 signed certificate.
At this point even though the URL icon comes up with a green lock it is still using TLS 1,0. The problem we had it is that we were running OHS 220.127.116.11.0, which does not support TLS 1.2. The most recent protocol that is supports is TLS 1.0. We needed to upgrade OHS to 18.104.22.168.0. See this note on My Oracle Support for the details on SSL support in OHS and FMW in general.
The steps for upgrading OHS to 22.214.171.124.0 are quite simple. You run the standard 126.96.36.199.0 installer, it recognises you already have OHS installed and it upgrades your existing installation. You can find the download link and the detailed upgrade steps in the Oracle Fusion Middleware Download, Installation, and Configuration ReadMe.
One you upgrade OHS you also need to update the SSLProtocol setting in your ssl.conf and admin.conf files to disable the older protocols. Change the SSLProtocol settings to this:
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
This setting will allow support of newer protocols as they become available, but disables support for older protocols. The -protocol setting, e.g. -TLSv1.1, explicitly removes support for that protocol.
Once you upgrade OHS and update the SSLProtocol settings when you launch your site in Chrome you should see that it is using TLS 1.2.
If you want more information on SSL there are some great notes on My Oracle Support. This is a good starting point.
Through the steps above it will be useful to display the contents of the wallet as various points and especially if you have any problems with the commands.The orapki display command will display the contents of the wallet in the directory you specify.
orapki wallet display -wallet walletdir
When you first display the wallet after the initial creation it will be empty, except for the trusted certificates that are added by default by orapki.
Oracle PKI Tool : Version 188.8.131.52.0 Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved. Requested Certificates: User Certificates: Trusted Certificates: Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
After you add the certificate request it will be displayed in the wallet.
Oracle PKI Tool : Version 184.108.40.206.0 Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved. Requested Certificates: Subject: CN=mysite.mycompany.com,OU=Consulting,O=Oracle,L=Redwood City,ST=California,C=US User Certificates: Trusted Certificates: Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
After you add your user certificate the certificate request will now longer be shown, but your user certificate will be displayed.