Quarkus Two-Way TLS: Backend does not accept the certificat

[softshipper]

Hi all,

I am trying to implement mTLS by my own regarding to the tutorial from https://quarkus.io/blog/quarkus-mutual-tls/.

This is how I have generated server-keystore, client-keystore and server-trustore

keytool -genkeypair \
        -storepass password \
        -keyalg RSA \
        -keysize 2048 \
        -dname "CN=example-server" \
        -alias server \
        -ext "SAN:c=DNS:localhost,IP:127.0.0.1" \
        -keystore ./server-keystore.jks

keytool -genkeypair \
        -storepass password \
        -keyalg RSA \
        -keysize 2048 \
        -dname "CN=example-client" \
        -alias client \
        -ext "SAN:c=DNS:localhost,IP:127.0.0.1" \
        -keystore ./client-keystore.jks


cp ./client-keystore.jks ./server-truststore.jks

keytool -exportcert \
        -alias client \
        -storepass password \
        -keystore ./server-truststore.jks \
        -rfc \
        -file client.pem

as you can see the server-truststore is a copy of client-keystore. Afterwards, I have exported the certificate from server-truststore and named it as client.pem.

Doing the request to the backend via curl curl --cert client.crt https://localhost:8443/hello it complains:

curl: (58) could not load PEM client certificate, LibreSSL error error:02FFF002:system library:func(4095):No such file or directory, (no key found, wrong pass phrase, or wrong file format?)

I assume that the private key is missing in the certificate client.crt. Regarding to https://stackoverflow.com/questions/19604668/use-and-utility-of-p12-certificate-file I thing I need to generate client.p12 file that also contains the private key.

I also tried via Postman with the following certificate configuration:

Unfortunately, I have got a bad response:

What I am trying to achieve is that I would like to generate client certificates and provide it to customers, so that they can do the requests with a valid certificate to the backend server.

The code is hosted on https://github.com/softshipper/playwithmtls.

Would be great if someone can help.

Best regards

[sberyozkin]

I'd try with copying the server keystore into client truststore, I do it with the tests all the time.

It is indeed a self-signed certificate, you can probably configure postman to accept such certificates somehow.

[softshipper]

First of the all, thanks for your answer.
I would be the maintainer of the client certificates. So when customers need a certificate then I would generate it for them.
With the generated client certificate they have access to the API independent of the REST client.
You would say self-signed certificate is what I need right?
Any tutorials for self-signed certificate in Quarkus?

[sberyozkin]

Np, I believe you need to create a certificate signing request with the keystore, and ideally signed it by the authority recognized by the browsers, postman, curl, there should be good tutorials online, Quarkus itself does not have it. The browsers allow to make the exceptions for selg-signed certificates though

[softshipper]

Thanks. I will try it out.