Setup SSL Secure localhost proxy

gkburnsgkburns Posts: 4


I'm trying to setup the proxy for SSL (https) access on the localhost. I created the secure Listener on port 9443 but when I hit the proxy URL from my code in the Visual Studio debugger, I get the error:

{"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."}

I've already installed the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files as suggested by the proxy security tab.

I'm not sure what else I need to setup to get the proxy https://localhost working.


  • williammccuskerwilliammccusker Posts: 82

    It sounds like your code doesn't trust the certificate being used by the secure listener. Could you attach a screenshot of the settings you used for the secure listener?

  • gkburnsgkburns Posts: 4

    Listener screenshot attached

  • williammccuskerwilliammccusker Posts: 82

    Ok so it looks like based on you settings you code should connect to port 9143 using SSL and it is configured to use the default self signed certificate. You will need to setup the proper trust for the certificate. It may be that you can change your code to trust self signed certificates or you may need to import the certificate into a trust store used by your code.

    You can find some information about the default certificate used by virtualize at the link below, specifically looking at the section about "Editing server.xml" to help you find the default certificate.

  • gkburnsgkburns Posts: 4

    Thanks. I opened Chrome to the proxy URL that I setup, and Chrome complained that it was an invalid certificate. I exported the certificate to a file and then imported the file into mmc.exe into both the Personal/Certificates and the Trusted Root Certificate folders. I tried again with Chrome and it still complained about the certificate. Using Chrome's F12 tools, I went to the security tab and found these errors with the certificate (see screenshot).

    Several months ago Chrome changed it's policies to not trust certificates without a SAN (Subject Alternative Name). The certificate does not have a SAN. So I'm thinking I'm going to need to generate my own self-signed certificate with a SAN and get Parasoft to use my certificate instead of the default Parasoft certificate using the information you sent about server.xml.

  • williammccuskerwilliammccusker Posts: 82

    Yes generating your own certificate sounds like the best option for you case :smiley:

  • gkburnsgkburns Posts: 4
    edited March 13

    Here's how I got it working.

    Using Windows 10 PowerShell, create a self-signed certificate as follows:

        $rootCert = New-SelfSignedCertificate -DnsName "Parasoft Dev Root CA" -CertStoreLocation cert:\LocalMachine\My -KeyUsage DigitalSignature,CertSign
        $myCert = New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -Subject "" -Type SSLServerAuthentication -KeyDescription "virtualize" -KeyFriendlyName "virtualize" -KeyExportPolicy Exportable -DnsName "localhost" -FriendlyName "" -Signer $rootcert -KeyUsage KeyEncipherment,DataEncipherment -NotAfter (Get-Date).AddYears(10)
        $thumbprint = $myCert.Thumbprint 
        $pwd = ConvertTo-SecureString -String "changeit" -Force -AsPlainText
        Export-PfxCertificate -cert cert:\localMachine\my\$thumbprint  -FilePath c:\temp\Parasoft-localhost.pfx -Password $pwd

    Then copy the file Parasoft-localhost.pfx from the c:\temp folder to the Tomcat runtime lib folder (your folder may be different depending on the Parasoft version installed)...

    C:\Program Files\Parasoft\SOAtest & Virtualize\9.10\eclipse\plugins\com.parasoft.xtest.libs.web_9.10.0.20161130\root\lib

    Using the java keytool command,
    1. Determine the guid alias in the generated pfx file:

    keytool -keystore Parasoft-localhost.pfx -list

    Enter keystore password: changeit

    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    te-e3ed793b-48c0-42a4-b0d1-1e39de989618, Mar 13, 2018, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 28:3C:7C:46:0C:10:27:55:08:7C:2F:69:7E:5F:A1:52:B7:5A:2D:E0
    1. Use the pfx file and alias to import into the cacerts file:
      (backup your cacerts filebefore doing the following)

    keytool -importkeystore -srckeystore Parasoft-localhost.pfx -srcstoretype pkcs12 -srcalias te-e3ed793b-48c0-42a4-b0d1-1e39de989618 -destkeystore cacerts -deststoretype jks -deststorepass changeit -destalias virtualize

    1. Open mmc.exe, add the certificate plugin, open local computer certificates. Drag the “Parasoft Dev Root CA” from the “Personal->Certificates” folder to the “Trusted Root Certification Authority->Certificates”. Leave the “” certificate in the “Personal->Certificates” folder.

    2. Start the Parasoft localhost server. To test the certificate, open Chrome and hit the URL for your proxy method.

    Using the Chrome F12 tools, Security tab, the certificate should now be valid:

Sign In or Register to comment.