dev@glassfish.java.net

Re: Stale certificate for "s1as" in cacerts.jks?

From: Shing Wai Chan <Shing-Wai.Chan_at_Sun.COM>
Date: Mon, 23 Mar 2009 12:57:22 -0700

Here is what I see:
For s1as in keystore.jks, we have

Alias name: s1as
Creation date: Sep 11, 2008
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=GlassFish, O=Sun Microsystems, L=Santa Clara,
ST=California, C=US
Issuer: CN=localhost, OU=GlassFish, O=Sun Microsystems, L=Santa Clara,
ST=California, C=US
Serial number: 48c9e075
Valid from: Thu Sep 11 20:22:29 PDT 2008 until: Sun Sep 09 20:22:29 PDT 2018
Certificate fingerprints:
     MD5: 00:E5:5D:1F:07:CC:99:9F:CF:68:0E:AD:29:43:E0:48
     SHA1: 1B:62:3E:B2:3D:D7:0B:63:80:92:EE:9A:59:F7:D5:9F:97:A3:FD:98
     Signature algorithm name: MD5withRSA
     Version: 1

For s1as in cacerts.jks, we have
Alias name: s1as
Creation date: Jan 25, 2007
Entry type: trustedCertEntry

Owner: CN=laturbie.sfbay.sun.com, OU=Sun Java System Application Server,
O=Sun Microsystems, L=Santa Clara, ST=California, C=US
Issuer: CN=laturbie.sfbay.sun.com, OU=Sun Java System Application
Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US
Serial number: 45b91fb6
Valid from: Thu Jan 25 13:23:02 PST 2007 until: Sun Jan 22 13:23:02 PST 2017
Certificate fingerprints:
     MD5: 49:1D:52:BE:B4:B4:43:E5:F8:91:5A:AA:FD:33:75:3A
     SHA1: EC:F1:C2:1D:7A:ED:40:CF:50:C3:1F:C0:A6:15:D9:8B:60:C9:B2:E6
     Signature algorithm name: MD5withRSA
     Version: 1

So, CN name is mismatched.
In fact, the CN=localhost is not usable by IIOP as I have mentioned in
another conversation before.
In our web devtest, we always need to remove the out-of-box domain and
recreate it.
It would be good to see that we plan to generate the domain certificate
correctly in the build.

Regards,
     Shing Wai Chan


Kedar Mhaswade wrote:
> Jan,
>
> Can you do an asadmin create-domain and run the failing tests and
> let me know if they succeed?
>
> IMO, the bundled domain contains some random stuff as far as I know.
>
> If the create-domain stuff works, the plan is to call that during the
> build, so we have certs that are current and correct at least as far
> as build time is concerned.
>
> I think you should file this as a bug on build system.
>
> -Kedar
>
> Jan Luehe wrote:
>> Some of the SSL-related web unit tests have been failing (on the
>> client) with this error:
>>
>> javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException:
>> No trusted certificate found
>>
>> The client loads domains/domain1/config/cacerts.jks as its SSL trust
>> store.
>> I've noticed that the entry for "s1as" in cacerts.jks is stale, i.e.,
>> differs from the entry for "s1as" in
>> domains/domain1/config/keystore.jks:
>>
>> cacerts.jks:
>> s1as, Jan 26, 2007, trustedCertEntry,
>> Certificate fingerprint (MD5):
>> 49:1D:52:BE:B4:B4:43:E5:F8:91:5A:AA:FD:33:75:3A
>>
>> keystore.jks:
>> s1as, Sep 12, 2008, PrivateKeyEntry,
>> Certificate fingerprint (MD5):
>> 00:E5:5D:1F:07:CC:99:9F:CF:68:0E:AD:29:43:E0:48
>>
>> Notice the different fingerprints, which explains why the client
>> fails to authenticate
>> the server.
>>
>> This is for an out-of-the-box installation of GlassFish v3.
>>
>> Is this a known issue?
>>
>> Thanks,
>>
>> Jan
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe_at_glassfish.dev.java.net
>> For additional commands, e-mail: dev-help_at_glassfish.dev.java.net
>>
>
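One way to catch a stale trustedCertEntry like the one in this thread before a test run fails on "No trusted certificate found": compare the certificate behind an alias in keystore.jks with the certificate stored under the same alias in cacerts.jks, working from the text that `keytool -list -v` prints for each store. The script below is an added example, not code from the thread or from GlassFish. The two listings are copied from Shing Wai's message as constructed sample input; the function names (`parse_keytool_listing`, `check_alias`), the continuation handling for DNs that keytool wraps across lines, and the extra warning about MD5withRSA are my own assumptions, not anything the thread describes.

```python
"""Detect a stale trust-store entry: compare the certificate behind an
alias in keystore.jks with the trustedCertEntry of the same alias in
cacerts.jks, parsing the text that `keytool -list -v` prints.
Added example, not GlassFish code. The two listings below are copied
from the mailing-list message and used here as constructed input."""
import re
from datetime import datetime

KEYSTORE_LISTING = """\
Alias name: s1as
Creation date: Sep 11, 2008
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=GlassFish, O=Sun Microsystems, L=Santa Clara,
ST=California, C=US
Issuer: CN=localhost, OU=GlassFish, O=Sun Microsystems, L=Santa Clara,
ST=California, C=US
Serial number: 48c9e075
Valid from: Thu Sep 11 20:22:29 PDT 2008 until: Sun Sep 09 20:22:29 PDT 2018
Certificate fingerprints:
     MD5: 00:E5:5D:1F:07:CC:99:9F:CF:68:0E:AD:29:43:E0:48
     SHA1: 1B:62:3E:B2:3D:D7:0B:63:80:92:EE:9A:59:F7:D5:9F:97:A3:FD:98
     Signature algorithm name: MD5withRSA
     Version: 1
"""

CACERTS_LISTING = """\
Alias name: s1as
Creation date: Jan 25, 2007
Entry type: trustedCertEntry

Owner: CN=laturbie.sfbay.sun.com, OU=Sun Java System Application Server,
O=Sun Microsystems, L=Santa Clara, ST=California, C=US
Issuer: CN=laturbie.sfbay.sun.com, OU=Sun Java System Application
Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US
Serial number: 45b91fb6
Valid from: Thu Jan 25 13:23:02 PST 2007 until: Sun Jan 22 13:23:02 PST 2017
Certificate fingerprints:
     MD5: 49:1D:52:BE:B4:B4:43:E5:F8:91:5A:AA:FD:33:75:3A
     SHA1: EC:F1:C2:1D:7A:ED:40:CF:50:C3:1F:C0:A6:15:D9:8B:60:C9:B2:E6
     Signature algorithm name: MD5withRSA
     Version: 1
"""

# Field labels keytool emits; a line starting with none of them is a
# continuation of a wrapped DN (keytool folds long Owner/Issuer lines).
FIELDS = ("Alias name", "Creation date", "Entry type", "Certificate chain length",
          "Certificate[", "Owner", "Issuer", "Serial number", "Valid from",
          "Certificate fingerprints", "MD5", "SHA1", "SHA256",
          "Signature algorithm name", "Version")
# "until: Sun Sep 09 20:22:29 PDT 2018" -> ("Sep 09 20:22:29", "2018");
# the zone name is dropped because strptime's %Z does not accept PDT/PST.
UNTIL_RE = re.compile(r"until: \w{3} (\w{3} \d+ \d\d:\d\d:\d\d) \w+ (\d{4})")


def parse_keytool_listing(text):
    """Return {alias: fields} for every entry in a `keytool -list -v` dump."""
    entries, cur, last = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Alias name:"):
            cur = {"alias": line.split(":", 1)[1].strip(), "owner": "", "issuer": ""}
            entries[cur["alias"]] = cur
            last = None
            continue
        if cur is None:
            continue
        if not line.startswith(FIELDS):
            if last in ("owner", "issuer"):      # wrapped DN continuation
                cur[last] += " " + line
            continue
        key, _, value = line.partition(":")
        key, value, last = key.strip(), value.strip(), None
        if key == "Entry type":
            cur["entry_type"] = value
        elif key in ("Owner", "Issuer"):
            last = key.lower()
            cur[last] = value
        elif key in ("MD5", "SHA1", "SHA256"):
            cur[key.lower()] = value
        elif key == "Signature algorithm name":
            cur["sig_alg"] = value
        elif key == "Valid from":
            m = UNTIL_RE.search(line)
            cur["not_after"] = datetime.strptime(" ".join(m.groups()), "%b %d %H:%M:%S %Y")
    return entries


def common_name(dn):
    """CN attribute of an RFC 2253-style DN string, or None."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return m.group(1).strip() if m else None


def check_alias(keystore, truststore, alias, expected_cn, now):
    """Reasons a client trusting `truststore` would reject the server key
    under `alias` in `keystore`; an empty list means the stores agree."""
    ks, ts = keystore.get(alias), truststore.get(alias)
    if ks is None or ts is None:
        return [f"alias {alias!r} missing from {'key store' if ks is None else 'trust store'}"]
    findings = []
    if ks["sha1"] != ts["sha1"]:          # the symptom from the thread
        findings.append(f"stale trust entry: SHA1 {ts['sha1']} in trust store, "
                        f"{ks['sha1']} in key store")
    if ts["not_after"] < now:
        findings.append(f"trusted cert expired on {ts['not_after']:%Y-%m-%d}")
    if ks["not_after"] < now:
        findings.append(f"server cert expired on {ks['not_after']:%Y-%m-%d}")
    cn = common_name(ks["owner"])
    if cn != expected_cn:
        findings.append(f"server cert CN={cn} does not match expected host {expected_cn}")
    # Assumption added here: MD5-signed certs fail path validation on
    # current JDKs (jdk.certpath.disabledAlgorithms), so flag them too.
    if "MD5" in ks.get("sig_alg", "").upper():
        findings.append(f"weak signature algorithm {ks['sig_alg']} on server cert")
    return findings


if __name__ == "__main__":
    ks = parse_keytool_listing(KEYSTORE_LISTING)
    ts = parse_keytool_listing(CACERTS_LISTING)
    for finding in check_alias(ks, ts, "s1as", "localhost", datetime(2009, 3, 23)):
        print(finding)
```

Run against the thread's two listings with `expected_cn="localhost"` and the date of the message, the script reports the SHA1 mismatch Jan observed (plus the MD5withRSA warning, which is my addition and not something a 2009 JDK would have complained about). Passing the real host name instead of `localhost` adds the CN mismatch Shing Wai points out for IIOP. A real check would feed it the output of `keytool -list -v -keystore domains/domain1/config/keystore.jks -storepass ...` and the same for cacerts.jks rather than the embedded strings.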