users@glassfish.java.net

Re: Self-cert SSL for admin gui

From: Chris Searle <chris.searle_at_objectware.no>
Date: Tue, 15 Jul 2008 11:58:23 +0200

On 15 July 2008, at 12:00, V B Kumar Jayanti wrote:

> Chris Searle wrote:
>
>> I'm having an issue with getting the admin gui to run over SSL with
>> a given certificate.
>>
>> I believe that I have the certificate in the keystore correctly:
>>
>> glassfish/domains/domain1/config$ keytool -list -keystore
>> keystore.jks -alias chrissearle.net
>> Enter keystore password:
>> chrissearle.net, Jul 10, 2008, trustedCertEntry,
>> Certificate fingerprint (MD5): 01:91:81:C5:79:71:96:A3:EA:
>> 58:B4:16:CA:AC:F0:6E
>>
> The keystore for SSL should contain "keyEntry" as opposed to
> "trustedCertEntry" that you have above. That means the keystore
> currently has only the cert and not the cert-privatekey pair.

Yes - I've understood that since :)

>
>
>> (Note - I have used the same cert previously with tomcat - imported
>> to the JVM's default keystore - so for glassfish I simply imported
>> it to the specified glassfish keystore under domains/domain1/
>> config/ keystore.jks - that is the correct one I hope?)
>>
>> And then in the admin GUI for the admin-listener I set SSL3 and
>> TLS on, with a Certificate NickName of "chrissearle.net" and
>> enabled security for the listener.
>>
>> Glassfish then says it requires a restart - which then fails with:
>>
>> server.log:Caused by: LifecycleException: PWC3985: Protocol
>> handler initialization failed: java.io.IOException: PWC5330: Alias
>> name chrissearle.net does not identify a key entry
>>
> Where did you obtain the certificate from?

I didn't post a follow-up since it didn't feel GlassFish-specific -
but - the story is on

http://www.chrissearle.org/blog/technical/unable_import_openssl_key_java_keystore

In short - the key and cert are openssl generated - and "not yet
commons-ssl" 0.3.9 was able to import both to the keystore - it now
says PrivateKeyEntry instead of trustedCertEntry