users@glassfish.java.net

Re: New SSL cert installing on new clean GF server help

From: <glassfish_at_javadesktop.org>
Date: Thu, 24 Sep 2009 09:56:15 PDT

Ah, thanks for the reply. Well, I am looking more at the admin (to get familiar with it) and now see that, under configuration/server-config/http/httpListeners/http-listener-2, it uses the 8181 protocol. Looking at the SSL tab, I see the Certificate Nickname s1as (this is what I changed last time and broke the server!).

Well, I also used the 2 commands you suggested:

keytool -export -file wfgfcert.crt -keystore keystore.jks -alias wfgfcert
Enter keystore password:
Certificate stored in file <wfgfcert.crt>

keytool -printcert -file wfgfcert.crt
Owner: CN=my.domain.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)09, OU=GT06273877, O=my.domain.com, C=US
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Serial number: d0b49
Valid from: Tue Sep 22 14:26:12 EDT 2009 until: Sat Sep 24 16:38:06 EDT 2011
Certificate fingerprints:
         MD5: D9:26:3A:33:26:63:62:F1:B4:C3:4D:16:8B:2D:11:4C
         SHA1: 17:F8:24:21:59:D6:B1:A4:F4:E0:D1:52:B3:D3:D3:10:18:19:DE:66
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: DA 50 50 FC 5F D6 0E 79 A0 39 D6 36 84 8E A1 3B .PP._..y.9.6...;
0010: 9C 9D 73 66 ..sf
]
]

#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.geotrust.com/crls/secureca.crl]
]]

#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#5: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 48 E6 68 F9 2B D2 B2 95 D7 47 D8 23 20 10 4F 33 H.h.+....G.# .O3
0010: 98 90 9F D4 ....
]

]


So, looking at the above, it seems the cert is correct. I just don't know if it's a simple change in that domain.xml file from s1as to wfgfcert; as I said, that is what I did last time and broke the server, but now that I have the forum I am a bit more brave :)

So just let me know what the next step will be to enable gf to use that cert as opposed to the self-signed one and I will be good to go with this!

Thanks
[Message sent by forum member 'xlancealotx' (lraymond_at_weatherflow.com)]

http://forums.java.net/jive/thread.jspa?messageID=365588