users@glassfish.java.net

Re: Clean install, import key help requested *2nd*

From: Lance Raymond <lraymond_at_weatherflow.com>
Date: Wed, 28 Oct 2009 15:32:17 -0400

Actually yes, that much has :)

Now I do have a backup keystore.jks file which I think he used and just
found, and do have the password. So I did the following; (note this is the
old one)
keytool -list -v -keystore keystore.jks (entered the pw) and have this;
(just including the good stuff)

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: wfgfcert
Creation date: Sep 23, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=api.mydomain.com, OU=Domain Control Validated - RapidSSL(R),
OU=See www.rapidssl.com/resources/cps (c)09, OU=GT06273877, O=
api.mydomain.com, C=US
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US

Alias name: root
Creation date: Sep 23, 2009
Entry type: trustedCertEntry

Owner: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Serial number: 35def4cf
Valid from: Sat Aug 22 12:41:51 EDT 1998 until: Wed Aug 22 12:41:51 EDT 2018


Alias name: s1as
Creation date: Sep 23, 2009
Entry type: trustedCertEntry

Owner: CN=api.domain.com, OU=Domain Control Validated - RapidSSL(R), OU=See
www.rapidssl.com/resources/cps (c)09, OU=GT06273877, O=api.domain.com, C=US
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US


So that was done last month and it looks like he imported the key into the
keystore.jks file (I almost sound like I know what I'm talking about)! The
only issue I see with that file is the last one, the s1as alias is using the
same domain info, where the new install uses the self-signed one. Not sure
if that matters or not as I don't really need that s1as alias, but you say
other things use it.

As for not being around, doesn't matter, I have the laptop and will be
checking in all day/night :D Thanks again for the time already spent
helping.




On Wed, Oct 28, 2009 at 3:00 PM, <bamoss_at_sceats.com> wrote:

> If you don't have the original keystore where the wflow alias was created,
> you may need to create a new keypair and get the certificate signed by
> rapidssl.
>
> The issue is that for SSL to work correctly, you need a keypair in your
> keystore. When you do a signing request to a CA, you export the certificate
> (not the key) then reimport the signed certificate. This gives you a chain
> keypair. What you need to see in your keystore when you do keytool -list -v
> -keystore keystore.jks, is the name of your alias (eg: wflow) followed by
> "Entry Type: keyEntry". You should also see this after alias "s1as". If
> you don't see this in your keystore, you need to go through the cert request
> process with the CA.
>
> Does this make sense?
>
> If not, I'll try to help, but will be offline for a couple of hours.
>
>
> -------- Original Message --------
> Subject: Re: Clean install, import key help requested *2nd*
> From: Lance Raymond <lraymond_at_weatherflow.com>
> Date: Wed, October 28, 2009 11:44 am
> To: users_at_glassfish.dev.java.net
>
> First, all can ignore the new post (sorry for the dup as it came from Nabble)
> and I am just mentally shot!
> Next;
> "If you used mystore.jks as the keystore where you created your original
> certificate request for alias" well unfortunately I didn't create the request,
> someone else did who left. I have just the .csr and .cert
>
> I have since wiped the app server again, so sitting idle with the
> following;
> default keystore.jks
> folder in my home with; trustedroot.crt, wfgfcert.csr, wfgfcert.cert
>
> I can access the normal app server on 8080, 8181 is the ssl port and the
> admin on 4848.
>
> So starting from step 1, can I simply import the wfgfcert into the existing
> keystore using wflow (I assume there can be multiple) since other things use
> that s1as alias, then change ssl to use that wflow alias?
>
> You threw a lot out there (better than anything I have read) but don't want
> to screw up again!
>
> Thanks
>
>
> On Wed, Oct 28, 2009 at 2:35 PM, <bamoss_at_sceats.com> wrote:
>
>> So with the original keystore.jks, which contains alias s1as, you are able
>> to access the glassfish admin console on port 4848, correct?
>>
>> If you used mystore.jks as the keystore where you created your original
>> certificate request for alias, then imported back the signed certificate and
>> the class and root certificate, you should see three entries, a chained
>> signing key and the two imported certificates (class and root certs) in the
>> mystore.jks keystore. However you won't have the s1as self-signed
>> certificate, that is in the original keystore, since this is created when
>> glassfish is built.
>>
>> If the above is true, create alias s1as using genkey in mystore.jks. Then
>> rename the keystore.jks to keystore.old and copy and rename mystore.jks to
>> keystore.jks. You should be able to log into the glassfish admin console.
>> I have enabled SSL on port 4848 and 8181, leaving 8080 for HTTP. If you
>> enable SSL on these ports, the default certificate nickname will be "s1as".
>> If you change this to "wflow", you should now be using your signed
>> certificate. This would be done by going to Configuration tab > HTTP
>> Services > HTTP Listeners > SSL tab. After this change, you need to restart
>> Glassfish.
>>
>> Does this make sense?
>>
>> Note that you need to have alias s1as in your active keystore, as other
>> glassfish services use this certificate nickname. I suspect this is why the
>> blog entry recommends deleting the original s1as and generating a new s1as
>> alias for the certificate request. The other option if you don't have s1as
>> in the active keystore is to make the change in the domain.xml file
>> replacing all s1as certificate aliases with your alias, however, editing the
>> domain.xml file is not recommended.
>>
>> Hope this helps.
>>
>> Derek
>>
>> -------- Original Message --------
>> Subject: RE: Clean install, import key help requested *2nd*
>> From: xlancealotx <lraymond_at_weatherflow.com>
>> Date: Wed, October 28, 2009 11:17 am
>> To: users_at_glassfish.dev.java.net
>>
>>
>> Yep, I have tried to both copy the mystore.jks over the keystore (renaming it
>> to keystore) and importing into the existing file. Also tried using a
>> different alias, changing in the admin and restarting, all still fail.
>> There are a few docs out there, all pretty much say the same few things
>> which is why I am surprised I am having such a hard time and the error is
>> just so vague.
>>
>>
>>
>> bamoss wrote:
>> >
>> > Did you replace the existing keystore with your new keystore, mykeystore
>> > and rename it to keystore.jks? Does your new keystore contain the s1as
>> > alias? Derek
>> >
>> >
>> > -------- Original Message --------
>> > Subject: Clean install, import key help requested *2nd*
>> > From: glassfish_at_javadesktop.org
>> > Date: Wed, October 28, 2009 8:18 am
>> > To: users_at_glassfish.dev.java.net
>> >
>> > ok, since over a day passed, 40+ people viewed and no response, figured I
>> > would just wipe the gf server and start from scratch. I already have the
>> > paid cert from rapidssl and have a clean GF2 server running. I followed a
>> > few simple steps from
>> > http://wiki.glassfish.java.net/Wiki.jsp?page=How_to_ssl_versign and have
>> > the same issue. So maybe since it's a clean install, new alias, I can get
>> > at least one response! With that, I did the following;
>> >
>> > Step 1
>> > keytool -import -alias wflow -keystore mykeystore.jks -trustcacerts -file wfgfcert.cert
>> > Enter keystore password:
>> > Re-enter new password:
>> > Certificate was added to keystore
>> >
>> > I had a trustedroot.cert from rapidssl which they said I might need to
>> > install, when I did I got the following;
>> > keytool -import -trustcacerts -keystore mykeystore.jks -alias rapidssl -file trustedroot.crt
>> > Enter keystore password:
>> > Certificate already exists in system-wide CA keystore under alias
>> > <equifaxsecureca>
>> > Do you still want to add it to your own keystore? [no]:
>> >
>> > So to me, that means no, it already knows they're good!
>> > Step 2 (per the docs);
>> > cp mykeystore.jks /var/lib/glassfishv2/domains/domain1/config/keystore.jks
>> >
>> > Step 3 - make the change
>> > Logged into the admin gui, there are 2 http-listener-2 (one under
>> > default-config and the other under server-config) and the doc doesn't tell
>> > which so I figure do both.
>> >
>> > Step 4: I try to start
>> > /usr/share/glassfishv2/bin/asadmin start-domain domain1
>> > Starting Domain domain1, please wait.
>> > Log redirected to /var/lib/glassfishv2/domains/domain1/logs/server.log.
>> > Please enter the admin user name>admin
>> > Please enter the admin password>adminadmin
>> > Redirecting output to /var/lib/glassfishv2/domains/domain1/logs/server.log
>> > Domain domain1 failed to startup. Please check the server log for more
>> > details.
>> > CLI156 Could not start the domain domain1.
>> >
>> > The log shows the same;
>> > Caused by: java.lang.IllegalStateException: Keystore was tampered with,
>> > or password was incorrect
>> >
>> > I didn't see anyplace that said to enter the keystore password, or where
>> > to put it, could that be it? Either way, I'm stuck, and really would
>> > appreciate some type of help. I do try to provide as much as possible,
>> > and not the 'help' on the subject, but don't know what else to try as this
>> > java.net seems to be the right and best place to post!
>> >
>> > Thanks
>> > [Message sent by forum member 'xlancealotx' (lraymond_at_weatherflow.com)]
>> >
>> > http://forums.java.net/jive/thread.jspa?messageID=369651
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>> > For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>> >
>>
>
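An added example, not code from anyone in this thread: a small Python script that parses the text `keytool -list -v` prints and applies the rule Derek gives above, namely that the alias the SSL listener's certificate nickname points at must be a private-key entry carrying its CA chain, and that the s1as alias (used by other GlassFish services) must also be a key entry. The sample listing is constructed for the example, modelled on the one Lance posted; the alias names, the `required_key_aliases` default and the chain-length threshold are assumptions.

```python
"""Sanity-check a JKS keystore listing before pointing a GlassFish SSL
listener at an alias.  Parses the text that `keytool -list -v` prints and
checks that the listener alias and s1as are usable private-key entries.
All names and the sample listing below are constructed for this example."""
from typing import Any, Dict, List, Tuple

# Constructed sample, modelled on the listing quoted in the thread: one
# signed key pair (wfgfcert) plus two trusted certificates, one of which
# sits under the s1as alias instead of a self-signed key pair.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: wfgfcert
Creation date: Sep 23, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=api.mydomain.com, O=api.mydomain.com, C=US
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Certificate[2]:
Owner: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US

Alias name: root
Creation date: Sep 23, 2009
Entry type: trustedCertEntry

Owner: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US

Alias name: s1as
Creation date: Sep 23, 2009
Entry type: trustedCertEntry

Owner: CN=api.domain.com, O=api.domain.com, C=US
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
"""

# Older keytool versions print "keyEntry"; newer ones print "PrivateKeyEntry".
PRIVATE_KEY_TYPES = {"PrivateKeyEntry", "keyEntry"}

Entry = Dict[str, Any]


def parse_keytool_listing(text: str) -> Dict[str, Entry]:
    """Return {alias: {type, chain_length, owner, issuer}} from -list -v output.

    Only the first Owner/Issuer pair of each alias is kept (the end-entity
    certificate); a trustedCertEntry has no chain-length line, so it gets 0."""
    entries: Dict[str, Entry] = {}
    current = None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue  # banner lines such as "Your keystore contains 3 entries"
        value = value.strip()
        if key == "Alias name":
            current = value
            entries[current] = {"type": None, "chain_length": 0,
                                "owner": None, "issuer": None}
        elif current is None:
            continue  # header lines before the first alias
        elif key == "Entry type":
            entries[current]["type"] = value
        elif key == "Certificate chain length":
            entries[current]["chain_length"] = int(value)
        elif key == "Owner" and entries[current]["owner"] is None:
            entries[current]["owner"] = value
        elif key == "Issuer" and entries[current]["issuer"] is None:
            entries[current]["issuer"] = value
    return entries


def check_keystore(entries: Dict[str, Entry], ssl_alias: str,
                   required_key_aliases: Tuple[str, ...] = ("s1as",)
                   ) -> List[Tuple[str, str]]:
    """Return (alias, problem) pairs; an empty list means the listener alias
    and every required alias are usable private-key entries."""
    problems: List[Tuple[str, str]] = []
    for alias in dict.fromkeys((ssl_alias,) + required_key_aliases):
        entry = entries.get(alias)
        if entry is None:
            problems.append((alias, "missing"))
        elif entry["type"] not in PRIVATE_KEY_TYPES:
            # A trustedCertEntry holds only a certificate: no private key,
            # so the server cannot complete a TLS handshake with it.
            problems.append((alias, "not-private-key"))
        elif alias == ssl_alias and entry["chain_length"] < 2:
            # A CA-signed cert should carry its issuer chain; length 1 means
            # the signed certificate was never imported back onto the key.
            problems.append((alias, "chain-too-short"))
    return problems


if __name__ == "__main__":
    parsed = parse_keytool_listing(SAMPLE_LISTING)
    for alias, problem in check_keystore(parsed, "wfgfcert"):
        print(f"{alias}: {problem}")
```

To run it against a real domain, pipe the output of `keytool -list -v -keystore keystore.jks` into `parse_keytool_listing` and pass the alias configured on the listener's SSL tab to `check_keystore`. On the listing Lance posted, the only finding is that s1as is a trustedCertEntry rather than a key entry, which is the mismatch he spotted himself and the one Derek's "you should also see this after alias s1as" rule flags.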