users@glassfish.java.net

Setting up self-signed certs in new JKS keystore doesn't work 100%

From: Alex Sherwin <alex.sherwin_at_acadiasoft.com>
Date: Mon, 23 Nov 2009 14:10:39 -0500

What I'm doing (generalized):

    - Creating a CA using OpenSSL
    - Create a new JKS keystore using keytool: "keytool -genkeypair -v
-alias <alias> -keysize 1024 -validity 365 -keystore <keystore>
-storepass <storepass>"
    - Generate a new CSR from my keystore using keytool: "keytool
-certreq -v -alias <alias> -keystore <keystore> -storepass <store
password> -file <output csr>"
    - Signing my CSR with OpenSSL: "openssl x509 -req -days 365 -in <csr
file> -CA <ca cert file> -CAkey <ca key file> -set_serial 01 -out
<output server cert>"
    - Importing my CA cert into the glassfish truststore, where
<truststore> is cacerts.jks in my domain: "keytool -import -alias <ca
alias> -keystore <truststore> -storepass <store password> -file <ca
certificate file>"
    - Importing my self-signed cert into my keystore: "keytool -import
-trustcacerts -keystore <keystore> -storepass <store password> -file
<server certificate file>"
    - Replacing my domains existing (default) keystore.jks with my new
keystore.jks.
    - Update domain.xml to replace the "s1as" alias references with my
keystores alias (I've used the same alias for the CA cert I imported
into cacerts.jks as well)

Now, this all works in the sense that when I navigate to the SSL enabled
http listener that I get the expected browser warnings about
unrecognized certs, which allows me to view my cert and add it to my
browser. However, the "Issued By" section of the certificate is
incorrect when displayed by the browser. The "Issued To" and "Issued
By" sections of the details that the browser sees are identical.

The "Issued By" details should be the details of my CA certificate that
I used to sign the server certificate.

If, for example, I follow the same process for generating a self-signed
server certificate for Apache (same process, except the CSR is created
with OpenSSL instead of JKS/keytool), using the same CA, and install my
server key file and certificate file into an apache server, I see the
"Issued To" and "Issued By" sections of the self-signed certificate
appear correctly.

This is an issue, because when if I distribute my CA certificate to
someone to install into their browser such that it should then allow
certificates signed by my CA, it works for the Apache server where the
"Issued By" section of the server certificate appears correctly, but it
does not work with Glassfish because the "Issued By" section is incorrect.

Am I missing a step?