users@glassfish.java.net

Re: Setting up self-signed certs in new JKS keystore doesn't work 100%

From: <glassfish_at_javadesktop.org>
Date: Tue, 24 Nov 2009 07:58:11 PST

If I execute the following, the issuer is shown correctly.
(Sorry, the Firefox image is in Japanese.)
CA: ca-server.sun.com
HTTPS Server : sw-103.japan.sun.com

Delete existing Server-Cert and CA cert.
# keytool -list -keystore cacerts.jks -alias s1as -storepass changeit
# keytool -list -keystore keystore.jks -alias s1as -storepass changeit

# keytool -delete -alias s1as -keystore keystore.jks -storepass changeit
# keytool -delete -alias s1as -keystore cacerts.jks -storepass changeit

Create private Key
# keytool -genkeypair -alias s1as -keystore keystore.jks -storepass changeit -keyalg RSA -keysize 2048 -validity 365

Create CSR
# keytool -certreq -alias s1as -keystore ./keystore.jks -file sw-103.japan.sun.com.csr -storepass changeit

Sign the Server-Cert
# openssl ca -in ./sw-103.japan.sun.com.csr -keyfile ./demoCA/private/cakey.pem -cert ./demoCA/cacert.pem -out ./signed-sw-103.japan.sun.com.cert

Create DER format for the created signed server cert.
# openssl x509 -in ./signed-sw-103.japan.sun.com.cert -outform DER -out ./signed-sw-103.japan.sun.com.der

Copy the X509 format of the CA Trusted Cert.
# vi cacert.x509
"cacert.x509" [新規ファイル]
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Import the CA to key store and CA trusted store.
# keytool -import -file cacert.x509 -trustcacerts -alias private-ca -keystore ./keystore.jks -storepass changeit
# keytool -import -file cacert.x509 -trustcacerts -alias private-ca -keystore ./cacerts.jks -storepass changeit

Import the Signed Server Cert to keystore.
# keytool -import -alias s1as -file signed-sw-103.japan.sun.com.der -keystore ./keystore.jks -storepass changeit

Please restart the domain.
[Message sent by forum member 'yosshi2008' ]

http://forums.java.net/jive/thread.jspa?messageID=373148
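The procedure above, reproduced as an added shell example (not code from the post or from GlassFish) against a throwaway CA so the result can be checked: it generates the s1as key pair, signs the CSR, imports the CA into both stores before the signed reply, and then reads back the chain length and issuer with keytool. It assumes keytool and openssl are on PATH; the hostname, CA name and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Requires keytool (JDK) and openssl.
# HOST, CA_CN and all file names are placeholders chosen for this example.
set -eu

STOREPASS=changeit
HOST=sw-103.example.test        # placeholder for the HTTPS server name
CA_CN=ca-server.example.test    # placeholder for the private CA name

# Scratch CA: private key plus self-signed root cert (stands in for demoCA/).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$CA_CN" -keyout cakey.pem -out cacert.pem >/dev/null 2>&1
}

# Key pair -> CSR -> CA-signed cert; import the CA into keystore.jks and
# cacerts.jks FIRST so keytool can build the chain, then import the reply.
build_keystore() {
  keytool -genkeypair -alias s1as -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$HOST" -keystore keystore.jks \
    -storepass "$STOREPASS" -keypass "$STOREPASS"
  keytool -certreq -alias s1as -keystore keystore.jks \
    -storepass "$STOREPASS" -file server.csr
  openssl x509 -req -in server.csr -CA cacert.pem -CAkey cakey.pem \
    -CAcreateserial -days 365 -out signed-server.pem >/dev/null 2>&1
  keytool -importcert -noprompt -trustcacerts -alias private-ca \
    -file cacert.pem -keystore keystore.jks -storepass "$STOREPASS"
  keytool -importcert -noprompt -trustcacerts -alias private-ca \
    -file cacert.pem -keystore cacerts.jks -storepass "$STOREPASS"
  keytool -importcert -noprompt -alias s1as -file signed-server.pem \
    -keystore keystore.jks -storepass "$STOREPASS"
}

# Chain length stored under an alias: 2 means server cert + CA (the state the
# post describes as the issuer showing correctly), 1 means still self-signed.
chain_length() {
  keytool -list -v -keystore "$1" -storepass "$STOREPASS" -alias "$2" \
    | sed -n 's/^Certificate chain length: *//p'
}

# Issuer of the first certificate in the chain under an alias.
issuer_of() {
  keytool -list -v -keystore "$1" -storepass "$STOREPASS" -alias "$2" \
    | sed -n 's/^Issuer: *//p' | head -n 1
}

# Usage, in an empty scratch directory:
#   make_ca && build_keystore
#   chain_length keystore.jks s1as   (expect 2)
#   issuer_of keystore.jks s1as      (expect CN=$CA_CN)
```

If the CA import is skipped, the last importcert fails with a chain error or leaves the self-signed cert in place, which is the symptom the thread title describes.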