users@glassfish.java.net

SSL server cert question

From: Ka-Hung Wu <Karen.Wu_at_Sun.COM>
Date: Mon, 08 Mar 2010 09:52:00 -0800

Hi,

I was trying to set up a new server certificate on one of our demo servers, which has GlassFish (Sun GlassFish Enterprise Server v2.1.1 Patch01) installed. I got the production server certificate from the corp SSL Server site: https://wikis.sun.com/display/SunPKIstore/Corp+SSL+Server. However, after I installed the new cert, the .asadmintruststore file didn't get updated. According to the doc, I should be able to run any asadmin command to be prompted to accept the new cert, but none of the commands prompt me. Do you know what would cause this?

I used the following commands to install the new certificate:
# ./certutil -A -n TestSSLCert -t "P,u,u" -d /opt/glassfishv2/domains/domain1/config -i /export/home/aries-app-server.cert
# ./certutil -V -u V -d /opt/glassfishv2/domains/domain1/config -n TestSSLCert
certutil: certificate is valid
# ./certutil -L -n TestSSLCert -d /opt/glassfishv2/domains/domain1/config
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            34:36:00:30:55:0d:04:28:19:ab:43:94:8c:b2:3d:9d
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Sun Microsystems Inc SSL CA,OU=Class 3 MPKI Secure Server
             CA,OU=VeriSign Trust Network,O=Sun Microsystems Inc"
        Validity:
            Not Before: Tue Jan 05 00:00:00 2010
            Not After : Wed Jan 05 23:59:59 2011
        Subject: "CN=aries.demo.sun.com,OU=Class B,OU=Comms,O=Sun Microsystem
            s Inc.,L=Santa Clara,ST=California,C=US"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    fa:a9:d7:74:d9:58:ff:d7:d3:ee:76:1c:3a:ed:52:25:
                    14:3e:e9:f6:69:ec:41:e0:8f:fd:94:13:b2:fa:6b:77:
                    53:89:17:2b:1d:ca:f7:e0:64:b6:ec:f5:2c:0b:56:e3:
                    c1:ec:f1:a1:9e:85:37:69:eb:be:ed:f2:f2:8e:97:c5:
                    b7:2c:da:2b:27:36:e0:e8:8f:91:ab:aa:bc:95:fb:44:
                    0d:72:06:fc:2e:f8:cf:09:93:be:b5:00:7d:07:8e:c9:
                    c9:85:aa:91:96:10:ff:b5:e1:d5:23:9e:6a:cf:d6:28:
                    f4:2b:7f:ab:ee:19:60:36:6e:f8:52:d2:c9:44:af:f1
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Data: Is not a CA.

            Name: Certificate Subject Key ID
            Data:
                12:05:b6:2b:d4:97:44:6c:7e:23:88:4a:75:cc:69:ae:
                ff:e0:a0:26

            Name: Certificate Authority Key Identifier
            Key ID:
                d7:dd:5e:81:be:cf:5c:e3:dc:d2:f2:8d:ed:04:b8:ac:
                17:f9:01:fa

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Key Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate

            Name: Certificate Policies
            Data:
                Policy Name: Verisign Class 3 Certificate Policy
                    Policy Qualifier Name: PKIX CPS Pointer Qualifier
                    Policy Qualifier Data: "https://www.verisign.com/rpa"
                Policy Name: OID.2.16.840.1.113536.509.3647
                    Policy Qualifier Name: PKIX CPS Pointer Qualifier
                    Policy Qualifier Data: "https://www.sun.com/pki/cps"
                    Policy Qualifier Name: PKIX User Notice Qualifier
                        Display Text: "lidated For Sun Business Operations"

            Name: CRL Distribution Points
            URI: "http://SVRC3SecureSunMicrosystems-MPKI-crl.verisign.com/Sun
                MicrosystemsIncClassBUnified/LatestCRLSrv.crl"

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: "http://ocsp.verisign.com"

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        2f:13:e3:5a:5e:2d:ec:4e:c0:72:d0:e4:f6:09:61:85:
        e3:b6:76:03:00:df:d1:38:d5:91:e8:10:2a:50:d5:94:
        fa:ef:c2:bd:65:e7:fd:b9:2c:bf:3f:9a:77:32:b0:c6:
        f2:ac:83:37:58:53:15:65:2b:cd:b6:c3:ec:d1:56:7a:
        af:fa:cb:2e:7b:a8:78:7e:5b:20:f1:d1:0f:dd:ac:27:
        07:10:b2:c3:5a:e8:78:54:77:82:f2:31:49:ba:ce:76:
        39:da:7c:d6:0b:55:61:85:e6:4f:f8:9a:8a:8e:01:53:
        31:3a:86:fc:1a:e9:16:61:bf:33:6a:2b:6c:21:3d:a9:
        01:bf:e1:41:a8:91:8a:2f:d8:be:bc:91:d8:97:b3:d0:
        d9:79:9b:b9:45:eb:08:55:80:7d:06:e1:fd:32:1c:6b:
        e9:00:80:09:52:c1:f6:3f:c7:53:ea:c0:df:20:d2:fc:
        88:f8:64:0d:79:1b:ba:14:b2:fd:23:62:df:66:fe:c3:
        fa:1c:17:ad:38:96:15:e5:94:41:6f:71:2e:44:80:62:
        30:c4:b2:6f:4a:5c:41:e0:de:fb:c3:07:97:09:fe:86:
        14:63:c8:d1:ba:a1:76:6a:e5:79:e1:1b:c6:bf:12:f5:
        53:a0:54:8e:c0:33:21:37:88:df:ed:cd:fd:e9:47:07
    Fingerprint (MD5):
        F0:F4:22:3D:6D:47:C7:42:EB:6E:EE:F1:AA:11:48:78
    Fingerprint (SHA1):
        CE:F6:3F:FA:8D:09:2B:61:33:EC:7E:84:4B:65:4B:B1:92:7E:41:57

    Certificate Trust Flags:
        SSL Flags:
            Valid Peer
            Trusted
        Email Flags:
        Object Signing Flags:

Any help is appreciated. Thanks,
Karen