users@glassfish.java.net

Re: Add a self-signed certificate to a truststore.

From: Erwin Rehme <erwin.rehme_at_oracle.com>
Date: Tue, 16 Mar 2010 15:44:05 -0600

Shing Wai Chan wrote:
> On 3/16/10 8:38 AM, Erwin Rehme wrote:
>> Maybe I should restate what I'm trying to do and see if I'm even on
>> the right track.
>>
>> I have an application running in glassfish that needs to make http
>> and https requests to other servers. All I'm trying to do is give my
>> application certificates so that it can make https requests to other
>> servers. With the standalone version of glassfish I was able to just
>> import the remote server's certificate into the cacerts.jks file and
>> the https requests worked. However, my application will be deployed
>> using the Enterprise edition so I thought that importing the
>> certificate into the db should make it available to my application.
>> Is this not the case?
> Yes, you just need to import the certificate (without the private key).
> Shing Wai Chan
I don't see exactly how to do that. If I import using pk12util it looks
like the cert is added and also the private key.

If I import using 'certutil -A -t "u,u,u"...' the cert is added and not
the key but the cert is not valid. So, I'm back to my original problem.
If I use -t "P,," I get a valid cert but my https request fails. Is "P"
the right trust arg to use? It seems to be the only flag that gives me a
valid cert.
>>
>> -- Erwin
>>
>> Shing Wai Chan wrote:
>>> On 3/15/10 3:27 PM, Erwin Rehme wrote:
>>>> Thanks Shing,
>>>>
>>>> With the help of this web page I was able to get the certificate
>>>> into the db. Instead of using certutil to export the cert from the
>>>> server, I used pk12util. I was then able to import to my client app
>>>> server db using pk12util. This gave me a cert with "u,u,u" trust
>>>> attributes.
>>>>
>>>> Now my question is how do I get my .asadmintruststore updated with
>>>> this new cert? I tried deleting the .asadmintruststore file and
>>>> running an asadmin command but that only put the app server cert in
>>>> and not the new one.
>>> So, this means your admin listener is using the app server cert
>>> rather than your new cert.
>>> You may configure your listener to use your corresponding
>>> certificates for inbound
>>> as in my previous blog in GlassFish v2,
>>> http://blogs.sun.com/swchan/entry/multiple_private_keys_in_a
>>>
>>> Shing Wai Chan
>>>>
>>>> -- Erwin
>>>>
>>>> Shing Wai Chan wrote:
>>>>> You may like to read:
>>>>>
>>>>> http://developers.sun.com/appserver/reference/techart/keymgmt.html
>>>>> Shing Wai Chan
>>>>>
>>>>> On 3/15/10 10:08 AM, Erwin Rehme wrote:
>>>>>> I have some client code running in glassfish that needs to
>>>>>> connect to a
>>>>>> server using SSL. I have been given the .rfc file for the
>>>>>> self-signed
>>>>>> certificate of the server and I'm trying to add it to my
>>>>>> .asadmintruststore.
>>>>>>
>>>>>> The command:
>>>>>>
>>>>>> certutil -A -n SampleSSLServerCert -t "u,u,u" -d
>>>>>> /opt/SUNWappserver/domains/domain1/config/ -i
>>>>>> /SampleSSLServerCert.rfc
>>>>>>
>>>>>> adds the cert to the db but when I do:
>>>>>>
>>>>>> certutil -L -d /opt/SUNWappserver/domains/domain1/config
>>>>>>
>>>>>> I get:
>>>>>>
>>>>>> SampleSSLServerCert ,,
>>>>>>
>>>>>> and:
>>>>>>
>>>>>> certutil -V -u V -d /opt/SUNWappserver/domains/domain1/config -n
>>>>>> SampleSSLServerCert
>>>>>>
>>>>>> says that the cert is invalid.
>>>>>>
>>>>>> If I use -t "P,P,P", the certificate is valid but when I delete
>>>>>> .asadmintruststore and run:
>>>>>>
>>>>>> asadmin list-jms-hosts
>>>>>>
>>>>>> I get a prompt that asks me if I want to trust the app server
>>>>>> certificate but I don't get a prompt to trust the self-signed
>>>>>> certificate.
>>>>>>
>>>>>> Does the self-signed cert need to be added to the db using -t
>>>>>> "u,u,u"
>>>>>> and if so, how do I do that?
>>>>>>
>>>>>> If I can use -t "P,P,P" to get a valid cert into the db, how do I
>>>>>> get
>>>>>> that self-signed cert into .asadmintruststore?
>>>>>>
>>>>>> Thanks for your help.
>>>>>>
>>>>>> -- Erwin
>>>>>>
>>>>>>
>
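The check this thread keeps circling back to is whether the imported server certificate actually carries a trust flag in the SSL slot of the NSS database, and how to get the same certificate into the JKS truststore. The script below is an added example, not code from the original post, from Shing Wai Chan or from GlassFish: it parses a constructed sample of `certutil -L -d <dbdir>` output, classifies the SSL trust of a nickname, and builds the certutil and keytool commands for importing a certificate without its private key. The nickname, paths and truststore password it uses are placeholders, and treating .asadmintruststore as an ordinary JKS file that keytool can update is an assumption.

```python
"""Verify NSS trust flags after importing a peer certificate, and build the
matching certutil/keytool commands.

Added example, not code from the mailing-list thread or from GlassFish. The
listing below is a constructed sample of `certutil -L -d <dbdir>` output; the
nickname, paths and truststore password are placeholders.
"""
import re
import shlex

# Constructed sample of `certutil -L` output. Columns: nickname, then the
# trust attributes for SSL, S/MIME and JAR/XPI separated by commas.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

s1as                                                         u,u,u
SampleSSLServerCert                                          ,,
OtherServerCert                                              P,,
"""

# One regex per listing row: nickname, whitespace, three comma-separated
# trust-flag groups using the letters certutil prints (p/P peer, c/C/T CA,
# u user cert with private key).
ROW_RE = re.compile(r"^(.*?)\s+([pPcCTu]*),([pPcCTu]*),([pPcCTu]*)\s*$")


def parse_certutil_listing(text):
    """Map nickname -> (ssl_flags, smime_flags, jar_flags) from `certutil -L`."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            certs[m.group(1)] = (m.group(2), m.group(3), m.group(4))
    return certs


def ssl_trust_status(text, nickname):
    """Classify how the SSL slot of `nickname` behaves for outbound TLS.

    'u' is not a trust decision: certutil shows it only when the db holds the
    matching private key, so a remote server's cert imported with -t "u,u,u"
    is listed as ",," and is not trusted. 'P' (trusted peer) or 'C' (trusted
    CA for issuing server certs) is what makes the SSL slot trust the cert.
    """
    certs = parse_certutil_listing(text)
    if nickname not in certs:
        return "missing"
    ssl_flags = certs[nickname][0]
    if "P" in ssl_flags or "C" in ssl_flags:
        return "trusted"
    if "u" in ssl_flags:
        return "own-key-only"
    return "untrusted"


def import_commands(nickname, pem_path, db_dir, jks_path, jks_password):
    """Shell commands to add a peer cert (no private key) to both stores.

    certutil -A with "P,," imports only the certificate and marks it a trusted
    SSL peer; -V -u V confirms NSS accepts it for server validation. The
    keytool line adds the same PEM to a JKS truststore (assumption: the file
    named here is a plain JKS that keytool may update).
    """
    q = shlex.quote
    return [
        f"certutil -A -n {q(nickname)} -t 'P,,' -d {q(db_dir)} -i {q(pem_path)}",
        f"certutil -V -u V -d {q(db_dir)} -n {q(nickname)}",
        f"keytool -importcert -noprompt -alias {q(nickname)} -file {q(pem_path)} "
        f"-keystore {q(jks_path)} -storepass {q(jks_password)}",
    ]


if __name__ == "__main__":
    for nick in ("s1as", "SampleSSLServerCert", "OtherServerCert", "Nope"):
        print(f"{nick}: {ssl_trust_status(SAMPLE_LISTING, nick)}")
    print("\n".join(import_commands(
        "SampleSSLServerCert", "/SampleSSLServerCert.rfc",
        "/opt/SUNWappserver/domains/domain1/config",
        "/PLACEHOLDER_HOME/.asadmintruststore", "PLACEHOLDER_PASSWORD")))
```

Run against a real database by piping `certutil -L -d <dbdir>` into `ssl_trust_status`; a result of "own-key-only" or "untrusted" for the remote server's nickname means the import did not set peer trust, which is the symptom described above with "u,u,u".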