users@glassfish.java.net

Re: Add a self-signed certificate to a truststore.

From: Shing Wai Chan <Shing-Wai.Chan_at_Sun.COM>
Date: Tue, 16 Mar 2010 14:57:32 -0700

On 3/16/10 2:44 PM, Erwin Rehme wrote:
>
>
> Shing Wai Chan wrote:
>> On 3/16/10 8:38 AM, Erwin Rehme wrote:
>>> Maybe I should restate what I'm trying to do and see if I'm even on
>>> the right track.
>>>
>>> I have an application running in glassfish that needs to make http
>>> and https requests to other servers. All I'm trying to do is give my
>>> application certificates so that it can make https requests to other
>>> servers. With the standalone version of glassfish I was able to just
>>> import the remote server's certificate into the cacerts.jks file and
>>> the https requests worked. However, my application will be deployed
>>> using the Enterprise edition so I thought that importing the
>>> certificate into the db should make it available to my application.
>>> Is this not the case?
>> Yes, you just need to import the certificate (without the private key).
>> Shing Wai Chan
> I don't see exactly how to do that. If I import using pk12util it
> looks like the cert is added and also the private key.
yes.
>
> If I import using 'certutil -A -t "u,u,u"...' the cert is added and
> not the key but the cert is not valid. So, I'm back to my original
> problem. If I use -t "P,," I get a valid cert but my https request
> fails. Is "P" the right trust arg to use? It seems to be the only flag
> that gives me a valid cert.
Have you tried "T,c,c"?
>>>
>>> -- Erwin
>>>
>>> Shing Wai Chan wrote:
>>>> On 3/15/10 3:27 PM, Erwin Rehme wrote:
>>>>> Thanks Shing,
>>>>>
>>>>> With the help of this web page I was able to get the certificate
>>>>> into the db. Instead of using certutil to export the cert from the
>>>>> server, I used pk12util. I was then able to import to my client
>>>>> app server db using pk12util. This gave me a cert with "u,u,u"
>>>>> trust attributes.
>>>>>
>>>>> Now my question is how do I get my .asadmintruststore updated with
>>>>> this new cert? I tried deleting the .asadmintruststore file and
>>>>> running an asadmin command but that only put the app server cert
>>>>> in and not the new one.
>>>> So, this means your admin listener is using the app server cert
>>>> rather than your new cert.
>>>> You may configure your listener to use your corresponding
>>>> certificates for inbound
>>>> as in my previous blog in GlassFish v2,
>>>> http://blogs.sun.com/swchan/entry/multiple_private_keys_in_a
>>>>
>>>> Shing Wai Chan
>>>>>
>>>>> -- Erwin
>>>>>
>>>>> Shing Wai Chan wrote:
>>>>>> You may like to read:
>>>>>>
>>>>>> http://developers.sun.com/appserver/reference/techart/keymgmt.html
>>>>>> Shing Wai Chan
>>>>>>
>>>>>> On 3/15/10 10:08 AM, Erwin Rehme wrote:
>>>>>>> I have some client code running in glassfish that needs to
>>>>>>> connect to a
>>>>>>> server using SSL. I have been given the .rfc file for the
>>>>>>> self-signed
>>>>>>> certificate of the server and I'm trying to add it to my
>>>>>>> .asadmintruststore.
>>>>>>>
>>>>>>> The command:
>>>>>>>
>>>>>>> certutil -A -n SampleSSLServerCert -t "u,u,u" -d
>>>>>>> /opt/SUNWappserver/domains/domain1/config/ -i
>>>>>>> /SampleSSLServerCert.rfc
>>>>>>>
>>>>>>> adds the cert to the db but when I do:
>>>>>>>
>>>>>>> certutil -L -d /opt/SUNWappserver/domains/domain1/config
>>>>>>>
>>>>>>> I get:
>>>>>>>
>>>>>>> SampleSSLServerCert ,,
>>>>>>>
>>>>>>> and:
>>>>>>>
>>>>>>> certutil -V -u V -d /opt/SUNWappserver/domains/domain1/config -n
>>>>>>> SampleSSLServerCert
>>>>>>>
>>>>>>> says that the cert is invalid.
>>>>>>>
>>>>>>> If I use -t "P,P,P", the certificate is valid but when I delete
>>>>>>> .asadmintruststore and run:
>>>>>>>
>>>>>>> asadmin list-jms-hosts
>>>>>>>
>>>>>>> I get a prompt that asks me if I want to trust the app server
>>>>>>> certificate but I don't get a prompt to trust the self-signed
>>>>>>> certificate.
>>>>>>>
>>>>>>> Does the self-signed cert need to be added to the db using -t
>>>>>>> "u,u,u"
>>>>>>> and if so, how do I do that?
>>>>>>>
>>>>>>> If I can use -t "P,P,P" to get a valid cert into the db, how do
>>>>>>> I get
>>>>>>> that self-signed cert into .asadmintruststore?
>>>>>>>
>>>>>>> Thanks for your help.
>>>>>>>
>>>>>>> -- Erwin
>>>>>>>
>>>>>>>
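The thread turns on what the three-slot NSS trust string (SSL, S/MIME, object signing) that certutil -L prints actually means, and on the difference between importing a remote server's certificate as a trust anchor and importing its certificate plus private key with pk12util, which yields "u,u,u". The following is an added example, not code from the thread or from GlassFish: a small Python script that parses a certutil -L listing, decodes each slot's flags using the meanings from certutil's own documentation, and reports the two things a reviewer of a client-side NSS database would check, namely whether an entry carries a private key and whether its SSL slot grants trust for server verification. The listing it parses is constructed, and the nicknames in it (other than SampleSSLServerCert and s1as, which appear in the thread or are GlassFish's default alias) are invented for illustration.

```python
"""Decode and audit the trust attributes in a certutil -L listing.

Added example, not from the thread. Assumes the listing has certutil's
usual shape: a nickname, whitespace, then a trust string "SSL,S/MIME,JAR/XPI".
"""
import re

# Constructed sample listing (not real output from any server).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

SampleSSLServerCert                                          ,,
RemoteServerImportedWithPk12util                             u,u,u
RemoteServerAsPeer                                           P,,
RemoteServerAsCA                                             CT,c,c
s1as                                                         u,u,u
"""

# Flag meanings as documented for certutil -t.
FLAG_MEANING = {
    "p": "valid peer",
    "P": "trusted peer (implies p)",
    "c": "valid CA",
    "T": "trusted CA to issue client certs (implies c)",
    "C": "trusted CA to issue server certs (implies c)",
    "u": "user cert: the private key is in this database",
}

SLOT_NAMES = ("SSL", "S/MIME", "object signing")

# A data line: nickname, whitespace, three comma-separated flag groups at end of line.
_LINE_RE = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[pPcCTu]*,[pPcCTu]*,[pPcCTu]*)\s*$")


def parse_listing(text):
    """Map nickname -> (ssl, smime, objsign) trust strings; header lines are skipped."""
    certs = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs


def describe(flags):
    """Human-readable meaning of one slot's flags; an empty slot means no trust."""
    if not flags:
        return ["no trust (certificate is stored but not trusted)"]
    return [FLAG_MEANING.get(f, f"unknown flag {f!r}") for f in flags]


def trusted_for_server_auth(ssl_flags):
    """True if the SSL slot trusts this cert as a server peer or as a CA for server certs."""
    return "P" in ssl_flags or "C" in ssl_flags


def has_private_key(trust):
    """True if any slot carries 'u', i.e. the private key was imported alongside the cert."""
    return any("u" in slot for slot in trust)


def audit(text):
    """Findings for each entry: private key present, not trusted for HTTPS, or ok."""
    findings = []
    for nick, trust in parse_listing(text).items():
        ssl_flags = trust[0]
        if has_private_key(trust):
            findings.append((nick, "private key present: fine for this server's own identity, "
                                   "but a remote server's key should never be imported here"))
        elif not trusted_for_server_auth(ssl_flags):
            findings.append((nick, f"SSL slot {ssl_flags!r}: not trusted for server auth, "
                                   "HTTPS to this peer will fail verification"))
        else:
            findings.append((nick, f"SSL slot {ssl_flags!r}: ok for verifying that server"))
    return findings


if __name__ == "__main__":
    for nick, trust in parse_listing(SAMPLE_LISTING).items():
        print(nick)
        for name, flags in zip(SLOT_NAMES, trust):
            print(f"  {name:15s} {flags or '(none)':6s} {'; '.join(describe(flags))}")
    print()
    for nick, finding in audit(SAMPLE_LISTING):
        print(f"{nick}: {finding}")
```

To run it against a real database, pipe the output of certutil -L -d <dbdir> into parse_listing instead of SAMPLE_LISTING; the regex ignores the two header lines certutil prints. The audit deliberately treats a "u" entry as a separate finding rather than as a trust problem, because an entry with the private key present is the server's own identity (as s1as is in GlassFish) and should not be how a remote server's certificate ends up in a client's database.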