users@glassfish.java.net

Re: Add a self-signed certificate to a truststore.

From: Erwin Rehme <erwin.rehme_at_oracle.com>
Date: Tue, 16 Mar 2010 17:00:09 -0600

Shing Wai Chan wrote:
> On 3/16/10 2:44 PM, Erwin Rehme wrote:
>>
>>
>> Shing Wai Chan wrote:
>>> On 3/16/10 8:38 AM, Erwin Rehme wrote:
>>>> Maybe I should restate what I'm trying to do and see if I'm even on
>>>> the right track.
>>>>
>>>> I have an application running in glassfish that needs to make http
>>>> and https requests to other servers. All I'm trying to do is give
>>>> my application certificates so that it can make https requests to
>>>> other servers. With the standalone version of glassfish I was able
>>>> to just import the remote server's certificate into the cacerts.jks
>>>> file and the https requests worked. However, my application will be
>>>> deployed using the Enterprise edition so I thought that importing
>>>> the certificate into the db should make it available to my
>>>> application. Is this not the case?
>>> Yes, you just need to import the certificate (without the private key).
>>> Shing Wai Chan
>> I don't see exactly how to do that. If I import using pk12util it
>> looks like the cert is added and also the private key.
> yes.
>>
>> If I import using 'certutil -A -t "u,u,u"...' the cert is added and
>> not the key but the cert is not valid. So, I'm back to my original
>> problem. If I use -t "P,," I get a valid cert but my https request
>> fails. Is "P" the right trust arg to use? It seems to be the only
>> flag that gives me a valid cert.
> Have you tried "T,c,c"?
The validity check says "Peer's Certificate issuer is not recognized."
Does this mean that the original cert was generated incorrectly?
>>>>
>>>> -- Erwin
>>>>
>>>> Shing Wai Chan wrote:
>>>>> On 3/15/10 3:27 PM, Erwin Rehme wrote:
>>>>>> Thanks Shing,
>>>>>>
>>>>>> With the help of this web page I was able to get the certificate
>>>>>> into the db. Instead of using certutil to export the cert from
>>>>>> the server, I used pk12util. I was then able to import to my
>>>>>> client app server db using pk12util. This gave me a cert with
>>>>>> "u,u,u" trust attributes.
>>>>>>
>>>>>> Now my question is how do I get my .asadmintruststore updated
>>>>>> with this new cert? I tried deleting the .asadmintruststore file
>>>>>> and running an asadmin command but that only put the app server
>>>>>> cert in and not the new one.
>>>>> So, this means your admin listener is using the app server cert
>>>>> rather than your new cert.
>>>>> You may configure your listener to use your corresponding
>>>>> certificates for inbound
>>>>> as in my previous blog in GlassFish v2,
>>>>> http://blogs.sun.com/swchan/entry/multiple_private_keys_in_a
>>>>>
>>>>> Shing Wai Chan
>>>>>>
>>>>>> -- Erwin
>>>>>>
>>>>>> Shing Wai Chan wrote:
>>>>>>> You may like to read:
>>>>>>>
>>>>>>> http://developers.sun.com/appserver/reference/techart/keymgmt.html
>>>>>>> Shing Wai Chan
>>>>>>>
>>>>>>> On 3/15/10 10:08 AM, Erwin Rehme wrote:
>>>>>>>> I have some client code running in glassfish that needs to
>>>>>>>> connect to a
>>>>>>>> server using SSL. I have been given the .rfc file for the
>>>>>>>> self-signed
>>>>>>>> certificate of the server and I'm trying to add it to my
>>>>>>>> .asadmintruststore.
>>>>>>>>
>>>>>>>> The command:
>>>>>>>>
>>>>>>>> certutil -A -n SampleSSLServerCert -t "u,u,u" -d
>>>>>>>> /opt/SUNWappserver/domains/domain1/config/ -i
>>>>>>>> /SampleSSLServerCert.rfc
>>>>>>>>
>>>>>>>> adds the cert to the db but when I do:
>>>>>>>>
>>>>>>>> certutil -L -d /opt/SUNWappserver/domains/domain1/config
>>>>>>>>
>>>>>>>> I get:
>>>>>>>>
>>>>>>>> SampleSSLServerCert ,,
>>>>>>>>
>>>>>>>> and:
>>>>>>>>
>>>>>>>> certutil -V -u V -d /opt/SUNWappserver/domains/domain1/config -n
>>>>>>>> SampleSSLServerCert
>>>>>>>>
>>>>>>>> says that the cert is invalid.
>>>>>>>>
>>>>>>>> If I use -t "P,P,P", the certificate is valid but when I delete
>>>>>>>> .asadmintruststore and run:
>>>>>>>>
>>>>>>>> asadmin list-jms-hosts
>>>>>>>>
>>>>>>>> I get a prompt that asks me if I want to trust the app server
>>>>>>>> certificate but I don't get a prompt to trust the self-signed
>>>>>>>> certificate.
>>>>>>>>
>>>>>>>> Does the self-signed cert need to be added to the db using -t
>>>>>>>> "u,u,u"
>>>>>>>> and if so, how do I do that?
>>>>>>>>
>>>>>>>> If I can use -t "P,P,P" to get a valid cert into the db, how do
>>>>>>>> I get
>>>>>>>> that self-signed cert into .asadmintruststore?
>>>>>>>>
>>>>>>>> Thanks for your help.
>>>>>>>>
>>>>>>>> -- Erwin
>>>>>>>>
>>>>>>>>
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
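The thread turns on what the NSS trust-flag strings passed to `certutil -t` actually mean, and on why a certificate-only import with `-t "u,u,u"` shows up as `,,` and fails `certutil -V -u V`. The script below is an added example, not code from the thread, from GlassFish or from NSS: it decodes the three trust columns according to the certutil man page, reads the trust column for a nickname out of `certutil -L` style output, and predicts whether an SSL-server validity check can pass from the stored flags alone. `DBDIR` and `NICK` are the placeholder values quoted in the thread; the listing, the `exampleServerCert` nickname and the `/path/to/...` input file are constructed for the example. The real `certutil` commands are only printed, and the live listing is only run when `certutil` and the database directory exist.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, GlassFish or NSS).
# Decodes NSS certutil trust flags and inspects a certutil -L listing so the
# ",," / "u,u,u" / "P,," results discussed in the thread can be read offline.
# DBDIR and NICK are the thread's placeholder values; SAMPLE_LISTING is constructed.

DBDIR="/opt/SUNWappserver/domains/domain1/config"
NICK="SampleSSLServerCert"

# Meaning of the letters in one trust column, per the certutil man page.
decode_column() {
    case "$1" in
        "")    echo "no explicit trust (valid only if its issuer chains to a trusted CA)" ;;
        *u*)   echo "user certificate (NSS sets this only when the private key is in the key DB)" ;;
        *P*)   echo "trusted peer (the certificate itself is trusted; no issuer lookup)" ;;
        *C*T*) echo "trusted CA for server and client certificates" ;;
        *C*)   echo "trusted CA to issue server certificates" ;;
        *T*)   echo "trusted CA to issue client certificates" ;;
        *c*)   echo "valid CA, not explicitly trusted" ;;
        *p*)   echo "explicitly not trusted" ;;
        *)     echo "unknown flags: $1" ;;
    esac
}

# Split "ssl,email,objsign" and explain each column on its own line.
decode_trust() {
    flags="$1"
    case "$flags" in *,*) ;; *) flags="$flags,," ;; esac   # tolerate a bare "P"
    ssl="${flags%%,*}"; rest="${flags#*,}"
    email="${rest%%,*}"; objsign="${rest#*,}"
    echo "SSL: $(decode_column "$ssl")"
    echo "E-mail: $(decode_column "$email")"
    echo "Object signing: $(decode_column "$objsign")"
}

# Pull the trust column for one nickname out of certutil -L style output.
# Assumes nicknames without embedded spaces, as in the thread.
trust_of() {
    printf '%s\n' "$1" | awk -v n="$2" \
        '$1 == n { print $NF; found = 1 } END { if (!found) print "(absent)" }'
}

# Predict from the SSL column whether "certutil -V -u V" (SSL server usage)
# can succeed for a self-signed server cert. Prints a reason; exit 0 = ok.
check_server_trust() {
    flags="$1"
    case "$flags" in *,*) ;; *) flags="$flags,," ;; esac
    ssl="${flags%%,*}"
    case "$ssl" in
        *P*|*C*) echo "ok: SSL column '$ssl' trusts the cert itself or it as a server CA"; return 0 ;;
        "")      echo "not trusted: no SSL trust stored (u is derived from a private key, so a cert-only import with -t u,u,u ends up as ,,)"; return 1 ;;
        *)       echo "not trusted for SSL servers: '$ssl' (needs P = trusted peer or C = trusted server CA)"; return 1 ;;
    esac
}

# The commands for the real database, built as strings so they can be shown.
import_cmd() { printf 'certutil -A -n %s -t "%s" -d %s -i %s\n' "$NICK" "$1" "$DBDIR" "$2"; }
verify_cmd() { printf 'certutil -V -u V -d %s -n %s\n' "$DBDIR" "$NICK"; }

# Constructed certutil -L output shaped like the one quoted in the thread.
SAMPLE_LISTING='Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

SampleSSLServerCert                             ,,
exampleServerCert                               u,u,u'

for f in "u,u,u" "P,," "T,c,c" "CT,c,c"; do
    echo "== -t \"$f\""; decode_trust "$f"; check_server_trust "$f" || true
done
listed="$(trust_of "$SAMPLE_LISTING" "$NICK")"
echo "== listing shows $NICK with trust '$listed'"
check_server_trust "$listed" || true
echo "== commands for the real database"
import_cmd "P,," /path/to/SampleSSLServerCert.rfc   # placeholder input path
verify_cmd
if command -v certutil >/dev/null 2>&1 && [ -d "$DBDIR" ]; then
    certutil -L -d "$DBDIR"      # real listing, only when the DB is present
fi
```

The decoder follows the certutil man page: `u` is not stored trust but is derived from a private key being present in the key database, which is why the `-t "u,u,u"` import in the thread listed as `,,`; `P` trusts the certificate as a peer, `C` trusts it as a CA for server certificates, and `T` trusts it as a CA for client certificates only, so `T,c,c` is not enough for an `-u V` (SSL server) check. Note that `certutil -V` only reports what the NSS database trusts; whether the application's outbound HTTPS client consults that database or a JKS truststore such as the cacerts.jks mentioned earlier in the thread is a separate question the thread leaves open.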