users@glassfish.java.net

Re: Add a self-signed certificate to a truststore.

From: Shing Wai Chan <Shing-Wai.Chan_at_Sun.COM>
Date: Tue, 16 Mar 2010 16:41:46 -0700

The corresponding CA is not recognized.
Is it a self-signed cert?
You can try "TC,c,c".
Shing Wai Chan

On 3/16/10 4:00 PM, Erwin Rehme wrote:
>
>
> Shing Wai Chan wrote:
>> On 3/16/10 2:44 PM, Erwin Rehme wrote:
>>>
>>>
>>> Shing Wai Chan wrote:
>>>> On 3/16/10 8:38 AM, Erwin Rehme wrote:
>>>>> Maybe I should restate what I'm trying to do and see if I'm even
>>>>> on the right track.
>>>>>
>>>>> I have an application running in glassfish that needs to make http
>>>>> and https requests to other servers. All I'm trying to do is give
>>>>> my application certificates so that it can make https requests to
>>>>> other servers. With the standalone version of glassfish I was able
>>>>> to just import the remote server's certificate into the
>>>>> cacerts.jks file and the https requests worked. However, my
>>>>> application will be deployed using the Enterprise edition so I
>>>>> thought that importing the certificate into the db should make it
>>>>> available to my application. Is this not the case?
>>>> Yes, you just need to import the certificate (without the private
>>>> key).
>>>> Shing Wai Chan
>>> I don't see exactly how to do that. If I import using pk12util it
>>> looks like the cert is added and also the private key.
>> yes.
>>>
>>> If I import using 'certutil -A -t "u,u,u"...' the cert is added and
>>> not the key but the cert is not valid. So, I'm back to my original
>>> problem. If I use -t "P,," I get a valid cert but my https request
>>> fails. Is "P" the right trust arg to use? It seems to be the only
>>> flag that gives me a valid cert.
>> Have you tried "T,c,c"?
> The validity check says "Peer's Certificate issuer is not
> recognized.". Does this mean that the original cert was generated
> incorrectly?
>>>>>
>>>>> -- Erwin
>>>>>
>>>>> Shing Wai Chan wrote:
>>>>>> On 3/15/10 3:27 PM, Erwin Rehme wrote:
>>>>>>> Thanks Shing,
>>>>>>>
>>>>>>> With the help of this web page I was able to get the certificate
>>>>>>> into the db. Instead of using certutil to export the cert from
>>>>>>> the server, I used pk12util. I was then able to import to my
>>>>>>> client app server db using pk12util. This gave me a cert with
>>>>>>> "u,u,u" trust attributes.
>>>>>>>
>>>>>>> Now my question is how do I get my .asadmintruststore updated
>>>>>>> with this new cert? I tried deleting the .asadmintruststore file
>>>>>>> and running an asadmin command but that only put the app server
>>>>>>> cert in and not the new one.
>>>>>> So, this means your admin listener is using the app server cert
>>>>>> rather than your new cert.
>>>>>> You may configure your listener to use your corresponding
>>>>>> certificates for inbound
>>>>>> as in my previous blog in GlassFish v2,
>>>>>> http://blogs.sun.com/swchan/entry/multiple_private_keys_in_a
>>>>>>
>>>>>> Shing Wai Chan
>>>>>>>
>>>>>>> -- Erwin
>>>>>>>
>>>>>>> Shing Wai Chan wrote:
>>>>>>>> You may like to read:
>>>>>>>>
>>>>>>>> http://developers.sun.com/appserver/reference/techart/keymgmt.html
>>>>>>>> Shing Wai Chan
>>>>>>>>
>>>>>>>> On 3/15/10 10:08 AM, Erwin Rehme wrote:
>>>>>>>>> I have some client code running in glassfish that needs to
>>>>>>>>> connect to a
>>>>>>>>> server using SSL. I have been given the .rfc file for the
>>>>>>>>> self-signed
>>>>>>>>> certificate of the server and I'm trying to add it to my
>>>>>>>>> .asadmintruststore.
>>>>>>>>>
>>>>>>>>> The command:
>>>>>>>>>
>>>>>>>>> certutil -A -n SampleSSLServerCert -t "u,u,u" -d
>>>>>>>>> /opt/SUNWappserver/domains/domain1/config/ -i
>>>>>>>>> /SampleSSLServerCert.rfc
>>>>>>>>>
>>>>>>>>> adds the cert to the db but when I do:
>>>>>>>>>
>>>>>>>>> certutil -L -d /opt/SUNWappserver/domains/domain1/config
>>>>>>>>>
>>>>>>>>> I get:
>>>>>>>>>
>>>>>>>>> SampleSSLServerCert ,,
>>>>>>>>>
>>>>>>>>> and:
>>>>>>>>>
>>>>>>>>> certutil -V -u V -d /opt/SUNWappserver/domains/domain1/config -n
>>>>>>>>> SampleSSLServerCert
>>>>>>>>>
>>>>>>>>> says that the cert is invalid.
>>>>>>>>>
>>>>>>>>> If I use -t "P,P,P", the certificate is valid but when I delete
>>>>>>>>> .asadmintruststore and run:
>>>>>>>>>
>>>>>>>>> asadmin list-jms-hosts
>>>>>>>>>
>>>>>>>>> I get a prompt that asks me if I want to trust the app server
>>>>>>>>> certificate but I don't get a prompt to trust the self-signed
>>>>>>>>> certificate.
>>>>>>>>>
>>>>>>>>> Does the self-signed cert need to be added to the db using -t
>>>>>>>>> "u,u,u"
>>>>>>>>> and if so, how do I do that?
>>>>>>>>>
>>>>>>>>> If I can use -t "P,P,P" to get a valid cert into the db, how
>>>>>>>>> do I get
>>>>>>>>> that self-signed cert into .asadmintruststore?
>>>>>>>>>
>>>>>>>>> Thanks for your help.
>>>>>>>>>
>>>>>>>>> -- Erwin
>>>>>>>>>
>>>>>>>>>
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>>
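As an added example that is not part of the thread (and not GlassFish or NSS code): a small Python decoder for the certutil trust-attribute strings the thread argues over ("u,u,u", "P,,", "T,c,c", "TC,c,c"), with flag meanings taken from the certutil manual page; the category labels and helper names are my own.

```python
# Added example, not from the mailing-list thread: decode NSS/certutil
# trust-attribute strings ("SSL,email,object-signing") and say whether the
# SSL field would let a self-signed server cert be trusted as a TLS peer.
FLAG_MEANING = {  # flag letters as documented in the certutil man page
    "p": "valid peer",
    "P": "trusted peer (implies p)",
    "c": "valid CA",
    "C": "trusted CA (implies c)",
    "T": "trusted CA for client authentication (SSL field)",
    "u": "user certificate (private key present in the database)",
    "w": "send warning when the certificate is used",
}
CATEGORIES = ("SSL", "email", "object signing")  # order of the three fields


def parse_trust(trust: str) -> dict:
    """Split 'SSL,email,objsign' into a set of flags per category.

    Raises ValueError on a wrong field count or an unknown letter, so a
    typo such as "u,u" or "X,," is caught before certutil is ever run.
    """
    fields = trust.split(",")
    if len(fields) != 3:
        raise ValueError(f"expected 3 comma-separated fields, got {trust!r}")
    parsed = {}
    for category, field in zip(CATEGORIES, fields):
        flags = set(field)
        unknown = flags - set(FLAG_MEANING)
        if unknown:
            raise ValueError(f"unknown flag(s) {sorted(unknown)} in {category}")
        parsed[category] = flags
    return parsed


def ssl_peer_trusted(trust: str) -> bool:
    """True if the SSL field marks the cert as a trusted peer (P) or CA (C).

    A self-signed server cert is its own issuer, so one of P or C is needed
    in the SSL field; "u" only records that a private key is present and
    grants no trust, which is why "u,u,u" still verifies as invalid.
    """
    return bool(parse_trust(trust)["SSL"] & {"P", "C"})


def explain(trust: str) -> str:
    """One human-readable line per category, e.g. for a review checklist."""
    lines = []
    for category, flags in parse_trust(trust).items():
        desc = ", ".join(FLAG_MEANING[f] for f in sorted(flags)) or "no trust"
        lines.append(f"{category}: {desc}")
    return "\n".join(lines)
```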