users@glassfish.java.net

Re: Add a self-signed certificate to a truststore.

From: Erwin Rehme <erwin.rehme_at_oracle.com>
Date: Wed, 17 Mar 2010 07:37:32 -0600

Shing Wai Chan wrote:
> The corresponding CA is not recognized.
> Is it a self-signed cert?
Yes
> You can try "TC,c,c".
Same results.
> Shing Wai Chan
>
> On 3/16/10 4:00 PM, Erwin Rehme wrote:
>>
>>
>> Shing Wai Chan wrote:
>>> On 3/16/10 2:44 PM, Erwin Rehme wrote:
>>>>
>>>>
>>>> Shing Wai Chan wrote:
>>>>> On 3/16/10 8:38 AM, Erwin Rehme wrote:
>>>>>> Maybe I should restate what I'm trying to do and see if I'm even
>>>>>> on the right track.
>>>>>>
>>>>>> I have an application running in glassfish that needs to make
>>>>>> http and https requests to other servers. All I'm trying to do is
>>>>>> give my application certificates so that it can make https
>>>>>> requests to other servers. With the standalone version of
>>>>>> glassfish I was able to just import the remote server's
>>>>>> certificate into the cacerts.jks file and the https requests
>>>>>> worked. However, my application will be deployed using the
>>>>>> Enterprise edition so I thought that importing the certificate
>>>>>> into the db should make it available to my application. Is this
>>>>>> not the case?
>>>>> Yes, you just need to import the certificate (without the private
>>>>> key).
>>>>> Shing Wai Chan
>>>> I don't see exactly how to do that. If I import using pk12util it
>>>> looks like the cert is added and also the private key.
>>> yes.
>>>>
>>>> If I import using 'certutil -A -t "u,u,u"...' the cert is added and
>>>> not the key but the cert is not valid. So, I'm back to my original
>>>> problem. If I use -t "P,," I get a valid cert but my https request
>>>> fails. Is "P" the right trust arg to use? It seems to be the only
>>>> flag that gives me a valid cert.
>>> Have you tried "T,c,c"?
>> The validity check says "Peer's Certificate issuer is not
>> recognized." Does this mean that the original cert was generated
>> incorrectly?
>>>>>>
>>>>>> -- Erwin
>>>>>>
>>>>>> Shing Wai Chan wrote:
>>>>>>> On 3/15/10 3:27 PM, Erwin Rehme wrote:
>>>>>>>> Thanks Shing,
>>>>>>>>
>>>>>>>> With the help of this web page I was able to get the
>>>>>>>> certificate into the db. Instead of using certutil to export
>>>>>>>> the cert from the server, I used pk12util. I was then able to
>>>>>>>> import to my client app server db using pk12util. This gave me
>>>>>>>> a cert with "u,u,u" trust attributes.
>>>>>>>>
>>>>>>>> Now my question is how do I get my .asadmintruststore updated
>>>>>>>> with this new cert? I tried deleting the .asadmintruststore
>>>>>>>> file and running an asadmin command but that only put the app
>>>>>>>> server cert in and not the new one.
>>>>>>> So, this means your admin listener is using the app server cert
>>>>>>> rather than your new cert.
>>>>>>> You may configure your listener to use your corresponding
>>>>>>> certificates for inbound
>>>>>>> as in my previous blog in GlassFish v2,
>>>>>>> http://blogs.sun.com/swchan/entry/multiple_private_keys_in_a
>>>>>>>
>>>>>>> Shing Wai Chan
>>>>>>>>
>>>>>>>> -- Erwin
>>>>>>>>
>>>>>>>> Shing Wai Chan wrote:
>>>>>>>>> You may like to read:
>>>>>>>>>
>>>>>>>>> http://developers.sun.com/appserver/reference/techart/keymgmt.html
>>>>>>>>>
>>>>>>>>> Shing Wai Chan
>>>>>>>>>
>>>>>>>>> On 3/15/10 10:08 AM, Erwin Rehme wrote:
>>>>>>>>>> I have some client code running in glassfish that needs to
>>>>>>>>>> connect to a
>>>>>>>>>> server using SSL. I have been given the .rfc file for the
>>>>>>>>>> self-signed
>>>>>>>>>> certificate of the server and I'm trying to add it to my
>>>>>>>>>> .asadmintruststore.
>>>>>>>>>>
>>>>>>>>>> The command:
>>>>>>>>>>
>>>>>>>>>> certutil -A -n SampleSSLServerCert -t "u,u,u" -d
>>>>>>>>>> /opt/SUNWappserver/domains/domain1/config/ -i
>>>>>>>>>> /SampleSSLServerCert.rfc
>>>>>>>>>>
>>>>>>>>>> adds the cert to the db but when I do:
>>>>>>>>>>
>>>>>>>>>> certutil -L -d /opt/SUNWappserver/domains/domain1/config
>>>>>>>>>>
>>>>>>>>>> I get:
>>>>>>>>>>
>>>>>>>>>> SampleSSLServerCert ,,
>>>>>>>>>>
>>>>>>>>>> and:
>>>>>>>>>>
>>>>>>>>>> certutil -V -u V -d
>>>>>>>>>> /opt/SUNWappserver/domains/domain1/config -n
>>>>>>>>>> SampleSSLServerCert
>>>>>>>>>>
>>>>>>>>>> says that the cert is invalid.
>>>>>>>>>>
>>>>>>>>>> If I use -t "P,P,P", the certificate is valid but when I delete
>>>>>>>>>> .asadmintruststore and run:
>>>>>>>>>>
>>>>>>>>>> asadmin list-jms-hosts
>>>>>>>>>>
>>>>>>>>>> I get a prompt that asks me if I want to trust the app server
>>>>>>>>>> certificate but I don't get a prompt to trust the self-signed
>>>>>>>>>> certificate.
>>>>>>>>>>
>>>>>>>>>> Does the self-signed cert need to be added to the db using -t
>>>>>>>>>> "u,u,u"
>>>>>>>>>> and if so, how do I do that?
>>>>>>>>>>
>>>>>>>>>> If I can use -t "P,P,P" to get a valid cert into the db, how
>>>>>>>>>> do I get
>>>>>>>>>> that self-signed cert into .asadmintruststore?
>>>>>>>>>>
>>>>>>>>>> Thanks for your help.
>>>>>>>>>>
>>>>>>>>>> -- Erwin
>>>>>>>>>>
>>>>>>>>>>
>
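The step Shing Wai Chan describes above (import the remote server's self-signed certificate, without its private key, as a trusted entry the client can validate against) carried through on the Java client side, as an added example that is not part of this thread, of GlassFish, or of NSS: it reads the .rfc certificate file (CertificateFactory accepts both the base64 and the binary form), checks that the certificate really is self-signed (issuer equals subject and it verifies under its own public key, which is the case where "issuer is not recognized" is expected unless that very certificate is a trust anchor), puts it into a trust-only KeyStore, and builds an SSLContext whose only trust anchor is that certificate. The alias SampleSSLServerCert comes from the thread; the file path, the URL, and the class name PeerTrustExample are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example (not from the thread): trust one self-signed server
// certificate for outbound HTTPS, with no private key involved.
public class PeerTrustExample {

    // Load the server's certificate from the exported file and place it in an
    // in-memory truststore as a trusted-certificate entry (the JSSE analogue of
    // "certificate only, no private key").
    static KeyStore trustStoreFromFile(String certPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(certPath)) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }

        // A self-signed certificate names itself as issuer and verifies under
        // its own key. If this fails, the file is not the self-signed server
        // cert and a different issuer would have to be trusted instead.
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            throw new IllegalArgumentException(
                "not self-signed; issuer is " + cert.getIssuerX500Principal());
        }
        cert.verify(cert.getPublicKey());
        cert.checkValidity(); // throws if expired or not yet valid

        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null); // start from an empty store
        ts.setCertificateEntry("SampleSSLServerCert", cert);
        return ts;
    }

    // Build an SSLContext that trusts nothing but the entries in trustStore.
    static SSLContext contextTrustingOnly(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key material
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed paths; pass your own as arguments.
        String certPath = args.length > 0 ? args[0] : "SampleSSLServerCert.rfc";
        String url = args.length > 1 ? args[1] : "https://sample-server.example:8181/";

        KeyStore ts = trustStoreFromFile(certPath);
        // Expect: isCertificateEntry = true, isKeyEntry = false
        System.out.println("isCertificateEntry = " + ts.isCertificateEntry("SampleSSLServerCert")
            + ", isKeyEntry = " + ts.isKeyEntry("SampleSSLServerCert"));

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(contextTrustingOnly(ts).getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Two things worth checking when running this against a real server. First, the truststore entry should report isKeyEntry = false; if it reports true, a PKCS#12 bundle with the key was imported rather than the certificate alone, which is not what a client trust store should hold. Second, trust and hostname verification are separate checks: even with the certificate trusted, HttpsURLConnection will reject the connection if the server's name is not in the certificate's subject alternative names (or CN). The fix for that is a certificate with the right name, not disabling hostname verification.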