users@glassfish.java.net

Re: Add a self-signed certificate to a truststore.

From: Shing Wai Chan <Shing-Wai.Chan_at_Sun.COM>
Date: Wed, 17 Mar 2010 14:12:31 -0700

I have downloaded GlassFish v2.1.1 and did the following experiment.
In the following, we have server A, GlassFish v2.1.1, and another server B.
In my experiment, server B is GlassFish v3.
1. In another server B, we create a new key cert pair, mycert, in keystore.jks
   and export mycert to mycert.cert (and import back to cacerts.jks if
   necessary).
   Restart server B.
2. Import mycert into NSS db with "T,c,c" of server A and restart.
3. Create a JSP in server A to connect to server B through https.
It is working fine for me.
Regards,
      Shing Wai Chan

On 3/17/10 6:37 AM, Erwin Rehme wrote:
>
>
> Shing Wai Chan wrote:
>> The corresponding CA is not recognized.
>> Is it a self-signed cert?
> Yes
>> You can try "TC,c,c".
> Same results.
>> Shing Wai Chan
>>
>> On 3/16/10 4:00 PM, Erwin Rehme wrote:
>>>
>>>
>>> Shing Wai Chan wrote:
>>>> On 3/16/10 2:44 PM, Erwin Rehme wrote:
>>>>>
>>>>>
>>>>> Shing Wai Chan wrote:
>>>>>> On 3/16/10 8:38 AM, Erwin Rehme wrote:
>>>>>>> Maybe I should restate what I'm trying to do and see if I'm even
>>>>>>> on the right track.
>>>>>>>
>>>>>>> I have an application running in glassfish that needs to make
>>>>>>> http and https requests to other servers. All I'm trying to do
>>>>>>> is give my application certificates so that it can make https
>>>>>>> requests to other servers. With the standalone version of
>>>>>>> glassfish I was able to just import the remote server's
>>>>>>> certificate into the cacerts.jks file and the https requests
>>>>>>> worked. However, my application will be deployed using the
>>>>>>> Enterprise edition so I thought that importing the certificate
>>>>>>> into the db should make it available to my application. Is this
>>>>>>> not the case?
>>>>>> Yes, you just need to import the certificate (without the private
>>>>>> key).
>>>>>> Shing Wai Chan
>>>>> I don't see exactly how to do that. If I import using pk12util it
>>>>> looks like the cert is added and also the private key.
>>>> yes.
>>>>>
>>>>> If I import using 'certutil -A -t "u,u,u"...' the cert is added
>>>>> and not the key but the cert is not valid. So, I'm back to my
>>>>> original problem. If I use -t "P,," I get a valid cert but my
>>>>> https request fails. Is "P" the right trust arg to use? It seems
>>>>> to be the only flag that gives me a valid cert.
>>>> Have you tried "T,c,c"?
>>> The validity check says "Peer's Certificate issuer is not
>>> recognized.". Does this mean that the original cert was generated
>>> incorrectly?
>>>>>>>
>>>>>>> -- Erwin
>>>>>>>
>>>>>>> Shing Wai Chan wrote:
>>>>>>>> On 3/15/10 3:27 PM, Erwin Rehme wrote:
>>>>>>>>> Thanks Shing,
>>>>>>>>>
>>>>>>>>> With the help of this web page I was able to get the
>>>>>>>>> certificate into the db. Instead of using certutil to export
>>>>>>>>> the cert from the server, I used pk12util. I was then able to
>>>>>>>>> import to my client app server db using pk12util. This gave me
>>>>>>>>> a cert with "u,u,u" trust attributes.
>>>>>>>>>
>>>>>>>>> Now my question is how do I get my .asadmintruststore updated
>>>>>>>>> with this new cert? I tried deleting the .asadmintruststore
>>>>>>>>> file and running an asadmin command but that only put the app
>>>>>>>>> server cert in and not the new one.
>>>>>>>> So, this means your admin listener is using the app server cert
>>>>>>>> rather than your new cert.
>>>>>>>> You may configure your listener to use your corresponding
>>>>>>>> certificates for inbound
>>>>>>>> as in my previous blog in GlassFish v2,
>>>>>>>> http://blogs.sun.com/swchan/entry/multiple_private_keys_in_a
>>>>>>>>
>>>>>>>> Shing Wai Chan
>>>>>>>>>
>>>>>>>>> -- Erwin
>>>>>>>>>
>>>>>>>>> Shing Wai Chan wrote:
>>>>>>>>>> You may like to read:
>>>>>>>>>>
>>>>>>>>>> http://developers.sun.com/appserver/reference/techart/keymgmt.html
>>>>>>>>>>
>>>>>>>>>> Shing Wai Chan
>>>>>>>>>>
>>>>>>>>>> On 3/15/10 10:08 AM, Erwin Rehme wrote:
>>>>>>>>>>> I have some client code running in glassfish that needs to
>>>>>>>>>>> connect to a
>>>>>>>>>>> server using SSL. I have been given the .rfc file for the
>>>>>>>>>>> self-signed
>>>>>>>>>>> certificate of the server and I'm trying to add it to my
>>>>>>>>>>> .asadmintruststore.
>>>>>>>>>>>
>>>>>>>>>>> The command:
>>>>>>>>>>>
>>>>>>>>>>> certutil -A -n SampleSSLServerCert -t "u,u,u" -d /opt/SUNWappserver/domains/domain1/config/ -i /SampleSSLServerCert.rfc
>>>>>>>>>>>
>>>>>>>>>>> adds the cert to the db but when I do:
>>>>>>>>>>>
>>>>>>>>>>> certutil -L -d /opt/SUNWappserver/domains/domain1/config
>>>>>>>>>>>
>>>>>>>>>>> I get:
>>>>>>>>>>>
>>>>>>>>>>> SampleSSLServerCert ,,
>>>>>>>>>>>
>>>>>>>>>>> and:
>>>>>>>>>>>
>>>>>>>>>>> certutil -V -u V -d /opt/SUNWappserver/domains/domain1/config -n SampleSSLServerCert
>>>>>>>>>>>
>>>>>>>>>>> says that the cert is invalid.
>>>>>>>>>>>
>>>>>>>>>>> If I use -t "P,P,P", the certificate is valid but when I delete
>>>>>>>>>>> .asadmintruststore and run:
>>>>>>>>>>>
>>>>>>>>>>> asadmin list-jms-hosts
>>>>>>>>>>>
>>>>>>>>>>> I get a prompt that asks me if I want to trust the app server
>>>>>>>>>>> certificate but I don't get a prompt to trust the
>>>>>>>>>>> self-signed certificate.
>>>>>>>>>>>
>>>>>>>>>>> Does the self-signed cert need to be added to the db using
>>>>>>>>>>> -t "u,u,u", and if so, how do I do that?
>>>>>>>>>>>
>>>>>>>>>>> If I can use -t "P,P,P" to get a valid cert into the db, how
>>>>>>>>>>> do I get that self-signed cert into .asadmintruststore?
>>>>>>>>>>>
>>>>>>>>>>> Thanks for your help.
>>>>>>>>>>>
>>>>>>>>>>> -- Erwin
>>>>>>>>>>>
>>>>>>>>>>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>