users@glassfish.java.net

renewing an expiring SSL cert

From: xkaliburx <lance.raymond_at_gmail.com>
Date: Fri, 2 Sep 2011 08:19:14 -0700 (PDT)

Forgot about this usergroup, the java.net forums are either 503'ing, slow,
can't log in, etc. But here's the deal. I have 3 GlassFish 2 servers with
an SSL cert that will expire in a week so I have a little time to play.

I have followed the docs on how to generate a new keystore, CSR request,
etc. and now I am stuck. I have the old keystore.jks file running fine and
a new file (new.jks). I have imported the root, intermediate and cert into
the new.jks, then told the domain.xml file to use that and it bombs with the
following:

Caused by: java.lang.IllegalStateException:
java.security.UnrecoverableKeyException: Cannot recover key
at com.sun.enterprise.security.SSLUtils.<clinit>(SSLUtils.java:128)

I can test to make sure the cert is in using the keytool:
keytool -list -v -keystore new.jks -alias myalias
and get the info (this is just the top):

Owner: CN=api.mydomain.com, OU=Domain Control Validated - RapidSSL(R),
OU=See www.rapidssl.com/resources/cps (c)11, OU=GT06273877,
O=api.mydomain.com, C=US, SERIALNUMBER=uqovQ4SFeb-FcCu5KrGxbRef3IomKkVc
Issuer: CN=RapidSSL CA, O="GeoTrust, Inc.", C=US
Serial number: 2fea8
Valid from: Tue Aug 30 22:56:35 EDT 2011 until: Fri Nov 01 03:05:11 EDT 2013

I don't think the original PW was ever changed, so I made the pass on this
new.jks file the same. I am looking around and reading while I wait for a
reply, but I am not sure if I can simply import the new .cert file into the
existing one. When playing I got a root already exists, so deleted that
alias, imported, etc. but that went down a road of errors, so I am wondering
if it's simply best to use the new.jks file I made, with the new cert, etc.
and just get GF to play nice.

Also I assume once this is fixed, I can copy the file over along with
whatever change I make to get it to work to the other servers.

Please let me know if I need to provide any other details, commands, etc. as
this is a bit timely.

Thanks
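
A check for the exception quoted above, as an added example that is not part of the original post: `UnrecoverableKeyException: Cannot recover key` is what Java's keystore code raises when a key entry cannot be decrypted with the password supplied, so the function below tests whether an alias holds a private key that opens with the keystore password. It assumes the server uses one password for both; `check_key_entry`, `make_demo_store` and the demo values are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic sketch, not from the original post.
# usage: check_key_entry new.jks myalias "$STOREPASS"

# check_key_entry KEYSTORE ALIAS STOREPASS
# Prints a one-word verdict and returns 0 only for "ok".
check_key_entry() {
    ks=$1; entry=$2; pass=$3

    # 1. The keystore must open with the store password and contain the alias.
    listing=$(keytool -list -v -keystore "$ks" -storepass "$pass" \
                      -alias "$entry" 2>&1) || {
        echo "no-such-alias-or-bad-storepass"; return 1; }

    # 2. The alias must hold a private key, not only an imported certificate
    #    (which keytool lists as trustedCertEntry).
    case $listing in
        *PrivateKeyEntry*) ;;
        *) echo "not-a-private-key-entry"; return 1 ;;
    esac

    # 3. Producing a CSR forces keytool to recover the private key. Giving the
    #    store password as -keypass mimics a server that uses one password for
    #    both; a mismatch fails with "Cannot recover key".
    if keytool -certreq -keystore "$ks" -storepass "$pass" -keypass "$pass" \
               -alias "$entry" >/dev/null 2>&1; then
        echo "ok"; return 0
    fi
    echo "key-password-differs"; return 1
}

# make_demo_store FILE KEYPASS
# Builds a constructed JKS keystore (store password "changeit", alias
# "myalias") whose key password is KEYPASS, for trying the check offline.
make_demo_store() {
    keytool -genkeypair -alias myalias -keyalg RSA -keysize 2048 \
            -dname "CN=api.example.test" -validity 30 -storetype JKS \
            -keystore "$1" -storepass changeit -keypass "$2" >/dev/null 2>&1
}
```

If the verdict is `key-password-differs`, `keytool -keypasswd` can set the key password on a copy of the keystore.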