users@glassfish.java.net

Re: renewing an expiring SSL cert

From: lance raymond <lance.raymond_at_gmail.com>
Date: Mon, 19 Sep 2011 22:29:47 -0400

I am down to a few days left and had to leave for work, but back now
(still at the same result). The original 'master' password is the
default changeit, and now the new .jks, the existing (and working)
keystore.jks, and the cacerts.jks file all have the same password.

I can test with the following:
keytool -list -v -keystore cacerts.jks (this should be the cert file)
keytool -list -v -keystore keystore.jks (this is the in place working
keystore that is expiring)
keytool -list -v -keystore gf.jks (the new certificate)

Each prompts, and I issue changeit and I can see the information. If
I change the domain.xml file to use the new gf.jks and start, I get
this:

Caused by: java.lang.IllegalStateException:
java.security.UnrecoverableKeyException: Cannot recover key
        at com.sun.enterprise.security.SSLUtils.<clinit>(SSLUtils.java:128)
        ... 10 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
        at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
        at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:138)
        at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)
        at java.security.KeyStore.getKey(KeyStore.java:779)
        at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:131)

Now, I only have 1 SSL cert needed for this server, and when I issue a
keytool -list -v -keystore keystore.jks (the working one) I notice:
Your keystore contains 4 entries
Alias name: wfgfcert
Alias name: root
Alias name: slas
Alias name: intermediate

When I look at the new gf.jks I get:
Your keystore contains 2 entries
Alias name: wfgfcert
Alias name: intermediate

The working one I need is the wfgfcert, so I am thinking maybe in a
config somewhere it's still set to use another alias, but I am really
in a bind now. I am not sure where to go next, since all the
passwords are correct; could I have loaded something wrong, or not
loaded something? Looking at the working keystore.jks with the
wfgfcert alias, there are probably 50+ lines of data, the cert info (O,
OU) up top, then 30+ lines under an [extensions] section such as this
example:

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
]

The new gf.jks with the wfgfcert alias has none of that!

Thanks to all who read/help.
On Tue, Sep 13, 2011 at 5:24 PM, Shing Wai Chan
<shing.wai.chan_at_oracle.com> wrote:
> The following error indicates that there is a problem with password.
> You have to make sure that the passwords for keystore.jks, cacerts.jks and
> new certificate are the same before.
>>
>> Caused by: java.security.UnrecoverableKeyException: Cannot recover key
>
>
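The "Cannot recover key" trace above comes from KeyStore.getKey, which GlassFish calls with the keystore (master) password for every key entry; a key whose own password differs fails there even though keytool -list (which never opens the private keys) looks fine. The following check is an added example, not GlassFish or keytool code: it loads a JKS, tries to recover each private key with the store password, and names the alias that would trip SSLUtils. File names, password and the alias argument are assumptions taken from the mail.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Added diagnostic (not GlassFish code). Usage, mirroring the mail:
//   java KeyStoreCheck gf.jks changeit wfgfcert
public class KeyStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java KeyStoreCheck <keystore.jks> <password> [alias]");
            System.exit(2);
        }
        String path = args[0];
        char[] storePw = args[1].toCharArray();
        String wanted = args.length > 2 ? args[2] : null; // assumed optional alias filter

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            // Succeeds whenever the store password is right; this is all keytool -list verifies.
            ks.load(in, storePw);
        }

        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (wanted != null && !wanted.equalsIgnoreCase(alias)) continue;
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": trusted certificate only, no private key to recover");
                continue;
            }
            try {
                // Same call as the KeyStore.getKey frame in the stack trace, using the store password
                // as GlassFish does; a different key password throws UnrecoverableKeyException.
                ks.getKey(alias, storePw);
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                int chainLen = ks.getCertificateChain(alias).length;
                System.out.printf("%s: private key OK, chain length %d, expires %s%n",
                        alias, chainLen, cert.getNotAfter());
            } catch (UnrecoverableKeyException e) {
                System.out.println(alias + ": key password differs from the keystore password;"
                        + " GlassFish will fail with 'Cannot recover key'. Align it with"
                        + " keytool -keypasswd -alias " + alias + " -keystore " + path);
            }
        }
    }
}
```

A chain length of 1 on the new gf.jks, against the 4 entries and full chain in the working keystore.jks, would also show that the intermediate was imported as a separate trusted entry rather than as part of the wfgfcert chain.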