users@glassfish.java.net

Re: renewing an expiring SSL cert

From: Kumar Jayanti <v.b.kumar.jayanti_at_oracle.com>
Date: Wed, 21 Sep 2011 16:39:15 +0530

Please make sure that the key password and the keystore password are both the same. So it appears gf.jks has a key entry whose password is not the same as the GlassFish master password.

Try doing the following:

keytool -keypasswd -alias s1as -keypass <existing key password> -new changeit -keystore gf.jks -storepass changeit

Here I am assuming s1as is the alias of the server cert in gf.jks, and you will need to know what the key password for the s1as private key in gf.jks is.

regards,
kumar

On 20-Sep-2011, at 7:59 AM, lance raymond wrote:

> I am down to a few days left and had to leave for work, but back now
> (still at the same result). The original 'master' password is the
> default changeit, and now the new .jks has the same default password
> as the existing (and working) keystore.jks, as does the
> cacerts.jks file; they now all have the same password.
>
> I can test with the following:
> keytool -list -v -keystore cacerts.jks (this should be the cert file)
> keytool -list -v -keystore keystore.jks (this is the in place working
> keystore that is expiring)
> keytool -list -v -keystore gf.jks (the new certificate)
>
> Each prompts, and I issue changeit and I can see the information. If
> I change the domain.xml file to use the new gf.jks and start, I get
> this:
>
> Caused by: java.lang.IllegalStateException:
> java.security.UnrecoverableKeyException: Cannot recover key
> at com.sun.enterprise.security.SSLUtils.<clinit>(SSLUtils.java:128)
> ... 10 more
> Caused by: java.security.UnrecoverableKeyException: Cannot recover key
> at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
> at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:138)
> at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)
> at java.security.KeyStore.getKey(KeyStore.java:779)
> at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:131)
>
> Now, I only have 1 SSL cert needed for this server, and when I issue a
> keytool -list -v -keystore keystore.jks (the working one) I notice:
> Your keystore contains 4 entries
> Alias name: wfgfcert
> Alias name: root
> Alias name: slas
> Alias name: intermediate
>
> When I look at the new gf.jks I get:
> Your keystore contains 2 entries
> Alias name: wfgfcert
> Alias name: intermediate
>
> The working one I need is the wfgfcert so I am thinking maybe in a
> config somewhere it's still set to use another alias, but I am really
> in a bind now. I am not sure where to go next, since all the
> passwords are correct; could I have loaded something wrong, or not
> loaded something? Looking at the working keystore.jks with the
> wfgfcert alias, there are probably 50+ lines of data, the cert info (O,
> OU) up top, then 30+ lines under an [extensions] section such as this
> example:
>
> Extensions:
>
> #1: ObjectId: 2.5.29.15 Criticality=true
> KeyUsage [
> DigitalSignature
> Non_repudiation
> Key_Encipherment
> Data_Encipherment
> ]
>
> The new gf.jks with the wfgfcert alias has none of that!
>
> Thanks to all who read/help.
>
> On Tue, Sep 13, 2011 at 5:24 PM, Shing Wai Chan
> <shing.wai.chan_at_oracle.com> wrote:
>> The following error indicates that there is a problem with password.
>> You have to make sure that the passwords for keystore.jks, cacerts.jks and
>> new certificate are the same before.
>>>
>>> Caused by: java.security.UnrecoverableKeyException: Cannot recover key
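Kumar's diagnosis can be checked offline. What follows is an added example, not code from this thread, from GlassFish or from the JDK: a Python re-implementation of the JDK KeyProtector scheme that JKS uses for each PrivateKeyEntry (function names such as recover_key and rekey_entry are mine; the sample key bytes are constructed). It shows why a store password that opens the keystore does not open an entry protected under a different key password, which is the UnrecoverableKeyException in the trace, and what keytool -keypasswd changes.

```python
import hashlib, os
KEY_PROTECTOR_OID = bytes.fromhex("2b060104012a02110101")   # 1.3.6.1.4.1.42.2.17.1.1
_pw = lambda p: p.encode("utf-16-be")   # KeyProtector hashes the password as UTF-16BE bytes

def _stream(p, salt, n):   # keystream: d0 = SHA1(pw||salt), d_i = SHA1(pw||d_{i-1}), concatenated
    d, out = salt, b""
    while len(out) < n:
        d = hashlib.sha1(_pw(p) + d).digest()
        out += d
    return out[:n]

def protect_key(p, key, salt=None):   # blob = salt || key XOR stream || SHA1(pw||key)
    salt = salt or os.urandom(20)
    enc = bytes(a ^ b for a, b in zip(key, _stream(p, salt, len(key))))
    return salt + enc + hashlib.sha1(_pw(p) + key).digest()

def recover_key(p, blob):   # fails exactly where JavaKeyStore.engineGetKey does with the wrong password
    salt, enc, check = blob[:20], blob[20:-20], blob[-20:]
    key = bytes(a ^ b for a, b in zip(enc, _stream(p, salt, len(enc))))
    if hashlib.sha1(_pw(p) + key).digest() != check:
        raise ValueError("Cannot recover key")
    return key

def _der(tag, body):   # DER TLV with short- or long-form length
    n = len(body)
    ln = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(ln)]) + ln) + body

def _tlv(data, pos=0):   # parse one definite-length DER element -> (body, end offset)
    n, pos = data[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(data[pos:pos + k], "big"), pos + k
    return data[pos:pos + n], pos + n

def wrap_epki(blob):   # EncryptedPrivateKeyInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }
    return _der(0x30, _der(0x30, _der(0x06, KEY_PROTECTOR_OID) + b"\x05\x00") + _der(0x04, blob))

def unwrap_epki(epki):   # skip the AlgorithmIdentifier and return the OCTET STRING body
    seq = _tlv(epki)[0]
    return _tlv(seq, _tlv(seq)[1])[0]

def key_password_ok(epki, password):   # what SSLUtils needs: the entry opens with the store password
    try:
        return bool(recover_key(password, unwrap_epki(epki)))
    except ValueError:
        return False

def rekey_entry(epki, old_pw, new_pw):   # what `keytool -keypasswd -keypass OLD -new NEW` does
    return wrap_epki(protect_key(new_pw, recover_key(old_pw, unwrap_epki(epki))))
```

The keystore file as a whole is only checked by a SHA-1 integrity hash keyed with the store password, which is why `keytool -list` succeeds with changeit while loading the private key still fails when the entry was protected under another password.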