Monday Jan 11, 2010

SEC5054: Certificate has expired

One of the authority certificates in the Glassfish truststore (i.e., cacerts.jks) expired on Jan 7, 2010. On startup, Glassfish will log a message (to server.log) indicating that the following certificate has expired.

Version: V1
  Subject: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
  Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2

  Key:  SunPKCS11-Solaris RSA public key, 1000 bits (id 17891456, session object)
  modulus: 
  public exponent: 
  Validity: [From: Tue Nov 08 19:00:00 GMT-05:00 1994,
               To: Thu Jan 07 18:59:59 GMT-05:00 2010]
  Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
  SerialNumber: [    02ad667e 4e45fe5e 576f3c98 195eddc0]

The expired authority certificate will be removed in update 18 of Java SE 6. It will also be removed from the Glassfish truststore.

No action is required on your part, as all certificates issued under the expired authority certificate have also expired.

If you would like to stop your installation of Glassfish from reporting the presence of the expired authority certificate, you can use keytool to remove the certificate from the Glassfish truststore.

=> cd domains/domainX/config
=> cp cacerts.jks cacerts.jks.save
=> keytool -delete -keystore cacerts.jks -alias verisignserverca
Enter keystore password: 

To prevent the expired cert from reappearing in subsequently created domains, the cert should also be removed from the template truststore.

=> cd glassfish/lib/templates
=> cp cacerts.jks cacerts.jks.save
=> keytool -delete -keystore cacerts.jks -alias verisignserverca
Enter keystore password: 
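Before deleting anything, it is worth confirming which entries in the truststore are actually past their expiry, rather than going by the alias alone. The script below is an added example, not code from the original post or from Glassfish: it parses the text that `keytool -list -v -keystore cacerts.jks` prints (pipe that output into it), lists every trusted entry that has expired as of a given date or that is signed with MD2/MD5 (the expired VeriSign entry above is MD2withRSA), and prints the matching keytool -delete command without modifying the keystore. The listing embedded in it is constructed in the Java 6 keytool output format; the `exampleca` entry in it is hypothetical.

```python
#!/usr/bin/env python3
"""Audit a `keytool -list -v` listing for expired or MD2/MD5-signed CA entries.

Added example, not code from the original post or from Glassfish.  It reads
the text printed by `keytool -list -v -keystore cacerts.jks`, reports every
trusted-certificate entry that is already past its "until:" date or that is
signed with MD2/MD5, and prints the matching `keytool -delete` command.  It
never modifies the keystore.  Timezone abbreviations in keytool's dates are
ignored, so treat an entry within a day of the cut-off as "check by hand".
"""
import re
import sys
from datetime import datetime

# Constructed sample in the Java 6 `keytool -list -v` format (not captured from
# a real store).  The first entry is the RSA/VeriSign Secure Server CA discussed
# in the post; the second is a hypothetical, still-valid CA added for contrast.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Alias name: verisignserverca
Creation date: Apr 27, 2009
Entry type: trustedCertEntry

Owner: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Serial number: 2ad667e4e45fe5e576f3c98195eddc0
Valid from: Tue Nov 08 19:00:00 EST 1994 until: Thu Jan 07 18:59:59 EST 2010
Certificate fingerprints:
\t Signature algorithm name: MD2withRSA
\t Version: 1


*******************************************
*******************************************


Alias name: exampleca
Creation date: Apr 27, 2009
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
Serial number: 1
Valid from: Mon Jan 01 00:00:00 EST 2007 until: Thu Dec 31 23:59:59 EST 2026
Certificate fingerprints:
\t Signature algorithm name: SHA1withRSA
\t Version: 3


*******************************************
*******************************************
"""

WEAK_SIGNATURES = {"MD2withRSA", "MD5withRSA"}


def _keytool_date(text):
    # "Thu Jan 07 18:59:59 EST 2010" -> drop the weekday and the timezone
    # token (strptime cannot portably parse names like EST or GMT-05:00).
    parts = text.split()
    return datetime.strptime(" ".join(parts[1:4] + parts[5:6]), "%b %d %H:%M:%S %Y")


def parse_listing(text):
    """Return one dict per entry: alias, type, owner, not_after, sig_alg."""
    entries = []
    for chunk in text.split("Alias name: ")[1:]:
        alias = chunk.split("\n", 1)[0].strip()
        valid = re.search(r"Valid from: (.+?) until: (.+)", chunk)
        if valid is None:            # e.g. a secretKeyEntry: nothing to expire
            continue
        etype = re.search(r"Entry type: (\S+)", chunk)
        owner = re.search(r"Owner: (.*)", chunk)
        sig = re.search(r"Signature algorithm name: (\S+)", chunk)
        entries.append({
            "alias": alias,
            "type": etype.group(1) if etype else "?",
            "owner": owner.group(1).strip() if owner else "?",
            "not_after": _keytool_date(valid.group(2).strip()),
            "sig_alg": sig.group(1) if sig else "?",
        })
    return entries


def expired_entries(text, as_of):
    """Entries whose validity ended before `as_of` (an ISO date, "YYYY-MM-DD")."""
    cutoff = datetime.strptime(as_of, "%Y-%m-%d")
    return [e for e in parse_listing(text) if e["not_after"] < cutoff]


def weak_signature_entries(text):
    """Entries signed with an algorithm whose hash function is broken (MD2, MD5)."""
    return [e for e in parse_listing(text) if e["sig_alg"] in WEAK_SIGNATURES]


def delete_command(alias, keystore):
    """The keytool invocation the post uses to drop a trusted entry."""
    return "keytool -delete -keystore %s -alias %s" % (keystore, alias)


if __name__ == "__main__":
    # Read a real listing from a pipe; fall back to the constructed sample.
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    today = datetime.now().strftime("%Y-%m-%d")
    for e in expired_entries(listing, today):
        print("EXPIRED  %s (%s) on %s" % (e["alias"], e["owner"], e["not_after"].date()))
        print("         " + delete_command(e["alias"], "cacerts.jks"))
    for e in weak_signature_entries(listing):
        print("WEAK-SIG %s signed with %s" % (e["alias"], e["sig_alg"]))
```

Run it against a real store with `keytool -list -v -keystore cacerts.jks -storepass changeit | python3 audit_truststore.py` (changeit is the Glassfish default truststore password; substitute yours), then paste the printed keytool -delete line back into the procedure above after taking the backup. Run the same check against the template truststore under glassfish/lib/templates so that newly created domains do not inherit the expired entry.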

For more details on the expired certificate please see:

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6852796

The Glassfish V3 admin guide may be found at:

http://wiki.glassfish.java.net/attach/AdministrationGuide/SJSASEEAG.pdf

For versions and installations of Glassfish that use Network Security Services, i.e., NSS, the certutil command may be used to remove the expired certificate from the cert8.db file, and the corresponding cert8.db template file. For example:

==> cd directory-where-cert8.db-is-located
==> cp cert8.db cert8.db.save
==> certutil -D -n "Verisign/RSA Secure Server CA" -d .

The -d option names the directory holding the cert8.db you just backed up; without it, certutil operates on its default database directory (~/.netscape) rather than the one you changed into.
monzillo