SEC5054: Certificate has expired

One of the authority certificates in the Glassfish truststore (i.e., cacerts.jks) expired on Jan 7, 2010. On startup, Glassfish will log a message (to server.log) indicating that the following certificate has expired.

Version: V1
  Subject: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
  Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2

  Key:  SunPKCS11-Solaris RSA public key, 1000 bits (id 17891456, session object)
  modulus: 
  public exponent: 
  Validity: [From: Tue Nov 08 19:00:00 GMT-05:00 1994,
               To: Thu Jan 07 18:59:59 GMT-05:00 2010]
  Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
  SerialNumber: [    02ad667e 4e45fe5e 576f3c98 195eddc0]

The expired authority certificate will be removed in update 18 of Java SE 6. It will also be removed from the Glassfish truststore.

No action is required on your part, as all certificates issued under the expired authority certificate have also expired.

If you would like to stop your installation of Glassfish from reporting the presence of the expired authority certificate, you can use keytool to remove the certificate from the Glassfish truststore.

=> cd domains/domainX/config
=> cp cacerts.jks cacerts.jks.save
=> keytool -delete -keystore cacerts.jks -alias verisignserverca
Enter keystore password: 

To prevent the expired certificate from reappearing in subsequently created domains, it should also be removed from the template truststore.

=> cd glassfish/lib/templates
=> cp cacerts.jks cacerts.jks.save
=> keytool -delete -keystore cacerts.jks -alias verisignserverca
Enter keystore password: 
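
Before deleting entries, it helps to confirm which aliases in a truststore have actually expired. The following shell function is an added example, not part of the original post: it reads `keytool -list -v` output and prints each alias whose validity ended before a given date. The sample listing is constructed, the names `expired_aliases`, `sample_listing` and `exampleca` are hypothetical, and keytool's English-locale date format is assumed.

```shell
#!/bin/sh
# expired_aliases CUTOFF
#   Reads `keytool -list -v` output on stdin and prints "alias<TAB>YYYYMMDD"
#   for every entry whose "until:" date is earlier than CUTOFF (YYYYMMDD).
#   The time zone is ignored, so the comparison is at day granularity.
expired_aliases() {
    awk -v cutoff="$1" '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = i
        }
        /^Alias name: / { alias = substr($0, 13) }
        /^Valid from: .* until: / {
            # Fields after "until:" are: weekday month day time zone year
            s = $0; sub(/^.* until: /, "", s)
            split(s, f, " ")
            if (!(f[2] in mon)) next      # unexpected locale or format
            until = sprintf("%04d%02d%02d", f[6], mon[f[2]], f[3])
            if (alias != "" && (until + 0) < (cutoff + 0)) print alias "\t" until
            alias = ""                    # only the first certificate of an entry
        }
    '
}

# Constructed sample in the shape of `keytool -list -v` output. The first entry
# uses the alias and validity dates quoted in this post; the second is made up.
sample_listing() {
    cat <<'EOF'
Alias name: verisignserverca
Entry type: trustedCertEntry

Owner: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Valid from: Tue Nov 08 19:00:00 GMT-05:00 1994 until: Thu Jan 07 18:59:59 GMT-05:00 2010

Alias name: exampleca
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example, C=US
Valid from: Mon Jan 01 00:00:00 GMT 2001 until: Wed Jan 01 00:00:00 GMT 2031
EOF
}

# Real use (keytool prompts for the store password):
#   keytool -list -v -keystore cacerts.jks | expired_aliases "$(date +%Y%m%d)"
sample_listing | expired_aliases 20100118
```

Run it against both the domain truststore and the template truststore, since each holds its own copy of the certificate.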

For more details on the expired certificate please see:

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6852796

The Glassfish V3 admin guide may be found at:

http://wiki.glassfish.java.net/attach/AdministrationGuide/SJSASEEAG.pdf

For versions and installations of Glassfish that use Network Security Services, i.e., NSS, the certutil command may be used to remove the expired certificate from the cert8.db file, and the corresponding cert8.db template file. For example:

==> cd directory-where-cert8.db-is-located
==> cp cert8.db cert8.db.save
==> certutil -D -n "Verisign/RSA Secure Server CA" -d .

Comments:

So what is the keystore password?

Posted by David Loeffler on January 18, 2010 at 06:25 AM EST #

please search the admin guide at the link (above) for the "default password".

Posted by guest on January 19, 2010 at 09:06 AM EST #

changeit

Posted by guest on January 31, 2010 at 01:01 PM EST #

Thanks for the detailed instructions. The message is somewhat scary! Your removal command works perfectly.

Posted by Stijn on February 09, 2010 at 08:55 AM EST #

I just ran into this same problem and can't seem to proceed. Is there any known solution for this issue?

Posted by Helen Neely on April 19, 2010 at 01:42 AM EDT #

Hi Ron:
Thanks for your help. Better than the one from Oracle.
I am a Masters Degree Student in Applied Computing in Venezuela and in my Thesis I need to run an Application Server. I chose glassfish before it was bought by Oracle.
I had a lot of trouble with this problem of certificates.
I followed the instructions in this blog and it worked perfectly.
I have to add only one comment: For those users in Windows, it is better to install glassfish outside "Program Files" folder because I ran into trouble due to user permissions.
I installed the server in root "c:\glassfish" and it is working fine.
For the person that asked about the password, it is: CHANGEIT

Posted by Jaime Soto on April 21, 2010 at 09:18 AM EDT #

What is "cp" from "cp cacerts.jks cacerts.jks.save"?
I receive an error that it is not recognized as an internal/external command.
Please help.

Posted by Hershe on April 21, 2010 at 10:28 PM EDT #

Re: "What is "cp" from "cp cacerts.jks cacerts.jks.save"?
I receive an error that it is not recognized as an internal/external command.
Please help."

I am betting you are using Windows. You cannot use "cp". "cp" is the copy command in Linux/Unix and is also used to rename files. If you are under Windows, simply use right-click to rename the file from "cacerts.jks" to "cacerts.jks.save".

Posted by Matt on May 04, 2010 at 10:34 AM EDT #

About

monzillo