
  • Sun
    December 16, 2005

How to use Verisign cert in Glassfish and SJSAS 8.x?

This post describes the steps needed to use a Verisign certificate with GlassFish, which can be downloaded from http://glassfish.dev.java.net/public/downloadsindex.html. The same steps work with the Sun Java System Application Server (SJSAS) 8.x PE products.
You will need to get a certificate from the Verisign website if you
don't already have one.

Steps On Using Verisign Certificate


  1. Generate a private key in the keystore, which resides in domains/your_domain/config/keystore.jks.
    keytool -genkey -alias myservkey -keysize 1024 -keyalg RSA -keystore keystore.jks -dname "CN=test.glassfish.com,OU=Testing,O=Java,L=Santa Clara,S=California,C=US"
    Note that
    • the CN (here the server's host name) must not contain a space. Verisign can only accept RSA at this time; DSA is not supported.
    • the password for the keystore and the key must be the same
    • the password for keystore.jks in a default installation is changeit
    • the 1024-bit key and SHA1WithRSA signature used in these steps are what Verisign accepted in 2005. Public CAs no longer issue certificates for RSA keys shorter than 2048 bits or with SHA-1 signatures, so for a new request use -keysize 2048 here and -sigalg SHA256withRSA in the next step.
  2. Create a certificate request.
    keytool -certreq -alias myservkey -sigalg SHA1WithRSA -keystore keystore.jks -file myservkey.csr
  3. Back up your keystore. This is very important: if the private key is lost, no one can recover it, and the certificate issued for it becomes useless.
  4. Submit the certificate request on the Verisign website, http://www.verisign.com.
  5. Once the certificate is issued, Verisign will send you an email with the certificate in the body.
    Cut and paste the certificate and save it to a file, say, myservkeyveri.cer.
    Make sure there is no extra whitespace in the file.
  6. Make sure the root CA certificate is in
    • domains/your_domain/config/keystore.jks
    • domains/your_domain/config/cacerts.jks
    • your browser, if the browser is the SSL client.

    If you are using a production Verisign certificate, the Verisign root CA is already present in these stores.
    But if you are using a Verisign test certificate, you need to import
    the Verisign test root CA certificate, which is linked from the email Verisign sends you.


    The commands for importing the CA root certificate are as follows:
    keytool -import -v -trustcacerts -alias verisigntestroot -file vertestrootca.cer -keystore keystore.jks
    keytool -import -v -trustcacerts -alias verisigntestroot -file vertestrootca.cer -keystore cacerts.jks
  7. Import the certificate reply into the keystore, under the same alias as the private key.
    keytool -import -v -alias myservkey -file myservkeyveri.cer -keystore keystore.jks
  8. Verify that the certificate is imported correctly.
    keytool -list -v -alias myservkey -keystore keystore.jks
  9. Update the certificate alias from the admin GUI:
    For the https certificate alias:
    Configuration > HTTP Service > HTTP Listeners > http-listener-2
        Input the certificate alias name in the Certificate NickName text box.
        Enable SSL3, TLS, cipher suites if necessary (SSL3 has since been deprecated by RFC 7568; leave it off on any current server).

    For the iiop certificate alias:
    Configuration > IIOP Listeners > SSL / SSL_MUTUALAUTH
        Input the certificate alias name in the Certificate NickName text box.
        Enable SSL3, TLS, cipher suites if necessary, with the same caveat.

  10. Restart the server using asadmin (asadmin stop-domain your_domain, then asadmin start-domain your_domain).
  11. Verify that the server is using the certificate. If you configured https as above, point a browser at https://your_host:8181. If the browser does not trust the issuing root (as with a Verisign test certificate whose root you have not imported into the browser), it will prompt you to accept the certificate you have just imported; otherwise there is no prompt, so open the certificate details and confirm that the subject and issuer are the ones you imported.
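The steps above as one shell script. This is an added example, not code from the original post or from the GlassFish project. It assumes a JDK keytool on PATH (-genkeypair is the current name of -genkey; the older spelling still works), the domain config directory in CONFIG_DIR (default domains/domain1/config), and the alias, CN and changeit password from the post; it uses a 2048-bit key, SHA-256 signatures and a SAN extension instead of the 2005 values, and the reply and root certificate file names are passed as arguments. Because the CSR goes to Verisign out of band, the work is split into functions you run before sending the request and after the reply arrives.

```shell
#!/bin/sh
# Added example: the keytool steps above as functions.
# Assumptions (not from the original post): keytool is on PATH, the domain
# config directory is $CONFIG_DIR, and the password is "changeit" for both
# the keystore and the key (GlassFish requires the two to match).
set -eu

CONFIG_DIR="${CONFIG_DIR:-domains/domain1/config}"
ALIAS="${ALIAS:-myservkey}"
CN="${CN:-test.glassfish.com}"
STOREPASS="${STOREPASS:-changeit}"
KEYSTORE="$CONFIG_DIR/keystore.jks"
TRUSTSTORE="$CONFIG_DIR/cacerts.jks"

# Step 1: key pair. 2048-bit RSA and SHA-256 instead of the 2005 values;
# the SAN extension is what current browsers match the host name against.
gen_key() {
    case "$CN" in *' '*) echo "CN must not contain spaces: $CN" >&2; return 1;; esac
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 365 -ext "SAN=dns:$CN" \
        -dname "CN=$CN,OU=Testing,O=Java,L=Santa Clara,S=California,C=US" \
        -keystore "$KEYSTORE" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 2: the CSR to send to the CA ($1 = output file).
make_csr() {
    keytool -certreq -alias "$ALIAS" -sigalg SHA256withRSA \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -file "$1"
}

# Step 3: back up the keystore before the reply is imported into it.
backup_keystore() {
    cp "$KEYSTORE" "$KEYSTORE.$(date +%Y%m%d%H%M%S).bak"
}

# Step 6: trust the issuing root in both the keystore and the truststore
# ($1 = root certificate file, $2 = alias to store it under).
import_root() {
    for ks in "$KEYSTORE" "$TRUSTSTORE"; do
        keytool -importcert -trustcacerts -noprompt -alias "$2" -file "$1" \
            -keystore "$ks" -storepass "$STOREPASS"
    done
}

# Step 7: install the CA's reply against the private key. The alias must be
# the one used for the CSR, or keytool reports a public key mismatch.
import_reply() {
    keytool -importcert -trustcacerts -alias "$ALIAS" -file "$1" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 8: the entry must now be a PrivateKeyEntry with the CA chain attached.
verify_entry() {
    keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        | grep -E 'Entry type|Owner:|Issuer:|Certificate chain length'
}

# Step 11: what the listener actually serves after the restart ($1 = host, $2 = port).
verify_listener() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}
```

Typical use: gen_key, make_csr myservkey.csr and backup_keystore before sending the request; then import_root vertestrootca.cer verisigntestroot (test certificates only), import_reply myservkeyveri.cer and verify_entry; and, after the domain restart, verify_listener your_host 8181 to confirm the subject and issuer seen on the wire are the ones you imported.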

Troubleshooting


  1. keytool -import -keystore keystore.jks -alias myservkey -file myservkeyveri.cer
        Enter keystore password:
        keytool error: java.security.cert.CertificateException: java.io.EOFException
    keytool reached the end of the file before the certificate was complete. Double-check that the file holds the whole certificate, that the BEGIN and END lines are intact, and that there is no extra whitespace in the file.
  2. keytool -import -v -alias myservkey -keystore keystore.jks -file myservkeyveri.cer
        Enter keystore password:
        keytool error: java.lang.Exception: Public keys in reply and keystore don't match
    The certificate reply was issued for a different key than the one stored under this alias. Check that the alias is the one you used for the certificate request, or restore the backup keystore that holds the matching private key.
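A check for the first troubleshooting case, added here as an example rather than code from the original post. check_pem_file reports trailing whitespace, CRLF line endings, mail text outside the PEM armour, and a truncated paste (the usual cause of the EOFException above) before the file is handed to keytool; clean_pem_file rewrites the file with only the armoured block. The function names are this example's own; it needs only POSIX sh, sed and awk.

```shell
#!/bin/sh
# Added example: sanity-check a certificate pasted from an e-mail.
# check_pem_file FILE   -> 0 if FILE is one clean PEM certificate, else 1
#                          (with a line-by-line report of what is wrong)
# clean_pem_file IN OUT -> strips CR and trailing whitespace, drops blank
#                          lines and keeps only the BEGIN..END block
check_pem_file() {
    f="$1"
    [ -s "$f" ] || { echo "$f: empty or missing"; return 1; }
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF for the check itself
        /^-----BEGIN CERTIFICATE-----$/ { nbegin++; inside = 1; next }
        /^-----END CERTIFICATE-----$/   { nend++;   inside = 0; next }
        inside {
            if ($0 == "")
                { printf "line %d: blank line inside body\n", NR; bad++ }
            else if ($0 !~ /^[A-Za-z0-9+\/=]+$/)
                { printf "line %d: not base64 (trailing space?): \"%s\"\n", NR, $0; bad++ }
            else
                { body = body $0 }
            next
        }
        NF { printf "line %d: text outside the PEM armour: \"%s\"\n", NR, $0; outside++ }
        END {
            if (nbegin != 1 || nend != 1) {
                printf "expected one BEGIN/END pair, found %d BEGIN and %d END\n", nbegin, nend
                fail = 1
            }
            if (length(body) % 4 != 0) {
                printf "base64 body length %d is not a multiple of 4: truncated paste?\n", length(body)
                fail = 1
            }
            if (bad || outside) fail = 1
            exit fail
        }' "$f"
}

clean_pem_file() {
    sed -e 's/[[:space:]]*$//' -e '/^$/d' "$1" \
        | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' > "$2"
}
```

Run check_pem_file on the saved reply; if it complains about whitespace or mail text, clean_pem_file will usually fix it, but a truncated body (length not a multiple of 4, or a missing END line) means the paste itself is incomplete and has to be redone from the email.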

Remark


The same procedure works for SJSAS EE, which keeps its keys in an NSS database, by using certutil instead of keytool:
  • use certutil -S to generate a key (with a self-signed certificate for it)
  • use certutil -R to generate a certificate request
  • use certutil -A to import a certificate
  • use certutil -L to list certificates

More information on how to use certutil in SJSAS can be found in Key Management and PKCS#11 Tokens in Sun Java System Application Server 8.1, May 19, 2005.

Join the discussion

Comments ( 4 )
  • vince kraemer Tuesday, January 3, 2006
    In step 9, you have this phrase:

    • "Enable SSL3, TLS, cipher suites if necessary"

    How does an admin know that these are necessary?

    Is there some kind of "indicator" that an admin should look for?

    Where would I find information about enabling SSL3, TLS, etc?

  • Shing Wai Chan Thursday, January 12, 2006
    In step 9, the administrator would like to check which cipher suites to use for appserver SSL communication. Then one can decide which options are suitable for them.
    The SSL3 cipher suites can be found in
    SSL v3 Internal Draft
    and TLS cipher suites can be found in RFC 2246.
  • Jas Wednesday, March 5, 2008

    Hi. Would like to check. If I already had a pte key and public cert from server A. Will I be able to use in server B?

    By the way, I'm able to encrypt, but how to decrypt the message digest to ensure its correct?

    Thanks.


  • BATTERY Friday, November 28, 2008

    How does an admin know that these are necessary?

    Is there some kind of "indicator" that an admin should look for?

    Where would I find information about enabling SSL3, TLS, etc
