Shing Wai Chan's Weblog

How to use Verisign cert in Glassfish and SJSAS 8.x?

Friday Dec 16, 2005

This blog describes the steps needed to use Verisign certificates in GlassFish which can be downloaded from http://glassfish.dev.java.net/public/downloadsindex.html. These steps will also work with the SJSAS 8.x products. You will need to go to the Verisign website to get a certificate if you don't already have one. In the following, we will outline steps on how to use Verisign certificate in Sun Java System Application Server (SJSAS) 8.x PE and Glassfish.

Steps On Using Verisign Certificate

  1. Generate a private key in keystore resided in domains/your_domain/config/keystore.jks.
    keytool -genkey -alias myservkey -keysize 1024 -keyalg RSA -keystore keystore.jks -dname "CN=test.glassfish.com,OU=Testing,O=Java,L=Santa Clara,S=California,C=US"
    Note that
    • there cannot be a space in the CN name. Verisign can only accept RSA at this time, DSA algorithm is not supported.
    • the password for keystore and the key must be the same
    • the password for keystore.jks in default installation is changeit
  2. Create a certificate request.
    keytool -certreq -alias myservkey -sigalg SHA1WithRSA -keystore keystore.jks -file myservkey.csr
  3. Backup your keystore. This is very important as no one can recover the private key if it is lost.
  4. Go to Verisign website http://www.verisign.com to process the certificate.
  5. Once the certificate is processed, Verisign will send an email to you with certificate inside the email. Please cut and paste the certificate and save it to a file, say, myservkeyveri.cer. Please make sure there is no extra whitespace in the file.
  6. Make sure root CA certificate is in
    • domains/your_domain/config/keystore.jks
    • domains/your_domain/config/cacerts.jks
    • in your browser if it is used as SSL client.
    If you are using a Verisign certificate, then root CA has already been there. But if you are using Verisign testing certificate, then you need to import the Verisign testing root CA certificate which can be found in hyperlink of email from Verisign.

    The commands for importing CA root certificate is as follows:
    keytool -import -v -trustcacerts -alias verisigntestroot -file vertestrootca.cer -keystore keystore.jks
    keytool -import -v -trustcacerts -alias verisigntestroot -file vertestrootca.cer -keystore cacerts.jks
  7. Import the certificate to keystore.
    keytool -import -v -alias myservkey -file myservkeyveri.cer -keystore keystore.jks
  8. Verify that the certificate is imported correctly.
    keytool -list -v -alias myservkey -keystore keystore.jks
  9. Update the certificate alias from admin GUI:
    For https certificate alias:
    Configuration > HTTP Service > HTTP Listeners > http-listener-2
        Input certificate alias name in Certificate NickName text box.
        Enable SSL3, TLS, cipher suites if necessary

    For iiop certificate alias:
    Configuration > IIOP Listeners > SSL / SSL_MUTUALAUTH
        Input certificate alias name in Certificate NickName text box.
        Enable SSL3, TLS, cipher suites if necessary

  10. Restart the server by using asadmin.
  11. Verify the server is using the certificate. If you are setting https as above, then you can use browser to access https://your_host:8181 and it will prompt to you to accept the certificate you have just imported.

Troubleshooting

  1. keytool -import -keystore keystore.jks -alias myservkey -file myservkeyveri.cer
        Enter keystore password:
        keytool error: java.security.cert.CertificateException: java.io.EOFException
    Please double check there is no extra whitespace in the file.
  2. keytool -import -v -alias myservkey -keystore keystore.jks -file myservkeyveri.cer
        Enter keystore password:
        keytool error: java.lang.Exception: Public keys in reply and keystore don't match
    The certificate reply does not match with the key in your keystore. You may need to check whether alias name is correct or get backup keystore having the private key.

Remark

The same procedure work for SJSAS EE by using certutil instead of keytool:
  • use certutil -S to generate a key
  • use certutil -R to import a certificate
  • use certutil -A to import a certificate
  • use certutil -L to list a certificate
More information on how to use certutil in SJSAS can be found in Key Management and PKCS#11 Tokens in Sun Java System Application Server 8.1, May 19, 2005.

[4] Comments
Like this post? del.icio.us | furl | slashdot | technorati | digg
Posted at 05:21PM Dec 16, 2005 by swchan in Sun
Tags:
Comments:

In step 9, you have this phrase:
  • "Enable SSL3, TLS, cipher suites if necessary"
How does an admin know that these are necessary?

Is there some kind of "indicator" that an admin should look for?

Where would I find information about enabling SSL3, TLS, etc?

Posted by vince kraemer on January 03, 2006 at 07:30 PM PST #

In step 9, the administrator would like to check which cipher suites to use for appserver SSL communication. Then one can decide which options are suitable for them. The SSL3 cipher suites can be found in SSL v3 Internal Draft and TLS cipher suites can be found in RFC 2246.

Posted by Shing Wai Chan on January 12, 2006 at 10:58 AM PST #

Hi. Would like to check. If I already had a pte key and public cert from server A. Will I be able to use in server B?
By the way, I'm able to encrypt, but how to decrypt the message digest to ensure its correct?

Thanks.

Posted by Jas on March 05, 2008 at 05:56 PM PST #

How does an admin know that these are necessary?

Is there some kind of "indicator" that an admin should look for?

Where would I find information about enabling SSL3, TLS, etc

Posted by BATTERY on November 28, 2008 at 04:25 AM PST #

Post a Comment:
  • HTML Syntax: NOT allowed