Re: Importing CERTIFICATE into Java Keystore

2010-11-23 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Uma,

Please keep posts on the list for the benefit of the community.

On 11/22/2010 7:31 PM, uma ravi wrote:
 I am trying to import the certificate and did the same as you did but
 still got the same error. My test connection on IDM is not working. I saw
 your post (a year back) that you got it working. Can you please send me the
 steps to get rid of this problem. It would be really helpful.

Please tell me what file(s) you have and what you are trying to achieve.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkzsNCgACgkQ9CaO5/Lv0PBkoQCgwLUMIxjxHbgCm9LN4SrwlYRT
jQEAn2fM9lRpqFicvVcFpZXAe+5Pb/GO
=Pw1N
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Importing CERTIFICATE into Java Keystore

2009-11-30 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Stephen,

On 11/20/2009 3:05 AM, Stephen . wrote:
 I got the LDAP connection working on my IDM.
 
 Test Connection Succeeded

Glad to hear it.

 However, when I try to create a new User on the LDAP Resource, I get the
 following error:
 
 javax.naming.CommunicationException:
 sun.security.validator.ValidatorException: PKIX path building failed:
 sun.security.provider.certpath.SunCertPathBuilderException: unable to find
 valid certification path to requested target

 Do you have an idea what this could mean?

This means that your client doesn't trust the server's SSL certificate.

How are you configuring your LDAP resource? You have not yet posted
that, so it's hard to help, here.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksUGMMACgkQ9CaO5/Lv0PCv2wCbBODzpoquP5eA38U+OnB3yH/v
h9QAoMLZGgjzGZ+8r/4SkJ43lxkI9Fai
=U+CG
-END PGP SIGNATURE-

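As an added example (it is not part of this thread or of any product mentioned in it), the following Java program reproduces the PKIX decision offline: it loads the truststore the LDAP resource is supposed to use, prints what that store trusts, and runs the JDK's PKIX validator over the server's certificate chain. The class name TrustCheck, the keystore path and the PEM file name are assumptions; the chain file is expected to hold the server certificate first, followed by any intermediate certificates.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Offline check: would this truststore accept this server chain?
 * Usage (paths are placeholders):
 *   java TrustCheck path/to/my/keystore server-chain.pem [storepass]
 * server-chain.pem: server certificate first, then any intermediates.
 */
public class TrustCheck {

    /** Loads a JKS/PKCS12 keystore; a null password skips the integrity check. */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Reads one or more PEM/DER X.509 certificates from a file, leaf first. */
    static List<X509Certificate> readChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /**
     * Returns null when the chain validates against the truststore, otherwise
     * the validator's reason. This is the same decision the SSL stack makes
     * before reporting "unable to find valid certification path to requested target".
     */
    static String validate(KeyStore trustStore, List<X509Certificate> chain) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // keeps the check offline; re-enable in production
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return null;
        } catch (CertPathValidatorException e) {
            return e.getMessage();
        }
    }

    /** Prints every certificate entry so you can see which CA roots the store really holds. */
    static void listTrustedAliases(KeyStore ks) throws Exception {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                System.out.println("  " + alias + " -> " + ((X509Certificate) c).getSubjectX500Principal());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = args.length > 2 ? args[2].toCharArray() : null;
        KeyStore ts = loadTrustStore(args[0], storePass);
        System.out.println("Trusted entries in " + args[0] + ":");
        listTrustedAliases(ts);
        List<X509Certificate> chain = readChain(args[1]);
        String problem = validate(ts, chain);
        System.out.println(problem == null
                ? "chain validates: a JVM using this truststore would accept the server"
                : "PKIX failure: " + problem);
    }
}
```

If validate returns a message such as "Path does not chain with any of the trust anchors", the server's chain ends at a CA that is not in the keystore you checked, which is exactly what the ValidatorException in the post above reports. Running it against each keystore you imported into (~/.keystore, the JVM's cacerts, a dedicated file) shows which one actually contains the path, and therefore which one the LDAP resource has to be pointed at.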



RE: Importing CERTIFICATE into Java Keystore

2009-11-20 Thread Stephen .


Hi again,

I got the LDAP connection working on my IDM.

Test Connection Succeeded


However, when I try to create a new User on the LDAP Resource, I get the
following error:

javax.naming.CommunicationException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target



Do you have an idea what this could mean?

Thanks


Regards

Stephen





 Date: Thu, 19 Nov 2009 15:22:07 -0500
 From: ch...@christopherschultz.net
 To: marr...@hotmail.com
 CC: users@tomcat.apache.org
 Subject: Re: Importing CERTIFICATE  into Java Keystore
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Stephen,
 
 On 11/19/2009 2:42 AM, Stephen . wrote:
  My JAVA folder has 3 different locations which contain the command KEYTOOL
  
  I don't even know which of them is supposed to hold the certificate.
 
 None of those hold any certificates: they are just programs that operate
 on files called keystores. A keystore is a specially-formatted file
 that contains one or more certificates and keys. You can create a new
 one or use an existing one.
 
 Typically, your JVM has a system-level keystore installed that contains
 all of the special top-level certificates from the big guys like
 VeriSign and Thawte. That allows your JVM to trust certificates signed
 by those certificate authorities. X.509 (which is what all this stuff is
 defined as) is built on a tree of trust where a small number of
 implicitly-trusted entities (VeriSign, Thawte, etc.) are allowed to
 dictate who is and who is not trusted on the web via these certificates.
 It's a great racket.
 
  Yesterday, just to be on the safe side, I imported my certificate into
  ALL 3 locations (under 3 different aliases)
 
 The real question was which keystore you were operating on. From the
 'keytool' manual page:
 
 
 Each keytool command has a -keystore option for specifying the name and
 location of the persistent keystore file for the keystore managed by
 keytool. The keystore is by default stored in a file named .keystore
 in the user's home directory, as determined by the user.home system
 property.
 
 
 So, do you have a file in ~/.keystore? If so, it's likely to be the
 place where all the certificates you are (re-)importing are going. You
 need to configure this keystore to be the one that is used for your JNDI
 connection. How are you configuring your JNDI resource? Please post the
 configuration (minus any passwords, of course) and tell us where that
 configuration appears.
 
  Then I found yet another command online which says that it's not enough
  to import the certificate into the keystore. It needs to be imported
  directly into the CACERT file.
 
 That sounds like malarkey.
 
  To make matters even worse, I found yet another piece of advice in Tomcat's
  documentation, saying: before importing the certificate, you need to
  first import a so-called TRUST CHAIN.
 
 That may be possible. See... the big guys like VeriSign don't have just
 a single certificate/key that they use to sign your certificate(s): they
 have dozens. That is, in the tree of trust, there are many branches.
 There are many reasons for that which I won't go into, here. Basically,
 VeriSign's top-level cert (and they have more than one) trusts
 VeriSign's mid-level certs, which in turn trust VeriSign's lowest-level
 cert, which trusts you.
 
 If you want the JVM to trust your certificate, you need to provide your
 certificate (duh!) plus the 2 intervening (chain) certificates to
 bridge the chain of trust from your cert to the top-level VeriSign cert
 that ships with the JVM.
 
  In some places, it says you need this trust chain if the certificate was
  applied for by yourself.
 
 That statement is a bit ambiguous.
 
  is it:
  *keytool -import -file tomcatCert.crt -trustcacerts
  -alias tomcat -keystore c:/apps/jdk/jre/lib/security/cacerts -storepass
  changeit*
  
  or is it  :   * keytool -import -alias root -keystore
  your_keystore_filename -trustcacerts -file
  filename_of_the_chain_certificate*
 
 It's both, or neither :)
 
 Usually, you don't want to modify the keystore that came with the JVM
 (that's c:/apps/jdk/jre/lib/security/cacerts). Why? Because if you
 upgrade your JVM, then your trusted certs will appear to vanish
 because the new JVM ships with a new cacerts file which doesn't include
 your changes.
 
 What would be best is something like this (the \s in here are a
 *NIX-style "command continues on the next line" convention... they are
 not intended to be actually entered on the command line, but indicate
 that you shouldn't press ENTER at the end of each line of text):
 
 keytool -import  \
 -file chain-1-cert.crt   \
 -trustcacerts\
 -alias chain-1   \
 -keystore path\to\my\keystore
 
 (then enter the password when prompted)
 
 This will import one of the chain

Re: Importing CERTIFICATE into Java Keystore

2009-11-19 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Stephen,

On 11/19/2009 2:42 AM, Stephen . wrote:
 My JAVA folder has 3 different locations which contain the command KEYTOOL
 
 I don't even know which of them is supposed to hold the certificate.

None of those hold any certificates: they are just programs that operate
on files called keystores. A keystore is a specially-formatted file
that contains one or more certificates and keys. You can create a new
one or use an existing one.

Typically, your JVM has a system-level keystore installed that contains
all of the special top-level certificates from the big guys like
VeriSign and Thawte. That allows your JVM to trust certificates signed
by those certificate authorities. X.509 (which is what all this stuff is
defined as) is built on a tree of trust where a small number of
implicitly-trusted entities (VeriSign, Thawte, etc.) are allowed to
dictate who is and who is not trusted on the web via these certificates.
It's a great racket.

 Yesterday, just to be on the safe side, I imported my certificate into
 ALL 3 locations (under 3 different aliases)

The real question was which keystore you were operating on. From the
'keytool' manual page:


Each keytool command has a -keystore option for specifying the name and
location of the persistent keystore file for the keystore managed by
keytool. The keystore is by default stored in a file named .keystore
in the user's home directory, as determined by the user.home system
property.


So, do you have a file in ~/.keystore? If so, it's likely to be the
place where all the certificates you are (re-)importing are going. You
need to configure this keystore to be the one that is used for your JNDI
connection. How are you configuring your JNDI resource? Please post the
configuration (minus any passwords, of course) and tell us where that
configuration appears.

 Then I found yet another command online which says that it's not enough
 to import the certificate into the keystore. It needs to be imported
 directly into the CACERT file.

That sounds like malarkey.

 To make matters even worse, I found yet another piece of advice in Tomcat's
 documentation, saying: before importing the certificate, you need to
 first import a so-called TRUST CHAIN.

That may be possible. See... the big guys like VeriSign don't have just
a single certificate/key that they use to sign your certificate(s): they
have dozens. That is, in the tree of trust, there are many branches.
There are many reasons for that which I won't go into, here. Basically,
VeriSign's top-level cert (and they have more than one) trusts
VeriSign's mid-level certs, which in turn trust VeriSign's lowest-level
cert, which trusts you.

If you want the JVM to trust your certificate, you need to provide your
certificate (duh!) plus the 2 intervening (chain) certificates to
bridge the chain of trust from your cert to the top-level VeriSign cert
that ships with the JVM.

 In some places, it says you need this trust chain if the certificate was
 applied for by yourself.

That statement is a bit ambiguous.

 is it:
 *keytool -import -file tomcatCert.crt -trustcacerts
 -alias tomcat -keystore c:/apps/jdk/jre/lib/security/cacerts -storepass
 changeit*
 
 or is it  :   * keytool -import -alias root -keystore
 your_keystore_filename -trustcacerts -file
 filename_of_the_chain_certificate*

It's both, or neither :)

Usually, you don't want to modify the keystore that came with the JVM
(that's c:/apps/jdk/jre/lib/security/cacerts). Why? Because if you
upgrade your JVM, then your trusted certs will appear to vanish
because the new JVM ships with a new cacerts file which doesn't include
your changes.

What would be best is something like this (the \s in here are a
*NIX-style "command continues on the next line" convention... they are
not intended to be actually entered on the command line, but indicate
that you shouldn't press ENTER at the end of each line of text):

keytool -import  \
-file chain-1-cert.crt   \
-trustcacerts\
-alias chain-1   \
-keystore path\to\my\keystore

(then enter the password when prompted)

This will import one of the chain certificates you may need to import
for whoever signed your certificate. Who did sign it, by the way? Repeat
that command for each chain certificate you have to import.

Now, import your own certificate:
keytool -import  \
-file your-cert.crt  \
-trustcacerts\
-alias my-jndi-certificate   \
-keystore path\to\my\keystore

(then enter the password when prompted)

This should get all your necessary certificates in one place: the file
indicated by path\to\my\keystore. Please let us know where you intend to
place this file.

Now, to actually /use/ that keystore depends on how you are configuring
your JNDI resource. Once we see that, we can help you point your
configuration at this file.

 And what is the 
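As an added example (not from this thread or from any project it mentions) of the "point your JNDI resource at the keystore" step that Chris describes: a small Java program that makes the JVM's default SSL stack use the keytool-built file and then performs a simple bind over LDAPS, catching the CommunicationException that the IDM resource shows. The class name LdapsTrustDemo, the host ldap.example.com, the bind DN and both passwords are placeholders.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Opens an LDAPS (LDAP over TLS, port 636) JNDI connection while pointing the
 * JVM's default trust manager at a dedicated truststore, so the certificates
 * imported with keytool into that file are the ones consulted for the handshake.
 */
public class LdapsTrustDemo {

    /** Must run before the first SSLContext is created in this JVM. */
    static void useTrustStore(String path, String password) {
        System.setProperty("javax.net.ssl.trustStore", path);
        System.setProperty("javax.net.ssl.trustStorePassword", password);
        // Handshake trace for diagnosing PKIX failures; very verbose:
        // System.setProperty("javax.net.debug", "ssl:handshake");
    }

    /** Performs a simple bind over LDAPS and returns the directory context on success. */
    static DirContext connect(String url, String bindDn, String bindPassword) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url); // ldaps:// scheme selects TLS on connect
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return new InitialDirContext(env);
    }

    public static void main(String[] args) {
        // Placeholder values; pass real ones on the command line.
        String trustStore = args.length > 0 ? args[0] : "path/to/my/keystore";
        String trustStorePassword = args.length > 1 ? args[1] : "changeit";
        String url = args.length > 2 ? args[2] : "ldaps://ldap.example.com:636";
        String bindDn = args.length > 3 ? args[3] : "cn=idm-service,ou=system,dc=example,dc=com";
        String bindPassword = args.length > 4 ? args[4] : "bind-password";

        useTrustStore(trustStore, trustStorePassword);
        try {
            DirContext ctx = connect(url, bindDn, bindPassword);
            System.out.println("bind succeeded: the truststore holds a path to the server's certificate");
            ctx.close();
        } catch (CommunicationException e) {
            // "simple bind failed" / "PKIX path building failed" surface here:
            // the server's chain did not lead to anything in the truststore.
            System.err.println("TLS/bind failure: " + e.getMessage());
            Throwable root = e;
            while (root.getCause() != null) {
                root = root.getCause();
            }
            System.err.println("root cause: " + root);
        } catch (NamingException e) {
            System.err.println("LDAP error after the TLS handshake succeeded: " + e);
        }
    }
}
```

When the connection is made from inside Tomcat rather than from a stand-alone program, System.setProperty is the wrong place: another webapp may already have initialised the SSL context, so pass the same two properties as JVM options (-Djavax.net.ssl.trustStore=... and -Djavax.net.ssl.trustStorePassword=... in CATALINA_OPTS) and keep the password out of version control. Setting javax.net.ssl.trustStore replaces the JVM's cacerts as the default trust source entirely, which is why the intermediate chain certificates have to be imported into that file as well, as Chris describes above.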

RE: Importing CERTIFICATE into Java Keystore

2009-11-19 Thread Stephen .


Chris,

thank you for your reply.

And thank you so much for taking the time and trouble to explain all this to me.

I really don't know much about JNDI.  I don't even know where and how it is 
configured. 

But, I am going to try your suggestions, and see if it works out.

If you want, I could keep you posted on this.

Thanks again.


Regards

Stephen





 Date: Thu, 19 Nov 2009 15:22:07 -0500
 From: ch...@christopherschultz.net
 To: marr...@hotmail.com
 CC: users@tomcat.apache.org
 Subject: Re: Importing CERTIFICATE  into Java Keystore
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Stephen,
 
 On 11/19/2009 2:42 AM, Stephen . wrote:
  My JAVA folder has 3 different locations which contain the command KEYTOOL
  
  I don't even know which of them is supposed to hold the certificate.
 
 None of those hold any certificates: they are just programs that operate
 on files called keystores. A keystore is a specially-formatted file
 that contains one or more certificates and keys. You can create a new
 one or use an existing one.
 
 Typically, your JVM has a system-level keystore installed that contains
 all of the special top-level certificates from the big guys like
 VeriSign and Thawte. That allows your JVM to trust certificates signed
 by those certificate authorities. X.509 (which is what all this stuff is
 defined as) is built on a tree of trust where a small number of
 implicitly-trusted entities (VeriSign, Thawte, etc.) are allowed to
 dictate who is and who is not trusted on the web via these certificates.
 It's a great racket.
 
  Yesterday, just to be on the safe side, I imported my certificate into
  ALL 3 locations (under 3 different aliases)
 
 The real question was which keystore you were operating on. From the
 'keytool' manual page:
 
 
 Each keytool command has a -keystore option for specifying the name and
 location of the persistent keystore file for the keystore managed by
 keytool. The keystore is by default stored in a file named .keystore
 in the user's home directory, as determined by the user.home system
 property.
 
 
 So, do you have a file in ~/.keystore? If so, it's likely to be the
 place where all the certificates you are (re-)importing are going. You
 need to configure this keystore to be the one that is used for your JNDI
 connection. How are you configuring your JNDI resource? Please post the
 configuration (minus any passwords, of course) and tell us where that
 configuration appears.
 
  Then I found yet another command online which says that it's not enough
  to import the certificate into the keystore. It needs to be imported
  directly into the CACERT file.
 
 That sounds like malarkey.
 
  To make matters even worse, I found yet another piece of advice in Tomcat's
  documentation, saying: before importing the certificate, you need to
  first import a so-called TRUST CHAIN.
 
 That may be possible. See... the big guys like VeriSign don't have just
 a single certificate/key that they use to sign your certificate(s): they
 have dozens. That is, in the tree of trust, there are many branches.
 There are many reasons for that which I won't go into, here. Basically,
 VeriSign's top-level cert (and they have more than one) trusts
 VeriSign's mid-level certs, which in turn trust VeriSign's lowest-level
 cert, which trusts you.
 
 If you want the JVM to trust your certificate, you need to provide your
 certificate (duh!) plus the 2 intervening (chain) certificates to
 bridge the chain of trust from your cert to the top-level VeriSign cert
 that ships with the JVM.
 
  In some places, it says you need this trust chain if the certificate was
  applied for by yourself.
 
 That statement is a bit ambiguous.
 
  is it:
  *keytool -import -file tomcatCert.crt -trustcacerts
  -alias tomcat -keystore c:/apps/jdk/jre/lib/security/cacerts -storepass
  changeit*
  
  or is it  :   * keytool -import -alias root -keystore
  your_keystore_filename -trustcacerts -file
  filename_of_the_chain_certificate*
 
 It's both, or neither :)
 
 Usually, you don't want to modify the keystore that came with the JVM
 (that's c:/apps/jdk/jre/lib/security/cacerts). Why? Because if you
 upgrade your JVM, then your trusted certs will appear to vanish
 because the new JVM ships with a new cacerts file which doesn't include
 your changes.
 
 What would be best is something like this (the \s in here are a
 *NIX-style "command continues on the next line" convention... they are
 not intended to be actually entered on the command line, but indicate
 that you shouldn't press ENTER at the end of each line of text):
 
 keytool -import  \
 -file chain-1-cert.crt   \
 -trustcacerts\
 -alias chain-1   \
 -keystore path\to\my\keystore
 
 (then enter the password when prompted)
 
 This will import one of the chain certificates you may need to import
 for whoever signed your certificate. Who did sign it, by the way? Repeat
 that command for each

Importing CERTIFICATE into Java Keystore

2009-11-18 Thread Stephen .


Hi.

I have an IDM instance setup. 

I am currently trying to configure and set-up an LDAP Resource.

During the configuration, I got the error:


Could not connect to the LDAP server api.csc.fi. == 
javax.naming.CommunicationException: simple bind failed: api.csc.fi:636



Upon extensive research (on Tomcat websites, as well as Forums), I got
the notion that I needed to import the ldapCertificate into my JAVA
Keystore, otherwise it would be impossible for IDM to successfully
connect to LDAP.



I am using Apache Tomcat as my application server. I was able to locate
several online documents which explained how to import a trusted
certificate into the Keystore (unfortunately, these documents seem to
give several different solutions to the same problem).



Eventually, I decided to use the following command at my command prompt:





 keytool -importcert -alias abc -file ABCCA.cer (where abc is the alias)



The import was successful. 


However, I am still getting the same error on my LDAP configuration.

Am I doing something wrong? Is there something ELSE I need to do?


Best regards,

Stephen

Re: Importing CERTIFICATE into Java Keystore

2009-11-18 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Stephen,

On 11/18/2009 3:26 AM, Stephen . wrote:

  keytool -importcert -alias abc -file ABCCA.cer (where abc is the alias)

You need to make sure that the keystore file you used to import the
certificate is also the keystore used by the LDAP resource.

Do you know what keystore into which you imported your cert?
Do you know what keystore is being used by the LDAP resource?

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksEUlEACgkQ9CaO5/Lv0PCpogCcDEhSp2nvPErskak6mbdkpJqR
PD8AnjglMawq8ag9j3YTh9HefruQ4oLY
=TR5G
-END PGP SIGNATURE-




RE: Importing CERTIFICATE into Java Keystore

2009-11-18 Thread Stephen .


Thanks for your response,

No, I don't know any of these things.  This is why I am so confused!!   

My JAVA folder has 3 different locations which contain the command KEYTOOL

I don't even know which of them is supposed to hold the certificate.

Yesterday, just to be on the safe side, I imported my certificate into ALL 3 
locations (under 3 different aliases)

Still did not work.

Then I found yet another command online which says that it's not enough to
import the certificate into the keystore. It needs to be imported directly into
the CACERT file.

But, it does not say HOW this should be done!!


To make matters even worse, I found yet another piece of advice in Tomcat's
documentation, saying: before importing the certificate, you need to first
import a so-called TRUST CHAIN.

In some places, it says you need this trust chain if the certificate was 
applied for by yourself. 

In some places, it does not mention the trust chain at all, if you already 
trust the certificate.


So, what exactly is the CORRECT way to do this?

And what is the right command???


is it: keytool -import -file tomcatCert.crt -trustcacerts -alias tomcat
-keystore c:/apps/jdk/jre/lib/security/cacerts -storepass changeit

or is it: keytool -import -alias root -keystore your_keystore_filename
-trustcacerts -file filename_of_the_chain_certificate

or: keytool -import -alias tomcat -keystore your_keystore_filename -file
your_certificate_filename

or: keytool -importcert -alias abc -file ABCCA.cer



Which is it ???

And what is the difference between KEYSTORE and CACERT?


I am just so confused!!







 Date: Wed, 18 Nov 2009 15:00:17 -0500
 From: ch...@christopherschultz.net
 To: users@tomcat.apache.org
 Subject: Re: Importing CERTIFICATE  into Java Keystore
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Stephen,
 
 On 11/18/2009 3:26 AM, Stephen . wrote:
 
   keytool -importcert -alias abc -file ABCCA.cer (where abc is the alias)
 
 You need to make sure that the keystore file you used to import the
 certificate is also the keystore used by the LDAP resource.
 
 Do you know what keystore into which you imported your cert?
 Do you know what keystore is being used by the LDAP resource?
 
 - -chris
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.10 (MingW32)
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
 iEYEARECAAYFAksEUlEACgkQ9CaO5/Lv0PCpogCcDEhSp2nvPErskak6mbdkpJqR
 PD8AnjglMawq8ag9j3YTh9HefruQ4oLY
 =TR5G
 -END PGP SIGNATURE-
 
 