Java Forum / General / June 2008


X.509 cert not exporting CA chain?

R@nsh! - 29 Jun 2008 15:18 GMT
Hi,
Got an X.509 certificate from Thawte.
Manipulated it as described here:
http://www.dallaway.com/acad/webstart/, so that now the CA reply is in
my "keystore.ks".
When I tell Tomcat to use this as my keystore, it loads and everything,
BUT it shows as "self signed" - no mention that the cert comes from
Thawte, which kind of defeats the purpose...
See https://66.166.204.121:8443/managementtool/ for the exact message.

Anything wrong with the way I did the certificate request / import / export?

Thanks,
Ronny Schuetz - 29 Jun 2008 17:21 GMT
Hi,

> When I tell Tomcat to use this as my keystore, it loads and everything,
> BUT it shows as "self signed" - no mention that the cert comes from
> Thawte, which kinds of defeat the purpose...
> See https://66.166.204.121:8443/managementtool/ for the exact message.

Your server is definitely using a self-signed certificate:

openssl s_client -connect 66.166.204.121:8443 -showcerts
...
---
Certificate chain
 0 s:/C=US/ST=CA/L=Cupertino/O=Mobixell.com/OU=Mobixell/CN=Ran Shenhar
   i:/C=US/ST=CA/L=Cupertino/O=Mobixell.com/OU=Mobixell/CN=Ran Shenhar
...

Probably you need to specify the alias of the Thawte signed certificate
and key in the keystore somewhere in Tomcat to select the right
certificate to use.

Ronny
R@nsh! - 29 Jun 2008 18:24 GMT
That's my problem exactly...
The cert that was imported to the keystore reports:
C:\Program Files\Java\jre1.6.0_05\bin>keytool -printcert -file my.cert.clean
Certificate[1]:
Owner: EMAILADDRESS=ran.shenhar@mobixell.com, CN=Ran Shenhar, GIVENNAME=Ran, SURNAME=Shenhar
Issuer: CN=Thawte Personal Freemail Issuing CA, O=Thawte Consulting (Pty) Ltd., C=ZA
Ronny Schuetz - 29 Jun 2008 19:12 GMT
Hi,

> The cert that was imported to the keystore reports:
> C:\Program Files\Java\jre1.6.0_05\bin>keytool -printcert -file
[quoted text clipped - 6 lines]
> (Pty) Ltd.,
> C=ZA

Might be, but this is not the certificate used by Tomcat, as the subject
as well as the issuer shown by the openssl client are different from the
values shown by keytool. Either Tomcat is using a different keystore or
the keystore contains multiple certificates and Tomcat is using the wrong
one as identity certificate for whatever reason.

I'd recommend using keytool to list the contents of the keystore (-list
command) to check whether there are any other certificates and to find out
the alias of the Thawte-signed certificate, to compare this with the
Tomcat configuration.

Hope that helps,
Ronny
Ronny Schuetz - 29 Jun 2008 19:16 GMT
> I'd recommend to use keytool to list the content of the keystore (-list
> command) to check, if there are any other certificates and to find out
> the alias of the Thawte signed certificate to compare this with the
> Tomcat configuration.

Short add-on, just in case: it might be that Tomcat needs to be restarted
to pick up the new configuration or new certificate.

Ronny
R@nsh! - 29 Jun 2008 22:54 GMT

Thanks - there were indeed 2 certs, so I deleted one.
openssl s_client -connect 66.166.204.121:8443 -showcerts
CONNECTED(00000003)
depth=2 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@thawte.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/SN=Shenhar/GN=Ran/CN=Ran Shenhar/emailAddress=ran.shenhar@mobixell.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte Personal Freemail Issuing CA
<snipped>

FF3 gives me "Error code: sec_error_untrusted_issuer"; IE7 won't even connect.
Any ideas?
Ronny Schuetz - 30 Jun 2008 10:04 GMT
> Thanks - there were indeed 2 certs, so I deleted one.

No problem.

> openssl s_client -connect 66.166.204.121:8443 -showcerts
> CONNECTED(00000003)
[quoted text clipped - 14 lines]
> connect.
> Any ideas?

Yes. The certificate is not intended to be used as server certificate
but to encrypt/sign e-mails. So for example the server name is not in
the CN field of the certificate subject.

The certificate might be usable for code signing (which was as far as I
know your original intention), but not as server certificate.

So in case you need SSL connectivity, you need to obtain a server
certificate from for example Verisign or GoDaddy or so. In case you
don't need SSL, you can make your JavaWS application accessible via HTTP
and still use the Thawte certificate to sign the application code.

One additional note: Your Thawte certificate does not contain a key
usage or extended key usage extension, which is usually used to specify
the purpose of the certificate, i.e. if you're allowed to use it for
client or server authentication (for SSL) or if you're allowed to use it
for code signing (for example for JavaWS). I don't know if JavaWS
accepts it for code signing; you have to test that. There might even be
differences between Java 5 and Java 6, as for example Java 6 is
explicitly checking the code signing flag in the extended key usage
extension now, as far as I know. As this extension is not present at all,
it might work - or not.

Ronny
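The checks Ronny walks through in his first reply (compare subject and issuer of the certificate the server actually serves) and in the reply just above (confirm the certificate is a server certificate at all: host name in the subject, chain to a trusted CA, key usage that permits server authentication) collected into one script. This is an added example and not part of the original thread: it builds a throwaway local CA and three leaf certificates with openssl, and every name, host name and file name in it is constructed for the example rather than taken from the thread's real certificates.

```shell
#!/bin/sh
# Added example (not from the original thread): rebuild the three situations the
# thread went through with a throwaway local CA, then check each certificate the
# way a browser would before it is handed to Tomcat. All names are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway root CA (constructed; stands in for the real issuer).
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
    -subj "/O=Example Test CA/CN=Example Test Root" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -out ca.pem -days 1 -extfile ca.ext 2>/dev/null

# 1. Self-signed certificate: subject == issuer, what the first s_client output
#    in the thread showed being served.
openssl req -new -x509 -newkey rsa:2048 -nodes -keyout self.key -out self.pem \
    -days 1 -subj "/O=Example Corp/CN=Jane Doe" 2>/dev/null

# 2. CA-issued e-mail certificate: a person in the subject, an e-mail SAN, no
#    host name and no key usage / extended key usage (like the Freemail cert).
openssl req -new -newkey rsa:2048 -nodes -keyout mail.key -out mail.csr \
    -subj "/CN=Jane Doe/emailAddress=jane@example.test" 2>/dev/null
printf 'subjectAltName=email:jane@example.test\n' > mail.ext
openssl x509 -req -in mail.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out mail.pem -days 1 -extfile mail.ext 2>/dev/null

# 3. CA-issued server certificate: host name in CN and SAN, EKU = serverAuth.
openssl req -new -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
    -subj "/O=Example Corp/CN=www.example.test" 2>/dev/null
printf 'subjectAltName=DNS:www.example.test\nextendedKeyUsage=serverAuth\n' > srv.ext
openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out srv.pem -days 1 -extfile srv.ext 2>/dev/null

# Subject or issuer DN as openssl prints it, minus the "subject=" / "issuer=" label.
dn() { openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'; }

# 0 when the certificate issued itself, i.e. what the browser calls "self signed".
is_self_signed() { [ "$(dn subject "$1")" = "$(dn issuer "$1")" ]; }

# 0 when the certificate validates against the CA bundle. The "self signed
# certificate in certificate chain" error in the thread's second s_client run
# is this check failing because the Thawte root was not in openssl's trust store.
chains_to() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# 0 when HOST matches a SAN dNSName, or the CN when the cert has no DNS SAN.
names_host() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }

# Prints serverAuth, absent, or other for the extended key usage extension.
# "absent" means nothing forbids server use, which is the "might work - or not"
# case from the thread; "other" means the EKU names purposes that exclude it.
eku_state() {
    text="$(openssl x509 -in "$1" -noout -text)"
    if ! printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage'; then
        echo absent
    elif printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
        echo serverAuth
    else
        echo other
    fi
}

# Verdict for serving CERT as the identity of HOST under CA: "ok" or the first
# reason a browser would reject it. Usage: server_cert_verdict CERT CA HOST
server_cert_verdict() {
    if is_self_signed "$1"; then echo self-signed; return 1; fi
    if ! chains_to "$1" "$2"; then echo untrusted-issuer; return 1; fi
    if ! names_host "$1" "$3"; then echo hostname-mismatch; return 1; fi
    if [ "$(eku_state "$1")" = other ]; then echo eku-forbids-serverauth; return 1; fi
    echo ok
}

for c in self.pem mail.pem srv.pem; do
    printf '%-9s eku=%-10s %s\n' "$c" "$(eku_state "$c")" \
        "$(server_cert_verdict "$c" ca.pem www.example.test)"
done
```

The e-mail certificate passes chain validation and carries no EKU, so nothing in it forbids serverAuth, but it fails on the host name, which is what Firefox and IE reject. On the Tomcat side, once a keystore holds more than one key entry, the HTTPS Connector's `keyAlias` attribute in server.xml selects which entry is the server identity; without it Tomcat uses the first key entry it reads, which is how a leftover self-signed entry can end up being served instead of the CA-issued one.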
Aravind - 30 Jun 2008 11:02 GMT
Hi Ran,
Your requirement (an SSL certificate for HTTPS access to your web
application) is different from the one addressed in
http://www.dallaway.com/acad/webstart/.
http://www.dallaway.com/acad/webstart/ gives the instructions for
digitally signing a Java Web Start (JNLP) application, whereas your
requirement is to access your web application through an HTTP over SSL
(HTTPS) connection.
For an HTTPS connection to Tomcat, you need to get an SSL certificate, as
opposed to the e-mail signer certificate that you got from Thawte.

You may get a 14-day trial SSL certificate from Verisign - http://www.verisign.com/
There are other free SSL certificate providers such as http://cert.startcom.org/.
However, Internet Explorer may not have the CA root certificate of
this provider, and hence you may need to install the CA root
certificate manually.

For more information on using the SSL Certificate with Tomcat, you can
refer to 'Installing a Certificate from a Certificate Authority'
section of http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

Hope this helps.

Regards,
Aravind. R
