Java Forum / First Aid / June 2008

X.509 cert not exporting CA chain?

R@nsh! - 29 Jun 2008 15:16 GMT
Hi,
Got an X.509 certificate from Thawte.
Manipulated it as described here:
http://www.dallaway.com/acad/webstart/, so that now the CA reply is in
my "keystore.ks".
When I tell Tomcat to use this as my keystore, it loads and everything,
BUT it shows as "self signed" - no mention that the cert comes from
Thawte, which kind of defeats the purpose...
See https://66.166.204.121:8443/managementtool/ for the exact message.

Anything wrong with the way I did the certificate request / import / export?

Thanks,
Dave Miller - 29 Jun 2008 15:53 GMT
> Hi,
> Got an X.509 certificate from Thawte.
[quoted text clipped - 10 lines]
>
> Thanks,

An SSL cert is not the same as a code signing cert. To avoid a browser
warning on connection to 66.166.204.121 , you need a certificate with
the CN field set to 66.166.204.121.

Dave Miller
Java Web Hosting at:
http://www.cheap-jsp-hosting.com/

R@nsh! - 29 Jun 2008 18:25 GMT
>> Hi,
>> Got an X.509 certificate from Thawte.
[quoted text clipped - 14 lines]
> warning on connection to 66.166.204.121 , you need a certificate with
> the CN field set to 66.166.204.121.

I currently don't care about the CN thing.
What bothers me right now is the (non-existent) cert path.
C:\Program Files\Java\jre1.6.0_05\bin>keytool -printcert -file my.cert.clean
Certificate[1]:
Owner: EMAILADDRESS=ran.shenhar@mobixell.com, CN=Ran Shenhar,
GIVENNAME=Ran, SURNAME=Shenhar
Issuer: CN=Thawte Personal Freemail Issuing CA, O=Thawte Consulting
(Pty) Ltd.,
C=ZA
Dave Miller - 29 Jun 2008 19:49 GMT
>>> Hi,
>>> Got an X.509 certificate from Thawte.
[quoted text clipped - 25 lines]
> (Pty) Ltd.,
> C=ZA
The chain has to extend from the CA to the end point for there to be a
valid CA-verified session. The end point is the "CN thing".


R@nsh! - 29 Jun 2008 22:55 GMT
>>>> Hi,
>>>> Got an X.509 certificate from Thawte.
[quoted text clipped - 27 lines]
> The chain has to extend from the CA to the end point for there to be
> valid CA verified session. The end point is the "CN thing".

Thanks - there were 2 certs, so I deleted one.
openssl s_client -connect 66.166.204.121:8443 -showcerts
CONNECTED(00000003)
depth=2 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte
Consulting/OU=Certification Services Division/CN=Thawte Personal
Freemail CA/emailAddress=personal-freemail@thawte.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/SN=Shenhar/GN=Ran/CN=Ran
Shenhar/emailAddress=ran.shenhar@mobixell.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte Personal Freemail
Issuing CA
<snipped>

FF3 gives me Error code: sec_error_untrusted_issuer, IE7 won't even connect.
Any ideas?
Dave Miller - 30 Jun 2008 00:18 GMT
> FF3 gives me Error code: sec_error_untrusted_issuer, IE7 won't even
> connect.
> Any ideas?

Firefox is reading the certificate properly and as issued. It will only
accept it with an exception because the cert was issued to Ran Shenhar
and is being served by 66.166.204.121.

One last try to help you understand after which you're on your own.

You go to enter a foreign country. You get to immigration control and
you give them a valid passport, issued by a sovereign nation (i.e.
England) but it was issued to your friend not to you. The immigration
control officer takes a look at the passport, takes a look at you and
says "this passport isn't valid" (meaning for you). You can argue all
you want about the fact that England is a sovereign nation and that they
legitimately issued the passport but, in terms of getting entrance for
you to a foreign country, it's not a valid passport. Until you get the
"CN thing" corrected, using your cert is like trying to use a friend's
passport - it will not work (without exceptions).

Best of luck with your project.


R@nsh! - 30 Jun 2008 01:26 GMT
>> FF3 gives me Error code: sec_error_untrusted_issuer, IE7 won't even
>> connect.
[quoted text clipped - 18 lines]
>
> Best of luck with your project.

Dave,
Many thanks for your help so far.
I do understand what you're saying, and I don't care about the cert
being "not for me" or that it requires an exception - I just care about
WHICH exception.
This is just a test for me - can I get the cert path recognized and
verify the cert is from a known CA.
I'm totally aware that it will fail afterwards.
However, as I understand it right now, and perhaps I'm wrong here, it
fails on the cert path - and I'm puzzled why that is so...

Thanks,
--Ran

©2008 Advenet LLC