certificate not trusted even though I imported it

[Neil]

Hello:

I have two servers that I want to set up to communicate using an
SSLSocket.

On the first server (cbs1), I did the following commands to generate a
self-signed certificate:

keytool -genkey -alias cbs1 -keyalg RSA -keystore cbs1.keystore -dname
"cn=cbs1.jammconsulting.com" -validity 3560 -keypass [pass] -storepass
[pass]

keytool -selfcert -alias cbs1 -keystore cbs1.keystore -keypass [pass]
-storepass [pass]

keytool -export -alias cbs1 -file cbs1.crt -keystore cbs1.keystore
-storepass [pass]

On the second server (cbs2), I did these commands to generate a
self-signed cert:

keytool -genkey -alias cbs2 -keyalg RSA -keystore cbs2.keystore -dname
"cn=cbs2.jammconsulting.com" -validity 3560 -keypass [pass] -storepass
[pass]

keytool -selfcert -alias cbs2 -keystore cbs2.keystore -keypass [pass]
-storepass [pass]

keytool -export -alias cbs2 -file cbs2.crt -keystore cbs2.keystore
-storepass [pass]

After that, I copied the crt files from the servers to the other and
imported cbs2's cert into the cacerts file on cbs1 (I did this from the
security directory of the jre):
keytool -import -alias cbs2 -file /root/sequoia/config/cbs2.crt
-keystore cacerts -storepass changeit

Similarly, I imported the crt file from cbs1 into the cacerts file of
cbs2:
keytool -import -alias cbs1 -file /root/sequoia/config/cbs1.crt
-keystore cacerts -storepass changeit

But, when I run my app, I get this error:

javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate found
at
com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
at
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
at
com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
at
com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.iutputStream.write(OutputStream.java:58)
...

Any ideas why the ssl socket is not liking the certificates even though
I signed them and imported the public keys into the cacerts file for
the JRE?

Thanks,
Neil

 

[ohaya]

Hello:

I have two servers that I want to set up to communicate using an
SSLSocket.

On the first server (cbs1), I did the following commands to generate a
self-signed certificate:

keytool -genkey -alias cbs1 -keyalg RSA -keystore cbs1.keystore -dname
"cn=cbs1.jammconsulting.com" -validity 3560 -keypass [pass] -storepass
[pass]

keytool -selfcert -alias cbs1 -keystore cbs1.keystore -keypass [pass]
-storepass [pass]

keytool -export -alias cbs1 -file cbs1.crt -keystore cbs1.keystore
-storepass [pass]

On the second server (cbs2), I did these commands to generate a
self-signed cert:

keytool -genkey -alias cbs2 -keyalg RSA -keystore cbs2.keystore -dname
"cn=cbs2.jammconsulting.com" -validity 3560 -keypass [pass] -storepass
[pass]

keytool -selfcert -alias cbs2 -keystore cbs2.keystore -keypass [pass]
-storepass [pass]

keytool -export -alias cbs2 -file cbs2.crt -keystore cbs2.keystore
-storepass [pass]

After that, I copied the crt files from the servers to the other and
imported cbs2's cert into the cacerts file on cbs1 (I did this from the
security directory of the jre):
keytool -import -alias cbs2 -file /root/sequoia/config/cbs2.crt
-keystore cacerts -storepass changeit

Similarly, I imported the crt file from cbs1 into the cacerts file of
cbs2:
keytool -import -alias cbs1 -file /root/sequoia/config/cbs1.crt
-keystore cacerts -storepass changeit

But, when I run my app, I get this error:

javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate found
at
com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
at
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
at
com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
at
com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.iutputStream.write(OutputStream.java:58)
...

Any ideas why the ssl socket is not liking the certificates even though
I signed them and imported the public keys into the cacerts file for
the JRE?

Thanks,
Neil

Hi,

It's been awhile since I've had to work with this stuff, but on the
"keytool -import" command line, don't you have to include a parameter
like "-trustcacerts" in order that the imported CA cert is marked as such?

Jim

 

[Neil]

Jim:

I think you were correct.

Thank you,
Neil