certificate not trusted even though I imported it

Neil

Hello:

I have two servers that I want to set up to communicate using an
SSLSocket.

On the first server (cbs1), I did the following commands to generate a
self-signed certificate:

keytool -genkey -alias cbs1 -keyalg RSA -keystore cbs1.keystore -dname "cn=cbs1.jammconsulting.com" -validity 3560 -keypass [pass] -storepass [pass]

keytool -selfcert -alias cbs1 -keystore cbs1.keystore -keypass [pass] -storepass [pass]

keytool -export -alias cbs1 -file cbs1.crt -keystore cbs1.keystore -storepass [pass]

On the second server (cbs2), I did these commands to generate a
self-signed cert:

keytool -genkey -alias cbs2 -keyalg RSA -keystore cbs2.keystore -dname "cn=cbs2.jammconsulting.com" -validity 3560 -keypass [pass] -storepass [pass]

keytool -selfcert -alias cbs2 -keystore cbs2.keystore -keypass [pass] -storepass [pass]

keytool -export -alias cbs2 -file cbs2.crt -keystore cbs2.keystore -storepass [pass]

After that, I copied the crt files from each server to the other and
imported cbs2's cert into the cacerts file on cbs1 (I did this from the
security directory of the JRE):

keytool -import -alias cbs2 -file /root/sequoia/config/cbs2.crt -keystore cacerts -storepass changeit

Similarly, I imported the crt file from cbs1 into the cacerts file of
cbs2:

keytool -import -alias cbs1 -file /root/sequoia/config/cbs1.crt -keystore cacerts -storepass changeit

But, when I run my app, I get this error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
    at java.io.OutputStream.write(OutputStream.java:58)
    ...

Any ideas why the ssl socket is not liking the certificates even though
I signed them and imported the public keys into the cacerts file for
the JRE?

Thanks,
Neil
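The stack trace above fails in ClientHandshaker.serverCertificate, i.e. the client received the server's certificate and its trust manager rejected it. The same validation can be run offline, without a socket, to see which truststore the JVM actually consults and whether the exported certificate is in it. The following diagnostic is an added example for this thread, not code posted by Neil or Jim; it assumes the files produced by the commands above (an exported cbs1.crt or cbs2.crt and the cacerts file the import was run against, password changeit) and takes their paths as arguments. The class name TrustCheck is my own.

```java
// TrustCheck.java: added diagnostic for "No trusted certificate found" (not from the thread).
// Usage: java TrustCheck <peer.crt> [truststore] [storepass]
//   e.g. on cbs1: java TrustCheck /root/sequoia/config/cbs2.crt
// With no truststore argument it uses exactly the store the JRE would use by default.
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustCheck {

    // Default the JRE uses when javax.net.ssl.trustStore is not set:
    // <java.home>/lib/security/cacerts. For a JDK launcher on Java <= 8, java.home
    // is the bundled jre directory, so editing a different JRE's cacerts has no effect.
    static Path defaultTrustStore() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) {
            return Paths.get(override);
        }
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    static KeyStore loadKeyStore(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Reads the file written by "keytool -export" (DER or PEM are both accepted).
    static X509Certificate loadCert(Path path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    // Alias whose stored certificate is byte-for-byte the presented one, or null.
    // X509Certificate.equals compares the DER encoding, so a re-generated cert with
    // the same CN but a new key will correctly not match.
    static String findAlias(KeyStore ts, X509Certificate cert) throws Exception {
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (cert.equals(ts.getCertificate(alias))) {
                return alias;
            }
        }
        return null;
    }

    // Runs the same check the handshake runs: X509TrustManager.checkServerTrusted
    // on a one-element chain (a self-signed server cert has no further chain).
    static boolean wouldBeTrusted(KeyStore ts, X509Certificate cert) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try {
                    ((X509TrustManager) tm).checkServerTrusted(new X509Certificate[] { cert }, "RSA");
                    return true;
                } catch (CertificateException ex) {
                    System.out.println("validator says : " + ex.getMessage());
                    return false;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java TrustCheck <peer.crt> [truststore] [storepass]");
            System.exit(2);
        }
        Path certPath = Paths.get(args[0]);
        Path tsPath = args.length > 1 ? Paths.get(args[1]) : defaultTrustStore();
        char[] storepass = (args.length > 2 ? args[2] : "changeit").toCharArray();

        System.out.println("java.home      : " + System.getProperty("java.home"));
        System.out.println("truststore     : " + tsPath.toAbsolutePath());
        X509Certificate cert = loadCert(certPath);
        System.out.println("peer subject   : " + cert.getSubjectX500Principal());
        System.out.println("peer issuer    : " + cert.getIssuerX500Principal());
        System.out.println("peer SHA-256   : " + sha256Fingerprint(cert));
        cert.checkValidity(); // throws if the cert is expired or not yet valid, another handshake-failure cause

        KeyStore ts = loadKeyStore(tsPath, storepass);
        String alias = findAlias(ts, cert);
        System.out.println("alias in store : " + (alias == null ? "(none: this exact certificate is not in the truststore)" : alias));
        System.out.println("trusted        : " + wouldBeTrusted(ts, cert));
    }
}
```

Run it with the same java binary that runs the application. If "alias in store" is none even though the keytool import reported success, the import went into a cacerts file that this JVM does not read (a different JRE, or a javax.net.ssl.trustStore override); compare the printed truststore path with the directory the import was run in. If the alias is present but "trusted" is false, the validator message says why. If both are fine, the server is presenting a different certificate than the one exported, which happens when the keystore is regenerated or the SSLServerSocket is not actually using cbs1.keystore.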
 
ohaya

Hi,

It's been a while since I've had to work with this stuff, but on the
"keytool -import" command line, don't you have to include a parameter
like "-trustcacerts" in order that the imported CA cert is marked as such?

Jim