The following documents the procedure for importing server certificates into the JVM.
This avoids exceptions like the one below:
Exception Message: sun.security.validator.ValidatorException: PKIX path building failed
The exception above specifically indicates a problem with the certification path, which should be included in the JVM cacerts.
For information about the JVM certificate files, see this URL:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#X509TrustManager
Steps:
1- Acquire the needed server certificate from the server URL, if possible by exporting it from Firefox.
Make sure you export the whole certificate path.
This means you may need to export the root cert, the intermediate cert and the leaf server cert.
It is much better to obtain the cert from the server support team, if possible.
2- Import Certs:
/opt/jdk1.6.0_26/bin/keytool -keystore cacerts -storepass changeit -import -trustcacerts -v -alias RSAV2 -file /tmp/RSAV2.cer
The above imports an intermediate cert signed by the RSA certificate authority, using the user-defined alias RSAV2.
You might need to import all the certs defined in the server cert path.
3- List Certs:
/opt/jdk1.6.0_26/bin/keytool -keystore cacerts -storepass changeit -list
You should see the certs you imported in the list, along with the date each cert was imported.
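The import step applied to a whole certificate path at once, as an added example that is not part of the original post: it assumes the path was saved as a single PEM bundle, splits it into one file per certificate and imports each with the same keytool options as above. The function names and the RSAV2-N alias scheme are hypothetical, and the sample bundle is constructed.

```shell
#!/bin/sh
# Added example: split a PEM bundle holding a whole certificate path into
# one file per certificate, then import each into the JVM trust store.
KEYTOOL=${KEYTOOL:-/opt/jdk1.6.0_26/bin/keytool}   # path used on this page

# split_chain BUNDLE OUTDIR PREFIX -> writes OUTDIR/PREFIX-N.pem, prints N
split_chain() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" -v pre="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" pre "-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# import_chain BUNDLE OUTDIR PREFIX KEYSTORE
# DRY_RUN=1 (default) prints the keytool commands; DRY_RUN=0 runs them.
import_chain() {
    count=$(split_chain "$1" "$2" "$3") || return 1
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $1" >&2
        return 1
    fi
    i=1
    while [ "$i" -le "$count" ]; do
        f="$2/$3-$i.pem"
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "$KEYTOOL -keystore $4 -storepass changeit -import -trustcacerts -v -alias $3-$i -file $f"
        else
            # Show the fingerprints first so they can be compared with the
            # values supplied by the server support team before trusting.
            "$KEYTOOL" -printcert -file "$f" || return 1
            "$KEYTOOL" -keystore "$4" -storepass changeit -import -trustcacerts -v \
                -alias "$3-$i" -file "$f" || return 1
        fi
        i=$((i + 1))
    done
}

# Constructed sample bundle: three placeholder blocks, not real certificates.
make_sample_bundle() {
    for name in leaf intermediate root; do
        echo "subject=CN=$name.example.test (constructed)"
        echo "-----BEGIN CERTIFICATE-----"
        echo "UExBQ0VIT0xERVI="
        echo "-----END CERTIFICATE-----"
    done
}
```

With the default dry run, `import_chain chain.pem /tmp/chain RSAV2 cacerts` only prints one keytool command per certificate found in the bundle, so the list can be reviewed before anything is added to the trust store.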
The link below is also very useful for SSL cert and key debugging if you are setting up the server and creating a certificate.
http://www.sslshopper.com/article-most-common-openssl-commands.html