Mike, we had an internal e-mail that dealt with a customer who had a certificate in IIS which they had to export to have Tomcat recognize it. These are the instructions which may or may not help but perhaps give you a clue:

Export the certificate from IIS as follows:

Start Internet Services Manager on your 2000 Server
Open the default web site properties (or a virtual directory's properties, if the certificate is associated with that)
Click the Directory Security tab
Click "View Certificate"
Click the Details tab
Click "Copy to File"
In the wizard, choose "Yes, export the private key"
Choose PKCS #12 format without the strong protection (an IIS thing only)
Assign a private key password (example: secret1)
Pick a destination file - like \win2k\mycert.pfx

A keystore file must already exist in order to move the certificate in the pfx file to the Java keystore file. If you don't already have one, here's how you can create a keystore file:

    cd \j2sdk1.4.2\bin
    keytool -genkey -alias junk -keyalg RSA -keystore \tomcat\keystore

Example of a password to assign when prompted: secret2

Here's how to copy the pfx file to the keystore file:

Copy the attached files to \j2sdk1.4.2\bin

    cd \j2sdk1.4.2\bin
    java keymove pkcs12 \win2k\mycert.pfx secret1 jks \tomcat\keystore secret2

If you created a "junk" key pair just to build the keystore file, you can get rid of it by doing the following:

    cd \j2sdk1.4.2\bin
    keytool -delete -alias junk -keystore \tomcat\keystore

Once that is done, the \tomcat\keystore file can be referenced in Tomcat's server.xml configuration in the 8443 connector's XML tag/attributes.
An example of that is:

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true" acceptCount="100" debug="0"
               scheme="https" secure="true"
               useURIValidationHack="false" disableUploadTimeout="true">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="false" protocol="TLS"
               keystoreFile="c:\Tomcat\keystore" keystorePass="secret2"/>
    </Connector>

Not sure what server you are running but this might get the "creative juices" flowing.

Pete Helgren
Timp Tech/Ed Tech Labs

> -----Original Message-----
> From: midrange-l-bounces@xxxxxxxxxxxx
> [mailto:midrange-l-bounces@xxxxxxxxxxxx]On Behalf Of Wills, Mike N. (TC)
> Sent: Tuesday, November 11, 2003 10:49 AM
> To: Midrange Systems Technical Discussion
> Subject: Certificate is not signed by a trusted certificate authority - java error
>
> I am posting it here to hopefully get a quicker response. I have received
> none so far from either java list.
>
> I am trying to connect to an internal SSL site with java and keep on getting
> this error:
> com.taylor.docgate.DocgateException: DocgateDAOAImpl.Login.IOException: javax.net.ssl.SSLHandshakeException: Certificate is not signed by a trusted certificate authority.
>
> How do I get java to accept our SSL site as a trusted site? We do have a "root
> certificate" for the company.
>
> What we are beginning to think is that java is either not using the right
> cacerts file or it doesn't like the new entry in the file. Can anyone at all
> help me out?
>
> Mike Wills
> Lawson Programmer/Administrator
> Taylor Corporation
> Email: mnwills AT taylorcorpNOSPAM DOT com
> AIM: iSeriesCodePoet
> _______________________________________________
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
> To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/midrange-l.
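
Added example, not part of the original thread and not code posted by either participant: a small Java check for the hypothesis raised in the quoted question, that the JVM is reading a different cacerts file or does not contain the company root. The class name TrustStoreCheck and its command-line arguments are assumptions made for this illustration; it needs Java 7 or later.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example (hypothetical class name): report which trust store this JVM
// uses by default and whether a given root certificate is present in it.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java TrustStoreCheck <root-cert.cer> [storepass]");
            System.exit(2);
        }
        // JSSE uses javax.net.ssl.trustStore if set; otherwise it looks for
        // jssecacerts, then cacerts, under <java.home>/lib/security.
        String sec = System.getProperty("java.home") + File.separator + "lib"
                + File.separator + "security" + File.separator;
        String path = System.getProperty("javax.net.ssl.trustStore");
        if (path == null) {
            path = new File(sec + "jssecacerts").exists() ? sec + "jssecacerts" : sec + "cacerts";
        }
        System.out.println("java.home   : " + System.getProperty("java.home"));
        System.out.println("trust store : " + path);

        // "changeit" is the stock cacerts password; pass another if yours was changed.
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, pass);
        }

        // Read the root certificate (DER or PEM) that is supposed to be trusted.
        X509Certificate root;
        try (InputStream in = new FileInputStream(args[0])) {
            root = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("root subject: " + root.getSubjectX500Principal().getName());
        root.checkValidity(); // throws if the root is expired or not yet valid

        // getCertificateAlias returns the alias of a matching entry, or null.
        String alias = ts.getCertificateAlias(root);
        System.out.println(alias != null
                ? "FOUND under alias '" + alias + "'"
                : "NOT FOUND: this JVM will not trust chains ending at this root");
    }
}
```

Run it with the same java executable and the same -D options as the failing application, since a different JRE or a javax.net.ssl.trustStore setting changes which file is read.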