• Status: Solved
  • Priority: Medium
  • Security: Public

keytool, IIS and SSL cert

I created a cert on IIS 6 (Win2003) by using selfssl.exe. This worked fine and automatically attached the cert in my IIS, so now I can run all my ASP pages over SSL successfully. However, there is one piece of my webapp that uses Java to request an ASP page over SSL, and this request breaks with the following error:

"sun.security.validator.ValidatorException: No trusted certificate found"

I have read a few sites that describe "keytool.exe" and its usages. I found mine here: C:\Program Files\Java\j2re1.4.2_01\bin\keytool.exe

I have 2 problems:

(1) I would have expected that, after running selfssl.exe, a .cer file would have been created someplace. It wasn't. All the .cer files I can find are a month or more old, back from when I was experimenting with different cert-creation tools. Does selfssl.exe not create a .cer file? Should I look for some other kind of cert file?

(2) I'm a bit confused about exactly which cmd-line args I should be passing to keytool.

Summary: Need to know the easiest way to resolve the java error: "sun.security.validator.ValidatorException: No trusted certificate found"
Asked by: SweatCoder

WelkinMaze commented:

SweatCoder (author) commented:
I've looked through a bunch of stuff like that, from many sites. I'm to the point that I need specifics rather than a horde of links to read through. (I can search EE and Google....but I need specific answers to the question in my post.)

Thanks.

Mazaraat commented:
Do you get the security alert message when you view your site using https://localhost ?

Here is how to export the certificate, and how to import the certificate into trusted:

http://technet2.microsoft.com/WindowsServer/en/Library/ad336dc5-2d48-4c6e-a837-c810b666020a1033.mspx

Create an mmc to access certificates:

http://technet2.microsoft.com/WindowsServer/en/Library/ad336dc5-2d48-4c6e-a837-c810b666020a1033.mspx
SweatCoder (author) commented:
Yes, I get the security alert.

Both links go to the same place. It references steps, but which tool do I use to perform these steps? How do I access the certs through MMC?

WelkinMaze commented:
How to import the server certificate into the JSSE trusted store.

Use the following syntax:
keytool.exe -import -alias <your_host_name> -file server.crt -keystore TrustedServers.certs -storepass neutriNo2QQ

<your_host_name> has to be replaced with the name of the host on which your web server is running (most likely your PC name).
The files server.crt and TrustedServers.certs must be in the same directory where this command is executed, or they have to be specified with their full name (the absolute path).


SweatCoder (author) commented:
WelkinMaze, I ran the selfssl.exe tool that comes with IIS 6 option pack, and it creates a cert that works fine.

Then I ran:

keytool -import -alias atlantis1 -file c:\ProjectDox.cer -keystore truststore
Enter keystore password:  mypass <ENTER>

Then the cmd-shell spit out:

Owner: CN=ATLANTIS1
Issuer: CN=ATLANTIS1
Serial number: -19175652bdc974fbc10c1e5b5e5ce65
Valid from: Wed May 03 12:39:14 MDT 2006 until: Thu May 03 12:39:14 MDT 2007
Certificate fingerprints:
         MD5:  3D:4A:3E:94:6F:4E:80:56:3B:A4:D0:08:C9:6C:A5:59
         SHA1: D0:30:E3:DB:D5:E7:7F:45:33:C2:45:48:3B:8E:7B:EE:32:EF:71:75
Trust this certificate? [no]:  yes <ENTER>
Certificate was added to keystore

But when my java app (sitting on atlantis1) calls a web page over https (also sitting on atlantis1), I still get "sun.security.validator.ValidatorException: No trusted certificate found".

I don't understand the "TrustedServers.certs" file. What is it and where do I get it? And what is "-storepass neutriNo2QQ"? This looks custom for your business. What should I put there?

WelkinMaze commented:
Is it working if you try only with these options:
keytool -import -alias atlantis1 -file c:\ProjectDox.cer

SweatCoder (author) commented:
That keytool command runs successfully, but I still get the java cert error.

SweatCoder (author) commented:
Clarification: I still get the java cert error when java requests an https page.

WelkinMaze commented:
I haven't used this for quite some time. Maybe you have to tell Java where the keystore with the certificates is.
For example, if "truststore" is the keystore generated by your previous try with the command "keytool -import -alias atlantis1 -file c:\ProjectDox.cer -keystore truststore", specify the path to this "truststore" file so that Java knows where to find it.

SweatCoder (author) commented:
Are you saying "truststore" should be an actual path? as in:

keytool -import -alias atlantis1 -file c:\ProjectDox.cer -keystore c:\ProjectDox.cer

??

Mazaraat commented:
Before closing the issue, run a memory test on the server; it could be that the RAM is going bad...

http://www.memtest86.com/

When you reboot the server, does it show you the temperature? How about when you go into the BIOS? I have seen cases where the processor was overheating and just crashing.

WelkinMaze commented:
truststore has to be the file name for the key store if you use the -keystore option.
If the -keystore option is not specified, then the key store is created at some default location, for example in your home directory.

WelkinMaze commented:
You may need to add the following lines in Java:

String myStoreType = "JKS";
String myStore = "c:\\truststore";   // the path to the keystore (use your own path here)
String myStorePassword = "changeit"; // if you have one

System.setProperty("javax.net.ssl.keyStoreType", myStoreType);
System.setProperty("javax.net.ssl.keyStore", myStore);
System.setProperty("javax.net.ssl.keyStorePassword", myStorePassword);
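
An added example, not code from the thread or from any of its posters: the Java-side counterpart of WelkinMaze's keytool -import answer and the system-property answer above, loading the exported c:\ProjectDox.cer into a trust store and making the HTTPS request through it. The class name is hypothetical, the default file path and the alias/host name atlantis1 are taken from the thread's values, and it avoids generics so it also compiles on old JREs.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class (added example): trust one exported IIS certificate.
public class TrustSelfSignedIis {
    // Load the .cer exported from the IIS/MMC certificate store into an
    // in-memory JKS trust store (what "keytool -import" does on disk).
    static KeyStore trustStoreFromCer(String cerPath, String alias) throws Exception {
        InputStream in = new FileInputStream(cerPath);
        X509Certificate cert;
        try {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                                                       .generateCertificate(in);
        } finally {
            in.close();
        }
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(null, null);                 // start from an empty store
        ts.setCertificateEntry(alias, cert); // trusted cert only, no private key
        return ts;
    }

    // The ValidatorException comes from the JRE's default cacerts, which never
    // saw the self-signed cert; this context consults only the store above.
    static SSLContext contextTrusting(KeyStore ts) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String cer = args.length > 0 ? args[0] : "c:\\ProjectDox.cer";
        String url = args.length > 1 ? args[1] : "https://atlantis1/";
        SSLContext ctx = contextTrusting(trustStoreFromCer(cer, "atlantis1"));
        HttpsURLConnection c = (HttpsURLConnection) new URL(url).openConnection();
        c.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification still runs: CN=ATLANTIS1 must match the URL host.
        System.out.println("HTTP " + c.getResponseCode() + " from " + url);
    }
}
```

Without code, the same effect comes from starting the JVM with -Djavax.net.ssl.trustStore=<path to the truststore file> and -Djavax.net.ssl.trustStorePassword=<its password>, which is the trust-side counterpart of the keyStore properties. Running keytool -list -keystore truststore first confirms whether the atlantis1 alias actually landed in that file.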

SweatCoder (author) commented:
I tried all suggestions and never got any of it to work on my server, but wanted to award points anyway. I got put on a different project but will be back to this one in a few weeks.