Solved

keytool, IIS and SSL cert

Posted on 2006-05-03
Last Modified: 2010-05-19
I created a cert on IIS 6 (win2003) by using selfssl.exe. This worked fine and automatically attached the cert in my IIS, so now I can run all my asp pages over ssl successfully. However there is one piece of my webapp that uses Java to request an ASP page over SSL. But this request breaks with the following error:

"sun.security.validator.ValidatorException: No trusted certificate found"

I have read a few sites that describe "keytool.exe" and its usages. I found mine here: C:\Program Files\Java\j2re1.4.2_01\bin\keytool.exe

I have 2 problems:

(1) I would have expected that, after running selfssl.exe, a .cer file would have been created someplace. It wasn't. All the .cer files I can find are a month or more old, back from when I was experimenting with different cert-creation tools. Does selfssl.exe not create a .cer file? Should I look for some other kind of cert file?

(2) I'm a bit confused about exactly which cmd-line args I should be passing to keytool.

Summary: Need to know the easiest way to resolve the java error: "sun.security.validator.ValidatorException: No trusted certificate found"
Question by:SweatCoder
15 Comments
 
LVL 11

Expert Comment

by:WelkinMaze
ID: 16600960
0
 
LVL 11

Author Comment

by:SweatCoder
ID: 16601039
I've looked through a bunch of stuff like that, from many sites. I'm to the point that I need specifics rather than a horde of links to read through. (I can search EE and Google....but I need specific answers to the question in my post.)

Thanks.
0
 
LVL 12

Assisted Solution

by:Mazaraat
Mazaraat earned 400 total points
ID: 16601524
Do you get the security alert message when you view your site using https://localhost ?

Here is how to export the certificate, and how to import the certificate into trusted:

http://technet2.microsoft.com/WindowsServer/en/Library/ad336dc5-2d48-4c6e-a837-c810b666020a1033.mspx

Create an mmc to access certificates:

http://technet2.microsoft.com/WindowsServer/en/Library/ad336dc5-2d48-4c6e-a837-c810b666020a1033.mspx
0

 
LVL 11

Author Comment

by:SweatCoder
ID: 16601588
Yes, I get security alert.

Both links go to the same place. It references steps, but which tool do I use to perform these steps? How do I access the certs through mmc?
0
 
LVL 11

Accepted Solution

by:
WelkinMaze earned 1600 total points
ID: 16603477
How to import the server certificate into JSSE trusted store.

Use the following syntax:
keytool.exe -import -alias <your_host_name> -file server.crt -keystore TrustedServers.certs -storepass neutriNo2QQ

<your_host_name> - has to be replaced with the name of the host on which your web server is running (most likely your PC name)
The files server.crt and TrustedServers.certs must be in the same directory where this command is executed or they have to be specified with their full name (the absolute path).

0
 
LVL 11

Author Comment

by:SweatCoder
ID: 16605150
WelkinMaze, I ran the selfssl.exe tool that comes with IIS 6 option pack, and it creates a cert that works fine.

Then I ran:

keytool -import -alias atlantis1 -file c:\ProjectDox.cer -keystore truststore
Enter keystore password:  mypass <ENTER>

Then the cmd-shell spit out:

Owner: CN=ATLANTIS1
Issuer: CN=ATLANTIS1
Serial number: -19175652bdc974fbc10c1e5b5e5ce65
Valid from: Wed May 03 12:39:14 MDT 2006 until: Thu May 03 12:39:14 MDT 2007
Certificate fingerprints:
         MD5:  3D:4A:3E:94:6F:4E:80:56:3B:A4:D0:08:C9:6C:A5:59
         SHA1: D0:30:E3:DB:D5:E7:7F:45:33:C2:45:48:3B:8E:7B:EE:32:EF:71:75
Trust this certificate? [no]:  yes <ENTER>
Certificate was added to keystore

But when my java app (sitting on atlantis1) calls a web page over https (also sitting on atlantis1), I still get "sun.security.validator.ValidatorException: No trusted certificate found".

I don't understand the "TrustedServers.certs" file. What is it and where do I get it? And what is "-storepass neutriNo2QQ"? This looks custom for your business. What should I put there?
0
 
LVL 11

Assisted Solution

by:WelkinMaze
WelkinMaze earned 1600 total points
ID: 16607045
Is it working if you try only with these options:
keytool -import -alias atlantis1 -file c:\ProjectDox.cer
0
 
LVL 11

Author Comment

by:SweatCoder
ID: 16607141
That keytool command runs successfully, but I still get the java cert error.
0
 
LVL 11

Author Comment

by:SweatCoder
ID: 16607172
Clarification: I still get the java cert error when java requests an https page.
0
 
LVL 11

Expert Comment

by:WelkinMaze
ID: 16607174
I haven't used this for quite some time. Maybe you have to tell Java where the keystore with the certificates is.
For example, if "truststore" is the keystore generated from your previous try with this command "keytool -import -alias atlantis1 -file c:\ProjectDox.cer -keystore truststore", specify the path to this "truststore" file so that Java knows where to find it.
0
 
LVL 11

Author Comment

by:SweatCoder
ID: 16607198
Are you saying "truststore" should be an actual path? as in:

keytool -import -alias atlantis1 -file c:\ProjectDox.cer -keystore c:\ProjectDox.cer

??
0
 
LVL 12

Expert Comment

by:Mazaraat
ID: 16607262
Before closing the issue, run a memory test on the server; it could be the RAM is going bad...

http://www.memtest86.com/

When you reboot the server, does it show you the temperature? How about when you go into the BIOS? I have seen where the processor was overheating and just crashing.
0
 
LVL 11

Expert Comment

by:WelkinMaze
ID: 16607464
truststore has to be the file name for the key store if you use the -keystore option.
If the -keystore option is not specified, then the key store is created at some default location, for example in your home directory.
0
 
LVL 11

Expert Comment

by:WelkinMaze
ID: 16607702
You may need to add the following lines in java:

String myStoreType = "JKS";
String myStore = "truststore"; //path to the keystore file written by keytool -keystore
String myStorePassword = "changeit"; //if you have one

System.setProperty("javax.net.ssl.keyStoreType",myStoreType);
System.setProperty("javax.net.ssl.keyStore",myStore); //the path to the keystore
System.setProperty("javax.net.ssl.keyStorePassword",myStorePassword);
0
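An added example, not code from any poster in this thread: a small Java check that loads the exact file written by `keytool -import ... -keystore <file>`, confirms the server certificate is present as a trusted entry, and uses only that store to validate the HTTPS connection. JSSE takes its trust anchors from `javax.net.ssl.trustStore` (falling back to `jssecacerts`, then `cacerts`, under `<java.home>/lib/security`), not from the `keyStore` properties or the `.keystore` file in the home directory that `keytool` writes when `-keystore` is omitted. The class name `TrustStoreCheck` and the command-line arguments are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreCheck {
    // Usage: java TrustStoreCheck <truststore-path> <store-password> <https-url>
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustStoreCheck <truststore> <password> <https-url>");
            System.exit(2);
        }
        // Load the same file that keytool wrote; a wrong path or password fails here,
        // before any network traffic, which separates store problems from TLS problems.
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            trust.load(in, args[1].toCharArray());
        }
        // The imported server certificate must show up as a trusted certificate entry.
        for (String alias : Collections.list(trust.aliases())) {
            System.out.println(alias + " trustedCertEntry=" + trust.isCertificateEntry(alias));
        }
        if (trust.size() == 0) {
            throw new IllegalStateException("trust store is empty: " + args[0]);
        }
        // Build trust managers from this store only, so the result does not depend
        // on system properties or on the JRE's default cacerts file.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification is left enabled: the URL host must match the
        // certificate subject (CN=ATLANTIS1 in this thread), so "localhost" would fail.
        System.out.println("HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

The same store can be applied to an unmodified application with `-Djavax.net.ssl.trustStore=<path>` and `-Djavax.net.ssl.trustStorePassword=<password>` on the `java` command line.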
 
LVL 11

Author Comment

by:SweatCoder
ID: 16845087
I tried all suggestions and never got any of it to work on my server, but wanted to award points anyway. I got put on a different project but will be back to this one in a few weeks.
0
