

Regd. SSL Exception in Java

Posted on 2008-02-01
Medium Priority
Last Modified: 2013-12-10
javax.net.ssl.SSLKeyException: [Security:090477]Certificate chain received from was not trusted causing SSL handshake failure
<Jan 28, 2008 12:21:14 PM CST> <Error> <HTTP> <BEA-101017> <[weblogic.servlet.internal.WebAppServletContext@eccbb35a - name: '/', context-path: ''] Root cause of ServletException.
javax.net.ssl.SSLKeyException: [Security:090477]Certificate chain received from snuper.northwestern.edu - was not trusted causing SSL handshake failure.
        at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Lcom.certicom.tls.interfaceimpl.AlertEvent;)V(Unknown Source)
        at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Lcom.certicom.tls.record.alert.Alert;)Lcom.certicom.tls.interfaceimpl.AlertEvent;(Unknown Source)
        at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Lcom.certicom.tls.record.alert.Alert;)V(Unknown Source)
        at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(II)V(Unknown Source)
        at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Lcom.certicom.tls.record.handshake.HandshakeMessage;)V(Unknown Source)
        Truncated. see log file for complete stacktrace
Let me give you an overview of our problem.
Actually, we renewed our SSL certificate from VeriSign for this year, 2008.
We have enabled SSL in our Apache web server.
With our new certificate, our web server is able to talk to the app server (i.e. WebLogic) using SSL, meaning we are able to see all the dynamic content from web pages.
But when we click on a PDF (which is used as a report in our application), it throws the above error.
We actually use the Bigfaceless third-party tool for the PDF generation.
To add to the confusion, VeriSign has changed their Common Name (Issued By: CN), which makes me think this is causing the error, but I am not very sure how to solve this.
Question by:razik2781

Expert Comment

ID: 20811647
> To add to the confusion, VeriSign has changed their Common Name (Issued By: CN), which makes me think this is causing the error, but I am not very sure how to solve this.

The error says the issuing authority of the certificate is not genuine. You should use the original certificate.

Accepted Solution

Becky earned 2000 total points
ID: 22091177
I've run into this issue before.
The problem is that your appserver's keystore of trusted authorities does not contain a copy of Northwestern's public key as a trusted authority.  This often happens when entities sign their own keys instead of using one of the major trust signers (such as Verisign or Thawte).

You see, when you purchase Weblogic it comes with a keystore that has the latest keys from those agencies.  Anyone attempting to send you their public key generally is signed by one of these major agencies, so the "signer" is listed as Verisign, and you have a copy of Verisign's public key and it is listed as trusted, so everything works.

When companies self-sign their own certs you need to manually add that cert into the keystore weblogic is using for trusted authorities.  (if you're ok with that - you're basically trusting Northwestern to sign keys).

Doing so isn't terribly difficult.  The hard part is getting Northwestern's key in a format that the keystore understands.  Get a copy of Northwestern's public key in PEM format.

Find the keystore weblogic is using as its trusted keystore.  It's in different locations depending on the version of Weblogic you use.  I didn't see your weblogic version listed, so the best way for you to figure that out on your own would be to open the console and find the managed server (or admin server if you are deploying apps to that... which you shouldn't be in production) that's running the application.  

In the server settings there should be a tab that says "keystores" or "security"... something like that.  On that page it will tell you if you're using Weblogic's demo keystore or a custom one.  If you have never touched this section of Weblogic, chances are you're using the demo keystore (but you shouldn't use that in production!!).  At any rate, there will be a path to whatever TRUSTED keystore you are using.  Don't confuse that with the path to the IDENTITY keystore - only your private key is stored in there.

In my dev system, using Weblogic 10, that path to my trusted keystore is here:   C:/bea10/wlserver_10.0/server\lib\DemoTrust.jks

That .jks file is a keystore.  You need to import into that keystore the public key for Northwestern.

In order to import into a keystore you need the passphrase for that keystore.  I think the passphrase for the demo trust keystore is:  DemoTrustKeyStorePassPhrase
If you're using a custom trust keystore you need to get the password to it before you can perform anything else.

To import Northwestern's public key into the keystore as a trusted Root Certificate Authority:
(replace <> data with your own)

<YOUR_JDK_HOME>\bin\keytool -import -noprompt -v -trustcacerts -alias <ALIAS_YOU_CHOOSE> -file <LOCAL_PATH_TO_NORTHWESTERN'S_.pem_FILE>.pem -keystore <LOCAL_PATH_TO_WEBLOGIC'S_TRUSTED_KEYSTORE>.jks  -storepass <PASSWORD_TO_TRUSTED_KEYSTORE>

You must do this for all managed servers that run the application if it's run in a cluster. You may also need to do it on the admin server.
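
Before importing anything as a trusted authority, it helps to confirm that a missing trust anchor really is the cause and to record exactly which certificate is about to be trusted. The diagnostic below is an added example, not part of the original answer or of WebLogic; the class name TrustCheck and its three arguments are hypothetical, and it assumes Java 8 or later and a PEM file that lists the server's chain leaf first.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.*;

// Added diagnostic (hypothetical name): is this PEM chain anchored in the trust keystore?
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java TrustCheck <trust.jks> <storepass> <chain.pem>");
            System.exit(2);
        }
        // Load the TRUST keystore (not the identity keystore).
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            trust.load(in, args[1].toCharArray());
        }
        // Parse every certificate in the PEM file; order must be leaf first.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[2])) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        if (chain.isEmpty()) throw new IllegalArgumentException("no certificates in " + args[2]);
        // Show what would be trusted: names, fingerprint, and any existing alias.
        for (X509Certificate c : chain) {
            boolean selfIssued = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
            System.out.printf("subject=%s%n  issuer=%s%n  sha256=%s%n  selfIssued=%b trustedAs=%s%n",
                c.getSubjectX500Principal(), c.getIssuerX500Principal(), sha256(c),
                selfIssued, trust.getCertificateAlias(c));
        }
        // PKIX path validation using the keystore's trusted certificate entries as anchors.
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // offline: checks anchoring and validity only
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
            System.out.println("RESULT: chain is anchored in this trust keystore");
        } catch (CertPathValidatorException e) {
            System.out.println("RESULT: not trusted: " + e.getMessage());
        }
    }
    static String sha256(X509Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded()))
            sb.append(String.format("%02X", b));
        return sb.toString();
    }
}
```

Compare the printed SHA-256 fingerprint with one obtained from the certificate's owner through a separate channel before running the keytool import, and rerun the check afterwards to confirm the result changes.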

Expert Comment

ID: 23036625
Hi - yes sorry but I object.   I've run into that exact issue before and outlined what he needs to do to fix it.
