Regd. SSL Exception in Java [Security:090477]Certificate chain received from was not trusted causing SSL handshake failure
<Jan 28, 2008 12:21:14 PM CST> <Error> <HTTP> <BEA-101017> <[weblogic.servlet.internal.WebAppServletContext@eccbb35a - name: '/', context-path: ''] Root cause of ServletException. [Security:090477]Certificate chain received from - was not trusted causing SSL handshake failure.
        at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Lcom.certicom.tls.interfaceimpl.AlertEvent;)V(Unknown Source)
        at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Lcom.certicom.tls.record.alert.Alert;)Lcom.certicom.tls.interfaceimpl.AlertEvent;(Unknown Source)
        at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Lcom.certicom.tls.record.alert.Alert;)V(Unknown Source)
        at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(II)V(Unknown Source)
        at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Lcom.certicom.tls.record.handshake.HandshakeMessage;)V(Unknown Source)
        Truncated. see log file for complete stacktrace
Let me give u a overview of our problem.
Actually we renewed our SSL certificate from VeriSign for this year 2008 ok.
We have enabled SSL in our Apache webserver.  
With our new certificate our Webserver is able to talk to Appserver (i.e weblogic) using SSL meaning we are able to see all the dynamic content from  webpages.
But when we click on PDF (which is used a report in our application) its throwing the above error.
We actually use Bigfaceless 3rd party tool for the PDF generation.
To add to the confusion VeriSign has changed their Common Name (Issued By: CN) which makes me to think is causing this error but not very sure how to solve this.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

> To add to the confusion VeriSign has changed their Common Name (Issued By: CN) which makes me to think is causing this error but not very sure how to solve this.

The error says the issuing authority of the certificate is not genuine. You should use the original certificate.
I've run into this issue before.
The problem is that your appserver's keystore of trusted authorities does not contain a copy of Northwestern's public key as a trusted authority.  This often happens when entitites sign their own keys instead of using one of the major trust signors (such as Verisign or Thawte).

You see, when you purchase Weblogic it comes with a keystore that has the latest keys from those agencies.  Anyone attempting to send you their public key generally is signed by one of these major agencies, so the "signor" is listed as Verisign, and you have a copy of Verisign's public key and it is listed as trusted, so everything works.

When companies self-sign their own certs you need to manually add that cert into the keystore weblogic is using for trusted authorities.  (if you're ok with that - you're basically trusting Northwestern to sign keys).

Doing so isn't terribly difficult.  The hard part is getting Northwestern's key in a format that the keystore understands.  Get a copy of Northwestern's public key in PEM format.

Find the keystore weblogic is using as its trusted keystore.  It's in different locations depending on the version of Weblogic you use.  I didn't see your weblogic version listed, so the best way for you to figure that out on your own would be to open the console and find the managed server (or admin server if you are deploying apps to that... which you shouldn't be in production) that's running the application.  

In the server settings there should be a tab that says "keystores" or "security".. something like that.  On that page it will tell you if you're using Weblogic's demo keystore or a custom one.  If you have never touched this seciton of Weblogic chances are you're using the demo keystore (but you shouldn't use that in production!!).  At any rate, there will be a path to whatever TRUSTED keystore you are using.  Don't confuse that with the path to the IDENTITY keystore - only your private key is stored in there.

In my dev system, using Weblogic 10, that path to my trusted keystore is here:   C:/bea10/wlserver_10.0/server\lib\DemoTrust.jks

That .jks file is a keystore.  You need to import into that keystore the public key for Northwestern.

In order to import into a keystore you need the passphrase for that keystore.  I think the passphrase for the demo trust keystore is:  DemoTrustKeyStorePassPhrase
If you're using a custom trust keystore you need to get the password to it before you can perform anything else.

To import Northwestern's public key into the keystore as a trusted Root Certificate Authority:
(replace <> data with your own)

<YOUR_JDK_HOME>\bin\keytool -import -noprompt -v -trustcacerts -alias <ALIAS_YOU_CHOOSE> -file <LOCAL_PATH_TO_NORTHWESTERN'S_.pem_FILE>.pem -keystore <LOCAL_PATH_TO_WEBLOGIC'S_TRUSTED_KEYSTORE>.jks  -storepass <PASSWORD_TO_TRUSTED_KEYSTORE>

Yout must do this for all managed servers that run the application if it's run in a cluster. May also need to do it on the admin server.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Hi - yes sorry but I object.   I've run into that exact issue before and outlined what he needs to do to fix it.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Java App Servers

From novice to tech pro — start learning today.