untrusted server cert chain
Dear java experts,
By using JSSE, I can connect to web server A over SSL if the server uses a VeriSign cert. However, it displays the following exception when I connect to web server B, which uses a CyberTrust (www.baltimore.com) cert. There seems to be no problem when I use a browser to connect to server B. Should I add the CyberTrust cert on the client side?
I didn't install JSSE on either server. Could you give me some suggestions to solve the problem?
Thanks.
Rgds,
George
issuer != subject DN
main, SEND SSL v3.1 ALERT: fatal, description = certificate_unknown
main, WRITE: SSL v3.1 Alert, length = 2
javax.net.ssl.SSLException: untrusted server cert chain
Yes, import the server cert on the client side using the keytool command and then see if the error goes away:
keytool -import -alias mycert -file whatever.cer -keystore cacerts
By default, only the certs that are imported into the jre/lib/cacerts file are checked for validation (jdk1.3).
> Dear java experts,
>
> By using JSSE, I can connect the web server A in SSL
> if the server use Versign Cert. However, it will
> display the following exception when I connect web
> server B which use CyberTrust (www.baltimore.com)
> Cert. It seems no problem when i use browser to
> connect server B. Should I add cybertrust cert in
> client side?
> I didn't install JSSE in both servers. Could you give
> me some suggestions to solve the problem?
>
> Thanks.
>
> Rgds,
> George
>
>
> issuer != subject DN
> main, SEND SSL v3.1 ALERT: fatal, description =
> certificate_unknown
> main, WRITE: SSL v3.1 Alert, length = 2
> javax.net.ssl.SSLException: untrusted server cert
> chain
When using JSSE on the client side, such as in an applet or a Java app, the default keystore "cacerts" will be used to check if the cert received from the server is valid.
Check if you can find CyberTrust in the keystore by using the "keytool" command. If it is not there, CyberTrust is not included in cacerts, and JSSE will fail the handshake and throw "untrusted server cert chain".
If CyberTrust is included in cacerts, then check if the CyberTrust cert received from the server is valid, especially the expiration date.
If the exception is thrown on a valid cert from the server, you can try the following to resolve it:
1) Import the cert from CyberTrust into the local keystore on each client's machine where you expect JSSE to run.
2) Provide your own trust manager to validate the cert from the server. The trust manager is included as part of your applet/app and must be installed before the JSSE handshake.
Hope it helps.
Huan
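Huan's check above (look for the CA in cacerts, then look at its validity dates) can be scripted rather than read off the keytool listing. The following is an added example, not code from the thread: it opens the JSSE trust store, lists the trusted-certificate entries whose subject matches a search string, and reports whether each is currently valid. The keystore path, the default password "changeit", the search string "CyberTrust" and the use of current Java syntax are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Inspects a Java trust store (by default the JRE's cacerts) for trusted CA
 * certificates whose subject contains a given name, and checks their validity.
 * Usage: java TrustStoreCheck [keystorePath] [password] [nameToFind]
 */
public class TrustStoreCheck {

    public static void main(String[] args) throws Exception {
        // Assumptions: path/password/name come from the command line; "changeit"
        // is the JDK's default cacerts password; cacerts lives under java.home.
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String wanted = args.length > 2 ? args[2] : "CyberTrust";

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            // A wrong password fails here with "Keystore was tampered with, or password was incorrect".
            ks.load(in, password);
        }

        int matches = 0;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isCertificateEntry(alias)) continue; // only trusted-cert entries matter for JSSE
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            String subject = x.getSubjectX500Principal().getName();
            if (!subject.toLowerCase().contains(wanted.toLowerCase())) continue;
            matches++;
            String status;
            try {
                x.checkValidity(); // compares notBefore/notAfter with the current time
                status = "valid until " + x.getNotAfter();
            } catch (CertificateExpiredException e) {
                status = "EXPIRED on " + x.getNotAfter();
            } catch (CertificateNotYetValidException e) {
                status = "not valid before " + x.getNotBefore();
            }
            System.out.println(alias + ": " + subject + " -> " + status);
        }
        if (matches == 0) {
            System.out.println("No trusted certificate matching \"" + wanted + "\" in " + path
                    + "; JSSE will reject server chains issued by that CA.");
        }
    }
}
```

If the CA is absent, the fix is to import it (option 1 in the post); if it is present but expired, the client needs the CA's current root, not a code change.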
hloh at 2007-6-29 8:52:40 >

Thanks, it works if I create a new keystore file.
However, I can't import the new cert into
c:\jdk1.3\jre\lib\security\cacerts because the password is incorrect and it throws the following exception:
Enter keystore password:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
Can anyone tell me what the default password is in the jdk1.3 lib?
Hi George,
The default password is "changeit". Hope it might help you.
Regards,
Anil.
Technical Support Engineer.
How can I change the password for the keystore?
Thanks,
George
C:\ServerCert>keytool -keypasswd -v -keypass changeit -new gsn123 -keystore c:\jdk1.3\jre\lib\security\cacerts
Enter keystore password: changeit
keytool error: java.lang.Exception: Alias <mykey> does not exist
Hi George,
Run the below command to change the password:
C:\JRE_HOME\lib\security\cacerts>keytool -alias keyname -genkey
It will ask "Enter the Password:" (type) changeit
(and press enter), then it will prompt some other questions; fill in all the details. Please try doing it like this.
Hope this might help you.
Regards,
Anil.
Technical Support Engineer.
Dear Anil,
Thanks for your suggestions. However, -genkey is used to generate a new key pair. I want to change the existing password "changeit" to a new password "abc123" in the jre\lib\security\cacerts file. Could you tell me how?
It's one of the methods to solve "untrusted server cert chain". It's a static method and it requires adding the cert on each client. It's not feasible. Could you tell me how to do it dynamically (in code, e.g. addTrustManager?). Thanks a lot.
> Hi George,
>
> Run the below code to change the password .
> C:\JRE_HOME\lib\security\cacerts>keytool -alias
> keyname -genkey
>
> It will ask Enter the Password:(Type) changeit
> ( and press enter) then it will prompt some other
> questions, fill all the details.Pleas try by doing
> like this.
>
> Hope this might help you.
>
> Regards,
> Anil.
> Technical Support Engineer.
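George's second question (doing it "dynamically", in code) is Huan's option 2: ship a trust manager with the app instead of editing cacerts on every client. The following is an added example, not code from the thread or from Sun: it loads a trust store bundled as an application resource, obtains the standard PKIX X509TrustManager for it, wraps it so that a rejected chain is logged before the handshake fails (validation itself is never bypassed), and uses the resulting SSLContext for a single HttpsURLConnection rather than changing the JVM-wide default. The resource name /truststore.jks, its password and the javax.net.ssl API (JSSE 1.4 and later, not the com.sun.net.ssl package of jdk1.3) are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class BundledTrustClient {

    /** Loads a JKS trust store shipped inside the application jar (assumed resource name). */
    static KeyStore loadBundledTrustStore(String resource, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = BundledTrustClient.class.getResourceAsStream(resource)) {
            if (in == null) throw new IllegalStateException("trust store resource missing: " + resource);
            ks.load(in, password);
        }
        return ks;
    }

    /** Returns the platform X509TrustManager for the store, wrapped to log the chain on rejection. */
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore); // only CAs in this store are accepted issuers
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        final X509TrustManager delegate = found;
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                delegate.checkClientTrusted(chain, authType);
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                try {
                    delegate.checkServerTrusted(chain, authType); // real path validation; never skipped
                } catch (CertificateException e) {
                    // Record what the server presented so the missing or expired CA can be identified.
                    for (X509Certificate c : chain) {
                        System.err.println("presented: subject=" + c.getSubjectX500Principal()
                                + " issuer=" + c.getIssuerX500Principal() + " notAfter=" + c.getNotAfter());
                    }
                    throw e; // handshake still fails, as it should
                }
            }
            public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
        };
    }

    static SSLContext contextFor(X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null); // no client key, default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumptions: /truststore.jks is bundled with the app and holds the CA root
        // (e.g. the CyberTrust root) that the server's chain terminates at.
        KeyStore ts = loadBundledTrustStore("/truststore.jks", "changeit".toCharArray());
        SSLContext ctx = contextFor(trustManagerFor(ts));
        URL url = new URL(args.length > 0 ? args[0] : "https://example.com/");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // per-connection, not HttpsURLConnection.setDefaultSSLSocketFactory
        System.out.println("HTTP " + conn.getResponseCode() + " from " + url.getHost());
    }
}
```

Hostname verification is left at the platform default, so the wrapper only adds logging; the cacerts file on the client is never touched, which is what makes this approach deployable to every client at once.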
> I want to change the exisiting password "changeit"
http://java.sun.com/j2se/1.3/docs/tooldocs/tools.html#security
keytool -storepasswd -storepass changeit -new abc123 -keystore cacerts
a.
One starts wondering... Do these so-called support engineers (some of them, anyway) from Sun Microsystems really read the posed question before deciding to answer?!! Are they even really from Sun Microsystems? Do they even understand the question?
Please post the solution, if the problem is solved, so that others can use it. Thanks!!
Isn't avbentem's reply above a solution? It works for me.
Hello Experts,
No one in this group seems to follow the idea that maybe you do not want to go to some site
and download a file with the appropriate cert info.
When I "view" the cert info (in Netscape 4.7) from, say, www.etrade.com when you press the login button to activate a server-side https session, I can see what appears to be VeriSign Class 3 cert information.
(See below)
Now... I want to "cut & paste" whatever I can from this window as parameters into the keytool command.
Does anyone know how to do this?
If not, can someone provide me with a link to get this cert from VeriSign?
<paste follows from window>
-
This Certificate belongs to:
trading.etrade.com
Global Information Security
E-Trade Group Inc.
Alpharetta, Georgia, US
This Certificate was issued by:
www.verisign.com/CPS Incorp.by Ref. LIABILITY
LTD.(c)97 VeriSign
VeriSign International Server CA - Class 3
VeriSign, Inc.
VeriSign Trust Network
Serial Number: 0C:6C:6D:A5:40:44:42:3B:CC:CE:E3:79:25:27:EA:93
This Certificate is valid from Wed Feb 21, 2001 to Fri Feb 22, 2002
Certificate Fingerprint:
EA:C6:A0:41:38:F8:B0:EE:85:33:97:A0:E2:35:9E:05
-
<end of paste>
Any ideas?
Thanks!
Hi All,
My error log is as follows.
+++++++++++++++++++++++
keytool error: java.lang.Exception: Certificate not imported, alias <carootcert> already exists
+++++++++++++++++++++++
Advise...
Hi,
A certificate with the alias name "carootcert" has already been imported; try importing the new certificate with a different alias name.
For example,
keytool -keystore C:\jdk1.3.1_07\jre\lib\security\cacerts -alias mycert -import -file C:\myclient.cer
"mycert" is the new alias name.
I hope this will help you....
Thumilan.
Any solution on this? Can you share?
I fixed the "untrusted server cert chain" error with 2 options:
- Switch to a Java environment whose keystore contains the required CA certificate. For example, my https program works with Java v1.4.2, but not with v1.3.1_02.
To view a list of keys and trusted certificates in a Java keystore:
> keytool -v -list -keystore JAVA_HOME/jre/lib/security/cacerts
- Or obtain the certificate from the CA web site directly, and then import it into the Java keystore:
# keytool -import -alias aAliasName -trustcacerts -file ***.cer -keystore JAVA_HOME/jre/lib/security/cacerts
I believe the certificate, which is a public key, can also be saved from a browser like IE, although Mozilla/Netscape does not have the option to save it to a local file.
Hope this helps others.
Hi This is a good example. http://www.infy.com/knowledge_capital/thought-papers/usingHTTPwith_java.pdf