
RE: Error resolving private key of certificate after moving Metro service to Tomcat 5.5

jollerbarn

This is still not resolved, am I the only unlucky soul stuck on Tomcat? :)

Mvh. Jesper Hvid

From: Jesper Hvid [mailto:jh@globeteam.com]
Sent: 13. januar 2011 12:17
To: users@metro.java.net
Subject: RE: Error resolving private key of certificate after moving Metro service to Tomcat 5.5

Any help? I'm getting desperate here :(

Rgds.
Jesper Hvid

From: Jesper Hvid [mailto:jh@globeteam.com]
Sent: 11. januar 2011 18:18
To: users@metro.java.net
Subject: Error resolving private key of certificate after moving Metro service to Tomcat 5.5

Hi,

First off, my environment details:

Netbeans 6.9

Metro 2.01 on tomcat 5.5.31
Java 1.6.0_21

I've moved an existing Metro service which works wonderfully well on Glassfish 3.01 to Tomcat. In that process I did the following.

1) Pointed Netbeans to my Tomcat service

2) Deployed the service on Tomcat

3) Tested that Tomcat can produce the WSDL for the service

After that I imported the service's certificate and private key into Tomcat's primary keystore using keytool -importkeystore:
\certs\server-keystore.jks

.. and after that I imported the trust store from my service into the Tomcat default trust store also using keytool -importkeystore:
\certs\server-truststore.jks

When calling the service I get this error (full trace below):
"No Matching private key for serial number 12159904349974740 and issuer name SERIALNUMBER=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O=GoDaddy.com\, Inc.,L=Scottsdale,S=Arizona,C=US found"

Now my service certificate's serial number is 0x2B335E5B4870D4 => 12159904349974740, so it matches what Metro is looking for. However, it still fails to find the certificate. Also, the issuer of the service certificate is:
SN=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US which also matches.

In Netbeans I've pointed my service configuration to the keystore and trust store of tomcat as pointed out in the two screenshots attached. Also, I've attached the details of the alias "carlbro" certificate which matches the one that Metro is telling me it can't find.

To me it must be using the wrong keystore, but how do I make sure that's the issue?

Stacktrace:

<?xml version="1.0" encoding="UTF-8"?>

No Matching private key for serial number 12159904349974740 and issuer name SERIALNUMBER=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O=GoDaddy.com\, Inc.,L=Scottsdale,S=Arizona,C=US found


Mvh. Jesper Hvid

jollerbarn

I'm beginning more and more to think this is the issue. A request with a certificate with a more friendly issuer DN:

CN=TestCA, DC=testdomain, DC=local
155669893611988166967514

.. runs through without a hitch. I'm gonna see if I can change my client to use a different referencing method and I've also removed the WSDL's requirement of such:

Thanks,
Jesper Hvid

From: Jesper Hvid [mailto:jh@globeteam.com]
Sent: 2. februar 2011 22:11
To: users@metro.java.net
Subject: RE: Error resolving private key of certificate after moving Metro service to Tomcat 5.5

Another strange thing I've noticed is the error message:
No Matching private key for serial number 12159904349974740 and issuer name SERIALNUMBER=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O=GoDaddy.com\, Inc.,L=Scottsdale,S=Arizona,C=US found

The funny thing is, that the certificate's issuer is not the one printed. The certificate's issuer is:
SERIALNUMBER=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O=GoDaddy.com, Inc.,L = Scottsdale,S=Arizona,C=US
.. and the one printed is:
SERIALNUMBER=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O=GoDaddy.com\, Inc.,L=Scottsdale,S=Arizona,C=US

You'll notice that there is an added "\" after O=GoDaddy.com in the issuer printed.. maybe some kind of issuer string normalization is out of whack in Metro somewhere?

Thanks,
Jesper Hvid

From: Jesper Hvid [mailto:jh@globeteam.com]
Sent: 2. februar 2011 22:07
To: users@metro.java.net
Subject: RE: Error resolving private key of certificate after moving Metro service to Tomcat 5.5

Hi,

An update from my part in the hope that someone out there is still listening :)

The behavior I'm seeing now, is that my self-signed service certificate works whereas my "proper" godaddy-issued service certificate does not. The only real difference I see between the two certificates is that my self-signed certificate does not have a Subject Key Identifier, doesn't have a Key Usage and also doesn't have an actual chain as it's a pure leaf certificate.

I've attached public keys of the certificate that works and the certificate that does not.. I'm hoping one of you out there has the answer on-hand. I'm totally stumped as to why it locates certificate a) but not certificate b).

Thanks,
Jesper Hvid

From: Jesper Hvid
Sent: 1. februar 2011 00:54
To: Jesper Hvid; users@metro.java.net
Subject: RE: Error resolving private key of certificate after moving Metro service to Tomcat 5.5

This is still not resolved, am I the only unlucky soul stuck on Tomcat? :)

Mvh. Jesper Hvid

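
An added example, not part of the thread and not Metro's own lookup code: it compares the issuer strings and serial number quoted in the posts as parsed `X500Principal` and `BigInteger` values, and shows that the `\,` is RFC 2253 escaping of a comma inside the `O` value. The class name, the `EXTRA` keyword map and the optional keystore arguments are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Map;
import javax.security.auth.x500.X500Principal;

public class IssuerSerialLookup { // hypothetical class name
    // "S" (as printed in the error message) is not an RFC 2253 keyword; map it
    // to stateOrProvinceName (OID 2.5.4.8), which RFC 2253 spells "ST".
    static final Map<String, String> EXTRA = Collections.singletonMap("S", "2.5.4.8");
    static X500Principal dn(String s) { return new X500Principal(s, EXTRA); }

    // Alias of the private-key entry whose certificate has this issuer and serial, or null.
    static String findKeyAlias(KeyStore ks, X500Principal issuer, BigInteger serial) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias) || !(ks.getCertificate(alias) instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) ks.getCertificate(alias);
            if (x.getIssuerX500Principal().equals(issuer) && x.getSerialNumber().equals(serial)) return alias;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Issuer strings assembled from the renderings quoted in the thread.
        String head = "SERIALNUMBER=07969287,CN=Go Daddy Secure Certification Authority,"
                + "OU=http://certificates.godaddy.com/repository,";
        String fromError = head + "O=GoDaddy.com\\, Inc.,L=Scottsdale,S=Arizona,C=US";
        String spaced = head + "O=GoDaddy.com\\, Inc., L = Scottsdale, ST=Arizona, C=US";
        BigInteger serial = new BigInteger("2B335E5B4870D4", 16);
        System.out.println("serial (decimal):     " + serial);
        System.out.println("String.equals:        " + fromError.equals(spaced));
        System.out.println("X500Principal.equals: " + dn(fromError).equals(dn(spaced)));
        try { // without the backslash, " Inc." is read as a separate, malformed RDN
            dn(head + "O=GoDaddy.com, Inc.,L=Scottsdale,S=Arizona,C=US");
        } catch (IllegalArgumentException ex) {
            System.out.println("unescaped comma:      not a parseable DN string");
        }
        if (args.length == 2) { // optional arguments: <keystore.jks> <store password>
            KeyStore ks = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
            System.out.println("matching key alias:   " + findKeyAlias(ks, dn(fromError), serial));
        }
    }
}
```

Run against the keystore file the service is configured to use, a `null` alias means that store holds no private-key entry for that issuer and serial; a certificate imported as a trusted-certificate entry only is skipped by the `isKeyEntry` check.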