Skip to main content


1 reply [Last post]
Joined: 2009-09-23

Well I got thrown this one as the one guy left. Here is the scenario. Glassfish V2 running on Ubuntu 8.10 server. We need SSL, and the 1st guy did 1/2 the work and got the cert but never installed it. So I both need to install the cert as well as don't have the password. I am sure the issuer can re-issue the cert, but really stuck and could use some prof' help. I am looking at URL, and the self signed is still there. I tried to delete using;
keytool -delete -alias s1as -keystore keystore.jks and get prompted for a pw which we don't have. I also have a folder which has the .csr, the .cert and a trustedroot.crt.

That's it, so to someone who know linux for a few good years and not even 5 minutes on glassfish, what is the best 1st step in getting this cert imported/installed?

** update **

I looked a little further on importing it, used the new folder with the new cert and got the following;

keytool -import -v -alias slas -file glassfish_temp/wfgfcert.cert -keystore glassfish_temp/keystore.jks
Enter keystore password:
Certificate already exists in keystore under alias
Do you still want to add it? [no]:

Now I remember playing a little on the dev box, and trying to import but it 'broke' glassfish so I had to revert. But, I guess, that is where it was left off. So I want to remove the self-signed, but import the wfgfcert one, so should I simply say Yes and try to 'start from scratch' with this?

******************* UPDATE #2: *******************
Well, nice the 28 people viewed, but not one can help?

I went ahead, looked more and using the keytool, did the above and said yes. Then on the admin gui under;
configuration/default-config/HTTP-Listeners/http-listener-2/SSL I saw the original s1as, changed it to slas (the original is the number 1, the 2nd is the letter l) and restarted which broke glassfish with the error;

Caused by: LifecycleException: PWC3985: Protocol handler initialization failed: PWC5330: Alias name slas does not identify a key entry. I did fix it by changing the domain.xml file and put the original alias back.

So stepping back, this is what I want to do, I don't see why this should be tough.

A former employee created and paid for a real cert so I have both the .csr and .cert which were named wfgfcert. I am not sure what if anything was done via import, etc. If I goto the SSL port now, it shows untrusted with the self signed. I tried to delete the slas key using the keytool but it asks for a password which I don't have.

So, with ALL the above, basically how can I remove the self signed, and simply install the wfgfcert?

Again, thanks.

******************* Update 3 *************************

Boy, I think I will start a new thread as this is getting boring, and the others who read prob won't re-read! Anyway, I might be getting closer, who knows, well you guys do, as I don't! Well I tested the keystore.jks file and the password failed, so took the other and this one worked on the check (I won't show all due to space), but I can now do this;
keytool -list -keystore keystore.jks -alias slas -v
Enter keystore password:
Alias name: slas
Creation date: Oct 27, 2009
Entry type: trustedCertEntry

Owner: CN=mydomainhere, OU=Domain Control Validated - RapidSSL(R), OU=See (c)09, OU=GT06273877, O=mydomainhere, C=US
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Serial number: d0b49
Valid from: Tue Sep 22 14:26:12 EDT 2009 until: Sat Sep 24 16:38:06 EDT 2011

There is also a cacerts.jks file which seems to get loaded and the same command;
keytool -list -keystore cacerts.jks -v (this has no password) works also;
Alias name: equifaxsecureebusinessca2
Creation date: Jul 18, 2003
Entry type: trustedCertEntry

Owner: OU=Equifax Secure eBusiness CA-2, O=Equifax Secure, C=US
Issuer: OU=Equifax Secure eBusiness CA-2, O=Equifax Secure, C=US
Serial number: 3770cfb5
Valid from: Wed Jun 23 08:14:45 EDT 1999 until: Sun Jun 23 08:14:45 EDT 2019
Certificate fingerprints:
MD5: AA:BF:BF:64:97:DA:98:1D:6F:C6:08:3A:95:70:33:CA
SHA1: 39:4F:F6:85:0B:06:BE:52:E5:18:56:CC:10:E1:80:E8:82:B3:85:CC
Signature algorithm name: SHA1withRSA
Version: 3

I remember something he said a while ago about adding a trusted root. Well, anyway, after restarting with these .jks files, I get this in the HUGE log file;
Caused by: java.lang.IllegalStateException: Keystore was tampered with, or password was incorrect

which is what I get if I try the keystore check with the wrong password.

So... where is the password for the keystore.jks file stored as it looks like when that cert was added into the keystore.jks file it (glassfish) doesn't have the password so it cant load the cert. So where does that get added/etc.

Reply viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
Joined: 2009-09-23

No help, so starting over.