• Post Reply Bookmark Topic Watch Topic
  • New Topic

SSL issues with cacerts (-trustcacerts option)

Sriram Venkat
Posts: 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I'm having an interesting problem with SSL.

Here is some background information.

We're having a WLS server, on top of which is sitting an Aqualogic Server.

The clients have to hit our Aqualogic servers first, their requests are routed
to the weblogic tier and from there onwards some requests are forwarded to other services downstream of the weblogic tier.

So we have SSL certs on both tiers. I followed the steps below to get my identity and trust keystores.

-I create a publickey/pvt keypair using

keytool -genkey -alias abccert -keyalg RSA -keysize 2048 -keypass KeyPass -keystore ./identity.jks -storepass StorePass

-I create the CSR using

keytool -certreq -alias abccert -sigalg "MD5withRSA" -file ./identitycertreq.pem
-keypass KeyPass -keystore ./espprod.jks -storepass StorePass

-I submit identitycertreq.pem for signing and get back the signed certificate and the root CA certificate from the CA.

-I import the root CA certificate into the keystore "identity.jks"

keytool -import -v -noprompt -trustcacerts -alias rootcacertificate -file CA_2048.crt -keystore identity.jks -storepass StorePass

-I import signed certificate into the same keystore "identity.jks"

keytool -import -v -alias abccert -file identitycertreq.pem -keystore identity.jks -keypass MyKeyPass -storepass StorePass

-I simultaneously create and import the trusted certificate (I got that from my browser hitting the website who's cert I need to trust)

keytool -import -alias downstreamservices -file downstreamservices.cer - keystore trust.jks -storepass StorePass

-For better intra cluster communication, I import the identity certs of other managed servers into the trust.jks keystore.

using the keytool -list -keystore trust.jks/identity.jks confirms that all of the above has worked. All certs are present in the respective keystores.

Now, I use the console on both Aqualogic and Weblogic tiers to specify that I wish to move from demoidentity and demotrust to my custom identity and trust

Testing shows me that the managed server logs correctly pull info from the custom keystores.
However, when I check the logs for the services, I find that it's saying that it cannot pull trusteds sources/cannot find trusted sources.

This is confirmed in testing.

The workaround is that I imported the downstreamservices.cer into the cacerts file in jdk/jre/lib/security. Now it works!

so what is my trust store? is it cacerts or is it trust.jks? if it is cacerts, why is it pulling from cacerts and not my trust.jks

I narrowed it down to using the -trustcacerts option when I imported the root CA certificate into the keystore "identity.jks"

But all the trustcacerts option is supposed to do is have a list of DN's that are trusted. My understanding is that is used only as an additional source
for trusted certificates (after the trust.jks).

What options do I have to narrow this down further?

all help will be appreciated.
It is sorta covered in the JavaRanch Style Guide.
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!