First post, hopefully this is the appropriate forum category for this question.
I inherited an old application written in EJB that is running on JRun4. JRun4 serves the content - which is to say that we do not have Apache, IIS, or similar in front of it. The application is used internally only, and is not visible from outside the firewall at all. The web content contains identifiable information, and so we are trying to get the application to use SSL.
Internal to my organization we use Active Directory Certificate Services for applications that are internal only, and we have an internal signing certificate that is distributed to all workstations that is also used to sign all internal signing requests. Obviously this signing certificate is not part of Java's trust chain. I do not have access to the signing key, so I'm emulating as best as I can using OpenSSL. The idea is to create a signing authority and get that to work with JRun4. Since I have full control of the chain, I can experiment quickly to see what works.
I have not been able to get past "Peer not authenticated". My understanding is that the error message is caused when Java can't find the CA public key. However, I've added it every place I can think of, and I still get the error.
Here are my steps, bearing in mind that I'm just trying to come to grips with how to get this to work so I know what to do on the production server:
1) I compiled OpenSSL 1.0.1j from source using MinGW.
2) I used the configuration and steps from ssl - How do you sign OpenSSL Certificate Signing Requests with your Certification Authority? for creating a CA.
3) The CA is on a separate device from where I'm running JRun.
4) I have JRun copied - but not installed - on a workstation at C:\JRun4.
5) Java 6 is installed at C:\Programs\jdk1.6.0 on my workstation. (Side note, I can't get JRun to work with newer Java versions, it complains about the jvm.dll)
6) I generated a fresh keystore in C:\JRun4\lib with the password "changeit".
7) I generated a signing request from that keystore.
8) I copied the .csr over to the other workstation and signed it.
9) I copied the signed key and the CA key from the other workstation back to the JRun workstation.
10) I first imported the CA key into four places - C:\Programs\jdk1.6.0\lib\security\cacerts , C:\Programs\jdk1.6.0\jre\lib\security\cacerts , C:\JRun4\lib\keystore , and C:\JRun4\lib\trustStore .
11) I imported the signed key into C:\JRun4\lib\keystore , after which SSL would start without error, but I got the "Peer not authenticated" error.
12) In desperation, I copied the signed key into the other three locations, even though I was pretty sure that wouldn't help.
What am I missing?
Please feel free to ask for more details, I didn't want to bog down an already long post with lots of irrelevant data.