
I am trying to enable SSL on a project in the NetBeans IDE, using the GlassFish application server.

For SSL, I followed the procedure below.

  1. Generated a keystore: keytool -genkey -alias client_keystore -keyalg RSA -keystore client_keystore.jks -keysize 2048
  2. Generated a CSR: keytool -certreq -alias client_keystore -file yourcsrname.csr -keystore client_keystore.jks
  3. Submitted the CSR to another party.
  4. Received three .pem certificates from the party. I converted the .pem to .crt with: openssl x509 -outform der -in your-cert.pem -out your-cert.crt
  5. Imported the certs into my keystore as below:

     keytool -import -trustcacerts -alias intermediate -file GoDaddy_Intermediate.crt -keystore client_keystore.jks
     keytool -import -trustcacerts -alias root -file GoDaddy_Root.crt -keystore client_keystore.jks
     keytool -import -trustcacerts -alias BizSwitch -file BizSwitch.crt -keystore client_keystore.jks

  6. Imported the keystore into the default GlassFish keystore: keytool -importkeystore -srckeystore ~/Downloads/ipay/client_keystore.jks -destkeystore keystore.jks
  7. Restarted the GlassFish server.

I am not sure if that's all, but I am getting the sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target exception.

On restarting, from the glassfish logs I do not see the certificates being loaded as well.

Am I missing something?

3 Answers


Is your keystore in the folder /domains/domain1/config?

It looks like GlassFish does not point to the correct keystore, as you correctly imported the certs.

Hans Schreuder
  • Yes, the keystore is in the /configs directory. ...I cannot get around why it does not. – Dec 18 '17 at 10:54

You should also import the cert into the JVM's truststore...

Reference: Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?

Tobi Tiggers

You created the keypair entry under alias client_keystore so you need to import your server cert to that alias and entry. Assuming BizSwitch is your server's name, you need to -importcert -file BizSwitch.crt -alias client_keystore -keystore client_keystore.jks. If you get it correct the output from that command should be Certificate reply was installed NOT Certificate was added. (The latter is correct for separate CA certs, but not the server cert.)

Also, you didn't need to convert to DER. keytool (or more exactly CertificateFactory) has been able to read PEM certs for more than a decade, and even PEM-with-comments since j7 circa 2012. (This is not the case for some other crypto objects like private keys.)

dave_thompson_085