
I have a Java application running on two different servers. On the 1st server, while the application is trying to insert an X.509 certificate into the NSS keystore, it gets the following error:

Failed to store public key certificate in keystore. Cause: Could not create trust object
 java.security.ProviderException: Could not create trust object
        at sun.security.pkcs11.Secmod$TrustAttributes.<init>(Secmod.java:658)
        at sun.security.pkcs11.Secmod$Module.setTrust(Secmod.java:529)
        at sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1045)
        at sun.security.pkcs11.P11KeyStore.engineSetCertificateEntry(P11KeyStore.java:516)
        at java.security.KeyStore.setCertificateEntry(Unknown Source)

Using certutil to list the NSS DB entry I can see the certificate entry, but the trust flag says "CTu,Cu,Cu".

On the 2nd server, inserting an X.509 certificate into the NSS keystore doesn't throw the same exception. It is working fine, and using certutil I can see the certificate entry, and the trust flag says: "CT,C,C".

My questions:

  1. Why did inserting an X.509 certificate on the 1st server throw an exception?
  2. What causes the trust flags to differ between the two certificates? The X.509 certificate is imported through the same API.

Both servers are running Java 8u121. Thank you.

Petaluma007
  • Is the root certificate on both servers? – Daniel W. Nov 22 '22 at 22:11
  • Why do I need a root certificate on both servers? The X.509 certificate is a self-signed certificate with a private key generated using the same provider (SunPKCS11-NSS). If I need a root certificate on the server, where do I place the root certificate, in the PKCS11 keystore? – Petaluma007 Nov 23 '22 at 01:23
  • Can you try to dig up a few more details, compare versions, try `--verbose` commands, seek log files with more information? I am not used to creating certificates with anything other than openssl... – Daniel W. Nov 24 '22 at 01:54
  • @DanielW. thank you for your response. All servers are running the same Java version (8u121) and the same Tomcat version, but each has a different NSS library version. At this point I am not sure if the NSS library version is causing the issue, as the servers with older and newer versions of NSS are working fine. Servers without exception: nss.x86_64 3.44.0-4.el7, nss.x86_64 3.79.0-1.el7_9. Server with exception: nss.x86_64 3.67.0-4.el7_9 – Petaluma007 Nov 28 '22 at 01:21
  • I have tried enabling debug logging for pkcs11keystore and sunpkcs11 when starting the application, but nothing helps: -Djava.security.debug=sunpkcs11 -Djava.security.debug=pkcs11keystore. I also attempted to copy the NSS DB from the server that is not working to another server that is working to see if the issue is reproduced. But the issue isn't reproducible. – Petaluma007 Nov 28 '22 at 01:21
  • Maybe they differ in how Java is setup? Stupid idea but, did you compare environment variables on the systems? Maybe something is missing. – Daniel W. Nov 28 '22 at 19:29
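The two trust triples quoted in the question ("CTu,Cu,Cu" on the failing server, "CT,C,C" on the working one) differ only in the letter `u`, which is the per-usage user-certificate marker NSS sets on an entry whose private key is held in the same database. The script below is an added example, not code from the original post: it parses the output of `certutil -L -d <dbdir>` for one nickname and decodes each trust slot (SSL, S/MIME, JAR/XPI) letter by letter using the certutil(1) trust-argument table, so the two servers' entries can be compared mechanically instead of by eye. The two listings and the nickname "tomcat" are constructed for the example; against a real database, feed it `"$(certutil -L -d /path/to/nssdb)"` instead.

```shell
#!/bin/sh
# Added example (not from the original question): parse `certutil -L` output
# and decode NSS trust flags for one certificate nickname.

# Constructed sample output of `certutil -L -d <dbdir>` for the two servers
# described in the question. Nickname "tomcat" is an assumption.
SERVER1_LIST='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

tomcat                                                       CTu,Cu,Cu
'
SERVER2_LIST='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

tomcat                                                       CT,C,C
'

# nss_trust_flags NICKNAME LISTING
# Prints the trust triple (e.g. CTu,Cu,Cu) for NICKNAME; exit 1 if not listed.
# The triple is always the last whitespace-separated field; everything before
# it is the nickname, which may itself contain spaces.
nss_trust_flags() {
    printf '%s\n' "$2" | awk -v nick="$1" '
        /^[[:space:]]*$/ || /Trust Attributes/ || /SSL,S\/MIME,JAR\/XPI/ { next }
        {
            flags = $NF
            line = $0
            sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", line)
            if (line == nick) { print flags; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# flag_meaning LETTER  -> meaning per the certutil(1) trust-argument table
flag_meaning() {
    case $1 in
        p) echo "valid peer" ;;
        P) echo "trusted peer (implies p)" ;;
        c) echo "valid CA" ;;
        C) echo "trusted CA to issue server certificates (implies c)" ;;
        T) echo "trusted CA to issue client certificates (implies c)" ;;
        u) echo "user certificate: the private key is present in this DB" ;;
        w) echo "send warning when used in this context" ;;
        g) echo "make step-up cert (SSL only)" ;;
        *) echo "unknown flag '$1'" ;;
    esac
}

# decode_slot SLOTNAME FLAGS  -> one line per flag letter in this usage slot
decode_slot() {
    s=$2
    if [ -z "$s" ]; then
        printf '%s: (no trust)\n' "$1"
        return
    fi
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}   # first character of $s
        s=${s#?}          # drop it
        printf '%s: %s = %s\n' "$1" "$c" "$(flag_meaning "$c")"
    done
}

# decode_trust_flags TRIPLE  -> decode the SSL, S/MIME and JAR/XPI slots
decode_trust_flags() {
    triple=$1
    ssl=${triple%%,*}
    rest=${triple#*,}
    smime=${rest%%,*}
    jar=${rest#*,}
    decode_slot SSL "$ssl"
    decode_slot S/MIME "$smime"
    decode_slot JAR/XPI "$jar"
}

# has_private_key TRIPLE  -> exit 0 if any slot carries the u (user cert) flag
has_private_key() {
    case $1 in
        *u*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Stand-alone usage: decode both constructed listings for nickname "tomcat".
for listing in "$SERVER1_LIST" "$SERVER2_LIST"; do
    flags=$(nss_trust_flags tomcat "$listing")
    printf -- '--- %s\n' "$flags"
    decode_trust_flags "$flags"
    if has_private_key "$flags"; then
        echo "    private key for this certificate is in the DB"
    fi
done
```

The parser keys on the last field rather than on column positions because certutil pads the nickname column to the longest nickname in the database, so the column width differs from one DB to another. The `u` check is separated out because it answers the concrete question of whether the database holds the key pair for the entry, which is what distinguishes the two outputs in the question.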

0 Answers