Use codesigning cert for SSL encryption
Hi!
I have implemented an applet client (running i an browser) to access a JBoss application server. I have some problems setting up the SSL encryption on the communication between the two.
The applet shall be downloadable from a web server, and shall therefore not have access to any other keystore than the default "cacerts" (that comes with the Java plugin).
I have therefore gotten a cert verifing my company, issued by CA Thawte. This cert is of type codesigning cert. I have verified that the Thawte CA cert used to sign my company's cert is indeed in the "cacerts" keystore.
By enabling "javax.net.debug" = "ssl" I get a lot of debug info. The error message looks like this (full execption below):
-> "Netscape cert type does not permit use for SSL server"
This message seems to me, like I can't use this type of cert for SSL encryption? Is this right? and if so, why not?
The funny thing is that if I give the applet access to the keystore containing my company's cert (private/public keys) by using
"javax.net.ssl.trustStore" = "some path"
it works! SSL encryption is enabled! Of cause this option is not acceptable in a production environment.
I am using J2SDK 1.4.2 and JBoss 3.2.1 with http-invoker.
Any help appreciated
ThanX.
- Chris
The full exception is:
keyStore is :
keyStore type is : jks
init keystore
init keymanager of type SunX509
trustStore is: /usr/java/j2sdk1.4.2/jre/lib/security/cacerts
trustStore type is : jks
init truststore
adding as trusted cert:
Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0xe49efdf33ae80ecfa5113e19a4240232
Valid from Mon Jan 29 01:00:00 CET 1996 until Thu Jan 08 00:59:59 CET 2004
adding as trusted cert:
Subject: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x1
Valid from Thu Aug 01 02:00:00 CEST 1996 until Fri Jan 01 00:59:59 CET 2021
adding as trusted cert:
Subject: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Algorithm: RSA; Serial number: 0x2ad667e4e45fe5e576f3c98195eddc0
Valid from Wed Nov 09 01:00:00 CET 1994 until Fri Jan 08 00:59:59 CET 2010
adding as trusted cert:
Subject: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
Issuer: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
Algorithm: RSA; Serial number: 0x20000bf
Valid from Wed May 17 16:01:00 CEST 2000 until Sun May 18 01:59:00 CEST 2025
adding as trusted cert:
Subject: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
Issuer: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
Algorithm: RSA; Serial number: 0x374ad243
Valid from Tue May 25 18:09:40 CEST 1999 until Sat May 25 18:39:40 CEST 2019
adding as trusted cert:
Subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Algorithm: RSA; Serial number: 0x20000b9
Valid from Fri May 12 20:46:00 CEST 2000 until Tue May 13 01:59:00 CEST 2025
adding as trusted cert:
Subject: CN=Entrust.net Client Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., O=Entrust.net, C=US
Issuer: CN=Entrust.net Client Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., O=Entrust.net, C=US
Algorithm: RSA; Serial number: 0x380391ee
Valid from Tue Oct 12 21:24:30 CEST 1999 until Sat Oct 12 21:54:30 CEST 2019
adding as trusted cert:
Subject: CN=Entrust.net Client Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/GCCA_CPS incorp. by ref. (limits liab.), O=Entrust.net
Issuer: CN=Entrust.net Client Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/GCCA_CPS incorp. by ref. (limits liab.), O=Entrust.net
Algorithm: RSA; Serial number: 0x389ef6e4
Valid from Mon Feb 07 17:16:40 CET 2000 until Fri Feb 07 17:46:40 CET 2020
adding as trusted cert:
Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Algorithm: RSA; Serial number: 0x1a5
Valid from Thu Aug 13 02:29:00 CEST 1998 until Tue Aug 14 01:59:00 CEST 2018
adding as trusted cert:
Subject: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x1
Valid from Thu Aug 01 02:00:00 CEST 1996 until Fri Jan 01 00:59:59 CET 2021
adding as trusted cert:
Subject: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
Issuer: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
Algorithm: RSA; Serial number: 0x3863b966
Valid from Fri Dec 24 18:50:51 CET 1999 until Tue Dec 24 19:20:51 CET 2019
adding as trusted cert:
Subject: EMAILADDRESS=personal-basic@thawte.com, CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=personal-basic@thawte.com, CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x0
Valid from Mon Jan 01 01:00:00 CET 1996 until Fri Jan 01 00:59:59 CET 2021
adding as trusted cert:
Subject: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Issuer: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x325033cf50d156f35c81ad655c4fc825
Valid from Mon Jan 29 01:00:00 CET 1996 until Wed Jan 08 00:59:59 CET 2020
adding as trusted cert:
Subject: EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x0
Valid from Mon Jan 01 01:00:00 CET 1996 until Fri Jan 01 00:59:59 CET 2021
adding as trusted cert:
Subject: EMAILADDRESS=personal-premium@thawte.com, CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=personal-premium@thawte.com, CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x0
Valid from Mon Jan 01 01:00:00 CET 1996 until Fri Jan 01 00:59:59 CET 2021
adding as trusted cert:
Subject: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Issuer: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Algorithm: RSA; Serial number: 0x1b6
Valid from Fri Aug 14 16:50:00 CEST 1998 until Thu Aug 15 01:59:00 CEST 2013
adding as trusted cert:
Subject: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
Algorithm: RSA; Serial number: 0x1a3
Valid from Sat Feb 24 00:01:00 CET 1996 until Fri Feb 24 00:59:00 CET 2006
adding as trusted cert:
Subject: OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Issuer: OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0xba5ac94c053b92d6a7b6df4ed053920d
Valid from Mon Jan 29 01:00:00 CET 1996 until Thu Jan 08 00:59:59 CET 2004
adding as trusted cert:
Subject: CN=Entrust.net Secure Server Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/SSL_CPS incorp. by ref. (limits liab.), O=Entrust.net
Issuer: CN=Entrust.net Secure Server Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/SSL_CPS incorp. by ref. (limits liab.), O=Entrust.net
Algorithm: RSA; Serial number: 0x389b113c
Valid from Fri Feb 04 18:20:00 CET 2000 until Tue Feb 04 18:50:00 CET 2020
init context
trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1063272795 bytes = { 200, 41, 212, 81, 50, 46, 166, 131, 2, 7, 19, 96, 56, 74, 143, 149, 231, 10, 143, 121, 63, 135, 54, 136, 6, 166, 9, 47 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
***
main, WRITE: TLSv1 Handshake, length = 73
main, WRITE: SSLv2 client hello message, length = 98
main, READ: TLSv1 Handshake, length = 1772
*** ServerHello, TLSv1
RandomCookie: GMT: 1063272795 bytes = { 105, 170, 14, 117, 169, 51, 242, 67, 230, 247, 123, 147, 165, 241, 231, 69, 135, 210, 105, 82, 188, 80, 238, 241, 241, 232, 100, 84 }
Session ID: {63, 96, 65, 91, 84, 175, 225, 96, 176, 221, 147, 94, 80, 197, 97, 33, 229, 44, 241, 241, 225, 250, 70, 184, 181, 194, 253, 85, 75, 166, 132, 20}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=NERA SATCOM AS, OU=Research and Development, O=NERA SATCOM AS, L=Oslo, ST=Oslo, C=NO
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
c6eea673 104e5537 90419256 aaf2dfab bd847a37 3a123258 f309f711 329215c7
13599182 b107c56e c01b528d a241c944 035fa2c1 94b23c05 4faf8f6c a4b2ff58
60c3203d d8071874 d3c17ed7 cd00c880 8a5fb8aa 61a6fedf adf279bd c1da310d
3d840444 f64fe148 faed0294 1fd8aa61 1c9fbb44 8b2c39fa f5cf985b 8f27e74b
Validity: [From: Fri Sep 05 09:31:13 CEST 2003,
To: Sat Sep 04 09:31:13 CEST 2004]
Issuer: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
SerialNumber: [ 3d2cff]
Certificate Extensions: 6
[1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
Object Signing
]
[2]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.thawte.com/ThawteServerCA.crl]
]]
[3]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[DNSName: www.nera.no]]
[4]: ObjectId: 2.5.29.4 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 16 30 14 30 0E 30 0C 06 0A 2B 06 01 04 01 82 ..0.0.0...+.....
0010: 37 02 01 16 03 02 07 80 7.......
[5]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
[1.3.6.1.5.5.7.3.3, 1.3.6.1.4.1.311.2.1.22]]
[6]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
]
Algorithm: [MD5withRSA]
Signature:
0000: 96 9B DA 1E A0 A8 BC 72 2F 9A E4 C2 64 38 2F AE .......r/...d8/.
0010: 0D AE 55 8F 7B 86 E5 C6 98 0B 26 AA AB 4F 50 1C ..U.......&..OP.
0020: 85 18 D2 C9 6F 38 A1 CC DF 52 CD 5B 5A 0B 25 BD ....o8...R.[Z.%.
0030: E2 3C EB 90 CA 93 21 E1 71 FC E1 97 7E 6B C0 0C .<....!.q....k..
0040: 60 F2 9D 59 08 43 25 E3 E4 9C 55 84 03 42 0F F3 `..Y.C%...U..B..
0050: CC 29 7D E2 0F B3 D5 15 76 A5 97 93 D6 7E D9 B4 .)......v.......
0060: F8 70 B6 A5 03 73 BE 71 BC 39 BE 0F 72 AC 5B 6B .p...s.q.9..r.[k
0070: F0 68 49 F3 34 DA 3D C4 89 5E C9 A2 FA 58 3F FC .hI.4.=..^...X?.
]
chain [1] = [
[
Version: V3
Subject: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
d3a4506e c8ff566b e6cf5db6 ea0c6875 47a2aac2 da8425fc a8f44751 da85b520
7494861e 0f75c9e9 0861f506 6d306e15 1902e952 c062db4d 999ee26a 0c4438cd
febee364 0970c5fe b16b29b6 2f49c83b d4270425 10972fe7 906dc028 4299d74c
43dec3f5 216d549f 5dc358e1 c0e4d95b b0b8dcb4 7bdf363a c2b56622 12d6870d
Validity: [From: Thu Aug 01 02:00:00 CEST 1996,
To: Fri Jan 01 00:59:59 CET 2021]
Issuer: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
SerialNumber: [ 01]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
]
Algorithm: [MD5withRSA]
Signature:
0000: 07 FA 4C 69 5C FB 95 CC 46 EE 85 83 4D 21 30 8E ..Li\...F...M!0.
0010: CA D9 A8 6F 49 1A E6 DA 51 E3 60 70 6C 84 61 11 ...oI...Q.`pl.a.
0020: A1 1A C8 48 3E 59 43 7D 4F 95 3D A1 8B B7 0B 62 ...H>YC.O.=....b
0030: 98 7A 75 8A DD 88 4E 4E 9E 40 DB A8 CC 32 74 B9 .zu...NN.@...2t.
0040: 6F 0D C6 E3 B3 44 0B D9 8A 6F 9A 29 9B 99 18 28 o....D...o.)...(
0050: 3B D1 E3 40 28 9A 5A 3C D5 B5 E7 20 1B 8B CA A4 ;..@(.Z<... ....
0060: AB 8D E9 51 D9 E2 4C 2C 59 A9 DA B9 B2 75 1B F6 ...Q..L,Y....u..
0070: 42 F2 EF C7 F2 18 F9 89 BC A3 FF 8A 23 2E 70 47 B...........#.pG
]
***
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server
javax.naming.NamingException: Failed to retrieve Naming interface [Root exception is java.io.IOException]
at org.jboss.naming.HttpNamingContextFactory.getInitialContext(HttpNamingContextFactory.java:68)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
at javax.naming.InitialContext.init(InitialContext.java:219)
at javax.naming.InitialContext.(InitialContext.java:195)
at nera.mb.mms.rmi.MBJNDIConnection.(MBJNDIConnection.java:31)
at nera.mb.mms.MBClient.init(MBClient.java:112)
at nera.mb.mms.MBClient.main(MBClient.java:175)
Caused by: java.io.IOException
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:591)
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getInputStream(DashoA6275)
at org.jboss.naming.HttpNamingContextFactory.getNamingServer(HttpNamingContextFactory.java:110)
at org.jboss.naming.HttpNamingContextFactory.getInitialContext(HttpNamingContextFactory.java:64)
... 7 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA6275)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA6275)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:615)
at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:1446)
at java.net.URLConnection.getHeaderFieldInt(URLConnection.java:476)
at java.net.URLConnection.getContentLength(URLConnection.java:371)
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getContentLength(DashoA6275)
at org.jboss.naming.HttpNamingContextFactory.getNamingServer(HttpNamingContextFactory.java:106)
... 8 more
Caused by: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server
at sun.security.validator.EndEntityChecker.checkTLSServer(EndEntityChecker.java:246)
at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:103)
at sun.security.validator.Validator.validate(Validator.java:205)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA6275)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA6275)
... 22 more