-
1. Re: Jboss Presenting JNLP file or Tomcat - Certificate Error Browser
jfclere Apr 30, 2013 5:58 AM (in response to shadmeister)
on a deployment that has tomcat and jboss installed.
What do you mean? You have 2 servers on the same box?
-
2. Re: Jboss Presenting JNLP file or Tomcat - Certificate Error Browser
shadmeister Apr 30, 2013 6:11 AM (in response to jfclere)
Hi Jean-Frederic,
Yes - we have a Tomcat server installed and a jboss deployment installed too - each has their own keystore.
Thanks and regards,
Richard.
-
3. Re: Jboss Presenting JNLP file or Tomcat - Certificate Error Browser
jfclere Apr 30, 2013 7:09 AM (in response to shadmeister)
Using the same IP and 2 different key sets won't work unless you create the keys for that (alt_names in the certificates).
What is the error?
-
4. Re: Jboss Presenting JNLP file or Tomcat - Certificate Error Browser
shadmeister Apr 30, 2013 7:24 AM (in response to jfclere)
Hi Jean-Frederic,
Thanks for the reply.
Apologies - should have explained further - port 8443 Tomcat is listening, port 8880 jboss is listening.
The error is that the IE9 does not accept the certificate, and you get the warning. For apache, the directive is in httpd.conf to set up the Intermediate and Root CA certificates, but for some reason, jboss is not presenting to the web browser the Root, and Intermediate certificate to the browser.
I am assuming it is the keystore set up specifically for jboss that is the issue. There are no error messages in jboss logs - the certificate and keystore are being read by jboss. The private key and keystore have the same password, and the certificate alias is tomcat.
I am really frustrated with this, but it could be something very simple. I am assuming that if the keystore includes the root and intermediate as well as the main certificate, that jboss presents these to the browser when you try and access the jnlp file from jboss.
Thanks and regards,
Shadmeister.
-
5. Re: Jboss Presenting JNLP file or Tomcat - Certificate Error Browser
jfclere Apr 30, 2013 10:50 AM (in response to shadmeister)
You should have the same on tomcat and jboss, correct?
I think you have something wrong in the truststore in tomcat and jboss. Usually I debug that using openssl.
-
6. Re: Jboss Presenting JNLP file or Tomcat - Certificate Error Browser
shadmeister Apr 30, 2013 10:54 AM (in response to jfclere)
Hi Jean-Frederic,
Thanks for the reply.
Yes - I have the same for Tomcat and jboss - each has their own keystore. Since they are java based - cacerts has system-wide access - so when I add the root certificate to the jboss keystore, it reports it is already in the system wide keystore.
Any pointers as to what it could be? Should I remove the root CA from the truststore (cacerts) and leave the root CA in Tomcat and jboss truststore only?
Thanks and regards,
Shadmeister.
-
7. Re: Jboss Presenting JNLP file or Tomcat - Certificate Error Browser
shadmeister Oct 4, 2013 4:46 AM (in response to shadmeister)
Hi All,
I resolved the issue. If you have the CA signed server certificate, CA signed intermediate certificate, and CA signed root certificate, you have to concatenate the intermediate with the root, in that order, then create a p12 export to create the java keystore.
server.crt: Your server certificate from the CA
server.key: Your server.key from the Certificate Signing Request
ca-inter-cert.crt: Your intermediate certificate from the CA
ca-root-cert.crt: Your root certificate from the CA
So the commands would be:
Concatenate the intermediate and root certificate:
# cat ca-inter-cert.crt ca-root-cert.crt > chain.crt
Create the exported certificate chain:
# openssl pkcs12 -export -chain -inkey server.key -in server.crt -name "server" -CAfile chain.crt -out temp.p12
Create your java keystore:
# keytool -importkeystore -srckeystore temp.p12 -srcstoretype pkcs12 -srcalias server -destkeystore java.keystore -deststoretype jks -destalias jboss-server
You will be asked for passwords, so you will need to note them down when you create them.
Regards,
Shadmeister.
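
The fix in the last post, as an added example that is not part of the original thread: this script builds a constructed throwaway root, intermediate and server certificate, then shows that a PKCS#12 export without -chain carries one certificate while the thread's -chain/-CAfile export carries all three. The function names, the demo-* subjects and the password changeit are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. Subjects, file layout and the password "changeit" are constructed.

# Build a throwaway root -> intermediate -> server hierarchy in directory $1.
make_demo_pki() (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in root inter server; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
            -out "$n.csr" -subj "/CN=demo-$n" 2>/dev/null || exit 1
    done
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 2 -set_serial 1 -out ca-root-cert.crt 2>/dev/null &&
    openssl x509 -req -in inter.csr -CA ca-root-cert.crt -CAkey root.key \
        -extfile ca.ext -days 2 -set_serial 2 -out ca-inter-cert.crt 2>/dev/null &&
    openssl x509 -req -in server.csr -CA ca-inter-cert.crt -CAkey inter.key \
        -days 2 -set_serial 3 -out server.crt 2>/dev/null
)

# Export key and certificate(s) to PKCS#12. $1 = directory, $2 = "chain" or "leaf".
# With -chain, openssl refuses to export if it cannot build the chain from -CAfile.
export_p12() (
    cd "$1" || exit 1
    if [ "$2" = chain ]; then
        cat ca-inter-cert.crt ca-root-cert.crt > chain.crt   # order used in the thread
        openssl pkcs12 -export -chain -inkey server.key -in server.crt \
            -name server -CAfile chain.crt -out chain.p12 -passout pass:changeit
    else
        openssl pkcs12 -export -inkey server.key -in server.crt \
            -name server -out leaf.p12 -passout pass:changeit
    fi
)

# Print how many certificates a PKCS#12 file holds. $1 = file, $2 = password.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Build both bundles in a temp dir; print "<leaf-only count> <chain count>".
demo_counts() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" && export_p12 "$d" leaf && export_p12 "$d" chain &&
        echo "$(p12_cert_count "$d/leaf.p12" changeit) $(p12_cert_count "$d/chain.p12" changeit)"
    rc=$?; rm -rf "$d"; return $rc
}

demo_counts   # prints: 1 3
```

Running p12_cert_count on your own temp.p12 before the keytool import confirms the intermediate and root are in the bundle. Against the running server, openssl s_client -connect <host>:<port> -showcerts lists the certificates it actually presents.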