0 Replies Latest reply on Sep 11, 2003 4:32 AM by kristiane

    Use codesigning cert for SSL encryption

    kristiane Newbie

      Hi!

      I have implemented an applet client (running i an browser) to access a JBoss application server. I have some problems setting up the SSL encryption on the communication between the two.

      The applet shall be downloadable from a web server, and shall therefore not have access to any other keystore than the default "cacerts" (that comes with the Java plugin).

      I have therefore gotten a cert verifing my company, issued by CA Thawte. This cert is of type codesigning cert. I have verified that the Thawte CA cert used to sign my company's cert is indeed in the "cacerts" keystore.

      By enabling "javax.net.debug" = "ssl" I get a lot of debug info. The error message looks like this (full execption below):
      -> "Netscape cert type does not permit use for SSL server"
      This message seems to me, like I can't use this type of cert for SSL encryption? Is this right? and if so, why not?

      The funny thing is that if I give the applet access to the keystore containing my company's cert (private/public keys) by using
      "javax.net.ssl.trustStore" = "some path"
      it works! SSL encryption is enabled! Of cause this option is not acceptable in a production environment.

      I am using J2SDK 1.4.2 and JBoss 3.2.1 with http-invoker.

      Any help appreciated

      ThanX.
      - Chris

      The full exception is:
      keyStore is :
      keyStore type is : jks
      init keystore
      init keymanager of type SunX509
      trustStore is: /usr/java/j2sdk1.4.2/jre/lib/security/cacerts
      trustStore type is : jks
      init truststore
      adding as trusted cert:
      Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
      Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
      Algorithm: RSA; Serial number: 0xe49efdf33ae80ecfa5113e19a4240232
      Valid from Mon Jan 29 01:00:00 CET 1996 until Thu Jan 08 00:59:59 CET 2004

      adding as trusted cert:
      Subject: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
      Issuer: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
      Algorithm: RSA; Serial number: 0x1
      Valid from Thu Aug 01 02:00:00 CEST 1996 until Fri Jan 01 00:59:59 CET 2021

      adding as trusted cert:
      Subject: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
      Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
      Algorithm: RSA; Serial number: 0x2ad667e4e45fe5e576f3c98195eddc0
      Valid from Wed Nov 09 01:00:00 CET 1994 until Fri Jan 08 00:59:59 CET 2010

      adding as trusted cert:
      Subject: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
      Issuer: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
      Algorithm: RSA; Serial number: 0x20000bf
      Valid from Wed May 17 16:01:00 CEST 2000 until Sun May 18 01:59:00 CEST 2025

      adding as trusted cert:
      Subject: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
      Issuer: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
      Algorithm: RSA; Serial number: 0x374ad243
      Valid from Tue May 25 18:09:40 CEST 1999 until Sat May 25 18:39:40 CEST 2019

      adding as trusted cert:
      Subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
      Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
      Algorithm: RSA; Serial number: 0x20000b9
      Valid from Fri May 12 20:46:00 CEST 2000 until Tue May 13 01:59:00 CEST 2025

      adding as trusted cert:
      Subject: CN=Entrust.net Client Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., O=Entrust.net, C=US
      Issuer: CN=Entrust.net Client Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., O=Entrust.net, C=US
      Algorithm: RSA; Serial number: 0x380391ee
      Valid from Tue Oct 12 21:24:30 CEST 1999 until Sat Oct 12 21:54:30 CEST 2019

      adding as trusted cert:
      Subject: CN=Entrust.net Client Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/GCCA_CPS incorp. by ref. (limits liab.), O=Entrust.net
      Issuer: CN=Entrust.net Client Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/GCCA_CPS incorp. by ref. (limits liab.), O=Entrust.net
      Algorithm: RSA; Serial number: 0x389ef6e4
      Valid from Mon Feb 07 17:16:40 CET 2000 until Fri Feb 07 17:46:40 CET 2020

      adding as trusted cert:
      Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
      Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
      Algorithm: RSA; Serial number: 0x1a5
      Valid from Thu Aug 13 02:29:00 CEST 1998 until Tue Aug 14 01:59:00 CEST 2018

      adding as trusted cert:
      Subject: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
      Issuer: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
      Algorithm: RSA; Serial number: 0x1
      Valid from Thu Aug 01 02:00:00 CEST 1996 until Fri Jan 01 00:59:59 CET 2021

      adding as trusted cert:
      Subject: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
      Issuer: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
      Algorithm: RSA; Serial number: 0x3863b966
      Valid from Fri Dec 24 18:50:51 CET 1999 until Tue Dec 24 19:20:51 CET 2019

      adding as trusted cert:
      Subject: EMAILADDRESS=personal-basic@thawte.com, CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
      Issuer: EMAILADDRESS=personal-basic@thawte.com, CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
      Algorithm: RSA; Serial number: 0x0
      Valid from Mon Jan 01 01:00:00 CET 1996 until Fri Jan 01 00:59:59 CET 2021

      adding as trusted cert:
      Subject: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
      Issuer: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
      Algorithm: RSA; Serial number: 0x325033cf50d156f35c81ad655c4fc825
      Valid from Mon Jan 29 01:00:00 CET 1996 until Wed Jan 08 00:59:59 CET 2020

      adding as trusted cert:
      Subject: EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
      Issuer: EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
      Algorithm: RSA; Serial number: 0x0
      Valid from Mon Jan 01 01:00:00 CET 1996 until Fri Jan 01 00:59:59 CET 2021

      adding as trusted cert:
      Subject: EMAILADDRESS=personal-premium@thawte.com, CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
      Issuer: EMAILADDRESS=personal-premium@thawte.com, CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
      Algorithm: RSA; Serial number: 0x0
      Valid from Mon Jan 01 01:00:00 CET 1996 until Fri Jan 01 00:59:59 CET 2021

      adding as trusted cert:
      Subject: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
      Issuer: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
      Algorithm: RSA; Serial number: 0x1b6
      Valid from Fri Aug 14 16:50:00 CEST 1998 until Thu Aug 15 01:59:00 CEST 2013

      adding as trusted cert:
      Subject: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
      Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
      Algorithm: RSA; Serial number: 0x1a3
      Valid from Sat Feb 24 00:01:00 CET 1996 until Fri Feb 24 00:59:00 CET 2006

      adding as trusted cert:
      Subject: OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
      Issuer: OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
      Algorithm: RSA; Serial number: 0xba5ac94c053b92d6a7b6df4ed053920d
      Valid from Mon Jan 29 01:00:00 CET 1996 until Thu Jan 08 00:59:59 CET 2004

      adding as trusted cert:
      Subject: CN=Entrust.net Secure Server Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/SSL_CPS incorp. by ref. (limits liab.), O=Entrust.net
      Issuer: CN=Entrust.net Secure Server Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/SSL_CPS incorp. by ref. (limits liab.), O=Entrust.net
      Algorithm: RSA; Serial number: 0x389b113c
      Valid from Fri Feb 04 18:20:00 CET 2000 until Tue Feb 04 18:50:00 CET 2020

      init context
      trigger seeding of SecureRandom
      done seeding SecureRandom
      %% No cached client session
      *** ClientHello, TLSv1
      RandomCookie: GMT: 1063272795 bytes = { 200, 41, 212, 81, 50, 46, 166, 131, 2, 7, 19, 96, 56, 74, 143, 149, 231, 10, 143, 121, 63, 135, 54, 136, 6, 166, 9, 47 }
      Session ID: {}
      Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
      Compression Methods: { 0 }
      ***
      main, WRITE: TLSv1 Handshake, length = 73
      main, WRITE: SSLv2 client hello message, length = 98
      main, READ: TLSv1 Handshake, length = 1772
      *** ServerHello, TLSv1
      RandomCookie: GMT: 1063272795 bytes = { 105, 170, 14, 117, 169, 51, 242, 67, 230, 247, 123, 147, 165, 241, 231, 69, 135, 210, 105, 82, 188, 80, 238, 241, 241, 232, 100, 84 }
      Session ID: {63, 96, 65, 91, 84, 175, 225, 96, 176, 221, 147, 94, 80, 197, 97, 33, 229, 44, 241, 241, 225, 250, 70, 184, 181, 194, 253, 85, 75, 166, 132, 20}
      Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
      Compression Method: 0
      ***
      %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
      ** SSL_RSA_WITH_RC4_128_MD5
      *** Certificate chain
      chain [0] = [
      [
      Version: V3
      Subject: CN=NERA SATCOM AS, OU=Research and Development, O=NERA SATCOM AS, L=Oslo, ST=Oslo, C=NO
      Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

      Key: SunJSSE RSA public key:
      public exponent:
      010001
      modulus:
      c6eea673 104e5537 90419256 aaf2dfab bd847a37 3a123258 f309f711 329215c7
      13599182 b107c56e c01b528d a241c944 035fa2c1 94b23c05 4faf8f6c a4b2ff58
      60c3203d d8071874 d3c17ed7 cd00c880 8a5fb8aa 61a6fedf adf279bd c1da310d
      3d840444 f64fe148 faed0294 1fd8aa61 1c9fbb44 8b2c39fa f5cf985b 8f27e74b
      Validity: [From: Fri Sep 05 09:31:13 CEST 2003,
      To: Sat Sep 04 09:31:13 CEST 2004]
      Issuer: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
      SerialNumber: [ 3d2cff]

      Certificate Extensions: 6
      [1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
      NetscapeCertType [
      Object Signing
      ]

      [2]: ObjectId: 2.5.29.31 Criticality=false
      CRLDistributionPoints [
      [DistributionPoint:
      [URIName: http://crl.thawte.com/ThawteServerCA.crl]
      ]]

      [3]: ObjectId: 2.5.29.17 Criticality=false
      SubjectAlternativeName [
      [DNSName: www.nera.no]]

      [4]: ObjectId: 2.5.29.4 Criticality=false
      Extension unknown: DER encoded OCTET string =
      0000: 04 16 30 14 30 0E 30 0C 06 0A 2B 06 01 04 01 82 ..0.0.0...+.....
      0010: 37 02 01 16 03 02 07 80 7.......


      [5]: ObjectId: 2.5.29.37 Criticality=false
      ExtendedKeyUsages [
      [1.3.6.1.5.5.7.3.3, 1.3.6.1.4.1.311.2.1.22]]

      [6]: ObjectId: 2.5.29.19 Criticality=true
      BasicConstraints:[
      CA:false
      PathLen: undefined
      ]

      ]
      Algorithm: [MD5withRSA]
      Signature:
      0000: 96 9B DA 1E A0 A8 BC 72 2F 9A E4 C2 64 38 2F AE .......r/...d8/.
      0010: 0D AE 55 8F 7B 86 E5 C6 98 0B 26 AA AB 4F 50 1C ..U.......&..OP.
      0020: 85 18 D2 C9 6F 38 A1 CC DF 52 CD 5B 5A 0B 25 BD ....o8...R.[Z.%.
      0030: E2 3C EB 90 CA 93 21 E1 71 FC E1 97 7E 6B C0 0C .<....!.q....k..
      0040: 60 F2 9D 59 08 43 25 E3 E4 9C 55 84 03 42 0F F3 `..Y.C%...U..B..
      0050: CC 29 7D E2 0F B3 D5 15 76 A5 97 93 D6 7E D9 B4 .)......v.......
      0060: F8 70 B6 A5 03 73 BE 71 BC 39 BE 0F 72 AC 5B 6B .p...s.q.9..r.[k
      0070: F0 68 49 F3 34 DA 3D C4 89 5E C9 A2 FA 58 3F FC .hI.4.=..^...X?.

      ]
      chain [1] = [
      [
      Version: V3
      Subject: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
      Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

      Key: SunJSSE RSA public key:
      public exponent:
      010001
      modulus:
      d3a4506e c8ff566b e6cf5db6 ea0c6875 47a2aac2 da8425fc a8f44751 da85b520
      7494861e 0f75c9e9 0861f506 6d306e15 1902e952 c062db4d 999ee26a 0c4438cd
      febee364 0970c5fe b16b29b6 2f49c83b d4270425 10972fe7 906dc028 4299d74c
      43dec3f5 216d549f 5dc358e1 c0e4d95b b0b8dcb4 7bdf363a c2b56622 12d6870d
      Validity: [From: Thu Aug 01 02:00:00 CEST 1996,
      To: Fri Jan 01 00:59:59 CET 2021]
      Issuer: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
      SerialNumber: [ 01]

      Certificate Extensions: 1
      [1]: ObjectId: 2.5.29.19 Criticality=true
      BasicConstraints:[
      CA:true
      PathLen:2147483647
      ]

      ]
      Algorithm: [MD5withRSA]
      Signature:
      0000: 07 FA 4C 69 5C FB 95 CC 46 EE 85 83 4D 21 30 8E ..Li\...F...M!0.
      0010: CA D9 A8 6F 49 1A E6 DA 51 E3 60 70 6C 84 61 11 ...oI...Q.`pl.a.
      0020: A1 1A C8 48 3E 59 43 7D 4F 95 3D A1 8B B7 0B 62 ...H>YC.O.=....b
      0030: 98 7A 75 8A DD 88 4E 4E 9E 40 DB A8 CC 32 74 B9 .zu...NN.@...2t.
      0040: 6F 0D C6 E3 B3 44 0B D9 8A 6F 9A 29 9B 99 18 28 o....D...o.)...(
      0050: 3B D1 E3 40 28 9A 5A 3C D5 B5 E7 20 1B 8B CA A4 ;..@(.Z<... ....
      0060: AB 8D E9 51 D9 E2 4C 2C 59 A9 DA B9 B2 75 1B F6 ...Q..L,Y....u..
      0070: 42 F2 EF C7 F2 18 F9 89 BC A3 FF 8A 23 2E 70 47 B...........#.pG

      ]
      ***
      main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
      main, WRITE: TLSv1 Alert, length = 2
      main, called closeSocket()
      main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server
      javax.naming.NamingException: Failed to retrieve Naming interface [Root exception is java.io.IOException]
      at org.jboss.naming.HttpNamingContextFactory.getInitialContext(HttpNamingContextFactory.java:68)
      at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
      at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
      at javax.naming.InitialContext.init(InitialContext.java:219)
      at javax.naming.InitialContext.(InitialContext.java:195)
      at nera.mb.mms.rmi.MBJNDIConnection.(MBJNDIConnection.java:31)
      at nera.mb.mms.MBClient.init(MBClient.java:112)
      at nera.mb.mms.MBClient.main(MBClient.java:175)
      Caused by: java.io.IOException
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:591)
      at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getInputStream(DashoA6275)
      at org.jboss.naming.HttpNamingContextFactory.getNamingServer(HttpNamingContextFactory.java:110)
      at org.jboss.naming.HttpNamingContextFactory.getInitialContext(HttpNamingContextFactory.java:64)
      ... 7 more
      Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server
      at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
      at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA6275)
      at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA6275)
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:615)
      at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:1446)
      at java.net.URLConnection.getHeaderFieldInt(URLConnection.java:476)
      at java.net.URLConnection.getContentLength(URLConnection.java:371)
      at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getContentLength(DashoA6275)
      at org.jboss.naming.HttpNamingContextFactory.getNamingServer(HttpNamingContextFactory.java:106)
      ... 8 more
      Caused by: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server
      at sun.security.validator.EndEntityChecker.checkTLSServer(EndEntityChecker.java:246)
      at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:103)
      at sun.security.validator.Validator.validate(Validator.java:205)
      at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA6275)
      at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA6275)
      ... 22 more