JavaRanch » Java Forums » Products » Tomcat
Importing Certificate into JAVA Keystore

Stephen Stone
Greenhorn

Joined: Nov 18, 2009
Posts: 9
Hi.

I have an IDM instance setup.

I am currently trying to configure and set-up an LDAP Resource.

During the configuration, I got the error:

"Could not connect to the LDAP server "api.csc.fi". ==> javax.naming.CommunicationException: simple bind failed: api.csc.fi:636"

Upon extensive research (on Tomcat websites, as well as Forums), I got the notion that I needed to import the ldapCertificate into my JAVA Keystore, otherwise it would be impossible for IDM to successfully connect to LDAP.

I am using Apache Tomcat as my application server. I was able to locate several online documents which explained how to import a trusted certificate into the Keystore (unfortunately, these documents seem to give several different solutions to the same problem).

Eventually, I decided to use the following command at my command prompt:

keytool -importcert -alias abc -file ABCCA.cer (where "abc" is the alias)

The import was successful.


However, I am still getting the same error on my LDAP configuration.

Am I doing something wrong? Is there something ELSE I need to do ?

Any help will be greatly appreciated.


Best regards,

Stephen

Svein Erik Løvland
Greenhorn

Joined: Nov 13, 2009
Posts: 8

Are you certain that it was the correct keystore for the JRE which your Tomcat server uses?
Stephen Stone
Greenhorn

Joined: Nov 18, 2009
Posts: 9
Yes, I think it was.

I mean, I followed all the instructions given in the Tomcat Documentation.

Of course, it's possible that I was in the wrong directory (in which case, which directory is the correct one?)


If I imported the Certificate into the wrong place, how would I go about removing it from there, so I can import it into the right place?

Or should I simply go ahead and create my own NEW keystore?

I also noticed just now that, BEFORE importing the Certificate itself, I was supposed to import some kind of TRUST CHAIN certificate.

I have searched everywhere, but can't find any proper instructions for doing this.

Any tips?


Thanks

Svein Erik Løvland
Greenhorn

Joined: Nov 13, 2009
Posts: 8

C:\Program Files\Java\jdk1.6.0_15\jre\lib\security\cacerts <-- my/default Java Keystore, I've imported a cert there.

and my $JAVA_HOME is pointing to C:\Program Files\Java\jdk1.6.0_15

If you are deploying to a Tomcat instance managed by an IDE, for example, you should check which JRE that instance is running in, and import to the correct corresponding keystore.

I don't know if this is best practice, but it worked for me. (System administrators probably know some better way to manage keystores, e.g. remove/add/invalidate certs etc.)
Stephen Stone
Greenhorn

Joined: Nov 18, 2009
Posts: 9
I have just one question: how do I remove (or delete) that certificate that I imported already?

Thanks

Stephen Stone
Greenhorn

Joined: Nov 18, 2009
Posts: 9
Ok, I've been able to delete the Certificate from the keystore.

One thing I do not understand though, is this: when I was IMPORTING the certificate, I did not specify any particular KEYSTORE.

I simply used the command: keytool -importcert -alias <alias> -file <certificate name>

As I understand, this is how to import a Certificate from a file.

I assumed that this certificate went into the DEFAULT keystore. (Or didn't it??)

Because, when I was deleting the certificate, I realized that there is ANOTHER location which is the actual keystore itself (denoted by ".keystore").

Now, I am totally confused. WHERE do I really need to import the Certificate?

And, do I need to first import a TRUST certificate?

Stephen Stone
Greenhorn

Joined: Nov 18, 2009
Posts: 9

My JAVA folder has 3 different locations which contain the command "KEYTOOL".

I don't even know which of them is supposed to hold the certificate.

Yesterday, just to be on the safe side, I imported my certificate into ALL 3 locations (under 3 different aliases).

Still did not work.

Then I found yet another command online which says that it's not enough to import the certificate into the keystore. It needs to be imported directly into the CACERT file.

But it does not say HOW this should be done!!

To make matters even worse, I found yet another "advice" in Tomcat's documentation, saying: before importing the certificate, you need to first import a so-called TRUST CHAIN.

In some places, it says you need this trust chain if the certificate was applied for by yourself.

In some places, it does not mention the trust chain at all, if you already trust the certificate.

So, what exactly is the CORRECT way to do this?

And what is the right command???

Is it: keytool -import -file tomcatCert.crt -trustcacerts -alias tomcat -keystore c:/apps/jdk/jre/lib/security/cacerts -storepass changeit

Or is it: keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>

Or: keytool -import -alias tomcat -keystore <your_keystore_filename> -file <your_certificate_filename>

Or: keytool -importcert -alias abc -file ABCCA.cer

Which is it???

And what is the difference between KEYSTORE and CACERT???

I am just so confused!!
Stephen Stone
Greenhorn

Joined: Nov 18, 2009
Posts: 9

I got the LDAP connection working on my IDM.

"Test Connection Succeeded"


However, when I try to create a new User on the LDAP Resource, I get the following error:

javax.naming.CommunicationException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target



Does anyone have an idea what this could mean?

Thanks
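An added example, not code from the thread or from Tomcat: a small Java 7+ program (the class name TrustCheck and the chain.pem argument are my own) that locates the truststore the JVM will actually use, in the same lookup order JSSE uses, and runs the same PKIX path build JSSE performs during an LDAPS handshake, so the "unable to find valid certification path to requested target" failure can be reproduced offline against a chosen cacerts file. Run it with the JRE that starts Tomcat, since java.home differs per JRE and an import into another JDK's cacerts has no effect on it.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

/** Offline check: does a server's certificate chain build to a trust anchor in the truststore
 *  this JVM would use? Run it with the same JRE as Tomcat. (Hypothetical class, not from the thread.) */
public class TrustCheck {
    /** Same lookup order JSSE uses: javax.net.ssl.trustStore, else jssecacerts, else cacerts,
     *  both under java.home/lib/security (java.home is <jdk>/jre for a JDK 6 install). */
    static Path defaultTrustStore() {
        String p = System.getProperty("javax.net.ssl.trustStore");
        if (p != null) return Paths.get(p);
        Path sec = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = sec.resolve("jssecacerts");
        return Files.exists(jsse) ? jsse : sec.resolve("cacerts");
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) { System.err.println("usage: java TrustCheck chain.pem [truststore]"); return; }
        Path ts = args.length > 1 ? Paths.get(args[1]) : defaultTrustStore();
        String pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(ts)) { ks.load(in, pw.toCharArray()); }
        System.out.println("Truststore " + ts + " holds " + ks.size() + " entries");
        // chain.pem holds what the server presents: leaf first, then any intermediates (no root needed).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        // Same PKIX path build the JSSE trust manager performs: the leaf is the target, the
        // intermediates are candidates, and the root must be one of the truststore's anchors.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(ks, target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
        params.setRevocationEnabled(false); // offline check: no CRL/OCSP fetching
        try {
            PKIXCertPathBuilderResult r =
                    (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("OK: anchored at " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            // The failure behind "unable to find valid certification path to requested target".
            System.out.println("FAILED against " + ts + ": " + e.getMessage());
        }
    }
}
```

When it reports FAILED, the fix is to import the CA that issued the LDAP server's certificate (the trust chain, not only the server certificate) into the very file it printed, for example keytool -importcert -trustcacerts -alias abc -file ABCCA.cer -keystore <printed path> -storepass changeit, and then restart Tomcat so the JVM reloads it.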