
Re: Using "keytool" to create security certificates for OpenLDAP



Seems this thread has gone off-topic.  Discussions of these
issues seem more suitable for a list about "keytool" and
"truststore".  Thanks, Kurt

At 11:33 AM 3/28/2005, Safdar Kureishy wrote:
>Thanks for the details Jon.
>
>I tried what you suggested -- adding CA.pem to the client's truststore
>- but I get the same error - "SSLHandshakeException:
>sun.security.validator.ValidatorException: No trusted certificate
>found"
>
>I even tried adding the server.pem file to the truststore but that
>didn't help of course. Is there any other system property that needs
>to be set apart from:
>       // property name is case-sensitive: trustStore, not truststore
>       System.setProperty("javax.net.ssl.trustStore",
>"C:\\temp\\truststore.jks");
>
>Thanks,
>Safdar
>
>
>On Sat, 26 Mar 2005 21:06:32 -0600, Jon Roberts <jon@jonanddeb.net> wrote:
>> Safdar Kureishy wrote:
>> > 1) I'm on a Windows machine,
>> 
>> So sorry.
>> 
>> > and in the OpenLDAP installation
>> > directory ("c:\Program Files\OpenLDAP"), I actually see several "SSL"
>> > related files.
>> 
>> Personally, I wouldn't trust the certs unless you put them there or know
>> who did.
>> 
>> > Could you tell me which is which, and which I should
>> > add to the truststore on the client?
>> > - serverkey.pem
>> 
>> As it says, the server's key file. Keep this one private through very
>> limited permissions.
>> 
>> > - server.pem
>> 
>> The server cert. This is expressed in the handshake.
>> 
>> > - CA.pem
>> 
>> Put this one in the client truststore. This is the certificate for your
>> local Certificate Authority. Like Verisign or Thawte, only much cheaper
>> and not universally known or accepted.
>> 
>> > - cakey.pem
>> 
>> You should probably keep this one pretty private as well.
>> 
>> > - ca.srl
>> 
>> You've heard of google, right? I actually wasn't familiar with this file
>> extension, but a twenty second google search on 'ssl .srl' got me this
>> pat explanation:
>> 
>> "The content of file.srl is a two digit number. eg. 00; it's incremented
>> when the CA issues a certificate"
>> 
>> > 2) I actually tried adding "server.pem" to my client's truststore
>> > using keytool, and it seems that it got added (it gets listed with the
>> > -list option)
>> 
>> So now you at least know for a fact you can import .pem format files
>> into Java stores.
>> 
>> > but when I do the following with JLDAP to connect to
>> > the OpenLDAP server, I get an LDAPException with a root message:
>> > "sun.security.validator.ValidatorException: No trusted certificate
>> > found".
>> 
>> The client gets this cert anyway in the handshake; it doesn't belong in
>> the truststore (you are confusing keystores and truststores). In other
>> words, the reason you're told the server's cert isn't *trusted* is that
>> the JRE doesn't recognize the certificate authority from whence it came.
>> That's why you need your local CA certificate in the client's CA truststore.
>> 
>> Jon Roberts
>> www.mentata.com
>>
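One way to check Jon's point about the trust anchor in plain JDK code, as an added example that is not from the thread: it builds an in-memory truststore holding only CA.pem, runs the same PKIX check the TLS handshake performs against server.pem, and then hands that trust manager to an SSLContext instead of relying on the javax.net.ssl.trustStore system property. The file names CA.pem and server.pem are the ones from the thread; the JLDAP factory class named in the final comment is an assumption.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class LdapTrustCheck {
    // Truststore with a single trusted entry: the local CA certificate (CA.pem, PEM-encoded).
    static KeyStore trustStoreFromCa(String caPemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null); // empty, in-memory store; nothing is written to disk
        try (InputStream in = new FileInputStream(caPemPath)) {
            ts.setCertificateEntry("local-ca", (X509Certificate) cf.generateCertificate(in));
        }
        return ts;
    }

    // The JRE's PKIX trust manager, initialised from that truststore.
    static X509TrustManager trustManagerFor(KeyStore ts) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager tm = trustManagerFor(trustStoreFromCa("CA.pem"));

        // Offline check of the server certificate: this is the validation that produces
        // "No trusted certificate found" during the handshake when CA.pem is missing.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate server;
        try (InputStream in = new FileInputStream("server.pem")) {
            server = (X509Certificate) cf.generateCertificate(in);
        }
        tm.checkServerTrusted(new X509Certificate[] { server }, "RSA"); // throws CertificateException on failure
        System.out.println("server.pem chains to CA.pem");

        // Use the same trust decisions for the LDAPS socket, independent of system properties.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        // assumed JLDAP hook: new LDAPJSSESecureSocketFactory(ctx.getSocketFactory())
    }
}
```

checkServerTrusted validates the chain only; hostname matching against the server's certificate is a separate step the LDAP client still has to perform.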