Re: Using "keytool" to create security certificates for OpenLDAP
Seems this thread has gone off-topic. Discussions of these
issues seem more suitable for a list about "keytool" and
"truststore". Thanks, Kurt
At 11:33 AM 3/28/2005, Safdar Kureishy wrote:
>Thanks for the details Jon.
>I tried what you suggested -- adding CA.pem to the client's truststore
>- but I get the same error - "SSLHandshakeException:
>sun.security.validator.ValidatorException: No trusted certificate
>I even tried adding the server.pem file to the truststore but that
>didn't help of course. Is there any other system property that needs
>to be set apart from:
>On Sat, 26 Mar 2005 21:06:32 -0600, Jon Roberts <email@example.com> wrote:
>> Safdar Kureishy wrote:
>> > 1) I'm on a Windows machine,
>> So sorry.
>> > and in the OpenLDAP installation
>> > directory ("c:\Program Files\OpenLDAP"), I actually see several "SSL"
>> > related files.
>> Personally, I wouldn't trust the certs unless you put them there or know
>> who did.
>> > Could you tell me which is which, and which I should
>> > add to the truststore on the client?
>> > - serverkey.pem
>> As it says, the server's key file. Keep this one private through very
>> limited permissions.
>> > - server.pem
>> The server cert. This is expressed in the handshake.
>> > - CA.pem
>> Put this one in the client truststore. This is the certificate for your
>> local Certificate Authority. Like Verisign or Thawte, only much cheaper
>> and not universally known or accepted.
>> > - cakey.pem
>> You should probably keep this one pretty private as well.
>> > - ca.srl
>> You've heard of Google, right? I actually wasn't familiar with this file
>> extension, but a twenty-second Google search on 'ssl .srl' got me this
>> pat explanation:
>> "The content of file.srl is a two digit number. eg. 00; it's incremented
>> when the CA issues a certificate"
>> > 2) I actually tried adding "server.pem" to my client's truststore
>> > using keytool, and it seems that it got added (it gets listed with the
>> > -list option)
>> So now you at least know for a fact you can import .pem format files
>> into Java stores.
>> > but when I do the following with JLDAP to connect to
>> > the OpenLDAP server, I get an LDAPException with a root message:
>> > "sun.security.validator.ValidatorException: No trusted certificate
>> > found".
>> The client gets this cert anyway in the handshake; it doesn't belong in
>> the truststore (you are confusing keystores and truststores). In other
>> words, the reason you're told the server's cert isn't *trusted* is that
>> the JRE doesn't recognize the certificate authority from whence it came.
>> That's why you need your local CA certificate in the client's CA truststore.
>> Jon Roberts
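
The advice in the thread (put the CA certificate, not the server certificate, in the client truststore) can be checked before importing anything. The following is an added example, not code from any poster in the thread: it confirms with `openssl verify` that `server.pem` was issued by `CA.pem` and only then imports `CA.pem` with `keytool`. The file names mirror those listed in the thread; the certificate subjects, the alias `localca`, the store password and the helper function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). File names follow the thread's listing;
# subjects, alias, password and function names are constructed for illustration.

# Build a throwaway CA and a server certificate signed by it in directory $1,
# so the check below can be exercised offline on constructed data.
make_constructed_pki() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj "/CN=Constructed Local CA" \
          -keyout cakey.pem -out CA.pem 2>/dev/null &&
      openssl req -newkey rsa:2048 -nodes \
          -subj "/CN=ldap.example.test" \
          -keyout serverkey.pem -out server.csr 2>/dev/null &&
      # -CAcreateserial writes CA.srl, the CA's serial-number file
      openssl x509 -req -in server.csr -days 1 \
          -CA CA.pem -CAkey cakey.pem -CAcreateserial \
          -out server.pem 2>/dev/null )
}

# Succeeds only if server certificate $2 chains to CA certificate $1.
issued_by_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Import CA certificate $1 into truststore $2 (created if absent), but only
# after confirming it issued server certificate $3.
# Returns 2 on a CA/server mismatch and 127 if keytool is not installed.
import_ca_into_truststore() {
    issued_by_ca "$1" "$3" || { echo "$1 did not issue $3" >&2; return 2; }
    command -v keytool >/dev/null 2>&1 ||
        { echo "keytool not on PATH" >&2; return 127; }
    keytool -importcert -noprompt -trustcacerts -alias localca \
        -file "$1" -keystore "$2" -storepass changeit
}
```

The client JVM is then pointed at the resulting store with the standard `javax.net.ssl.trustStore` and `javax.net.ssl.trustStorePassword` system properties.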