
Re: Using "keytool" to create security certificates for OpenLDAP



Thanks for the details Jon.

I tried what you suggested -- adding CA.pem to the client's truststore
- but I get the same error - "SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate
found"

I even tried adding the server.pem file to the truststore but that
didn't help of course. Is there any other system property that needs
to be set apart from:
       // JSSE system property names are case-sensitive: "trustStore", not "truststore"
       System.setProperty("javax.net.ssl.trustStore", "C:\\temp\\truststore.jks");

Thanks,
Safdar


On Sat, 26 Mar 2005 21:06:32 -0600, Jon Roberts <jon@jonanddeb.net> wrote:
> Safdar Kureishy wrote:
> > 1) I'm on a Windows machine,
> 
> So sorry.
> 
> > and in the OpenLDAP installation
> > directory ("c:\Program Files\OpenLDAP"), I actually see several "SSL"
> > related files.
> 
> Personally, I wouldn't trust the certs unless you put them there or know
> who did.
> 
> > Could you tell me which is which, and which I should
> > add to the truststore on the client?
> > - serverkey.pem
> 
> As it says, the server's key file. Keep this one private through very
> limited permissions.
> 
> > - server.pem
> 
> The server cert. This is expressed in the handshake.
> 
> > - CA.pem
> 
> Put this one in the client truststore. This is the certificate for your
> local Certificate Authority. Like Verisign or Thawte, only much cheaper
> and not universally known or accepted.
> 
> > - cakey.pem
> 
> You should probably keep this one pretty private as well.
> 
> > - ca.srl
> 
> You've heard of google, right? I actually wasn't familiar with this file
> extension, but a twenty second google search on 'ssl .srl' got me this
> pat explanation:
> 
> "The content of file.srl is a two digit number. eg. 00; it's incremented
> when the CA issues a certificate"
> 
> > 2) I actually tried adding "server.pem" to my client's truststore
> > using keytool, and it seems that it got added (it gets listed with the
> > -list option)
> 
> So now you at least know for a fact you can import .pem format files
> into Java stores.
> 
> > but when I do the following with JLDAP to connect to
> > the OpenLDAP server, I get an LDAPException with a root message:
> > "sun.security.validator.ValidatorException: No trusted certificate
> > found".
> 
> The client gets this cert anyway in the handshake; it doesn't belong in
> the truststore (you are confusing keystores and truststores). In other
> words, the reason you're told the server's cert isn't *trusted* is that
> the JRE doesn't recognize the certificate authority from whence it came.
> That's why you need your local CA certificate in the client's CA truststore.
> 
> Jon Roberts
> www.mentata.com
>
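The thread above comes down to two things a client must get right: the local CA certificate (CA.pem, not server.pem) has to be in the truststore, and the JSSE system property names are case-sensitive (`javax.net.ssl.trustStore`, not `javax.net.ssl.truststore`). The following is an added example, not code from the original thread or from the OpenLDAP or JLDAP projects. It loads the truststore that keytool produced, lists the certificate entries so you can confirm the CA is actually present, builds an SSLContext from that store explicitly instead of relying on system properties, and performs a TLS handshake against the LDAPS port. The truststore path and password, the LDAP host name and the port 636 are assumptions; substitute your own values.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class TruststoreCheck {

    public static void main(String[] args) throws Exception {
        // Assumed values: truststore built with keytool, its password, and the LDAP host.
        String trustStorePath = args.length > 0 ? args[0] : "C:\\temp\\truststore.jks";
        char[] trustStorePassword = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String ldapHost = args.length > 2 ? args[2] : "ldap.example.test"; // placeholder host
        int ldapsPort = 636;                                               // assumed LDAPS port

        // 1. Property names are case-sensitive: "trustStore", not "truststore".
        //    A misspelled name is silently ignored and the JRE falls back to its
        //    default cacerts file, which does not know the local CA.
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", new String(trustStorePassword));

        // 2. Load the truststore and list its certificate entries, so a
        //    "No trusted certificate found" error can be traced to a missing
        //    CA entry rather than to a typo in the property name.
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, trustStorePassword);
        }
        for (String alias : Collections.list(ts.aliases())) {
            if (ts.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ts.getCertificate(alias);
                // getBasicConstraints() returns -1 when the cert is not a CA cert;
                // the entry that matters here must be a CA cert (CA.pem), not server.pem.
                boolean isCa = c.getBasicConstraints() != -1;
                System.out.printf("%s: subject=%s ca=%b%n",
                        alias, c.getSubjectX500Principal(), isCa);
            }
        }

        // 3. Build an SSLContext from that truststore explicitly. This makes the
        //    trust material independent of system properties and of their spelling.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLSocketFactory sf = ctx.getSocketFactory();

        // 4. Complete a handshake against the LDAPS port. A server cert issued by a
        //    CA that is not in the store fails here with the same ValidatorException
        //    the thread reports from JLDAP.
        try (SSLSocket s = (SSLSocket) sf.createSocket(ldapHost, ldapsPort)) {
            s.startHandshake();
            System.out.println("Handshake OK, peer: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

The CA certificate is imported with keytool as in the thread (`keytool -import -trustcacerts -alias localca -file CA.pem -keystore truststore.jks`); the listing in step 2 should then show that alias with `ca=true`. Whether the resulting `SSLSocketFactory` can be handed to JLDAP's secure socket factory is an assumption about that library and is not shown here; the point of the example is that the handshake in step 4 succeeds or fails for the same reason the LDAP connection does.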