Hello,

I have a customer who wants to use their own root and wildcard
certificate for the User Application server. Until now they have been
using a self-signed certificate with no problems. I've followed this
guide: http://tinyurl.com/nkh2q53 - and creating the keystore, importing
the root and wildcard certificate runs smoothly, and even running
"keytool -list -v -alias idm -keystore idm.keystore" to check whether
the keystore is as it should be shows this output:


Code:
--------------------

Alias name: ltk
Creation date: May 27, 2013
Entry type: trustedCertEntry

Owner: CN=*.ltk.dk, O=*.ltk.dk, OU=Domain Control Validated, C=DK
Issuer: CN=GlobalSign Domain Validation CA, O=GlobalSign nv-sa, OU=Domain Validation CA, C=BE
Serial number: 100000000012baa28c1d0
Valid from: Thu Oct 14 11:30:38 CEST 2010 until: Wed Oct 14 11:30:34 CEST 2015
Certificate fingerprints:
MD5: CB:19:C2:A44:098:25:E2:77:18:0A:86:B9:FAB
SHA1: B2:1B:5B:C6:CE:F8:5C:15:CA:4B:E6:C4:30:C0:3D:0C:8E:C0:25:8B
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 15 66 70 34 EB 25 8C 96 63 DA F7 76 C1 F8 85 A6 .fp4.%..c..v....
0010: 84 76 12 2D .v.-
]
]

#3: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: 1.3.6.1.5.5.7.48.2
accessLocation: URIName: http://secure.globalsign.net/cacert/dvhe1.crt]
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.globalsign.net/DomainVal1.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.4146.1.10]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 25 68 74 74 70 3A 2F 2F 77 77 77 2E 67 6C 6F .%http://www.glo
0010: 62 61 6C 73 69 67 6E 2E 6E 65 74 2F 72 65 70 6F balsign.net/repo
0020: 73 69 74 6F 72 79 2F sitory/

]] ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
1.3.6.1.4.1.311.10.3.3
]

#7: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

#8: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL client
SSL server
]

#9: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 36 12 4E 9E 71 C4 26 41 F1 FA F1 29 4C BF 17 A4 6.N.q.&A...)L...
0010: 53 28 B6 EB S(..
]

]

#10: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: *.ltk.dk
DNSName: ltk.dk
]

--------------------


It seems to me that it is as it should be. After rebooting the JBoss
server and going to the website, https://ip:8543/IDM - the certificate is
not trusted, as seen here: http://postimg.org/image/xtqz5varz/full/

It should not say ltk in issued to and issued by, it should say
something like issued to: GlobalSign Domain Validation CA and Issued by:
GlobalSign Root CA. The "ltk" is from the information I typed in when I
created the keystore.

Anyone know what's wrong?


--
jacmarpet
------------------------------------------------------------------------
jacmarpet's Profile: https://forums.netiq.com/member.php?userid=415
View this thread: https://forums.netiq.com/showthread.php?t=47832
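As an added example (not part of jacmarpet's post or of the linked guide), the following Python script audits `keytool -list -v` output for the things a practitioner checks before blaming the CA: the entry type (a `trustedCertEntry` holds only a certificate and no private key, so a TLS server cannot present it as its own identity; that requires a `PrivateKeyEntry`), whether the leaf is self-signed (Owner equal to Issuer), whether an intermediate CA is bundled and the chain links up, and whether the name being browsed to matches a DNSName in the SubjectAlternativeName. The listing it parses is constructed for this example: the `ltk` entry mirrors the one in the post, and the second alias `idm` with its two-certificate chain, the GlobalSign Root CA issuer line and the serial number `01` are hypothetical placeholders, not data from any real keystore.

```python
"""Audit `keytool -list -v` output: which aliases can actually serve TLS?

Constructed sample input (not a real keystore dump) in the shape keytool prints:
one trusted-certificate entry and one hypothetical private-key entry "idm".
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: ltk
Creation date: May 27, 2013
Entry type: trustedCertEntry

Owner: CN=*.ltk.dk, O=*.ltk.dk, OU=Domain Control Validated, C=DK
Issuer: CN=GlobalSign Domain Validation CA, O=GlobalSign nv-sa, OU=Domain Validation CA, C=BE
Serial number: 100000000012baa28c1d0
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.ltk.dk
  DNSName: ltk.dk
]


*******************************************
*******************************************


Alias name: idm
Creation date: May 27, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=*.ltk.dk, O=*.ltk.dk, OU=Domain Control Validated, C=DK
Issuer: CN=GlobalSign Domain Validation CA, O=GlobalSign nv-sa, OU=Domain Validation CA, C=BE
Serial number: 100000000012baa28c1d0
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.ltk.dk
  DNSName: ltk.dk
]

Certificate[2]:
Owner: CN=GlobalSign Domain Validation CA, O=GlobalSign nv-sa, OU=Domain Validation CA, C=BE
Issuer: CN=GlobalSign Root CA, O=GlobalSign nv-sa, OU=Root CA, C=BE
Serial number: 01
Signature algorithm name: SHA1withRSA
Version: 3
"""


@dataclass
class Cert:
    owner: str
    issuer: str
    sans: List[str]  # DNSName values from SubjectAlternativeName


@dataclass
class Entry:
    alias: str
    entry_type: str  # trustedCertEntry or PrivateKeyEntry
    certs: List[Cert]  # leaf first, as keytool prints Certificate[1], [2], ...


def _parse_certs(block: str) -> List[Cert]:
    # PrivateKeyEntry blocks carry "Certificate[n]:" headers; a trustedCertEntry
    # block has none, so the whole block is the single certificate.
    parts = re.split(r"^Certificate\[\d+\]:\s*$", block, flags=re.M)
    segments = parts if len(parts) == 1 else parts[1:]
    certs = []
    for seg in segments:
        owner = re.search(r"^Owner:\s*(.+)$", seg, re.M)
        issuer = re.search(r"^Issuer:\s*(.+)$", seg, re.M)
        if not (owner and issuer):
            continue
        sans = re.findall(r"^\s*DNSName:\s*(\S+)", seg, re.M)
        certs.append(Cert(owner.group(1).strip(), issuer.group(1).strip(), sans))
    return certs


def parse_keytool_list(text: str) -> List[Entry]:
    """Split the verbose listing into entries (keytool separates them with lines of '*')."""
    entries = []
    for block in re.split(r"\n(?:\*{10,}\n)+", text):
        alias = re.search(r"^Alias name:\s*(.+)$", block, re.M)
        etype = re.search(r"^Entry type:\s*(\S+)", block, re.M)
        if not (alias and etype):
            continue
        entries.append(Entry(alias.group(1).strip(), etype.group(1), _parse_certs(block)))
    return entries


def hostname_matches(host: str, sans: List[str]) -> bool:
    """RFC 6125-style match: '*.ltk.dk' covers one label only; IP literals never match a DNSName."""
    host = host.lower()
    for san in (s.lower() for s in sans):
        if san.startswith("*."):
            if host.endswith(san[1:]) and host.count(".") == san.count("."):
                return True
        elif san == host:
            return True
    return False


def audit(entry: Entry, expected_host: str = "idm.ltk.dk") -> List[str]:
    """Return human-readable findings; an empty list means the alias looks servable."""
    problems = []
    if entry.entry_type != "PrivateKeyEntry":
        problems.append(f"{entry.alias}: {entry.entry_type} holds no private key; "
                        "a TLS server cannot present it as its own identity")
    if not entry.certs:
        return problems + [f"{entry.alias}: no certificate found"]
    leaf = entry.certs[0]
    if leaf.owner == leaf.issuer:
        problems.append(f"{entry.alias}: leaf certificate is self-signed (Owner == Issuer)")
    elif len(entry.certs) == 1:
        problems.append(f"{entry.alias}: intermediate CA not bundled (chain length 1); "
                        "clients that lack it will not trust the server")
    for child, parent in zip(entry.certs, entry.certs[1:]):
        if child.issuer != parent.owner:
            problems.append(f"{entry.alias}: chain break: issuer '{child.issuer}' "
                            f"is not the next certificate's owner '{parent.owner}'")
    if not hostname_matches(expected_host, leaf.sans):
        problems.append(f"{entry.alias}: {expected_host} matches none of SAN {leaf.sans}")
    return problems


if __name__ == "__main__":
    for e in parse_keytool_list(SAMPLE_LISTING):
        print(e.alias, e.entry_type, audit(e) or "OK")
```

Run against a real keystore with `keytool -list -v -keystore idm.keystore | python3 audit.py` after swapping `SAMPLE_LISTING` for `sys.stdin.read()`. Two caveats the script encodes: `keytool -list` can only tell you what is in the keystore, not which alias JBoss is configured to serve, so cross-check the alias in the connector configuration; and browsing to `https://ip:8543/...` by IP address can never match `*.ltk.dk` or `ltk.dk`, so test with the DNS name the certificate was issued for.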