Sure, at that point you've only handled one half of the handshake. You gotta 
find the corresponding command to install or 'present' the client cert now... 

----- Original Message ----- 
From: "David Patricola" <david.patric...@jefferson.edu> 
To: openssl-users@openssl.org 
Sent: Wednesday, March 30, 2011 9:32:36 AM 
Subject: RE: Truststore or Cacerts file? 




Ok, I’ve modified my import as follows:

E:\JRun4\jre\bin>keytool -importcert -alias dca -file E:\Jrun4\jre\lib\security\root.crt -keystore E:\Jrun4\jre\lib\security\cacerts



But I still get a failed connection connecting:
“org.postgresql.util.PSQLException: The connection attempt failed.”



Looks like it’s back to trolling other message lists! Thanks for your help, 
guys. 






From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Lou Picciano 
Sent: Wednesday, March 30, 2011 8:55 AM 
To: openssl-users@openssl.org 
Subject: Re: Truststore or Cacerts file? 




David, 





You may get some ambiguous answers to - ultimately - a PG question on the SSL
list... Yes, in a _standard_ PostgreSQL SSL setting, in which libpq is reading
the certs from _default_ positions, the root.crt, postgresql.crt and
postgresql.key are all in the same 'folder'. (I believe you are on Windows? in
which case this folder is %APPDATA%/postgresql/)





But your mileage varies when you do this from Java - You've switched from 
gasoline to 'flex-fuel'; caffeine, to be specific! 





One thing which looks wrong to me about the command you quote - below - is that 
you appear to be installing your 'user' cert (postgresql.crt) into the CAcerts 
store. This would not make sense. 





Lou Picciano 



----- Original Message ----- 
From: "David Patricola" <david.patric...@jefferson.edu> 
To: "Tomas Gustavsson" <to...@primekey.se>, openssl-users@openssl.org 
Sent: Wednesday, March 30, 2011 8:43:38 AM 
Subject: RE: Truststore or Cacerts file? 

Do the other two stay in the same folder as root.crt, but only root.crt 
actually gets installed in the cacerts file? 

-----Original Message----- 
From: Tomas Gustavsson [mailto:to...@primekey.se] 
Sent: Wednesday, March 30, 2011 3:49 AM 
To: openssl-users@openssl.org 
Cc: David Patricola 
Subject: Re: Truststore or Cacerts file? 


CA certificates, i.e. root.crt, go into the cacerts file.

Cheers, 
Tomas 
---- 
http://www.ejbca.org/ 


On 03/29/2011 09:26 PM, David Patricola wrote: 
> I've found plenty of google results but I am having a disconnect with 
> the install. My server has its own server.crt, server.key and root.crt
> files. My desktop (which I connect successfully to) has postgresql.crt, 
> postgresql.key and the same root.crt, which I used to securely connect 
> via pgAdmin just fine. So, I'm using those 3 same files on my machine 
> and copying them to the other client machine. 
> 
> Every tutorial I go to shows me to insert a .crt file into the cacerts 
> keystore. Which .crt I don't know because all examples use generic 
> examples. And me knowing zero about Java doesn't help so I'm using 
> everything I read as gospel. This is what I've done so far: 
> 
> E:\JRun4\jre\bin>keytool -importcert -alias dca -file 
> C:\dcacerts\postgresql.crt -keystore E:\Jrun4\jre\lib\security\cacerts 
> 
> So the question is, what did I miss? 
> 
> And, what is PG East? 
> 
> ------------------------------------------------------------------------ 
> 
> *From:*owner-openssl-us...@openssl.org 
> [mailto:owner-openssl-us...@openssl.org] *On Behalf Of *Lou Picciano 
> *Sent:* Tuesday, March 29, 2011 2:58 PM 
> *To:* openssl-users@openssl.org 
> *Subject:* Re: Truststore or Cacerts file? 
> 
> David, 
> 
> We've had to do this a couple of times for a handful of our Java 
> developer clients - as I recall, we googled our way to the solution 
> pretty easily... 
> 
> But, from the wording of your message, it sounds like you may be
> conflating a couple of different things. 
> 
> The certificate and key will be unique to the server, and for each 
> client. The way to think about it: The 'key' file is the unique identity 
> for each 'entity' in your environment, from which all else flows. 
> 
> The 'root' certificate may well be common to all entities; sounds like 
> this is the case you are setting up. 
> 
> You may then specify - if your design dictates it - that each client 
> certificate be _signed_ by the same root certificate. There are a few 
> permutations in there, to be thought about. 
> 
> What you would _not_ be doing is using the same key(s) and cert(s) on 
> both server and client(s). 
> 
> Did not see you at PG East last week? 
> 
> Lou Picciano 
> 
> 
> ----- Original Message ----- 
> From: "David Patricola" <david.patric...@jefferson.edu> 
> To: openssl-users@openssl.org 
> Sent: Tuesday, March 29, 2011 1:16:03 PM 
> Subject: Truststore or Cacerts file? 
> 
> I have a postgres server running in SSL, and set up the self-signed 
> certificates and key on this box as well. I need to install these 
> certificates on a client Java box's (actually running ColdFusion 8) 
> keystore. Out of postgresql.crt, root.crt and postgresql.key, which files
> do I store? And do they go into the default cacerts file or create a 
> truststore? 
> 
> *David Patricola*| Senior Cold Fusion Developer| Web Applications &
> Services| Jefferson Information Technologies
>
> *Thomas Jefferson University*| Philadelphia, PA| 215.503.1715 (Office)
> 

______________________________________________________________________ 
OpenSSL Project http://www.openssl.org 
User Support Mailing List openssl-users@openssl.org 
Automated List Manager majord...@openssl.org
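
The split this thread arrives at (root.crt belongs in the trust store, while postgresql.crt and postgresql.key are the client's own identity and are presented separately), as an added example that is not part of the original messages. The PKI is a constructed throwaway; demo.cnf, client.p12, the password changeit and the function names are assumptions, and only the file names and the alias dca come from the thread.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI that reuses the thread's file names.

# Build root.crt (CA), postgresql.key and postgresql.crt (client) in directory $1.
make_demo_pki() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/demo.cnf" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" -subj "/CN=dca" \
        -keyout "$d/postgresql.key" -out "$d/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/postgresql.crt" 2>/dev/null
}

# Print which Java store a PEM file belongs in.
store_for() {
    if grep -q 'PRIVATE KEY' "$1"; then echo keystore   # a private key is never trust material
    elif openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo truststore
    else echo keystore                                  # end-entity cert: the client's identity
    fi
}

# Succeed only when certificate $1 and private key $2 carry the same public key.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Check the client pair against the root, then bundle it as a PKCS#12 keystore.
build_client_keystore() {
    d=$1
    openssl verify -CAfile "$d/root.crt" "$d/postgresql.crt" >/dev/null 2>&1 &&
    key_matches "$d/postgresql.crt" "$d/postgresql.key" &&
    openssl pkcs12 -export -name dca -passout pass:changeit \
        -in "$d/postgresql.crt" -inkey "$d/postgresql.key" -out "$d/client.p12"
}

# Demo run: classify the three files the thread asks about.
d=$(mktemp -d) && make_demo_pki "$d" && build_client_keystore "$d" &&
for f in root.crt postgresql.crt postgresql.key; do echo "$f -> $(store_for "$d/$f")"; done
```

On a JVM that takes its TLS material from the standard system properties (an assumption about the client), client.p12 is named by javax.net.ssl.keyStore with javax.net.ssl.keyStoreType=PKCS12, while root.crt goes into the trust store with the keytool -importcert command quoted in the thread.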
