Sorry for the long e-mail,

I'm trying to provide as much information as possible.

Someone else from my company generated a CA root certificate, a private key
and a certificate that was signed by the mentioned CA. We're using it in our
test environment with weblogic server and it works fine.

However, I'm trying to regenerate the certificates from scratch but I'm
having problems when I try to start the server. I would like to tell you
guys what I am doing and what kind of things are different from the current
certificates. Maybe you could help me to figure out what's wrong.

First, this is how I generate everything:

1. Create self-signed root certificate

   /usr/local/ssl/bin/openssl req -x509 \
   -newkey rsa:512 -keyout ./demoCA/private/cakey.pem \
   -out ./demoCA/cacert.pem -days 365

2. Create private key

   /usr/local/ssl/bin/openssl genrsa -out skntKey.pem 512

3. Create certificate request

   /usr/local/ssl/bin/openssl req -new -key skntKey.pem \
   -out skntReq.pem -verbose

4. Sign the certificate request

   /usr/local/ssl/bin/openssl ca -in skntReq.pem \
   -out skntCert.pem -days 365

By the way, I have the ./demoCA directory and the necessary subdirectories
and files (index.txt and serial)

The certificates are generated but they don't work when I try to use them
with my weblogic server (version 6.1). When I start the weblogic server with
the current certificates (the certificates that work fine) I can see the
following message:

<Aug 16, 2001 11:06:14 AM EDT> <Info> <WebLogicServer> <Certificate co
ntents: 2 certificate(s):
  fingerprint = ee8dae1fa03669a4bfa6fbaf2aab7227, not before = Sun Sep
 24 03:51:49 EDT 2000, not after = Mon Sep 24 03:51:49 EDT 2001, holde
r = C=US SP=New York L=New York O=Sakonnet Technology, LLC CN=Alarik M
yrin [EMAIL PROTECTED] , issuer = C=US SP=New York L=New York O=Sa
konnet Technology -- CA CN=Alarik Myrin [EMAIL PROTECTED] , key =
 modulus length=65 exponent length=3
  fingerprint = c35822593edb68ae0b011ad6d97eddbd, not before = Sun Sep
 24 03:51:15 EDT 2000, not after = Mon Sep 24 03:51:15 EDT 2001, holde
r = C=US SP=New York L=New York O=Sakonnet Technology -- CA CN=Alarik
Myrin [EMAIL PROTECTED] , issuer = C=US SP=New York L=New York O=S
akonnet Technology -- CA CN=Alarik Myrin [EMAIL PROTECTED] , key =
  modulus length=65 exponent length=3
>

One thing: I noticed that the organization in the first loaded certificate
is different from the organization in the second certificate, which is the
CA certificate. When I try to create my certificates, if I specify different
organizations I get an error message.

Now, when I try to start the server using the certificates that I generated
following the steps presented above, I get the following message:

<Aug 16, 2001 11:21:58 AM EDT> <Alert> <WebLogicServer> <Inconsistent
security configuration, java.lang.Exception: Problem with X509 certifi
cate: fingerprint = 2fa1718d4242cf9ce8ccca47e6259877, not before = Thu
 Aug 16 12:24:32 EDT 2001, not after = Fri Aug 16 12:24:32 EDT 2002, h
older = C=US SP=New York O=Sakonnet Technology, CA OU=Sakonnet Technol
ogy, LLC CN=PORKY [EMAIL PROTECTED] , issuer = C=US SP=New York L=N
ew York O=Sakonnet Technology, CA OU=Sakonnet Technology, CA CN=Andre
Mendonca [EMAIL PROTECTED] , key =  modulus length=65 exponent leng
th=3, java.lang.Exception: Certificate expired or not yet valid: finge
rprint = 2fa1718d4242cf9ce8ccca47e6259877, not before = Thu Aug 16 12:
24:32 EDT 2001, not after = Fri Aug 16 12:24:32 EDT 2002, holder = C=U
S SP=New York O=Sakonnet Technology, CA OU=Sakonnet Technology, LLC CN
=PORKY [EMAIL PROTECTED] , issuer = C=US SP=New York L=New York O=S
akonnet Technology, CA OU=Sakonnet Technology, CA CN=Andre Mendonca Em
[EMAIL PROTECTED] , key =  modulus length=65 exponent length=3>
java.lang.Exception: Problem with X509 certificate: fingerprint = 2fa1
718d4242cf9ce8ccca47e6259877, not before = Thu Aug 16 12:24:32 EDT 200
1, not after = Fri Aug 16 12:24:32 EDT 2002, holder = C=US SP=New York
 O=Sakonnet Technology, CA OU=Sakonnet Technology, LLC CN=PORKY Email=
[EMAIL PROTECTED] , issuer = C=US SP=New York L=New York O=Sakonnet Techn
ology, CA OU=Sakonnet Technology, CA CN=Andre Mendonca Email=andre@skn
t.com , key =  modulus length=65 exponent length=3, java.lang.Exceptio
n: Certificate expired or not yet valid: fingerprint = 2fa1718d4242cf9
ce8ccca47e6259877, not before = Thu Aug 16 12:24:32 EDT 2001, not afte
r = Fri Aug 16 12:24:32 EDT 2002, holder = C=US SP=New York O=Sakonnet
 Technology, CA OU=Sakonnet Technology, LLC CN=PORKY Email=andre@sknt.
com , issuer = C=US SP=New York L=New York O=Sakonnet Technology, CA O
U=Sakonnet Technology, CA CN=Andre Mendonca [EMAIL PROTECTED] , key
 =  modulus length=65 exponent length=3
        at weblogic.t3.srvr.SSLListenThread.insertIntoCAChain(SSLListe
nThread.java:290)
        at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.jav
a:414)
        at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.jav
a:300)
        at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java
:1039)
        at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:475)
        at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:197)
        at weblogic.Server.main(Server.java:35)


Notice that the organizations are the same in both certificates.

So, the first step would be to figure out whether I'm doing the right thing
generating the certificates. The person that created the first set of
certificates told me something about setting different names for the
organizations but I couldn't do that because of the error I got. Also, this
person will be unreachable for a while and right now I'm sort of running out
of ideas on how to do things differently.

I would appreciate any help.

Thanks in advance!

Regards,


---------------------------------
Andre Mendonca, Software Engineer
[EMAIL PROTECTED]
http://www.sknt.com

Sakonnet Technology, LLC
594 Broadway, Suite 1008
New York, NY 10012

Tel (212) 343-3170 x109
Fax (212) 343-3103


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
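
Added example, not part of the original message: a small Python check that rejoins the wrapped WebLogic console output quoted above and compares each message's own timestamp with the "not before" / "not after" window printed for the certificate, which is the comparison behind "Certificate expired or not yet valid". The function and constant names are made up for this example, and it assumes the log timestamp and the certificate dates are printed in the same time zone (EDT in both excerpts).

```python
import re
from datetime import datetime, timedelta

# Excerpts of the two console messages quoted in the e-mail, with the
# 70-column wrapping kept and the holder/issuer fields cut off.
WORKING = """<Aug 16, 2001 11:06:14 AM EDT> <Info> <WebLogicServer> <Certificate co
ntents: 2 certificate(s):
  fingerprint = ee8dae1fa03669a4bfa6fbaf2aab7227, not before = Sun Sep
 24 03:51:49 EDT 2000, not after = Mon Sep 24 03:51:49 EDT 2001, holde
"""
FAILING = """<Aug 16, 2001 11:21:58 AM EDT> <Alert> <WebLogicServer> <Inconsistent
security configuration, java.lang.Exception: Problem with X509 certifi
cate: fingerprint = 2fa1718d4242cf9ce8ccca47e6259877, not before = Thu
 Aug 16 12:24:32 EDT 2001, not after = Fri Aug 16 12:24:32 EDT 2002, h
"""

STAMP = re.compile(r"<(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\w+)>")
DATE = r"\w{3} (\w{3} +\d{1,2} [\d:]{8}) (\w+) (\d{4})"
VALIDITY = re.compile(
    r"fingerprint = ([0-9a-f]+), not before = " + DATE + ", not after = " + DATE)


def check_validity(log):
    """Return (fingerprint, status, gap) for each certificate in one message."""
    text = log.replace("\n", "")  # undo the hard wrap (words were split mid-token)
    stamp = STAMP.search(text)
    if stamp is None:
        raise ValueError("no message timestamp found")
    logged = datetime.strptime(stamp.group(1), "%b %d, %Y %I:%M:%S %p")
    results = []
    for fp, nb, zone1, year1, na, zone2, year2 in VALIDITY.findall(text):
        # Zone abbreviations are not converted, so refuse to compare mixed zones.
        if {zone1, zone2} != {stamp.group(2)}:
            raise ValueError("time zones differ; convert before comparing")
        start = datetime.strptime(f"{nb} {year1}", "%b %d %H:%M:%S %Y")
        end = datetime.strptime(f"{na} {year2}", "%b %d %H:%M:%S %Y")
        if logged < start:
            results.append((fp, "not yet valid", start - logged))
        elif logged > end:
            results.append((fp, "expired", logged - end))
        else:
            results.append((fp, "valid", timedelta(0)))
    return results


if __name__ == "__main__":
    for name, log in (("working", WORKING), ("failing", FAILING)):
        for fp, status, gap in check_validity(log):
            print(f"{name}: {fp} {status} (gap {gap})")
```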
