I am having trouble setting up SSL for our solution. I got a free 14-day trial certificate from Verisign, since the keytool that comes with the JRE trusts certificates from Verisign. I followed the instructions here: http://www.servoy.com/generic.jsp?mt=396&taxonomy_id=572
My experience is the same as the post linked to above, but I am already using a certificate that is trusted by default by the JRE. The instructions on Verisign’s web site for setting up SSL are very complicated and badly written.
Can anyone tell me what steps need to be performed that aren’t mentioned in the instructions in the first link above?
Do you get the same error as the other post? Because that’s really saying that the JDK does not trust a certificate in the chain (probably the root cert). Parties like Verisign may have multiple different roots.
You can check which certs are in your JDK using keytool:
Yes, I get the same error as the second link I posted. I am using the JRE, not the JDK. Does that make a difference? The solution runs fine with only the JRE.
I tried
```
keytool -list -keystore C:\Program Files\Java\jre1.5.0_05\lib\security\cacerts
```
My name is Jonathan, and I am actually a VeriSign Technical Support Rep. I apologize for the difficulty that you are having installing the trial certificate.
You will receive the "keytool error: Failed to establish chain from reply" error if you do not import BOTH the trial intermediate and the trial root CA certificates into your keystore prior to importing the trial SSL certificate. The trial SSL certificate is only used for testing purposes, and is not signed by a valid root certificate. For this reason, keytool will not automatically trust this certificate, or the certificates that it signs. The Trial Root and the Trial Intermediate both need to be imported into the keystore to establish the certificate chain, first.
They are located at the bottom of the page, underneath Trial CA Certificates
Please keep in mind that you only need to import the root certificate when importing the trial certificate. Our full time certificates are signed by a valid root certificate, so the root does not need to be pre-installed in your trust store.
Thanks for your post, Jonathan. I went to the second link you posted and saved the text provided for the root and intermediate certificate files into .cer files called intermediateCA.cer and rootCA.cer. Then, I imported those .cer files into my keystore with
Notice that I used a different alias for each of the two imports, root and root2. They were also different than the alias I used to generate my keystore file.
Then I imported the certificate I got from Verisign with
I put my keystore file in my \server\conf folder. I had to enter an absolute path in the Servoy admin page (and it had to be in quotes because there are spaces). If I tried to use a relative path, Servoy would not start.
Now Servoy is running and the Servoy admin page says SSL initialized ok, but my web site and solution are still using http, not https. What else do I need to do?
Yes, I get a “Page cannot be displayed” alert. I never specified an https port, so I assume it’s using 443.
I ran the command in your last post. It listed all the certs and they all appear to be ok. It lists 4 entries. It should actually be 3, but I accidentally added the trial root cert twice. The entry for my SSL cert has a certificate chain length of 3.
I just thought of something. I created my keystore with the domain name of my web site as the common name, but I have been testing SSL on a copy of the website running on my own PC using http://localhost.
Will I only get the web site to use https if I access the web site using the domain name in the keystore?
Solved. Here’s what I needed to do. A quick Google search turned up http://www.servoyguy.com/knowledge_base/servoy_application_server/how_do_i_enable_https_on_servoy_webclient_for_ssl_for_port_
I did what the link above says and now SSL is working.
One catch: the port specified in the link above is 8443. I think that’s a typo. I used 443 instead.
Whenever I change a url on my web site from http://…. to https://…, my browser gives me a warning that the certificate and the web site url do not match. This is normal and to be expected because I created my keystore using my web site’s domain name and I am testing it on my PC using http://localhost instead. Once I move everything to my main server, I won’t get any warnings.
I did as Adam described.
I also used root2 like he did, otherwise I got an error
But when I retried step 4 of the Servoy manual (adding my own certificate), the same error about ‘chain reply’ still occurs.
So there is still something wrong.
Is there an update of that part of the manual available?
I really don’t know anything about certificates, but I have to use them because my customer forces me to.
If you’re getting a chain reply error, it’s because you haven’t yet imported one or more certificates that you need.
Are you using a trial certificate or one that has been paid for? What certificate authority did you get your certificate from? Trial certs usually require you to import an extra certificate before you can import the real one.
This command shows you what certificates your keytool will accept.
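The import order discussed in this thread, as an added example that is not part of the original posts: a shell script that builds a throwaway root, intermediate and server certificate with keytool, shows the reply being rejected while the CA certificates are missing, then imports them and the reply. The DNs, the password, the keystore file names and the `inter`/`server` aliases are assumptions; `rootCA.cer`, `intermediateCA.cer`, `root` and `root2` follow the names used above.

```shell
#!/bin/sh
# Constructed demo chain (root -> intermediate -> server) built with keytool.
# It stands in for the trial root/intermediate files; nothing here is a real CA.
PASS=changeit   # throwaway demo password (assumption)

kt() { keytool -J-Duser.language=en -storepass "$PASS" "$@" </dev/null; }

newkey() {      # $1 keystore, $2 alias, $3 subject DN, then extra options
  ks=$1 al=$2 dn=$3; shift 3
  kt -genkeypair -keystore "$ks" -alias "$al" -dname "$dn" -keypass "$PASS" \
     -keyalg RSA -keysize 2048 -validity 30 "$@"
}

make_chain() {  # writes rootCA.cer, intermediateCA.cer and server.cer to the cwd
  newkey ca.keystore root "CN=Demo Trial Root" -ext bc:c
  newkey ca.keystore inter "CN=Demo Trial Intermediate" -ext bc:c
  newkey server.keystore server "CN=www.example.test"
  kt -exportcert -keystore ca.keystore -alias root -rfc -file rootCA.cer
  # The root signs the intermediate's request.
  kt -certreq -keystore ca.keystore -alias inter -file inter.csr
  kt -gencert -keystore ca.keystore -alias root -ext BC=0 -rfc \
     -infile inter.csr -outfile intermediateCA.cer
  # The intermediate's key signs the server's request: this is the reply.
  # intermediateCA.cer is kept out of ca.keystore on purpose, so server.cer
  # holds one certificate, like a bare reply from a CA.
  kt -certreq -keystore server.keystore -alias server -file server.csr
  kt -gencert -keystore ca.keystore -alias inter -rfc \
     -infile server.csr -outfile server.cer
}

import_ca_certs() {   # root first, then intermediate, each under its own alias
  kt -importcert -noprompt -keystore server.keystore -alias root -file rootCA.cer &&
  kt -importcert -noprompt -keystore server.keystore -alias root2 -file intermediateCA.cer
}

import_reply() {      # non-zero exit if no chain to a trusted root can be built
  kt -importcert -noprompt -keystore server.keystore -alias server -file server.cer
}

chain_length() {      # prints the chain length stored for the server entry
  kt -list -v -keystore server.keystore -alias server |
    sed -n 's/^Certificate chain length: //p'
}

# Usage: sh demo.sh run   (work happens in a fresh temporary directory)
if [ "${1:-}" = run ]; then
  cd "$(mktemp -d)" && make_chain
  import_reply || echo "reply rejected: CA certificates not imported yet"
  import_ca_certs && import_reply && echo "chain length: $(chain_length)"
fi
```

The reply must be imported under the same alias that generated the key pair and the certificate request, while the CA certificates go under aliases of their own.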