Keystore and cacerts update


Michaël COINDEAU

Jun 3, 2019, 10:29:19 AM
to Payara Forum
Hi,

We're experiencing issues with certificates on our domain and it seems that our cert chain is out of date.

The cacerts.jks and keystore.jks files are the original versions from Payara 4 (when we created the domain, in July 2017). We upgraded the appserver to 5.191 but kept the domain files.
How do we update those files? Is it possible to blindly overwrite the files with the jks bundled in the 5.191 distribution, or is there another way to "upgrade" the cert chain?

ondrej....@gmail.com

Jun 3, 2019, 6:13:57 PM
to Michaël COINDEAU, Payara Forum

If you don't have any custom keys in those files then yes, you can just copy keystore.jks and cacerts.jks from a default 5.192 domain.

Ondrej Mihalyi

Michaël COINDEAU

Jun 4, 2019, 5:11:35 AM
to Payara Forum
Thanks for your answer. I spent a few hours yesterday on this issue, considering I had secure-admin activated. I solved it this way:
  • Had 2 certificates with the server machine name (aliases were glassfish_instance and s1as), so I thought I had to migrate them from my old cacerts.jks file. Was it necessary?
  • Opened the old cacerts.jks with KeyStore Explorer, exported the glassfish_instance and s1as caroots as .cer files.
  • Opened the 5.192 cacerts.jks, removed the 2 caroots and imported them with the same aliases.
  • On the domain, overwrote the old cacerts.jks with the "patched" 5.192 one, and changed its password to match the domain password:
keytool -storepasswd -new MYDOMAINPASSWORD -keystore cacerts.jks -storepass changeit
  • The keystore.jks remains unchanged.
  • Restarted the domain.
-> No more warnings at startup about expired certificates, and the "unable to find valid certification path to requested target" error I had when using httpclient on https targets with LetsEncrypt certificates went away, :yatta:

I'm far from my usual skills so I might have done extra/unnecessary steps; wanted to share my experience and know if I fixed it in a "heretic" way ; )
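The migration described in the post above, done with the JDK's own KeyStore API instead of KeyStore Explorer, as an added example that is not from the thread or from Payara: it copies the two trusted-certificate entries (aliases glassfish_instance and s1as, as named in the post) from the old cacerts.jks into a fresh 5.192 cacerts.jks, skips any that are already expired, and writes the result under the domain password, which replaces the separate keytool -storepasswd step. File paths and passwords are passed on the command line and are assumptions.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.CertificateExpiredException;
import java.security.cert.X509Certificate;

// Usage (assumed paths): java MigrateTrustedCerts old/cacerts.jks changeit \
//     new-5.192/cacerts.jks changeit domain1/config/cacerts.jks MYDOMAINPASSWORD
public class MigrateTrustedCerts {
    // Aliases taken from the thread; everything else here is an assumption.
    static final String[] ALIASES = {"glassfish_instance", "s1as"};

    public static void main(String[] args) throws Exception {
        if (args.length != 6) {
            System.err.println("usage: oldStore oldPass newStore newPass outStore outPass");
            System.exit(2);
        }
        KeyStore src = load(args[0], args[1]);   // old cacerts.jks (Payara 4 era)
        KeyStore dst = load(args[2], args[3]);   // fresh cacerts.jks from the 5.192 distribution

        for (String alias : ALIASES) {
            if (!src.isCertificateEntry(alias)) {
                System.out.println("skip " + alias + ": not a trusted-certificate entry in old store");
                continue;
            }
            X509Certificate cert = (X509Certificate) src.getCertificate(alias);
            try {
                cert.checkValidity();           // an expired trust anchor would only reproduce the startup warning
            } catch (CertificateExpiredException e) {
                System.out.println("skip " + alias + ": expired on " + cert.getNotAfter());
                continue;
            }
            if (dst.containsAlias(alias)) {
                dst.deleteEntry(alias);         // replace the bundled entry, keeping the same alias
            }
            dst.setCertificateEntry(alias, cert);
            System.out.println("copied " + alias + ": " + cert.getSubjectX500Principal()
                    + ", valid until " + cert.getNotAfter());
        }
        // Writing the store with the domain password is the equivalent of keytool -storepasswd.
        try (FileOutputStream out = new FileOutputStream(args[4])) {
            dst.store(out, args[5].toCharArray());
        }
    }

    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }
}
```

Run it against a copy of the new cacerts.jks, then check the result with keytool -list before placing it in the domain's config directory.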

Ondro Mihályi

Jul 5, 2019, 6:50:17 PM
to Payara Forum
Hi Michael,

I'm glad you were able to resolve your issues. I'm not sure if it was needed to migrate those 2 certificates. If you were using generated or self-signed certificates before, then it wasn't necessary. If you were using certificates issued by an authority, then it was needed. But the best practice is to install such certificates under a different alias in the key store, so I assume this wasn't the case.

The steps you did make sense. There's no support in Payara Server to help with modifying the certificate stores, so it can only be done manually. You can use either the keytool command or any other external application like KeyStore Explorer.

All the best,
Ondro