The GridShib CA jar file (GridShibCA-<version>.jar) contains a set of CA certificates that it uses to validate the https connection back to the web server from which it was launched. If the CA certificate used to sign your web server's certificate is not in the shipped jar, your users will either see an error like the following or, with version 0.4.0 or later of GridShib-CA, be prompted to proceed:
Fatal Error: IO Error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
To correct this, you will need to add the CA for your web server certificate to the GridShib-CA jar file and then re-sign the jar file with a local signing credential. For the signing credential, any X.509 certificate and private key will do, though you want one with a sufficiently long lifetime so that you don't have to re-sign the jar often (i.e. don't use a short-lived certificate from MyProxy or KCA, but a certificate with a year's lifetime).
For this process, you will need:
The following java applications: keytool, jar, jarsigner
Your CA certificate in PEM format.
A signing credential (an X.509 certificate and private key) to sign the new jar containing your web server's CA.
The openssl application to convert your signing credential to PKCS12 format.
A number of java applications echo passwords to the screen as they are typed, so be aware of this as you proceed and be wary of doing this process in a public place.
All of these commands assume you are running in the directory created by unpacking the GridShibCA tarball (typically "gridshib-ca-0.3.0-alpha/" or something similar).
Convert the credential you will use to sign the new jar to PKCS12 format. In this case it is assumed the credential is in your ~/.globus directory with the default names (usercert.pem for the certificate and userkey.pem for the key) - if not you will need to adjust the following command accordingly. The first password you will be prompted for is the existing password for your private key. The second (and third) password you will be prompted for is a new password you create to protect the PKCS12 store (you can reuse your current private key password if you wish).
% openssl pkcs12 -export -in ~/.globus/usercert.pem -inkey ~/.globus/userkey.pem -name default -out mycred.pkcs12
Enter pass phrase for /Users/vwelch/.globus/userkey.pem:
Enter Export Password:
Verifying - Enter Export Password:
Now add your CA certificate to the trustStore that comes with the GridShib CA distribution. This command assumes your CA certificate is in a PEM formatted file called "myca-cert.0". The storepass is not used for anything, but has to be supplied to keytool, so a dummy value ("abcdef") is used.
% keytool -import -keystore resources/trustStore -noprompt -alias "MyCA" -storepass abcdef -file myca-cert.0
Certificate was added to keystore
You can repeat this step as needed to add multiple CA certificates (in case you want to use the same jar with multiple web servers); you just need to use a unique argument to -alias for each CA certificate.
Now update the GridShibCA jar file with the updated trust store.
% mv GridShibCA-0-5-1.jar GridShibCA-0-5-1.jar.modified
% jar uf GridShibCA-0-5-1.jar.modified resources/trustStore
Now re-sign the jar with the PKCS12 store you created in step two (the openssl command above). Use the password you created in step two (the "Export Password").
% jarsigner -keystore mycred.pkcs12 -storetype pkcs12 -signedjar GridShibCA-0-5-1.jar GridShibCA-0-5-1.jar.modified default
Enter Passphrase for keystore:
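The four steps above collected into one script, as an added example that is not part of the GridShib-CA distribution. The file names default to the ones used on this page (GridShibCA-0-5-1.jar, resources/trustStore, myca-cert.0, mycred.pkcs12, the ~/.globus credential) and can be overridden with environment variables. Two things are this example's own additions: the passwords are passed with the env:VAR forms of openssl and jarsigner (the P12_PASS and KEY_PASS variable names are assumptions) so they are neither echoed nor visible in the process list, and a final verify_jar function checks that the resulting jar verifies and actually carries the imported CA alias before you hand it to users.

```shell
#!/bin/sh
# Added example (not from GridShib-CA): re-sign the GridShibCA jar with an
# extra CA certificate, then verify the result. Defaults are the file names
# used on this page; P12_PASS / KEY_PASS and verify_jar are this example's own.
set -e

: "${JAR:=GridShibCA-0-5-1.jar}"                 # jar shipped with GridShib-CA
: "${TRUSTSTORE:=resources/trustStore}"          # truststore inside the jar
: "${CA_CERT:=myca-cert.0}"                      # your web server's CA, PEM format
: "${CA_ALIAS:=MyCA}"                            # must be unique per imported CA
: "${SIGNER_CERT:=$HOME/.globus/usercert.pem}"   # long-lived signing certificate
: "${SIGNER_KEY:=$HOME/.globus/userkey.pem}"     # and its private key
: "${P12:=mycred.pkcs12}"                        # PKCS12 store produced in step 1
STOREPASS=abcdef   # dummy truststore password, as on the page; never checked

# Step 1: convert the signing credential to PKCS12. The export password comes
# from the P12_PASS environment variable (assumed name); the key passphrase is
# prompted for interactively unless KEY_PASS (assumed name) is set.
make_pkcs12() {
  [ -n "${P12_PASS:-}" ] || { echo "set P12_PASS to the PKCS12 export password" >&2; return 1; }
  openssl pkcs12 -export -in "$SIGNER_CERT" -inkey "$SIGNER_KEY" \
    ${KEY_PASS:+-passin env:KEY_PASS} -passout env:P12_PASS \
    -name default -out "$P12"
}

# Step 2: add the CA certificate to the shipped truststore (creates it if absent).
add_ca_to_truststore() {
  keytool -import -keystore "$TRUSTSTORE" -noprompt -alias "$CA_ALIAS" \
    -storepass "$STOREPASS" -file "$CA_CERT"
}

# Step 3: rename the original jar and put the updated truststore into it.
update_jar() {
  mv "$JAR" "$JAR.modified"
  jar uf "$JAR.modified" "$TRUSTSTORE"
}

# Step 4: re-sign with the PKCS12 credential; the signed jar gets the original name.
sign_jar() {
  jarsigner -keystore "$P12" -storetype pkcs12 -storepass:env P12_PASS \
    -signedjar "$JAR" "$JAR.modified" default
}

# Added check: the signed jar must verify, and the truststore it carries must
# contain the alias we imported. Returns non-zero if either condition fails.
verify_jar() {
  out=$(jarsigner -verify "$JAR" 2>&1) || return 1
  case "$out" in
    *"jar verified"*) ;;
    *) echo "$out" >&2; return 1 ;;
  esac
  jarabs=$(cd "$(dirname "$JAR")" && pwd)/$(basename "$JAR")
  tmp=$(mktemp -d)
  ( cd "$tmp" && jar xf "$jarabs" "$TRUSTSTORE" )
  if keytool -list -keystore "$tmp/$TRUSTSTORE" -storepass "$STOREPASS" \
       -alias "$CA_ALIAS" >/dev/null 2>&1; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

resign_gridshib_jar() {
  make_pkcs12 && add_ca_to_truststore && update_jar && sign_jar && verify_jar
}

# Run the whole procedure only when invoked as:  P12_PASS=... sh resign.sh run
if [ "${1:-}" = "run" ]; then
  resign_gridshib_jar
fi
```

Run it from the unpacked tarball directory with P12_PASS exported; the jarsigner and openssl prompts from the page then do not appear, which also sidesteps the password-echo problem noted above. The .modified jar is left behind unsigned on purpose: verify_jar returns non-zero for it, which is a handy way to confirm the check is doing something.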