-1

I am an java developer not an web server/IT infra guy so i dont know wether I am asking this question correctly or not, So i apologies if I am wrong somewhere.

Previously we are having an spring web application deployed on Glassfish server later on we decided to apply SSL certificate to it and our IT infra team installed certificate on Glassfish server. after this whenever we tried to acces out website on browser like say Mozila This showing me this screen:

enter image description here

When I Click "I understand the risk" then only its get start working. But I dont think this is the right. Oher sites which having SSL never asks me like this. Is there anything that we are missing?

Another thing I want to mention I have java desktop application in which I pass URL (https://com.app.com/applicationName/execute/doAction) to DefaultHttpClient then its giving me error peer not authenticated (I posted same question on StackOverFlow) so to solve this I imported .cer file into java keystore where the desktop application is running and after this error is resolved. Is this the correct to install .cer file on each server/java that wants to hti URL

suppose in feuture if someother production server needs to hit this URL to pass data then again we need to import .cer file to that server's jre? I tried with pass other URL which working on SSL they dont need to import there .cer in my jre.

Community
  • 1
user1372488
  • 121
  • 1
  • 1
  • 9

1 Answers1

1

The problem here is two-fold:

  • You need to ensure that the certificate you are using can be verified from the server certificate (the one you expose) to the root CA. In Java application servers, this usually means that you use a keystore to store the private key and the matching server certificate, and a truststore to store CAs (certificate authorities). This CAs can be third-party CAs in the case of a purchased certificate, or private CAs.

  • On the client side, the browser will attempt to walk all the chain of trust from the exposed server cert to the signing CA, and will try to find that CA in its own trustore. If that CA is not already in the browser truststore (the usual case being a self-signed certificate, or a private CA), you will receive a warning (connection untrusted).

To understand in more depth how does this work, review the Wikipedia article on PKI.

dawud
  • 15,096
  • 3
  • 42
  • 61