Sun GlassFish Enterprise Server v3 Release Notes

Expired certificate in Enterprise Server truststore (Issue 6852796)

Description

One of the authority certificates in the Enterprise Server truststore expired on January 7, 2010. The certificate is stored in the truststore file cacerts.jks. An error message is generated on startup indicating that the certificate has expired:


Version: V1
  Subject: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
  Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2

  Key:  SunPKCS11-Solaris RSA public key, 1000 bits (id 17891456, session object)
  modulus: 
  public exponent: 
  Validity: [From: Tue Nov 08 19:00:00 GMT-05:00 1994,
               To: Thu Jan 07 18:59:59 GMT-05:00 2010]
  Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
  SerialNumber: [    02ad667e 4e45fe5e 576f3c98 195eddc0]

For more information, see Issue report.

Workaround

The expired authority certificate was removed in update 18 of Java SE 6. It will also be removed from the Enterprise Server truststore in a future update.

You can ignore the error messages and use the update, or you can eliminate the error messages. To stop receiving the error messages, use keytool to remove the certificate from the Enterprise Server truststore:


=> cd domains/domainX/config
=> cp cacerts.jks cacerts.jks.save
=> keytool -delete -keystore cacerts.jks -alias verisignserverca
Enter keystore password:

To prevent the expired certificate from reappearing in subsequently created domains, the certificate should also be removed from the template truststore:


=> cd glassfish/lib/templates
=> cp cacerts.jks cacerts.jks.save
=> keytool -delete -keystore cacerts.jks -alias verisignserverca
Enter keystore password:

For more information about the keystore password, see the information about master passwords and keystores in Authentication in Sun GlassFish Enterprise Server v3 Administration Guide.
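
The following is an added example, not part of the release notes or of Enterprise Server: a Python sketch that scans certificate dumps in the format of the startup message above and reports entries whose validity period has ended. The function names are hypothetical, and the sample input is the dump from this page with the key lines omitted.

```python
import re
from datetime import datetime, timedelta, timezone

# Sample input: the certificate dump shown in the startup message above.
SAMPLE = '''Version: V1
  Subject: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
  Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2
  Validity: [From: Tue Nov 08 19:00:00 GMT-05:00 1994,
               To: Thu Jan 07 18:59:59 GMT-05:00 2010]
  Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
  SerialNumber: [    02ad667e 4e45fe5e 576f3c98 195eddc0]
'''

# One dump entry: the Subject line, then the "To:" end of its Validity field.
_ENTRY = re.compile(r"Subject: (?P<subject>[^\n]+).*?To: (?P<to>[^\]]+)\]", re.S)
# Timestamp such as "Thu Jan 07 18:59:59 GMT-05:00 2010"; the offset is optional.
_STAMP = re.compile(
    r"\w{3} (\w{3} \d{2} \d{2}:\d{2}:\d{2}) GMT(?:([+-]\d{2}):(\d{2}))? (\d{4})")


def parse_stamp(text):
    """Convert a dump timestamp to a timezone-aware datetime."""
    m = _STAMP.fullmatch(text.strip())
    if m is None:
        raise ValueError("unrecognised timestamp: %r" % text)
    body, hours, minutes, year = m.groups()
    # %b expects English month names (the default C locale).
    naive = datetime.strptime(body + " " + year, "%b %d %H:%M:%S %Y")
    if hours is None:
        offset = timedelta(0)
    else:
        sign = -1 if hours.startswith("-") else 1
        offset = timedelta(hours=int(hours), minutes=sign * int(minutes))
    return naive.replace(tzinfo=timezone(offset))


def expired_entries(dump, now=None):
    """Return (subject, not_after) for each certificate already expired at `now`."""
    now = now or datetime.now(timezone.utc)
    found = []
    for m in _ENTRY.finditer(dump):
        not_after = parse_stamp(m.group("to"))
        if not_after < now:
            found.append((m.group("subject").strip(), not_after))
    return found


if __name__ == "__main__":
    for subject, not_after in expired_entries(SAMPLE):
        print("expired %s: %s" % (not_after.isoformat(), subject))
```

Running the same check after the keytool deletion, against a fresh startup log, confirms that no expired entry is still being reported.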