Environment
- Windows 10 Pro 64bit version 1909
- GitBash (mintty 3.1.0)
- Payara Server 5.194
server.log
[2020-04-22T17:36:57.020+0900] [Payara 5.194] [?x??] [NCLS-SECURITY-05054] [javax.enterprise.system.security.ssl] [tid: _ThreadID=54 _ThreadName=admin-thread-pool::admin-listener(1)] [timeMillis: 1587544617020] [levelValue: 900] [[
The SSL certificate has expired: [
[
Version: V3
Subject: CN=Staat der Nederlanden Root CA - G2, O=Staat der Nederlanden, C=NL
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 4096 bits
modulus: 8051226021100838930438588........
public exponent: 65537
Validity: [From: Wed Mar 26 20:18:17 JST 2008,
To: Wed Mar 25 20:03:10 JST 2020]
Issuer: CN=Staat der Nederlanden Root CA - G2, O=Staat der Nederlanden, C=NL
SerialNumber: [ 98968c]
Certificate Extensions: 4
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
[2]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 31 68 74 74 70 3A 2F 2F 77 77 77 2E 70 6B 69 .1http://www.pki
0010: 6F 76 65 72 68 65 69 64 2E 6E 6C 2F 70 6F 6C 69 overheid.nl/poli
0020: 63 69 65 73 2F 72 6F 6F 74 2D 70 6F 6C 69 63 79 cies/root-policy
0030: 2D 47 32 -G2
]] ]
]
...abridgement...
What to do when SEC5054: Certificate has expired in Java EE GlassFish - Qiita
What is cacerts.jks?
The trust store (the "trust" store) stores only certificates that are trusted by the client. These certificates are CA root certificates, or self-signed certificates. When you install the logical host, you will find a truststore file named cacerts.jks in the following location: <c:\JavaCAPS>\appserver\domains<MyDomain>\config
Keystore and Truststore (Java CAPS configuration with SSL support)
Even if I open cacerts.jks with an editor, I can't read it ... so I use the keytool utility.
Before you start: To run the keytool utility, you need to configure your shell environment to include the J2SE /bin directory in your path. If not, you must specify the full path of the utility on the command line.
Certificate Generation with keytool (Sun GlassFish Enterprise Server v3 Administration Guide)
$ java -version
java version "1.8.0_231"
Java(TM) SE Runtime Environment (build 1.8.0_231-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.231-b11, mixed mode)
It seems that information can be displayed with keytool -list -v -keystore cacerts.jks.
The -list command prints the MD5 fingerprint of the certificate by default. The -v option prints the certificate in a human-readable format. On the other hand, if the -rfc option is specified, the certificate is output in the printable encoding format.
-storepass storepass: Specify the password used to protect the integrity of the keystore.
keytool - Key and certificate management tool
And the password information was introduced on the following site:
Master password is "changeit"
What to do when SEC5054: Certificate has expired in Java EE GlassFish - Qiita
# Printing to the screen produces a lot of output, so redirect to a file if you want all of it
$ keytool -list -v -keystore cacerts.jks -storepass changeit
alias: cert_92_ca_disig_root_r192
Created date: 2018/01/23
Entry type: trustedCertEntry
owner: CN=CA Disig Root R1, O=Disig a.s., L=Bratislava, C=SK
Issuer: CN=CA Disig Root R1, O=Disig a.s., L=Bratislava, C=SK
Serial number: c3039aee50906e28
Validity start date: Thu Jul 19 18:06:56 JST 2012 end date: Sat Jul 19 18:06:56 JST 2042
...abridgement...
# Only the "alias" and "Validity" lines are needed to check the expiration dates, but that is still a fair amount of output
$ keytool -list -v -keystore cacerts.jks -storepass changeit | grep -e 'alias' -e 'Validity'
alias: cert_115_staat_der_nederlanden_root_ca___g3115
Validity start date: Thu Nov 14 20:28:42 JST 2013 end date: Tue Nov 14 08:00:00 JST 2028
alias: ssl.comrootcertificationauthorityrsa
Validity start date: Sat Feb 13 02:39:39 JST 2016 end date: Wed Feb 13 02:39:39 JST 2041
alias: cert_21_xramp_global_ca_root21
...abridgement...
# 1. Move to the directory containing cacerts.jks
$ cd /c/apps/payara5/glassfish/domains/domain1/config/
# 2. Back up cacerts.jks
$ cp cacerts.jks cacerts.jks.bak
$ ls -la | grep cacerts
-rw-r--r--1 ponsuke 1049089 380598 November 29 20:05 cacerts.jks
-rw-r--r--1 ponsuke 1049089 380598 April 23 13:29 cacerts.jks.bak
# 3. Grep for the aliases of certificates that expired before 2020
$ keytool -list -v -keystore cacerts.jks -storepass changeit | grep -e 'alias' -e 'Validity' | grep -B 1 '201[0-9]$'
alias: entrust2048ca
Validity start date: Sat Dec 25 02:50:51 JST 1999 End date: Wed Dec 25 03:20:51 JST 2019
# 4. Grep for the aliases of certificates that expired in 2020
$ keytool -list -v -keystore cacerts.jks -storepass changeit | grep -e 'alias' -e 'Validity' | grep -B 1 '2020$'
alias: staatdernederlandenrootca-g2
Validity start date: Wed Mar 26 20:18:17 JST 2008 end date: Wed Mar 25 20:03:10 JST 2020
--
alias: equifaxsecureebusinessca1
...abridgement...
# 5. Delete the certificates that expired before 2020
$ keytool -delete -keystore cacerts.jks -storepass changeit -alias entrust2048ca
# 6. Delete the most recently expired certificates, the ones that expired in 2020
$ keytool -delete -keystore cacerts.jks -storepass changeit -alias staatdernederlandenrootca-g2
$ keytool -delete -keystore cacerts.jks -storepass changeit -alias equifaxsecureebusinessca1
...abridgement...
# 7. Restart Payara
$ asadmin restart-domain domain1
Successfully restarted the domain
Command restart-domain executed successfully.
# 8. Check server.log to see whether any expired certificates remain
$ tail ../logs/server.log
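
The grep in steps 3 and 4 selects entries by the year at the end of the line, so it cannot separate an entry that has already expired from one whose end date falls later in the same year. As an added example (not part of the original article), the helper below compares each entry's full end date against a cutoff day; the function names, the YYYYMMDD cutoff format and the last sample entry are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: list truststore aliases whose end date is before a cutoff.
# Reads `keytool -list -v` output on stdin; CUTOFF is YYYYMMDD.
# Accepts the labels shown in this article ("alias:", "Validity ...") and the
# English-locale ones ("Alias name:", "Valid from: ... until: ...").
# Comparison is by calendar day; the time of day and zone are ignored.
expired_aliases() {
    awk -v cutoff="$1" '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = i
        }
        { sub(/\r$/, "") }                 # keytool on Windows emits CRLF
        /^[Aa]lias( name)?:/ {
            alias = $0
            sub(/^[^:]*:[ \t]*/, "", alias)  # keep aliases that contain spaces
            next
        }
        /^Valid/ && NF >= 6 && ($(NF-4) in mon) {
            # The last six fields are the end date: Wed Mar 25 20:03:10 JST 2020
            enddate = sprintf("%04d%02d%02d", $NF, mon[$(NF-4)], $(NF-3))
            if (enddate + 0 < cutoff + 0) print alias
        }
    '
}

# Constructed sample listing. The first three entries reuse aliases and dates
# quoted in the article; the last alias and its dates are made up.
sample_listing() {
    cat <<'EOF'
Alias name: entrust2048ca
Valid from: Sat Dec 25 02:50:51 JST 1999 until: Wed Dec 25 03:20:51 JST 2019
Alias name: staatdernederlandenrootca-g2
Valid from: Wed Mar 26 20:18:17 JST 2008 until: Wed Mar 25 20:03:10 JST 2020
Alias name: cert_92_ca_disig_root_r192
Valid from: Thu Jul 19 18:06:56 JST 2012 until: Sat Jul 19 18:06:56 JST 2042
Alias name: example-valid-until-dec-2020
Valid from: Tue Dec 21 00:00:00 JST 2010 until: Mon Dec 21 00:00:00 JST 2020
EOF
}

# Cutoff 2020-04-23: prints entrust2048ca and staatdernederlandenrootca-g2,
# but not the entry that a bare "2020$" match would also have selected.
sample_listing | expired_aliases 20200423

# Against the real store (run in the directory holding cacerts.jks):
#   keytool -list -v -keystore cacerts.jks -storepass changeit |
#       expired_aliases "$(date +%Y%m%d)"
```

Review the printed aliases before passing any of them to keytool -delete, and keep the cacerts.jks.bak copy from step 2 until the server log is clean.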