I'm not too familiar with JBoss, is it within Tomcat?  If so, what does
your server.xml connector snippet look like?

-----Original Message-----
From: Robert Hall [mailto:[EMAIL PROTECTED] 
Sent: Monday, April 12, 2004 8:06 PM
To: Tomcat Users List
Subject: Re: help needed - keytool import of CA certs

Arthur,

Thanks for the reply.  Yes, the hostname.crt file is a signed
certificate.
I've tried importing both with and without the -trustcacerts parameter,
the imports are successful, but I get the following exception in
JBoss-3.2.3/Tomcat-4.1.29:

16:23:59,561 ERROR [PoolTcpEndpoint] Endpoint [SSL: ServerSocket[addr=/0.0.0.0,port=0,localport=8753]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:152)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:387)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:569)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:677)
        at java.lang.Thread.run(Thread.java:536)

Thanks,
Robert

D'Alessandro, Arthur wrote:

>Robert,
>First thing, tomcat looks for the user's home folder of whoever is running
>tomcat for .keystore; if this is not available, or you wish to move the
>keystore, you can state so in the Connector within server.xml.
>
>Another thing, the password defaults to 'changeit', if you wish to have
>an alternative password, you will need to specify again within the
>connector element.
>
>Third, you appear to be using the trustcacerts, is the cert you specify
>in hostname.crt the CA root cert (local CA) or the signed certificate?
>From your description, I assume it is the signed valid cert from
>Verisign.
>
>Off the top of my head, I don't remember the need for the
>'-trustcacerts'
>
>This is a good site that may help as well:
>http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html
> 
>
>-----Original Message-----
>From: Robert Hall [mailto:[EMAIL PROTECTED] 
>Sent: Monday, April 12, 2004 6:56 PM
>To: Tomcat Users List
>Subject: help needed - keytool import of CA certs
>
>I've been floundering for too many hours/days having ventured into the
>java/keytool/keystore/CAcert realm for the first time to produce a
>CA signed certificate for JBoss/Tomcat.
>
>We have a Verisign/RSA cert, hostname.crt that produces the following
>when imported using 'keytool':
>
>$ keytool -import -trustcacerts -file hostname.crt -keystore hostname.keystore
>Enter keystore password:  secret
>Owner: CN=hostname.berkeley.edu, OU=MY-ORG-UNIT, O="University of California, Berkeley", L=Berkeley, ST=California, C=US
>Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
>Serial number: 63ba7416f9d061ad65db8b61554bd8c3
>Valid from: Wed Aug 13 17:00:00 PDT 2003 until: Fri Aug 13 16:59:59 PDT 2004
>Certificate fingerprints:
>         MD5:  05:A7:B1:17:6B:C2:0B:FA:9A:B9:80:22:6A:B0:96:6B
>         SHA1: B9:34:D0:58:C4:9C:01:CD:C1:05:D9:FD:C1:D1:45:43:E3:6C:17:1A
>Trust this certificate? [no]:  yes
>Certificate was added to keystore
>
>And if you're still reading, some questions:
>
>1. Should the "Trust this certificate?" prompt appear if a corresponding
>    CA cert entry exists in $JAVA_HOME/jre/lib/security/cacerts ?
>
>2. Is it necessary to go through the CSR (Certificate Signing Request)
>    process when you already have a server cert file?
>
>3. What else is needed in addition to an existing server cert file if
>    you don't have to go through the CSR process?
>
>Thanks,
>Robert
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
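
An added example, not part of the original thread: a shell check for one common cause of the "No available certificate" exception quoted above, namely a keystore that holds only trusted-certificate entries and no private key. The function name, the sample listings and the alias "tomcat" are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `keytool -list` output on stdin and prints one
# "alias<TAB>kind" line per entry.
# Exit status: 0 = a private-key entry exists, 1 = trusted certificates only,
# 2 = no entries recognised.
keystore_entry_report() {
    awk '
        # Entry lines look like "mykey, Apr 12, 2004, trustedCertEntry,".
        # Older JDKs print keyEntry where newer ones print PrivateKeyEntry.
        /, (PrivateKeyEntry|keyEntry|trustedCertEntry), *$/ {
            alias = $0
            sub(/, .*/, "", alias)            # keep the text before the first ", "
            if ($0 ~ /trustedCertEntry, *$/) { kind = "trusted-cert"; certs++ }
            else                             { kind = "private-key";  keys++ }
            printf "%s\t%s\n", alias, kind
        }
        END { if (keys > 0) exit 0; if (certs > 0) exit 1; exit 2 }'
}

# Constructed sample: listing after only the signed certificate was imported
# ("mykey" is keytool's default alias when -alias is not given).
sample_cert_only() {
    cat <<'EOF'
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

mykey, Apr 12, 2004, trustedCertEntry,
Certificate fingerprint (MD5): 05:A7:B1:17:6B:C2:0B:FA:9A:B9:80:22:6A:B0:96:6B
EOF
}

# Constructed sample: listing of a keystore that holds a key pair
# (the alias "tomcat" is an assumption).
sample_with_key() {
    cat <<'EOF'
Your keystore contains 1 entry

tomcat, Apr 12, 2004, keyEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
EOF
}

sample_cert_only | keystore_entry_report || echo "-> no private key for the SSL connector to use"
sample_with_key  | keystore_entry_report && echo "-> private key present"
```

Against a real keystore the same function can be fed from `keytool -list -keystore hostname.keystore`.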