I'm not too familiar with JBoss, is it within Tomcat? If so, what does your server.xml connector snippet look like?

-----Original Message-----
From: Robert Hall [mailto:[EMAIL PROTECTED]
Sent: Monday, April 12, 2004 8:06 PM
To: Tomcat Users List
Subject: Re: help needed - keytool import of CA certs

Arthur,

Thanks for the reply. Yes, the hostname.crt file is a signed certificate.
I've tried importing both with and without the -trustcacerts parameter,
the imports are successful, but I get the following exception in
JBoss-3.2.3/Tomcat-4.1.29:

16:23:59,561 ERROR [PoolTcpEndpoint] Endpoint [SSL: ServerSocket[addr=/0.0.0.0,port=0,localport=8753]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:152)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:387)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:569)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:677)
        at java.lang.Thread.run(Thread.java:536)

Thanks,
Robert

D'Alessandro, Arthur wrote:

>Robert,
>First thing, tomcat looks for the users home folder of whom is running
>tomcat for .keystore, if this is not available, or you wish to move the
>keystore, you can state so in the Connector within server.xml
>
>Another thing, the password defaults to 'changeit', if you wish to have
>an alternative password, you will need to specify again within the
>connector element.
>
>Third, you appear to be using the trustcacerts, is the cert you specify
>in hostname.crt the CA root cert (local CA) or the signed certificate?
>From your description, I assume it is the signed valid cert from
>Verisign.
>
>Off the top of my head, I don't remember the need for the
>'-trustcacerts'
>
>This is a good site that may help as well:
>http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html
>
>
>-----Original Message-----
>From: Robert Hall [mailto:[EMAIL PROTECTED]
>Sent: Monday, April 12, 2004 6:56 PM
>To: Tomcat Users List
>Subject: help needed - keytool import of CA certs
>
>I've been floundering for too many hours/days having ventured into the
>java/keytool/keystore/CAcert realm for the first time to produce a
>CA signed certificate for JBoss/Tomcat.
>
>We have a Verisign/RSA cert, hostname.crt that produces the following when
>imported using 'keytool':
>
>$ keytool -import -trustcacerts -file hostname.crt -keystore hostname.keystore
>Enter keystore password: secret
>Owner: CN=hostname.berkeley.edu, OU=MY-ORG-UNIT, O="University of California, Berkeley", L=Berkeley, ST=California, C=US
>Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
>Serial number: 63ba7416f9d061ad65db8b61554bd8c3
>Valid from: Wed Aug 13 17:00:00 PDT 2003 until: Fri Aug 13 16:59:59 PDT 2004
>Certificate fingerprints:
>         MD5: 05:A7:B1:17:6B:C2:0B:FA:9A:B9:80:22:6A:B0:96:6B
>         SHA1: B9:34:D0:58:C4:9C:01:CD:C1:05:D9:FD:C1:D1:45:43:E3:6C:17:1A
>Trust this certificate? [no]: yes
>Certificate was added to keystore
>
>And if you're still reading, some questions:
>
>1. Should the "Trust this certificate?" prompt appear if a corresponding CA cert entry
>   exists in $JAVA_HOME/jre/lib/security/cacerts ?
>
>2. Is it necessary to go through the CSR (Certificate Signing Request) process when
>   you already have a server cert file?
>
>3. What else is needed in addition to an existing server cert file if you don't have to go
>   through the CSR process?
>
>Thanks,
>Robert
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
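
Added example, not part of the original thread or of Tomcat/JBoss: keytool's "Trust this certificate?" prompt and "Certificate was added to keystore" message mean the certificate was stored as a trusted-certificate entry, whereas a TLS server keystore also needs an entry that holds the private key. This sketch classifies the entries in `keytool -list` output so the two cases can be told apart; the sample listings, alias names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the entries in `keytool -list` output.
# Older JDKs print "keyEntry", newer ones "PrivateKeyEntry", for an entry
# holding a private key; "trustedCertEntry" holds a certificate only.

# Reads a keytool listing on stdin, prints "<alias> <type>" per entry.
list_entries() {
    awk '/, (keyEntry|PrivateKeyEntry|trustedCertEntry),?[ \t]*$/ {
        line = $0
        sub(/,?[ \t]*$/, "", line)   # drop trailing comma and blanks
        n = split(line, f, ", ")
        print f[1], f[n]
    }'
}

# Exit status 0 if the listing has at least one private-key entry.
has_server_key() {
    list_entries | grep -Eq ' (keyEntry|PrivateKeyEntry)$'
}

# Constructed sample listings (aliases, dates and fingerprints are made up).
CERT_ONLY='Keystore type: jks

Your keystore contains 1 entry

mykey, Apr 12, 2004, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

WITH_KEY='Keystore type: jks

Your keystore contains 2 entries

tomcat, Apr 12, 2004, keyEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
rootca, Apr 12, 2004, trustedCertEntry,
Certificate fingerprint (MD5): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00'

check() {  # $1 = label, $2 = listing text
    if printf '%s\n' "$2" | has_server_key; then
        echo "$1: private-key entry present"
    else
        echo "$1: certificates only, nothing for the server to present"
    fi
}
check cert-only "$CERT_ONLY"
check with-key "$WITH_KEY"
```

Against a real keystore, pipe `keytool -list -keystore hostname.keystore` into `list_entries`.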