> no matter where I stashed that Root CA cert, my tests kept coming up with ssl 
> handshake/pkix errors.

The only place that matters is the system truststore.  The Tomcat
keystore mentioned in conf/server.xml has no bearing on this unless,
of course, you're putting TC certs in the system key/truststore,
$JAVA_HOME/jre/lib/security/cacerts.

> I may have a clue about how I messed this up, but are there any helpful hints 
> for the general case?

Best thing to do is an SSL trace from the CAS server side. (See "When
All Else Fails" section of
http://www.ja-sig.org/wiki/display/CASUM/SSL+Troubleshooting+and+Reference+Guide.)
That will dump the list of trusted certs to STDOUT, catalina.out in
the case of Tomcat, and you can see what certificate your client
presents to CAS.  It also dumps the path to the truststore it's
currently using, which can help sanity check it's using what you
_think_ it's using.  Feel free to attach the trace if you'd like a
second opinion.

M

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev

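The sanity check the reply describes (which truststore the JVM is really consulting, and whether the Root CA is in it) can also be done directly from a small program. The following is an added example, not code from the post or the CAS/JA-SIG project; it mirrors JSSE's documented default lookup order (the javax.net.ssl.trustStore property, else <java.home>/lib/security/jssecacerts, else cacerts; on JDK 8 and earlier java.home already points into the jre/ tree, giving the $JAVA_HOME/jre/lib/security/cacerts path from the post). The class name TrustStoreCheck and the optional PEM-file argument are this example's own choices.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;

/**
 * Added example (not from the mailing-list post or the CAS project):
 * resolve the truststore the JVM will actually use, list its trusted
 * entries, and optionally check whether a given Root CA (PEM file) is in it.
 */
public class TrustStoreCheck {

    /**
     * JSSE default lookup order: javax.net.ssl.trustStore wins; otherwise
     * <java.home>/lib/security/jssecacerts if present, else cacerts.
     */
    static Path resolveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null && !prop.isEmpty()) {
            return Paths.get(prop);
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = security.resolve("jssecacerts");
        return Files.exists(jsse) ? jsse : security.resolve("cacerts");
    }

    /**
     * Load the store the way JSSE does: honour trustStoreType/trustStorePassword
     * if set; with no password given the store is readable but its integrity
     * is not verified (enough for listing what it trusts).
     */
    static KeyStore loadTrustStore(Path path) throws Exception {
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, pw == null ? null : pw.toCharArray());
        }
        return ks;
    }

    /** True if a trusted-certificate entry with exactly this DER encoding exists. */
    static boolean containsTrusted(KeyStore ks, X509Certificate wanted) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue;
            Certificate c = ks.getCertificate(alias);
            if (c != null && Arrays.equals(c.getEncoded(), wanted.getEncoded())) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Path store = resolveTrustStore();
        System.out.println("JVM truststore in use: " + store.toAbsolutePath());
        KeyStore ks = loadTrustStore(store);

        int count = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue;
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                System.out.printf("  %-40s %s%n", alias,
                        ((X509Certificate) c).getSubjectX500Principal());
                count++;
            }
        }
        System.out.println(count + " trusted certificate entries");

        // Optional: args[0] is a PEM-encoded Root CA certificate to look for.
        if (args.length > 0) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate ca;
            try (InputStream in = new FileInputStream(args[0])) {
                ca = (X509Certificate) cf.generateCertificate(in);
            }
            boolean present = containsTrusted(ks, ca);
            System.out.println("Root CA " + ca.getSubjectX500Principal()
                    + (present ? " IS" : " is NOT") + " trusted by this store");
            if (!present) System.exit(1);
        }
    }
}
```

Compile with `javac TrustStoreCheck.java` and run it under the same JVM and with the same `-Djavax.net.ssl.trustStore=...` settings Tomcat gets, e.g. `java -Djavax.net.ssl.trustStore=/path/to/cacerts TrustStoreCheck rootca.pem`; a non-zero exit means the CA you stashed is not in the store that JVM consults. The server-side trace the post recommends comes from the standard JSSE debug flag, `-Djavax.net.debug=ssl`, added to Tomcat's JVM options (CATALINA_OPTS), which is what writes the trusted-cert list and truststore path into catalina.out.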