This is what we use to store our own CA signed certificate for CAS. This is on RHEL5; there is a slightly different form of the command for JDK 1.5.

keytool -importcert -file our_ca_cert.crt -keypass changeit -keystore /usr/java/jdk1.6.0_02/jre/lib/security/cacerts -storetype jks -storepass changeit

We have Apache fronting our Tomcat and providing SSL, so we also appended our own CA PEM file to /etc/pki/tls/certs/ca-bundle.crt, which also seems to be the right place to put it to ensure things such as curl can do the https thing properly.

Hope this helps.

Dale

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Jones
Sent: Wednesday, 13 August 2008 3:54 a.m.
To: Yale CAS mailing list
Subject: CAS with signed certificate

O.K. So this is really a Tomcat issue, but I can't find an answer to the problem I'm encountering and I've been following the SSL how-to on the CAS pages.

I have a Tomcat 5.5 set-up that functions correctly with CAS when I use a self-signed certificate. So, I'm using the right keystore at least. I now have a server certificate that is signed by my organisation's own CA, and our root CA certificate is self-signed. So I have imported the CA certificate using keytool thus (having moved the keystore file with the self-signed one in):

keytool -import -alias root -file {path-to-CA-cert} -keystore /usr/share/tomcat5.5/.keystore -trustcacerts

and then imported the signed server certificate thus:

keytool -import -alias tomcat -file {path-to-CA-signed-server-cert} -keystore /usr/share/tomcat5.5/.keystore -trustcacerts

I then read that the CA certificate should really go in the JVM's cacerts file thus:

keytool -import -alias root -file {path-to-CA-cert} -keystore /usr/lib/jvm/java-6-sun/jre/lib/security/cacerts -trustcacerts

and that is the right Java version being used.

However, regardless of where the CA cert is, I get the following error:

SEVERE: Endpoint [SSL: ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:114)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:408)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:71)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
        at java.lang.Thread.run(Thread.java:619)

which is repeated loads of times until it runs out of file descriptors.

Please can anyone see the error in what I've done with my certificates?

Thanks
--
Matthew Jones
Interactive Data Managed Solutions Ltd
-----------------------------------------------------------------------
Registered in England Company Number 3691868
Registered Office: Fitzroy House, 13-17 Epworth Street, London, EC2A 4DL
Tel: +44 (0)1242 694133 | Fax: +44 (0)1242 694109
[EMAIL PROTECTED]
http://www.interactivedata-ms.com/694133
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
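The thread above does not reach a resolution, so here is an added, editor-supplied check (not code from either poster, the CAS project or Tomcat) for the configuration the original message describes. The JSSE error quoted, "No available certificate or key corresponds to the SSL cipher suites which are enabled", is what a connector reports when its keystore holds no private key entry it can serve with; importing a CA-signed server certificate with plain `keytool -import` into a keystore that does not already contain the matching key pair produces a trusted-certificate entry only, and the JVM's `cacerts` file is the default truststore for outbound connections rather than a source of server keys. The script parses the summary lines of `keytool -list` output and reports whether the connector's key alias ("tomcat", Tomcat's default `keyAlias`, is assumed here) is a key entry and whether a trusted CA entry is present. The two listings embedded in it are constructed samples with made-up fingerprints, not output from anyone's system, and the file name in the usage comment is a hypothetical choice.

```python
"""Sanity-check a Tomcat SSL keystore from the output of `keytool -list`.

Usage (file name is a hypothetical choice for this example):
    keytool -list -keystore /usr/share/tomcat5.5/.keystore > listing.txt
    python check_keystore.py listing.txt
With no argument the constructed BROKEN_LISTING sample is checked.
"""
import sys
from typing import Dict, List

# Entry kinds keytool prints for a key pair: "PrivateKeyEntry" on Java 6
# and later, "keyEntry" on Java 5 and earlier.
KEY_ENTRY_KINDS = {"PrivateKeyEntry", "keyEntry"}


def parse_entries(listing: str) -> Dict[str, str]:
    """Map alias -> entry kind from the summary lines of `keytool -list`.

    Summary lines look like `tomcat, Aug 13, 2008, PrivateKeyEntry,`. The
    date may itself contain a comma, so the alias is taken as the first
    comma-separated field and the kind as the last non-empty one.
    Fingerprint and header lines contain no commas and are skipped.
    """
    entries: Dict[str, str] = {}
    for line in listing.splitlines():
        fields = [f.strip() for f in line.split(",") if f.strip()]
        if len(fields) < 3 or not fields[-1].endswith("Entry"):
            continue
        entries[fields[0]] = fields[-1]
    return entries


def check_connector_keystore(listing: str, key_alias: str = "tomcat") -> List[str]:
    """Return the problems that would stop a Tomcat SSL connector using this keystore.

    key_alias is the connector's keyAlias; "tomcat" is Tomcat's default.
    An empty list means a key entry and a trusted CA entry were both found.
    """
    entries = parse_entries(listing)
    problems: List[str] = []
    kind = entries.get(key_alias)
    if kind is None:
        problems.append(f"no entry with alias '{key_alias}'; the connector has no key to serve")
    elif kind not in KEY_ENTRY_KINDS:
        problems.append(
            f"alias '{key_alias}' is a {kind}, not a key entry: the signed "
            "certificate was imported as a trusted cert rather than as a reply "
            "to the key pair that produced the CSR"
        )
    if "trustedCertEntry" not in entries.values():
        problems.append("no trustedCertEntry: the issuing CA chain is missing from the keystore")
    return problems


# Constructed sample listings (fingerprints are made up). This is what an
# empty keystore looks like after both certificates were added with plain
# `keytool -import`: the server cert became a trusted-cert entry, not a key.
BROKEN_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Aug 13, 2008, trustedCertEntry,
Certificate fingerprint (SHA1): 01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14
tomcat, Aug 13, 2008, trustedCertEntry,
Certificate fingerprint (SHA1): 15:16:17:18:19:1A:1B:1C:1D:1E:1F:20:21:22:23:24:25:26:27:28
"""

# Same aliases once the CA's reply has been imported onto the original key pair.
GOOD_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Aug 13, 2008, trustedCertEntry,
Certificate fingerprint (SHA1): 01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14
tomcat, Aug 13, 2008, PrivateKeyEntry,
Certificate fingerprint (SHA1): 15:16:17:18:19:1A:1B:1C:1D:1E:1F:20:21:22:23:24:25:26:27:28
"""


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_LISTING
    problems = check_connector_keystore(text)
    for p in problems:
        print("PROBLEM:", p)
    if not problems:
        print("keystore has a key entry for the connector and a trusted CA entry")
```

The check only reads the listing, so it can be run by an operator without the keystore password being typed into a script; it does not verify that the certificate in the key entry actually chains to the trusted CA entry, which `keytool -list -v` or `openssl verify` would show.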
