Greetings, I am trying to import an openssl key from a third party certificate authority, Geotrust (Equifax). I have used these keys successfully in an apache installation.
So, I followed the key import process described for Tomcat on the Geotrust web site - http://www.geotrust.com/resources/install/jakarta_tomcat.htm

However, Tomcat 5.0.18 throws an exception when I start up the HTTP/SSL listener:

    SSL handshake error - javax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.

Environment:
1) JDK 1.4.1_02 on Linux 2.4 kernel
2) Tomcat 5.0.18
3) OpenSSL 0.9.7a

What I did:
1) Convert the CA's cert and our server root cert (i.e., our domain public key) to binary (DER) format.
2) Import the converted binary keys into a new Java keystore (using keytool).
3) Add the path to the keystore.kdb file in Tomcat's server.xml, restart Tomcat.

Below are the specific commands (and output) I used to import the keys and configure Tomcat. I have been using the PEM version of these keys in Apache 2.x with no problems. I have contacted Geotrust and they do not seem to have an answer. Other posts to this list mostly show folks trying to set up SSL using their own CA certs.

What have I missed? I appreciate any suggestions.

Thanks
Jeff

------------------- details ---------------------

1) Convert the PEM keys to binary format:

    $ openssl x509 -in geotrustca.pem -inform PEM -outform DER -out geotrustca.crt
    $ openssl x509 -in mydomain.com.pem -inform PEM -outform DER -out mydomain.crt

2) Import the binary keys into a new Java keystore. I used Tomcat's default keystore password setting 'changeit'. Here are the commands and output:

2a) Geotrust root certificate:

    $ keytool -import -alias geotrustca -keystore /etc/cert/mydomain.kdb -file /etc/cert/geotrustca.crt
    Enter keystore password: changeit
    Owner: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
    Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
    Serial number: 35def4cf
    Valid from: Sat Aug 22 10:41:51 MDT 1998 until: Wed Aug 22 10:41:51 MDT 2018
    Certificate fingerprints:
         MD5:  67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
         SHA1: D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
    Trust this certificate? [no]: yes
    Certificate was added to keystore

2b) Server root key (our public key):

    $ keytool -import -alias tomcat -keystore /etc/cert/mydomain.kdb -file /etc/cert/mydomain.crt
    Enter keystore password: changeit
    Certificate was added to keystore

2c) Here's the list of my keystore:

    $ keytool -list -keystore /etc/cert/mydomain.kdb
    Enter keystore password: changeit

    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 2 entries

    tomcat, Mar 9, 2004, trustedCertEntry,
    Certificate fingerprint (MD5): 1B:AE:BF:96:6C:3C:0A:C3:AE:3E:5A:46:94:CF:AF:0B
    geotrustca, Mar 9, 2004, trustedCertEntry,
    Certificate fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4

3) Update server.xml. Note we are using Tomcat 5, so the directive for the SSL connector syntax is different from that shown in the Geotrust web site instructions. Compared to the default connector parameters, I added the keystoreFile parameter to point to my kdb file created in step 2.

    <Connector port="8443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/etc/cert/mydomain.kdb" />

When I enable the SSL connector in my server.conf file and restart Tomcat, the logs show this exception:

    Mar 9, 2004 5:59:55 AM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
    SEVERE: Endpoint [SSL: ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
    java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
            at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:154)
            at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:387)
            at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:557)
            at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
            at java.lang.Thread.run(Thread.java:536)
    Mar 9, 2004 5:59:55 AM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
    WARNING: Reinitializing ServerSocket
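The keystore listing in the post shows the condition behind this JSSE error: the `tomcat` alias is a trustedCertEntry, so the store holds the domain certificate but no private key for the connector to serve with. As an added example (not from the original post, Tomcat or Geotrust), this POSIX shell script parses `keytool -list` output and flags an alias that is not a key entry; the embedded listing is constructed from the one quoted above, and `jks_entry_type` and `check_server_alias` are names chosen here.

```shell
# Added example: report what kind of entry a JKS keystore holds under an alias,
# parsed from the text output of `keytool -list -keystore <file>`.
# Tomcat's JSSE connector needs a key entry (JDK 1.4 prints "keyEntry", later
# JDKs "PrivateKeyEntry") under the alias it serves from. A trustedCertEntry is a
# certificate with no private key, so the handshake cannot be completed and JSSE
# reports "No available certificate corresponds to the SSL cipher suites which are enabled."
# Usage: keytool -list -keystore /etc/cert/mydomain.kdb | jks_entry_type tomcat
jks_entry_type() {
    # keytool prints one header line per entry: "<alias>, <date>, <entryType>,"
    # The date may itself contain a comma, so pick the field ending in "Entry".
    awk -F', *' -v a="$1" '
        $1 == a { for (i = 2; i <= NF; i++) if ($i ~ /Entry$/) { print $i; found = 1 } }
        END { if (!found) print "missing" }'
}

# Exit 0 when the alias can act as a server identity, 1 otherwise.
check_server_alias() {
    entry=$(jks_entry_type "$1")
    case "$entry" in
        keyEntry|PrivateKeyEntry)
            echo "ok: alias '$1' holds a private key and its certificate chain"
            return 0 ;;
        trustedCertEntry)
            echo "problem: alias '$1' is a trustedCertEntry (certificate only, no private key)."
            echo "  The key pair must be generated in the keystore (keytool -genkey -alias $1),"
            echo "  the CSR from keytool -certreq sent to the CA, and the signed reply imported"
            echo "  with keytool -import -alias $1 so it attaches to that key entry."
            return 1 ;;
        missing)
            echo "problem: alias '$1' not found in keystore"
            return 1 ;;
        *)
            echo "problem: unrecognised entry type '$entry' for alias '$1'"
            return 1 ;;
    esac
}

# Constructed sample: the listing quoted in the post above, one entry per line.
SAMPLE_LISTING='Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
tomcat, Mar 9, 2004, trustedCertEntry,
Certificate fingerprint (MD5): 1B:AE:BF:96:6C:3C:0A:C3:AE:3E:5A:46:94:CF:AF:0B
geotrustca, Mar 9, 2004, trustedCertEntry,
Certificate fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4'

# On the sample this flags the "tomcat" alias as certificate-only (exit status 1).
printf '%s\n' "$SAMPLE_LISTING" | check_server_alias tomcat || true
```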
