On 07/26/2012 10:46 AM, Phil Daws wrote:
> The next hurdle I am having problems with is trusting the back-end
> certificate. We have our own PKI and issued certificates for the
> back-end and front-end servers. I have updated the keystore
> information in Tomcat's server.xml, including the PKCS12 password. On
> CentOS there is no update-ca-certificates, so where would Tomcat pull
> the CA bundle details from?
>
> When I connect to the front-end and attempt to sign in I see within
> the back-end djigzo.log the following:
>
> 26 Jul 2012 04:31:05 | WARN EXCEPTION (org.mortbay.log)
> [1310202490@qtp-649430934-0] javax.net.ssl.SSLHandshakeException:
> Received fatal alert: certificate_unknown at
> sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at [snip]
Java by default trusts all the trusted certificates stored in the cacerts JKS keystore. The Debian script update-ca-certificates reads a directory of certificates and updates the cacerts keystore using the keytool Java tool. On RedHat/CentOS you can use keytool directly to add your own root to cacerts. On Ubuntu the default cacerts keystore can be found at /usr/lib/jvm/java-6-openjdk-amd64/jre/lib/security/cacerts. I do not have a working CentOS at the moment, so you should search for cacerts (as root).

You can view all entries in the cacerts store with the following command:

keytool -list -keystore /usr/lib/jvm/java-1.6.0-openjdk/jre/lib/security/cacerts

The default password for the cacerts store is: changeit

Importing a trusted cert can be done, I think, with:

keytool -importcert -trustcacerts -alias your_alias -keystore /usr/lib/jvm/java-1.6.0-openjdk/jre/lib/security/cacerts -file <cert_file>

Change the path to the cacerts file for your system, select an alias and specify the cert to import (note: I haven't tested this).

Hope this helps.

Kind regards,

Martijn

--
DJIGZO email encryption

_______________________________________________
Users mailing list
http://lists.djigzo.com/lists/listinfo/users
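The procedure Martijn sketches above (locate the JVM's cacerts store, import the private CA root with keytool, list the store to confirm) as a worked shell example. This is an added example, not code from the thread or from Djigzo. It assumes the CA root is a PEM or DER file passed as the second argument, that the store password is the JDK default "changeit", and that the keystore layout is either <jvm>/jre/lib/security/cacerts (Java 6 to 8) or <jvm>/lib/security/cacerts (Java 9 and later); the function names are mine.

```shell
#!/bin/sh
# Added example: import a private CA root into the JVM trust store.
# Usage: . ./import-ca.sh; import_ca "$(find_cacerts /usr/lib/jvm)" ca-root.pem mypki-root
# Assumptions (not from the original thread): default store password "changeit",
# keytool on PATH, and a cacerts file under a lib/security directory.

# find_cacerts ROOT: print the first cacerts trust store found under ROOT.
# Both the Java 6-8 layout (<jvm>/jre/lib/security/cacerts) and the Java 9+
# layout (<jvm>/lib/security/cacerts) end in lib/security/cacerts, so one
# find expression covers both.
find_cacerts() {
    root="${1:-/usr/lib/jvm}"
    find "$root" -type f -path '*/lib/security/cacerts' 2>/dev/null | head -n 1
}

# keytool_import_cmd STORE CERT ALIAS: print the exact keytool command line
# that import_ca runs, so it can be reviewed (or copied into a runbook)
# before touching the store.
keytool_import_cmd() {
    printf 'keytool -importcert -trustcacerts -noprompt -alias %s -keystore %s -storepass changeit -file %s\n' \
        "$3" "$1" "$2"
}

# show_fingerprints CERT: print the fingerprints keytool computes for the file.
# Compare these against the fingerprint published by your PKI before importing,
# since -noprompt below skips keytool's interactive "Trust this certificate?" check.
show_fingerprints() {
    keytool -printcert -file "$1" | grep -i 'fingerprint'
}

# import_ca STORE CERT ALIAS: back up the store, import the root, then verify
# that the alias is now present. Returns non-zero on any failure.
import_ca() {
    store="$1"; cert="$2"; alias="$3"
    [ -f "$store" ] || { echo "no such keystore: $store" >&2; return 1; }
    [ -f "$cert" ]  || { echo "no such certificate: $cert" >&2; return 1; }
    # cacerts is shared by every application on this JVM; keep a copy to roll back.
    cp -p "$store" "$store.bak.$(date +%Y%m%d%H%M%S)" || return 1
    keytool -importcert -trustcacerts -noprompt -alias "$alias" \
        -keystore "$store" -storepass changeit -file "$cert" || return 1
    # Verify: keytool -list with -alias exits non-zero if the alias is absent.
    keytool -list -keystore "$store" -storepass changeit -alias "$alias" >/dev/null
}
```

Two caveats worth keeping in mind. First, "Received fatal alert: certificate_unknown" in the back-end log means the alert was sent by the peer: the front-end JVM, acting as the TLS client, rejected the back-end's certificate, so the root has to be imported into the cacerts of the JVM that makes the connection, not only the one that serves it. Second, cacerts lives inside the JDK package, so a JDK upgrade can replace it and silently drop the imported root; re-run the import after upgrades, or point the application at a separate store with -Djavax.net.ssl.trustStore=/path/to/store (and -Djavax.net.ssl.trustStorePassword) so the private root is not tied to the packaged file.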
