Christoph, I hate these problems, they're always tough to work through,
and keytool doesn't make it any easier.
Did you use keytool to create your key and certificate request? If you
created the key and request outside of keytool, then keytool won't have
the private key and can't import the certificate.
In order to get your private key into the keystore, you need to use a
bit of Java code. See here: <http://www.agentbob.info/agentbob/79.html>
There's no need for you to import the CA's root certificate. It's
already there.
Good luck!
Mojo
--
Morris Jones
Monrovia, CA
http://www.whiteoaks.com
Old Town Astronomers http://www.otastro.org
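The "bit of Java code" the reply refers to, written out as an added example (it is not code from this thread or from the linked page). It puts an OpenSSL-generated key and its certificate chain into the JKS file as one PrivateKeyEntry, which is the entry type the `keytool -list` output in the original message is missing. It assumes an RSA key that has first been converted to unencrypted PKCS#8 DER with openssl (the `.key.der` file name is a constructed placeholder); the keystore name, alias, password and certificate file names are the ones from the thread.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.*;

// Adds an OpenSSL-generated private key and its certificate chain to a JKS
// keystore as one PrivateKeyEntry (what the SSL connector needs); keytool
// -import on its own only produces trustedCertEntry entries.
// Assumed preparation, because Java reads unencrypted PKCS#8 DER, not OpenSSL PEM:
//   openssl pkcs8 -topk8 -nocrypt -in www_mydomain_com.key -outform DER -out www_mydomain_com.key.der
public class ImportKeyPair {
    public static void main(String[] args) throws Exception {
        String keystorePath = "thekeystore";        // values from the thread
        char[] password = "changeit".toCharArray();
        String alias = "tomcat";                    // alias the Connector will use

        // Assumes an RSA key; the file name is a constructed placeholder.
        byte[] keyBytes = Files.readAllBytes(Paths.get("www_mydomain_com.key.der"));
        PrivateKey key = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(keyBytes));

        // Chain order matters: server certificate first, then the CA certificate(s).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain = new ArrayList<>();
        for (String file : new String[] {"www_mydomain_com.crt", "rapidssl_01.cer"}) {
            try (InputStream in = new FileInputStream(file)) {
                chain.addAll(cf.generateCertificates(in));
            }
        }

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);                  // existing keystore
        } catch (FileNotFoundException e) {
            ks.load(null, password);                // or start a new, empty one
        }
        if (ks.containsAlias(alias)) ks.deleteEntry(alias); // drop the cert-only entry
        ks.setKeyEntry(alias, key, password, chain.toArray(new Certificate[0]));
        try (FileOutputStream out = new FileOutputStream(keystorePath)) {
            ks.store(out, password);
        }
        // Same check as "keytool -list": the alias must now be a PrivateKeyEntry.
        for (String a : Collections.list(ks.aliases())) {
            System.out.println(a + ": " + (ks.isKeyEntry(a) ? "PrivateKeyEntry" : "trustedCertEntry"));
        }
    }
}
```

After running it, `keytool -list -keystore thekeystore` should show the tomcat alias as a PrivateKeyEntry rather than a trustedCertEntry; the connector's `keystorePass` must equal the password used here, since the key entry is protected with it.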
Christoph Lechner wrote:
Hi all,
I've been trying hard to enable the SSL connector in Tomcat for a few
days now. As I don't have very much experience with SSL, it's quite hard
for me to figure out what's going wrong.
I read a lot of different setup guides, but I'm getting the same error
messages all the time:
16:37:13,254 INFO [Http11BaseProtocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
16:37:13,338 INFO [ChannelSocket] JK: ajp13 listening on /0.0.0.0:8009
16:37:13,346 INFO [JkMain] Jk running ID=0 time=0/24 config=null
16:37:13,360 INFO [Http11BaseProtocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8443
16:37:13,371 ERROR [PoolTcpEndpoint] Endpoint [SSL: ServerSocket[addr=/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.run(PoolTcpEndpoint.java:647)
        at java.lang.Thread.run(Thread.java:595)
I've got a .crt file, a .csr file and a .key file for the domain and I
also got the root cert from the CA. So I tried to set it up in the
following way (output messages included):
---> Begin of keystore creation <---
ab-server1:~/ssl# keytool -import -trustcacerts -alias root -file rapidssl_01.cer -keystore thekeystore
Enter keystore password: changeit
Certificate already exists in system-wide CA keystore under alias
<equifaxsecureglobalebusinessca1>
Do you still want to add it to your own keystore? [no]: yes
Certificate was added to keystore
ab-server1:~/ssl# keytool -import -trustcacerts -alias tomcat -file www_mydomain_com.crt -keystore thekeystore
Enter keystore password: changeit
Certificate was added to keystore
ab-server1:~/ssl# keytool -list -keystore thekeystore
Enter keystore password: changeit
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
root, Aug 30, 2007, trustedCertEntry,
Certificate fingerprint (MD5):
8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
tomcat, Aug 30, 2007, trustedCertEntry,
Certificate fingerprint (MD5):
C4:6F:76:3F:5E:ED:33:04:F9:CB:0F:98:28:21:5D:D4
---> End of keystore creation <---
In server.xml file, I added:
<Connector port="8443" address="${jboss.bind.address}"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="/root/ssl/thekeystore"
           keystorePass="changeit" sslProtocol="TLS" />
OTOH I've tried a self-signed certificate and it worked.
What's my fault?
TIA
- C. Lechner
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]