On Tue, Jul 24, 2012 at 8:46 AM, Benjamin Davis <[email protected]> wrote:
> Hey Matt,
>
> You are barking up my tree with this one! At work, our apps use SSL and
> most of the time the certificates are self-signed, so I am very used to
> seeing the PKIX path error. :)

Awesome. Glad someone can help me get the cobwebs out. Since all our stuff is behind a firewall I don't have to do SSL often, so it's been a while.

> So, a question on the site you are trying to connect to. Is the
> certificate self-signed or is it signed by someone else?

It's a Verisign certificate, which is why I was a bit surprised it didn't "just work." In Chrome when I get the cert info I see this (the cert is working fine in the browser, by the way):

The identity of this website has been verified by VeriSign Class 3 Secure Server CA - G3.

But there's also an intermediate certificate involved in the chain, so who knows. I thought even though it's Verisign and should work, it'd just be easier to import the certs and be done with it.

> The certificate needs to be imported into the file called cacerts. On
> Windows, this is found in jre6/lib/security. I would think that it would
> be similar on Linux. My favorite tool to work with certificates is
> Portecle (http://portecle.sourceforge.net/). There are plenty of command
> line tools as well. If the site is self-signed, then you just need to
> import the public key certificate into the keystore. If the site is not
> self-signed, then you need each public key certificate in the key chain
> since one signs another.

Thanks -- I was just using the keytool but I'll check out Portecle. In my case there is a main cert and an intermediate cert, and with those in place and configured in Apache it's working fine when I hit it in a browser. One thing I'm unclear on: in Apache you point to the key file in addition to the two cert files. Do I need to do anything with the key file on the Java side?

> then you will need to restart Tomcat

Good point -- definitely did that.

Other weird thing is I didn't get errors when I imported the certs, but I don't see them in the list when I do a list using keytool either.

> Let me know how this goes! I've had my share of trying to diagnose SSL
> issues! :)

Thanks -- I'll poke around a bit more and will definitely write up a little howto when I'm done. Appreciate the help!

Matt

--
Matthew Woodward
[email protected]
http://blog.mattwoodward.com
identi.ca / Twitter: @mpwoodward
Please do not send me proprietary file formats such as Word, PowerPoint, etc. as attachments.
http://www.gnu.org/philosophy/no-word-attachments.html

--
online documentation: http://openbd.org/manual/
http://groups.google.com/group/openbd?hl=en
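An added check, written for this thread rather than taken from it: it loads the cacerts file that the running JVM actually consults (importing into a different JRE's copy is a common reason `keytool -list` shows nothing), then validates the server cert plus intermediate against it with the same PKIX validator JSSE uses, so the "PKIX path building failed" condition can be reproduced offline. It assumes a `chain.pem` holding the server cert followed by the intermediate, as configured in Apache, and the default cacerts password (both assumptions, not from the thread).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added example, not code from the thread. chain.pem and the password are assumptions.
public class ChainCheck {
    static final String CHAIN_PEM = "chain.pem";      // assumed: server cert then intermediate
    static final String TRUSTSTORE_PW = "changeit";   // assumed: default cacerts password

    // The cacerts file this JVM really reads; check this before trusting keytool -list output.
    static String cacertsPath() {
        return System.getProperty("java.home") + "/lib/security/cacerts";
    }

    static KeyStore loadTruststore(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, TRUSTSTORE_PW.toCharArray());
        }
        return ks;
    }

    // Validate the chain the way the JSSE trust manager does; a failure here is the
    // "PKIX path building failed" error, and the index says which cert broke the chain.
    static String validate(List<X509Certificate> chain, KeyStore trust) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trust);   // trustedCertEntry items become anchors
        params.setRevocationEnabled(false);                  // offline check: no CRL/OCSP fetch
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                CertPathValidator.getInstance("PKIX").validate(path, params);
            return "OK, anchored at " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathValidatorException e) {
            return "FAILED at index " + e.getIndex() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        String ts = args.length > 0 ? args[0] : cacertsPath();
        KeyStore trust = loadTruststore(ts);
        System.out.println("Truststore " + ts + " has " + trust.size() + " entries");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(CHAIN_PEM)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                chain.add((X509Certificate) c);
        }
        System.out.println(validate(chain, trust));
    }
}
```

Only certificates go into a client truststore; the Apache private key is never needed on the Java side, and if validation fails at index 1 the intermediate is the cert missing from the chain or from cacerts.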
