You need to import the CA for your client-certs into your truststore file. Then you add the 'truststoreFile="/path/to/truststore"' to your Connector element in server.xml. After that, your browser should prompt you for any cert that you have that is signed by that CA.
"Jeffery Cann" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Greetings, > > I am trying to import an openssl key from a third > party certificate authority, Geotrust (Equifax). I > have used these keys successfully in an apache > installation. > > So, I followed the key import process described for > Tomcat on the Geotrust web site - > > http://www.geotrust.com/resources/install/jakarta_tomcat.htm > > However, tomcat 5.0.18 throws an exeception when I > start up the HTTP/SSL listener: > > SSL handshake error - javax.net.ssl.SSLException: No > available certificate corresponds to the SSL cipher > suites which are enabled. > > Environment: > 1) JDK 1.4.1_02 on Linux 2.4 kernel > 2) Tomcat 5.0.18 > 3) OpenSSL 0.9.7a > > What I did: > 1) Convert CAs cert and our server root cert (i.e., > our domain public key) to binary (DED) format. > > 2) Import converted binary keys into a new java > keystore (using keytool). > > 3) Add path to keystore.kdb file in tomcat server.xml, > restart tomcat. > > Below are the specific commands (and output) I used to > import keys and configure Tomcat. > > I have been using the PEM version of these keys in > apache 2.x with no problems. > > I have contacted Geotrust and they do not seem to have > an answer. Other posts to this list mostly show folks > trying to set up SSL using their own CA certs. > > What have I missed? I appreciate any suggestions. > > Thanks > Jeff > > ------------------- details --------------------- > 1) Convert pem keys to binary format: > > $ openssl x509 -in geotrustca.pem -inform PEM > -outform DED -out geotrustca.crt > > $ openssl x509 -in mydomain.com.pem -inform PEM > -outform DED -out mydomain.crt > > 2) Import binary keys into a new Java key store. I > used Tomcat's default keystore password setting > 'changeit'. 
Here's the commands and output: > > 2a) Geotrust root certificate: > $ keytool -import -alias geotrustca -keystore > /etc/cert/mydomain.kdb -file /etc/cert/geotrustca.crt > Enter keystore password: changeit > Owner: OU=Equifax Secure Certificate Authority, > O=Equifax, C=US > Issuer: OU=Equifax Secure Certificate Authority, > O=Equifax, C=US > Serial number: 35def4cf > Valid from: Sat Aug 22 10:41:51 MDT 1998 until: Wed > Aug 22 10:41:51 MDT 2018 > Certificate fingerprints: > MD5: > 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4 > SHA1: > D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A > Trust this certificate? [no]: yes > Certificate was added to keystore > > 2b) Server root key (our public key): > > $ keytool -import -alias tomcat -keystore > /etc/cert/mydomain.kdb -file > /etc/cert/mydomain.crt > Enter keystore password: changeit > Certificate was added to keystore > > 2c) Here's the list of my keystore. > > $ keytool -list -keystore /etc/cert/mydomain.kdb > Enter keystore password: changeit > > Keystore type: jks > Keystore provider: SUN > > Your keystore contains 2 entries > > tomcat, Mar 9, 2004, trustedCertEntry, > Certificate fingerprint (MD5): > 1B:AE:BF:96:6C:3C:0A:C3:AE:3E:5A:46:94:CF:AF:0B > geotrustca, Mar 9, 2004, trustedCertEntry, > Certificate fingerprint (MD5): > 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4 > > 3) Update server.xml. Note we are using Tomcat 5, so > the directive for the SSL connector syntax is > different from that shown on the Geotrust web site > instructions. > > Compared to the default connector parameters, I added > the keystoreFile parameter to point to my kdb file > created in step 2. 
> > <Connector port="8443" > maxThreads="150" minSpareThreads="25" > maxSpareThreads="75" enableLookups="false" > disableUploadTimeout="true" acceptCount="100" > debug="0" scheme="https" secure="true" > clientAuth="false" sslProtocol="TLS" > keystoreFile="/etc/cert/mydomain.kdb" > /> > > > When I enable the SSL connector in my server.conf file > and restart tomcat, logs show this exception: > > Mar 9, 2004 5:59:55 AM > org.apache.tomcat.util.net.PoolTcpEndpoint > acceptSocket > SEVERE: Endpoint [SSL: > ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] > ignored exception: java.net.SocketException: SSL > handshake errorjavax.net.ssl.SSLException: No > available certificate corresponds to the SSL cipher > suites which are enabled. java.net.SocketException: > SSL handshake errorjavax.net.ssl.SSLException: No > available certificate corresponds to the SSL cipher > suites which are enabled. > at > org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFac tory.java:154) > at > org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java :387) > at > org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:557) > at > org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.jav a:683) > at java.lang.Thread.run(Thread.java:536) > Mar 9, 2004 5:59:55 AM > org.apache.tomcat.util.net.PoolTcpEndpoint > acceptSocket WARNING: Reinitializing ServerSocket > > __________________________________ > Do you Yahoo!? > Yahoo! SiteBuilder - Free web site building tool. Try it! > http://webhosting.yahoo.com/ps/sb/ --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
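The keystore listing in the quoted post shows the "tomcat" alias as a trustedCertEntry, i.e. a public certificate with no private key, which is the condition the JSSE exception describes. The following is an added example, not code from the thread: it reads `keytool -list` output and flags that condition, and includes an assumed fix that packages the existing PEM key and certificate into a PKCS#12 keystore with openssl (the `keystoreType="PKCS12"` connector attribute and the `build_pkcs12_keystore` helper name are this example's assumptions).

```shell
#!/bin/sh
# Added example, not code from the thread: read `keytool -list` output and
# say whether the keystore can serve TLS for Tomcat. The JSSE connector
# needs a key entry (private key + certificate chain) under the alias it
# uses ("tomcat" by default). `keytool -import -file x.crt` only creates a
# trustedCertEntry (public cert, no private key), which is why JSSE reports
# "No available certificate corresponds to the SSL cipher suites which are
# enabled".

# keystore_status LISTING ALIAS -> prints one of: key-entry, cert-only, missing
keystore_status() {
    # Entry lines look like "<alias>, <date>, <type>,"; JDK 1.4 prints
    # keyEntry/trustedCertEntry, newer JDKs print PrivateKeyEntry.
    entry=$(printf '%s\n' "$1" | grep -i "^$2," | head -n 1)
    if [ -z "$entry" ]; then
        echo missing
    else
        case "$entry" in
            *keyEntry*|*PrivateKeyEntry*) echo key-entry ;;
            *) echo cert-only ;;
        esac
    fi
}

# Sample listing, copied from the keystore shown in the post above.
SAMPLE_LISTING='Your keystore contains 2 entries

tomcat, Mar 9, 2004, trustedCertEntry,
Certificate fingerprint (MD5): 1B:AE:BF:96:6C:3C:0A:C3:AE:3E:5A:46:94:CF:AF:0B
geotrustca, Mar 9, 2004, trustedCertEntry,
Certificate fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4'

# build_pkcs12_keystore KEY.pem CERT.pem CA.pem OUT.p12
# Assumed fix: bundle the PEM key and certificate Apache already uses into a
# PKCS#12 file holding a key entry under alias "tomcat", then point the
# connector at it with keystoreFile="OUT.p12" keystoreType="PKCS12".
# Needs openssl on the box; the listing check above does not.
build_pkcs12_keystore() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    openssl pkcs12 -export -name tomcat -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout pass:changeit
}

case "$(keystore_status "$SAMPLE_LISTING" tomcat)" in
    key-entry) echo "alias tomcat holds a private key: the connector can serve TLS" ;;
    cert-only) echo "alias tomcat is a trustedCertEntry: no private key, nothing for JSSE to serve" ;;
    missing)   echo "alias tomcat is not in the keystore" ;;
esac
```

The keystore password used for the PKCS#12 export must match the connector's `keystorePass` (Tomcat's default is `changeit`, as used in the post).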
