You can see if your certificate is located in the cacerts file by using the following command:
    keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts

Putting your certificates in here is not recommended (see the keytool documentation).

Another thing you could do is set your default trust manager, by executing your client with the system property javax.net.ssl.trustStore set to /root/.keystore and javax.net.ssl.trustStorePassword set to changeit:

    java -Djavax.net.ssl.trustStore=/root/.keystore -Djavax.net.ssl.trustStorePassword=changeit ...

Alternatively, you can do this within your code (the calls below throw checked exceptions, so they belong in a method that declares or handles them):

    import java.io.FileInputStream;
    import java.security.KeyStore;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManagerFactory;

    // Load the keystore that holds the certificate to trust; the password is a char[]
    KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(new FileInputStream("/root/.keystore"), "changeit".toCharArray());
    // Build trust managers from that keystore (the factory must be initialised with it)
    TrustManagerFactory tmFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmFactory.init(ks);
    SSLContext ctx = SSLContext.getInstance("SSL");
    ctx.init(null, tmFactory.getTrustManagers(), null);
    SSLSocketFactory socketFactory = ctx.getSocketFactory();
    // Every HttpsURLConnection opened from now on uses this trust store
    HttpsURLConnection.setDefaultSSLSocketFactory(socketFactory);

You can now create HttpsURLConnections to talk to your SSL server (via the URL.openConnection method). The SSL handshake should authenticate using the certificates in your /root/.keystore file. See the JDK 1.4 javadoc (or JSSE) for more information.

One other thing that may help is setting javax.net.debug=all inside tomcat:

    export CATALINA_OPTS="-Djavax.net.debug=all"

before restarting tomcat. This will give you a lot of debugging information for SSL which could be useful.

Hope this helps,
Andy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Monte.Gardner@asu.edu]
Sent: 22 October 2002 20:48
To: Tomcat Users List
Subject: Re: SSL Servlet Client

OK, I think I've got to where I understand the problem more clearly than I did yesterday. Here it is.

When I followed the tomcat ssl how to and typed

    keytool -genkey -alias tomcat -keyalg RSA

it created a keystore file called /root/.keystore in which a key aliased by 'tomcat' was stored. This key is what tomcat uses to present a certificate to any client that requests an SSL session.
Now what I want to do is create a Java Client that will connect to Tomcat via SSL and communicate with one of its servlets. When Tomcat receives the request, it sends its 'tomcat' certificate. However, when the Java client receives that certificate, it looks in a list of certificates found in $JAVA_HOME/jre/lib/security/cacerts and doesn't find a certificate that matches the one it receives, so it throws an exception:

    javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

So, what I need to do is put a copy of the Tomcat certificate in the cacerts file. So I tried using a combination of keytool -import / -export to copy the certificate over. It seemed like I was successful in doing so, but when I rebooted tomcat and ran the webpage again, I got the same exception. Have I misunderstood the problem or the key management process somehow?

Here is the console output from when I tried to copy the certificate:

    [root@rho /root]# keytool -export -alias tomcat -file cert.cer -keystore .keystore
    Enter keystore password: changeit
    Certificate stored in file <cert.cer>
    [root@rho /root]# keytool -import -alias tomcat -file cert.cer -keystore $DOCUTRAK/tomcat
    Enter keystore password: changeit
    Owner: CN=rho.abstrax.nan, OU=Abstrax, O=Abstrax, L=Mesz, ST=AZ, C=US
    Issuer: CN=rho.abstrax.nan, OU=Abstrax, O=Abstrax, L=Mesz, ST=AZ, C=US
    Serial number: 3db5698b
    Valid from: Tue Oct 22 08:06:51 MST 2002 until: Mon Jan 20 08:06:51 MST 2003
    Certificate fingerprints:
             MD5:  84:A4:4B:0D:F9:AE:2B:D2:4D:DD:84:0C:8F:D7:DD:EC
             SHA1: 67:AF:81:96:98:3F:0B:B3:84:BF:73:62:2A:45:05:C5:19:9C:F8:F1
    Trust this certificate? [no]: y
    Certificate was added to keystore

--
To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
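Added here as a worked example of the keytool steps Andy describes (it is not code from Andy's or Monte's mail): the server certificate is exported and imported into a dedicated client trust store rather than cacerts or the server's own keystore, and the fingerprint of the stored entry is checked against the exported file before the client is pointed at it. It assumes keytool is on PATH; the directory, file names and the password changeit are constructed sample values.

```shell
#!/bin/sh
# Build a client trust store for a self-signed Tomcat certificate and verify it.
# Assumes keytool is on PATH. All paths and the "changeit" password are sample values.
set -eu

# Create a throwaway self-signed server key the way the Tomcat SSL how-to does,
# with non-interactive flags so it runs unattended (sample distinguished name).
make_server_keystore() {   # $1 = working directory
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
        -dname "CN=rho.abstrax.nan, OU=Abstrax, O=Abstrax, L=Mesz, ST=AZ, C=US" \
        -validity 90 -keystore "$1/server.jks" -storepass changeit -keypass changeit
}

# Export only the certificate (public part) from the server keystore, then import it
# into a separate trust store that the client will be told to use.
build_client_truststore() {  # $1 = working directory
    make_server_keystore "$1"
    keytool -exportcert -alias tomcat -file "$1/cert.cer" \
        -keystore "$1/server.jks" -storepass changeit
    keytool -importcert -alias tomcat -file "$1/cert.cer" -noprompt \
        -keystore "$1/client-truststore.jks" -storepass changeit
}

# Fingerprint of a certificate file, e.g. "67:AF:81:..." (first SHA line keytool prints).
cert_fingerprint() {         # $1 = certificate file
    keytool -printcert -file "$1" | grep -E 'SHA(256|1):' | head -n1 | awk '{print $2}'
}

# Fingerprint of the entry actually stored under alias "tomcat" in a trust store;
# comparing it with cert_fingerprint confirms the import landed where the client looks.
truststore_fingerprint() {   # $1 = trust store file
    keytool -list -v -alias tomcat -keystore "$1" -storepass changeit \
        | grep -E 'SHA(256|1):' | head -n1 | awk '{print $2}'
}

# Once the two fingerprints agree, run the client against that trust store:
#   java -Djavax.net.ssl.trustStore=/path/client-truststore.jks \
#        -Djavax.net.ssl.trustStorePassword=changeit MyClient
```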