Hi all,

I'm hoping someone has run into this problem before.

I'm using VeriSign certs and have imported a certificate correctly before
using keytool. However, the certificate we were using expired, and we
obtained a replacement.

Importing the replacement appears to be more difficult.

Verisign's intermediate CA appears to be different than before, and now uses
a primary and secondary. So initially I had one intermediate CA and one
tomcat certificate.

I then imported the two new CAs (alias "intermediatecaprimary" and
"intermediatecasecondary") -- this worked without error.

The next step seems to throw tomcat off. I believe I need to replace the
"tomcat" alias certificate. Barring a replace function in keytool (which I
don't think exists, though I could be wrong), I think this means I have to
delete the old "tomcat" certificate and replace it with the new one.

Doing this (using the command "keytool -delete -alias tomcat -keystore
.keystore" and then "keytool -import -alias tomcat -keyalg RSA -keystore
.keystore -file D:\keystore\Certificates\tomcat.cer") appears to complete
without error.

However, the next time I start Tomcat (running as a service), the CPU &
memory spin upward until the machine is barely accessible. Tomcat doesn't
start up.

In the Tomcat log file the following can be seen:

Feb 14, 2011 8:45:07 AM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:149)
        at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:309)
        at java.lang.Thread.run(Thread.java:619)

I'm sure this is just a mistake I'm making somewhere either in keytool or my
Tomcat setup, but it's worked fine until trying to use this replacement
cert.

One possibility: Do I need to specify a keylength when specifying the
keyalg, or is there a default?

My Tomcat connector is as follows (password redacted):

    <Connector
        port="8443"
        protocol="HTTP/1.1"
        SSLEnabled="true"
        enableLookups="false"
        acceptCount="100"
        maxThreads="200"
        scheme="https"
        keystoreFile="d:\keystore\.keystore"
        keystorePass="[Password]"
        secure="true"
        clientAuth="false"
        sslProtocol="TLSv1"
        cipher="RSA"
        allowUnsafeLegacyRenegotiation="false"
        />

Thanks in advance for any help you can give!
--
Sean
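As an added example (not from the original post), a small check on what the keystore actually holds after the delete-and-import step described above: it parses the output of `keytool -list -v -keystore .keystore` (a constructed sample is embedded in place of a real listing) and reports whether the connector's alias carries a private key or only a certificate, which is the distinction behind the handshake error quoted in the log.

```python
import re

# Constructed sample of `keytool -list -v` output (not from the poster's
# keystore): the two intermediate CAs are trusted certs, and the "tomcat"
# alias, deleted and re-imported from a .cer file, now holds only a cert.
SAMPLE_LISTING = """\
Your keystore contains 3 entries

Alias name: intermediatecaprimary
Entry type: trustedCertEntry

Alias name: intermediatecasecondary
Entry type: trustedCertEntry

Alias name: tomcat
Entry type: trustedCertEntry
Owner: CN=www.example.com, O=Example
"""


def parse_listing(text):
    """Map each alias in a `keytool -list -v` listing to its entry type."""
    entries = {}
    alias = None
    for line in text.splitlines():
        m = re.match(r"Alias name:\s*(.+)", line)
        if m:
            alias = m.group(1).strip()
            continue
        m = re.match(r"Entry type:\s*(\S+)", line)
        if m and alias is not None:
            entries[alias] = m.group(1)  # PrivateKeyEntry / trustedCertEntry
            alias = None
    return entries


def check_server_alias(entries, alias="tomcat"):
    """Return (ok, reason) for the alias the HTTPS connector relies on.

    JSSE can only offer RSA cipher suites when the keystore holds a private
    key; a trustedCertEntry has the certificate but no key, which yields
    'No available certificate or key corresponds to the SSL cipher suites'.
    """
    kind = entries.get(alias)
    if kind == "PrivateKeyEntry":
        return True, f"{alias}: private key and certificate present"
    if kind is None:
        return False, f"{alias}: no such alias in keystore"
    return False, (f"{alias}: {kind} has a certificate but no private key; "
                   "import the new cert into the existing key entry instead")
```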
