[ale] tomcat: how to update certificate?

Bob Toxen transam at verysecurelinux.com
Sun May 13 23:34:33 EDT 2007


I'm having a problem on a tomcat server.  I'm trying to update the
SSL certificates.  I've done

     keytool -list -v

to get the alias name, call it foo.  I saw two items, VeriSign's
bloody intermediate certificate and my own $399 certificate from
VeriSign.

I then nuked the old foo certificates via:

     keytool -alias foo -delete

I then imported the intermediate certificate and mine via:

     keytool -import -alias rootca -trustcacerts -file intermediate.crt
     keytool -import -alias foo -file cert.cer

I then rebooted the system and restarted tomcat.

Unfortunately, if one tries to browse the system, the server drops
the connection and tomcat terminates with:

     May 13, 2007 4:29:03 PM org.apache.tomcat.util.net.PoolTcpEndpoint
     acceptSocket
     SEVERE: Endpoint [SSL:
     ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] ignored
     exception: java.net.SocketException: SSL handshake
     errorjavax.net.ssl.SSLException: No available certificate or key
     corresponds to the SSL cipher suites which are enabled.


QUESTION:

  Is there somewhere else that I need to update for the new certificate
  (besides /root/.key*) or did I not import the certificates correctly?

  I could not figure out a way to get both the VeriSign intermediate
  certificate and my new certificate to both show under the same "foo"
  alias.

Any help very gratefully accepted.

Thanks VERY much,

Bob Toxen
bob at verysecurelinux.com               [Please use for email to me]
http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

"Microsoft: Unsafe at any clock speed!"
   -- Bob Toxen 10/03/2002
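An added diagnostic, not part of the original post: it reads the text of `keytool -list -v` and reports whether the alias Tomcat's SSL connector is configured to use is a private-key entry with its intermediate in the chain, since JSSE raises the "No available certificate or key corresponds to the SSL cipher suites" error when the keystore holds no private-key entry the connector can serve. The listing below is a constructed sample that assumes the situation described (the alias names come from the post; the subject names are made up).

```python
import re

# Constructed sample of `keytool -list -v` output (not from the original post):
# the intermediate was imported as a trusted cert and "foo" was re-imported as
# a bare certificate after its key entry was deleted, so no private key is left.
SAMPLE_LISTING = """\
Keystore type: jks
Your keystore contains 2 entries

Alias name: rootca
Entry type: trustedCertEntry

Owner: CN=VeriSign Class 3 Secure Server CA, O=VeriSign, C=US
Issuer: CN=VeriSign Class 3 Public Primary CA, O=VeriSign, C=US

Alias name: foo
Entry type: trustedCertEntry

Owner: CN=www.example.com, O=Example, C=US
Issuer: CN=VeriSign Class 3 Secure Server CA, O=VeriSign, C=US
"""

def parse_entries(listing):
    """Map alias -> (entry type, chain length) from keytool -list -v text."""
    entries = {}
    for block in re.split(r"\n(?=Alias name: )", listing):
        m = re.match(r"Alias name: (.+)", block)
        if not m:
            continue  # keystore header before the first entry
        etype = re.search(r"Entry type: (\S+)", block)
        chain = re.search(r"Certificate chain length: (\d+)", block)
        # trusted-cert entries carry a single cert and no chain-length line
        entries[m.group(1).strip()] = (
            etype.group(1) if etype else "unknown",
            int(chain.group(1)) if chain else 1,
        )
    return entries

def check_server_alias(listing, alias):
    """Say why Tomcat's SSL connector finds no usable key under `alias`."""
    entries = parse_entries(listing)
    if alias not in entries:
        return f"alias {alias!r} not in keystore"
    etype, chain_len = entries[alias]
    if etype not in ("PrivateKeyEntry", "keyEntry"):  # keyEntry: older JDKs
        return f"alias {alias!r} is {etype}, not a private-key entry"
    if chain_len < 2:
        return f"alias {alias!r} has no intermediate in its chain"
    return "ok"
```

Run it against the real listing with `keytool -list -v | python -c '...'` and the alias named in the connector's keyAlias (or the keystore's default alias) to see which of the three conditions fails.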
