[ale] tomcat: how to update certificate?
Brian Stanaland
brian.stanaland at gmail.com
Mon May 14 08:18:28 EDT 2007
This is what we did to get Verisign's intermediate cert installed on our
SiteScope server. Not sure it'll help.
SERVER:/opt/sitescope/SiteScope/java/lib/security
user: ../../bin/keytool -import -file Verisign.Class3.CA.cer -alias VeriSign-Class3-CA -keystore jssecacerts
dtrace DOF libjvm.so: .SUNW_dof section corrupt
Enter keystore password: ******
Certificate was added to keystore
On 5/13/07, Bob Toxen <transam at verysecurelinux.com> wrote:
>
> I'm having a problem on a tomcat server. I'm trying to update the
> SSL certificates. I've done
>
> keytool -list -v
>
> to get the alias name, call it foo. I saw two items, VeriSign's
> bloody intermediate certificate and my own $399 certificate from
> VeriSign.
>
> I then nuked the old foo certificates via:
>
> keytool -alias foo -delete
>
> I then imported the intermediate certificate and mine via:
>
> keytool -import -alias rootca -trustcacerts -file intermediate.crt
> keytool -import -alias foo -file cert.cer
>
> I then rebooted the system and restarted tomcat.
>
> Unfortunately, if one tries to browse the system, the server drops
> the connection and tomcat terminates with:
>
> May 13, 2007 4:29:03 PM org.apache.tomcat.util.net.PoolTcpEndpoint
> acceptSocket
> SEVERE: Endpoint [SSL:
> ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] ignored
> exception: java.net.SocketException: SSL handshake
> errorjavax.net.ssl.SSLException: No available certificate or key
> corresponds to the SSL cipher suites which are enabled.
>
>
> QUESTION:
>
> Is there somewhere else that I need to update for the new certificate
> (besides /root/.key*) or did I not import the certificates correctly?
>
> I could not figure out a way to get both the VeriSign intermediate
> certificate and my new certificate to show under the same "foo"
> alias.
>
> Any help very gratefully accepted.
>
> Thanks VERY much,
>
> Bob Toxen
> bob at verysecurelinux.com [Please use for email to me]
> http://www.verysecurelinux.com [Network&Linux/Unix security
> consulting]
> http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security
> 2/e"]
> Quality Linux & UNIX security and SysAdmin & software consulting since
> 1990.
>
> "Microsoft: Unsafe at any clock speed!"
> -- Bob Toxen 10/03/2002
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
>
--
"Anyone who has the power to make
you believe absurdities has the power
to make you commit atrocities."
-- Voltaire
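An added check, not part of either message in this thread: the handshake error Bob quotes ("No available certificate or key corresponds to the SSL cipher suites") is what Tomcat reports when the alias its SSL connector uses holds only a certificate and no private key. Deleting alias foo removed the key entry, and `keytool -import -alias foo -file cert.cer` into a keystore where foo no longer exists creates a trustedCertEntry, not a key entry. The script below classifies an alias from `keytool -list` output so that state can be spotted before restarting Tomcat; the sample listings, the alias names and the demo.jks path are constructed for the example, and the live reproduction only runs if a JDK's keytool is on PATH.

```shell
#!/bin/sh
# Added example for the thread above; not code from either poster.
# Tomcat can only serve an alias that contains a private key
# (PrivateKeyEntry; JDK 1.4 keytool prints it as keyEntry).

# Print "key", "trusted-cert-only" or "missing" for alias $1, given the
# text of `keytool -list` in $2. keytool matches aliases case-insensitively.
key_alias_status() {
    printf '%s\n' "$2" | awk -F', ' -v want="$1" '
        BEGIN { status = "missing" }
        tolower($1) == tolower(want) {
            if ($0 ~ /PrivateKeyEntry|keyEntry/) status = "key"
            else if ($0 ~ /trustedCertEntry/) status = "trusted-cert-only"
            exit
        }
        END { print status }'
}

# Constructed `keytool -list` output for a keystore that still holds the
# server key under "foo" and the intermediate under "rootca".
GOOD_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

foo, May 13, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
rootca, May 13, 2007, trustedCertEntry,
Certificate fingerprint (MD5): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00'

# Constructed listing after deleting "foo" and re-importing only cert.cer:
# the alias is back, but as a certificate without a key.
BROKEN_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

foo, May 13, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
rootca, May 13, 2007, trustedCertEntry,
Certificate fingerprint (MD5): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00'

# Live reproduction in a throwaway keystore, only when keytool is available:
# generate a key pair, export its cert, delete the alias, import the cert
# back under the same alias, and watch the classification flip.
demo_with_keytool() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH; skipping live demo"; return 0; }
    dir=$(mktemp -d); ks="$dir/demo.jks"; pw=changeit
    keytool -genkey -alias foo -keyalg RSA -keysize 2048 -dname "CN=demo.example" \
        -validity 1 -keystore "$ks" -storepass "$pw" -keypass "$pw" >/dev/null 2>&1
    keytool -export -alias foo -file "$dir/cert.cer" -keystore "$ks" -storepass "$pw" >/dev/null 2>&1
    echo "before delete/import: foo is $(key_alias_status foo "$(keytool -list -keystore "$ks" -storepass "$pw")")"
    keytool -delete -alias foo -keystore "$ks" -storepass "$pw"
    keytool -import -noprompt -alias foo -file "$dir/cert.cer" -keystore "$ks" -storepass "$pw" >/dev/null 2>&1
    echo "after delete/import:  foo is $(key_alias_status foo "$(keytool -list -keystore "$ks" -storepass "$pw")")"
    rm -rf "$dir"
}

echo "sample good keystore:   foo is $(key_alias_status foo "$GOOD_LISTING")"
echo "sample broken keystore: foo is $(key_alias_status foo "$BROKEN_LISTING")"
demo_with_keytool
```

Run it against a real keystore with `key_alias_status foo "$(keytool -list -keystore /path/to/keystore)"`; anything other than `key` for the connector's alias means Tomcat has nothing to sign the handshake with. A CA-issued certificate has to be imported into the alias that still holds the matching private key (keytool then treats it as a CA reply and builds the chain, using the intermediate present under another alias or in cacerts), so the key entry must never be deleted first.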