On 07/26/2012 10:46 AM, Phil Daws wrote:
The next hurdle I am having problems with is trusting the back-end
certificate. We have our own PKI and issued certificates for the
back-end and front-end servers. I have updated the keystore
information in Tomcat's server.xml including the PKCS12 password. On
CentOS there is no update-ca-certificates, so where would Tomcat pull
the CA bundle details from?
When I connect to the front-end and attempt to sign in I see within
the back-end djigzo.log the following:
26 Jul 2012 04:31:05 | WARN EXCEPTION (org.mortbay.log)
[1310202490@qtp-649430934-0] javax.net.ssl.SSLHandshakeException:
Received fatal alert: certificate_unknown at
sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at
[snip]
Java by default trusts all the trusted certificates stored in the
cacerts JKS keystore. The Debian script update-ca-certificates reads a
directory of certificates and updates the cacerts keystore using the
keytool java tool. On RedHat/CentOS you can use keytool directly to add
your own root to cacerts. On Ubuntu the default cacerts keystore can be
found at /usr/lib/jvm/java-6-openjdk-amd64/jre/lib/security/cacerts. I
do not have a working CentOS at the moment, so you should search for
cacerts (as root).
You can view all entries in the cacerts store with the following command:
keytool -list -keystore /usr/lib/jvm/java-1.6.0-openjdk/jre/lib/security/cacerts
The default password for the cacerts store is:
changeit
Importing a trusted cert can, I think, be done with:
keytool -importcert -trustcacerts -alias your_alias -keystore /usr/lib/jvm/java-1.6.0-openjdk/jre/lib/security/cacerts -file <cert_file>
Change the path to the cacerts file for your system, select an alias and
specify the cert to import (note: I haven't tested this).
Hope this helps.
Kind regards,
Martijn
--
DJIGZO email encryption
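The steps above (locate cacerts, list it, import the root with keytool) as one script. This is an added example, not code from the thread or from Djigzo. It assumes keytool and openssl are on PATH, that the private root CA is a PEM file passed as the first argument, and that the store password is the default changeit unless CACERTS_PASS is set; the paths and file names are illustrative. Note that "Received fatal alert: certificate_unknown" in a log is an alert sent by the remote peer, i.e. by the side that failed to verify the certificate, so the root has to be imported into the cacerts of the JVM that makes the connection, which is why a warning in the back-end log points at the front-end's trust store.

```shell
#!/bin/sh
# Added example, not code from the thread or from Djigzo: trust a private root
# CA in the JVM that acts as the TLS client by importing it into that JVM's
# cacerts and verifying the entry afterwards.
# Assumptions: keytool and openssl are on PATH; the root CA is a PEM file
# passed as $1; the store password is the default "changeit" unless
# CACERTS_PASS is set. All paths below are illustrative.
set -eu

# cacerts lives two directories up from the java binary, under lib/security:
#   .../jre/bin/java  -> .../jre/lib/security/cacerts   (Java 6/7/8 JRE layout)
#   .../bin/java      -> .../lib/security/cacerts       (JDK 9+ has no jre/)
# Feed it the *resolved* binary: /usr/bin/java is an alternatives symlink.
cacerts_path_for_java() {
    java_bin=${1:?java binary path}
    java_home=$(dirname "$(dirname "$java_bin")")
    printf '%s/lib/security/cacerts\n' "$java_home"
}

# Alias derived from the file name: keytool aliases are case-insensitive and
# must be unique in the store, so "Corp-Root-CA.pem" becomes "corp-root-ca".
alias_for_file() {
    name=$(basename "${1:?cert file}")
    printf '%s\n' "${name%.*}" | tr 'A-Z' 'a-z'
}

# Refuse anything that is not a CA certificate: importing the server's own
# leaf cert "works" only until that cert is renewed; the root keeps working.
assert_is_ca_cert() {
    if ! openssl x509 -in "${1:?cert file}" -noout -text | grep -q 'CA:TRUE'; then
        echo "refusing to import $1: Basic Constraints is not CA:TRUE" >&2
        return 1
    fi
}

import_root_ca() {
    cert=${1:?cert file}
    cacerts=${2:-$(cacerts_path_for_java "$(readlink -f "$(command -v java)")")}
    pass=${CACERTS_PASS:-changeit}
    alias=$(alias_for_file "$cert")

    assert_is_ca_cert "$cert"
    # Print the fingerprint so the operator can compare it against the value
    # published by the PKI before the trust decision is made.
    openssl x509 -in "$cert" -noout -fingerprint -sha256

    keytool -importcert -noprompt -trustcacerts \
        -alias "$alias" -file "$cert" \
        -keystore "$cacerts" -storepass "$pass"

    # Verify the entry is present and is a trusted cert, not a key entry.
    keytool -list -keystore "$cacerts" -storepass "$pass" -alias "$alias" \
        | grep -q trustedCertEntry
    echo "imported $cert as '$alias' into $cacerts"
}

# Usage: sh import_root_ca.sh /path/to/corp-root-ca.pem [/path/to/cacerts]
# Restart Tomcat afterwards: a running JVM does not re-read its trust store.
if [ "$#" -ge 1 ]; then
    import_root_ca "$@"
fi
```

Two caveats worth keeping in mind: a JDK package update can replace the cacerts file, so re-run the keytool -list check after upgrades (or keep the private root in a separate truststore passed to Tomcat with -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword, which survives package updates); and import only the root, never the server's leaf certificate, so renewals do not break trust.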