Adding an SSL certificate to your java keystore in Linux

The problem

I was trying to get Jasig's Central Authentication Service set up to work with Tomcat, but I was getting the following error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This is the information in their wiki, but I didn't have much luck with it, hence this post.

I found this difficult to work out and it can be really nasty to get right. I have had two main problems so far:
  • An alias was already in the keystore and first needed to be deleted; I didn't get any message about this duplicate key for some reason. The typical aliases that cause problems are mykey, localhost and tomcat. This is most likely a key that you added while trying to get things set up correctly; if you haven't added one, great.
  • The second problem I had was a corrupted keystore. If your keystore has 0 keys in it after trying the following, then I suggest you re-install your JDK and try again; that's what I did to fix it. It may be over the top, but it worked for me.
If you are looking for information on how to install SSL in Tomcat, follow their Tomcat 6 SSL configuration how-to.

Firstly, open a shell and set the JDK you are using. Remember that if you upgrade your JDK in the future, you will need to repeat this to get the new JDK ready for use.


JAVA_HOME=/opt/jrockit....
export JAVA_HOME
echo $JAVA_HOME

Delete any old aliases that may be left over from previous attempts:


${JAVA_HOME}/bin/keytool -delete -alias tomcat
${JAVA_HOME}/bin/keytool -delete -alias mykey
${JAVA_HOME}/bin/keytool -delete -alias localhost

And any other aliases that you may have previously created. This should leave you with a clean keystore.

Install SSL

Issue this command:


${JAVA_HOME}/bin/keytool -genkey -alias tomcat -keyalg RSA

Next you should download this file. I didn't write it; the original post I got the source code from is Andreas' blog (Java and security bits).

Unzip the file and issue the following commands:

cd dist
java Main localhost:8443

You may need to change localhost:8443 to match your server setup. You should see some output on your screen; accept the certificate you are offered to import it into a jssecacerts file, which will be created in the dist directory. You must now copy this file into ${JAVA_HOME}/jre/lib/security, replacing any existing jssecacerts file there (you may want to back up the original first). As far as I know, when you use your JRE/JDK it will look only in your new jssecacerts and will ignore the default cacerts file.

Final checks

Now that everything should be set up correctly, you can check that your jssecacerts keystore is not corrupted as follows:


${JAVA_HOME}/bin/keytool -list -keystore ${JAVA_HOME}/jre/lib/security/jssecacerts

If it returns


Keystore type: JKS
Keystore provider: SUN
Your keystore contains 0 entry

then it may be corrupted, and you should re-install your JDK and try again.
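As an added example, not code from the original post or from Andreas' InstallCert program, the script below does the two things this post relies on using only openssl and keytool: it pulls the certificate chain a server presents, imports each certificate into a copy of jssecacerts (so the JDK's own file is untouched until you have checked the result), and parses keytool -list output to catch the "0 entry" case from the final check. The host name, the output directory, the alias names and the sample s_client output are all constructed for the example; it also assumes the JDK default truststore password "changeit", which the post does not state.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl and keytool are on
# PATH and that the truststore password is the JDK default "changeit".
set -eu

# Split the PEM blocks out of `openssl s_client -showcerts` output read on stdin.
# Writes one file per certificate into $1 (cert-0.pem, cert-1.pem, ...) and
# prints how many were written.
extract_pem_chain() {
    outdir=$1
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { inblock = 1; file = dir "/cert-" n ".pem" }
        inblock { print > file }
        /-----END CERTIFICATE-----/  { inblock = 0; close(file); n++ }
        END { print n + 0 }
    '
}

# Fetch the chain presented by HOST:PORT (e.g. localhost:8443) into directory $2.
# s_client reads stdin, so feed it nothing to make it exit after the handshake.
fetch_chain() {
    hostport=$1; outdir=$2
    host=${hostport%%:*}
    openssl s_client -connect "$hostport" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | extract_pem_chain "$outdir"
}

# Import every certificate in $1 into the truststore $2 under an alias derived
# from the file name. Run this against a COPY of jssecacerts, then copy it into
# ${JAVA_HOME}/jre/lib/security once `keytool -list` shows what you expect.
import_chain() {
    certdir=$1; truststore=$2; storepass=${3:-changeit}
    for pem in "$certdir"/cert-*.pem; do
        alias=$(basename "$pem" .pem)
        keytool -importcert -noprompt -trustcacerts \
            -keystore "$truststore" -storepass "$storepass" \
            -alias "$alias" -file "$pem"
    done
}

# Parse `keytool -list` output read on stdin and print the entry count.
# Mirrors the post's final check: "contains 0 entry" means something is wrong.
truststore_entry_count() {
    sed -n 's/^Your keystore contains \([0-9][0-9]*\) entr.*/\1/p'
}

# Constructed sample of s_client output (placeholder base64, not real certs) so
# extract_pem_chain can be exercised offline.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN=localhost
-----BEGIN CERTIFICATE-----
MIIBconstructedleafcertificate
-----END CERTIFICATE-----
 1 s:CN=Example Test CA
-----BEGIN CERTIFICATE-----
MIIBconstructedissuercertificate
-----END CERTIFICATE-----
---'

main() {
    hostport=${1:-localhost:8443}
    workdir=$(mktemp -d)
    cp "${JAVA_HOME}/jre/lib/security/cacerts" "$workdir/jssecacerts"
    count=$(fetch_chain "$hostport" "$workdir/certs")
    echo "fetched $count certificate(s) from $hostport"
    import_chain "$workdir/certs" "$workdir/jssecacerts"
    entries=$(keytool -list -keystore "$workdir/jssecacerts" -storepass changeit \
        | truststore_entry_count)
    [ "$entries" -gt 0 ] || { echo "truststore is empty, aborting" >&2; exit 1; }
    echo "candidate truststore with $entries entries: $workdir/jssecacerts"
}

# Only touch the network when explicitly asked: ./script.sh --run localhost:8443
if [ "${1:-}" = "--run" ]; then
    shift
    main "$@"
fi
```

The import works on a copy of the JDK's cacerts rather than on the live file, so a bad import (or a duplicate alias, the first problem described above) can be inspected with keytool -list and thrown away without a JDK re-install.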
