tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bodycombe, Andrew" <>
Subject RE: SSL Servlet Client
Date Wed, 23 Oct 2002 09:52:00 GMT
You can see if your certificate is located in the cacerts file by using the
following command:

keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts

Putting your certificates in here is not recommended (see the keytool

Another thing you could do is set your default trust manager, by executing
your client with 
the system property set to /root/.keystore
and set to changeit.

(java ...)

Alternatively, you can do this within your code:

	Keystore ks = KeyStore.getInstance("JKS");
	ks.load(new FileInputStream("/root/.keystore"), "changeit");
	TrustManagerFactory tmFactory =
	SSLContext ctx = SSLContext.getInstance("SSL");
	ctx.init(null, tmFactory.getTrustManagers(), null);
	SSLSocketFactory socketFactory = ctx.getSocketFactory();

You can now create HttpsUrlConnections to talk to your SSL server (via the
URL.openConnection method)
The SSL handshake should authenticate using the certificates in your
/root/.keystore file.
See the JDK1.4 javadoc, (or JSSE) for more information

One other thing that may help is setting inside tomcat,


before restarting tomcat. This will give you a lot of debugging information
for SSL which could be useful.

Hope this helps,

-----Original Message-----
From: []
Sent: 22 October 2002 20:48
To: Tomcat Users List
Subject: Re: SSL Servlet Client

OK, I think I've got to where I understand the problem more clearly 
then i did yesterday. Here it is.  When I followed the tomcat ssl how to
and typed
keytool -genkey -alias tomcat -keyalg RSA
it created a keystore file called /root/.keystore in which a key aliased
by 'tomcat' was stored.  This key is what tomcat uses to present a
to any client that requests an SSL session.  

Now what I want to do is create a Java Client that will connect to Tomcat
via SSL and communicate with one of it's servlets.  When Tomcat receives
the request, it sends it's 'tomcat' certificate.  However, when the Java
client receives that certificate, it looks in a list of certificates found
and doesn't find a certificate that matches the one it receives, so it 
throws an exception: Received fatal alert:

So, what I need to do is put a copy of the Tomcat certificate in the cacerts
file.  So I tried using a combination of keytool -import / -export to copy
the certificate over.  It seemed like I was succesfull in doing so, but
when I rebooted tomcat and ran the webpage again, I got the same
exception.  Have I misunderstood the problem or the key management 
process somehow?

here is the console output from when I tried to copy the certificate:

[root@rho /root]# keytool -export -alias tomcat -file cert.cer -keystore
.keysto re
Enter keystore password:  changeit
Certificate stored in file <cert.cer>
[root@rho /root]# keytool -import -alias tomcat -file cert.cer -keystore
Enter keystore password:  changeit
Owner: CN=rho.abstrax.nan, OU=Abstrax, O=Abstrax, L=Mesz, ST=AZ, C=US
Issuer: CN=rho.abstrax.nan, OU=Abstrax, O=Abstrax, L=Mesz, ST=AZ, C=US
Serial number: 3db5698b
Valid from: Tue Oct 22 08:06:51 MST 2002 until: Mon Jan 20 08:06:51 MST 2003
Certificate fingerprints:
         MD5:  84:A4:4B:0D:F9:AE:2B:D2:4D:DD:84:0C:8F:D7:DD:EC
         SHA1: 67:AF:81:96:98:3F:0B:B3:84:BF:73:62:2A:45:05:C5:19:9C:F8:F1
Trust this certificate? [no]:  y
Certificate was added to keystore

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message