1 Reply Latest reply on Oct 4, 2005 9:08 AM by jswright

    HTTPS/SSL with commercial certificate, no common encryption

    jswright Newbie

      I'm trying to configure JBoss 4.0.2/Tomcat to serve HTTPS using a commercial certificate from GeoTrust. I can make this happen using a self-signed certificate created with keytool, no problem. However, when I try to use the commercial certificate, the browser gets no response back and the JBoss server.log shows no errors or warnings.

      Firefox displays a dialog that says Firefox and {server} cannot communicate securely because they have no common encryption algorithms.

      The certificate came in a PEM format in an email, and I used keytool to create the keystore.

      I'm using the Tomcat Connector on 8443 that comes commented out with JBoss in server.xml. I can set up two keystores in the conf directory, one with the GeoTrust cert and one with the self-signed cert, and switch only the keystore in the Connector. The self-signed one works, the commercial one doesn't. Here's what my Connector looks like:

      <Connector port="8443" address="${jboss.bind.address}"
       maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
       scheme="https" secure="true" clientAuth="false"
       keystorePass="****" sslProtocol="TLS" />

      I've been really banging my head against this and getting nowhere.

        • 1. Re: HTTPS/SSL with commercial certificate, no common encrypt
          jswright Newbie

          Ok, problem solved. It all boiled down to not properly handling the keystore.

          The thing that I missed is that keystores contain 2 types of entries, trusted certs and keys. I was just importing the cert from GeoTrust to a new keystore, which created a trusted cert entry. Instead, I need to import to the original keystore that was used for the CSR, so that the GeoTrust cert would attach to my key pair.

          So if you're having this kind of trouble, study up on keytool!
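As an added example (not part of the original thread), the check that would have exposed this problem up front: a keystore listing that shows only a trustedCertEntry cannot serve HTTPS, because the connector needs a private-key entry (printed as keyEntry by older keytool versions and PrivateKeyEntry by newer ones). The `keytool` paths, passwords and aliases below are assumptions; the two listings are constructed sample output.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes keytool is on PATH for
# the real check; classify_listing works on captured listing text so the
# logic can be exercised offline.

# Classify a `keytool -list` listing:
#   keypair      - holds a private-key entry (what the HTTPS connector needs)
#   trusted-only - holds only trusted-certificate entries (the mistake in the post)
#   empty        - neither
classify_listing() {
    if printf '%s\n' "$1" | grep -Eq ', (PrivateKeyEntry|keyEntry),'; then
        echo keypair
    elif printf '%s\n' "$1" | grep -Eq ', trustedCertEntry,'; then
        echo trusted-only
    else
        echo empty
    fi
}

# Run the real check against a keystore file (args: keystore path, store password).
check_keystore() {
    classify_listing "$(keytool -list -keystore "$1" -storepass "$2" 2>/dev/null)"
}

# The fix from the post: import the CA-signed certificate into the SAME keystore,
# under the SAME alias, that generated the CSR, so it attaches to the key pair.
# Import the CA's chain certificates first (their own aliases) or pass
# -trustcacerts, otherwise keytool cannot build the chain for the reply.
# Args: keystore path, store password, key alias, signed certificate (PEM).
attach_signed_cert() {
    keytool -import -trustcacerts -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# Constructed sample listings (hypothetical fingerprints) for the two keystores
# described in the post: the broken one (cert imported into a fresh keystore)
# and the working one (cert attached to the key pair that made the CSR).
WRONG_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

geotrust, Oct 4, 2005, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

RIGHT_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Oct 4, 2005, keyEntry,
Certificate fingerprint (MD5): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00'
```

Run `check_keystore conf/server.keystore "$PASS"` (assumed path) before touching server.xml: anything other than `keypair` means the connector has no private key to negotiate TLS with.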