SSL using Apache's certificate

Hi,

I have an Apache v2 running SSL with a self-signed certificate consisting of two files, server.crt and server.key. The first one has “CERTIFICATE” in it, the second one “RSA PRIVATE KEY”.

'Cause it's the same server name, I want this certificate for Jive as well. So I tried to import it with the web frontend and, after this failed, I tried with keytool. However, I still get the following error:

14:22:28.114 WARN!! [Acceptor [SSL: ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=9091]]] org.mortbay.util.ThreadedServer.acceptSocket(ThreadedServer.java:449) >02> EXCEPTION
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
    at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)
    at org.mortbay.util.ThreadedServer.acceptSocket(ThreadedServer.java:423)
    at org.mortbay.util.ThreadedServer$Acceptor.run(ThreadedServer.java:608)

and this one:

2005.05.14 14:22:06 [org.jivesoftware.messenger.net.SSLSocketAcceptThread.run(SSLSocketAcceptThread.java:144)] Kann SSL-Socket nicht einrichten
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
    at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)
    at org.jivesoftware.messenger.net.SSLSocketAcceptThread.run(SSLSocketAcceptThread.java:127)

(and it ends up in a loop, so I need to kill messengerd.exe (yes, it's Windows))

I guess it is missing the private key file, but I've no clue how to supply it…

thx a lot

Hey Hanjo,

There are a couple of reasons for that error. This is what I found in Thawte's KB:

  1. By default, certificates created with keytool use DSA public keys.

  2. Importing the certificate into the incorrect keystore

  3. There is no trusted certificate chain present when importing the certificate

Resolution:

1. By default, certificates created with keytool use DSA public keys.

You should create certificates that use RSA-based keys.

To do this, you need to specify the -keyalg RSA option when using keytool. For example:

When you create the private key, stipulate RSA as the key algorithm:

keytool -genkey -alias test -keyalg RSA -keystore ~/.keystore

Then when you create the certificate request, stipulate RSA as the signature algorithm:

keytool -certreq -alias test -sigalg MD5withRSA -keystore ~/.keystore

2. Importing the certificate into the incorrect keystore

Please import the certificate into the correct keystore file which contains the certificates corresponding private key file.

3. There is no trusted certificate chain present when importing the certificate

Please use the '-trustcacerts' option in your command when importing the certificate into the keystore.

keytool -import -alias -trustcacerts -file mythawtecert.crt -keystore

Another reason could be that the keystore and the entries (i.e. certificates) have different passwords.

Hope that helps,

– Gato

Sounds like this could be the same problem described toward the end of this thread:

http://www.jivesoftware.org/forums/thread.jspa?threadID=14209&tstart=0

In short: Yes, you're missing the private key half, and sorry, keytool can't import those. You have to use an alternate method.

Thank you for this, maybe I need to generate a new key…

Nah, don't bother with that. Use the Keyman Java app to import the one you already have.

Where do I get it?

http://www.alphaworks.ibm.com/tech/keyman

There's more info in the thread referenced above.
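One "alternate method" for getting the existing server.crt/server.key pair into a Java keystore, as an added example that is not from this thread, from Jive or from IBM Keyman: openssl wraps the PEM pair into a PKCS12 bundle, and keytool -importkeystore (available from JDK 6 on, so later than the keytool the thread is about) copies that bundle into a JKS keystore as one entry holding both certificate and key. The keystore path, the alias "jive" and the password "changeit" are constructed placeholders; the two check functions verify that the key half is actually present, which is what the SSLException above complains about.

```shell
#!/bin/sh
# Added example: PEM certificate + key -> PKCS12 -> Java keystore.
# Assumed inputs: server.crt and server.key as described in the original post.
# Constructed values: keystore path, alias "jive", password "changeit".

# 1. Wrap certificate and private key into a PKCS12 file under one alias.
make_pkcs12() {
  crt="$1"; key="$2"; out="$3"; name="$4"; pass="$5"
  openssl pkcs12 -export -in "$crt" -inkey "$key" -name "$name" \
      -out "$out" -passout "pass:$pass"
}

# 2. Copy that entry into a JKS keystore. The key password is deliberately set
#    equal to the store password: many Java servers open the key with the
#    store password and fail with an opaque SSL error if the two differ
#    (Gato's last point above).
import_into_jks() {
  p12="$1"; jks="$2"; name="$3"; pass="$4"
  keytool -importkeystore -noprompt \
      -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" -srcalias "$name" \
      -destkeystore "$jks" -deststoretype JKS -deststorepass "$pass" \
      -destalias "$name" -destkeypass "$pass"
}

# Check 1: does the PKCS12 bundle really carry the private key half?
p12_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
      | grep -q 'PRIVATE KEY'
}

# Check 2: what kind of entry did the keystore end up with? A TLS server needs
# a PrivateKeyEntry (older keytool prints "keyEntry"). A trustedCertEntry is a
# certificate without its key, which is exactly what "No available certificate
# or key corresponds to the SSL cipher suites" points at.
keystore_entry_type() {
  keytool -list -keystore "$1" -storepass "$3" -alias "$2" 2>/dev/null \
      | grep -oE 'PrivateKeyEntry|keyEntry|trustedCertEntry' | head -n 1
}

# Usage with the file names from the original post:
#   make_pkcs12 server.crt server.key server.p12 jive changeit
#   p12_has_private_key server.p12 changeit && echo "private key present"
#   import_into_jks server.p12 keystore jive changeit
#   keystore_entry_type keystore jive changeit    # expect PrivateKeyEntry
```

If the JVM is old enough to reject the PKCS12 encryption that a current openssl uses, re-run the openssl step with weaker legacy settings for that JVM rather than downgrading the server.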