Clearwell Fails To Listen On Port 443 (HTTPS) After Installing A Signed Certificate

Article ID: 100027840

Description

Error Message

When this keystore is then used with Clearwell, the following error is observed in the log file cw_home/CW/VXX/logs/catalina-.log:

java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled

The error prevents Clearwell from listening on port 443 (HTTPS).

Resolution

When the keytool -import command is run, make sure that the keystore exists in the current directory: the documented Clearwell steps don't specify a path to the keystore, so keytool assumes it is in the current directory. Alternatively, specify an absolute path to the keystore file in the keytool -keystore argument.

Before or after the signed certificate has been installed (and any additional intermediate or root certificates), list the contents of the keystore using the keytool -list command. Ensure the clearwellkey entry is of type PrivateKeyEntry. This indicates the presence of the private key. For example:

C:\Users\fred>C:\jrockit-jdk1.6.0_29-R28.2.0-4.1.0-x64\bin\keytool.exe -list -keystore .\new-server.keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Keystore contains 3 entries

root, Oct 7, 2012, trustedCertEntry,
Certificate fingerprint (MD5): E0:19:F5:FC:C0:9A:13:0E:38:B7:BF:0D:02:40:D3:C2
intermediate, Oct 7, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 71:13:D9:3A:CD:21:F2:EE:9F:59:17:8D:A6:F9:AE:14
clearwellkey, Oct 7, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): A3:DA:A4:41:3D:78:B2:EB:5A:00:3A:A9:67:3A:19:01

If all the entries are of type trustedCertEntry, then the keystore doesn't contain the private key for the certificate and Clearwell will not be able to listen on port 443.
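The two checks above (refuse to run keytool -import against a keystore path that does not exist, and confirm that the clearwellkey alias is still a PrivateKeyEntry afterwards) can be scripted so they run before and after every certificate installation. The following Python script is an added example written for this article; it is not Clearwell or Veritas code. The keytool path, the certificate file name, the helper names and the second sample listing are constructed for the demonstration; the first listing reproduces the keytool -list output shown above.

```python
"""Guard the keytool -import step and verify the keystore still holds the private key.

Added example, not Clearwell/Veritas code. Assumptions (not from the article): the
keytool binary is on PATH, the signed certificate is in signed.cer, and the helper
names below are hypothetical.
"""
import os
import re
import subprocess
import tempfile

# Sample keytool -list output copied from the article: the private key is present.
GOOD_LISTING = """Keystore type: JKS
Keystore provider: SUN

Keystore contains 3 entries

root, Oct 7, 2012, trustedCertEntry,
Certificate fingerprint (MD5): E0:19:F5:FC:C0:9A:13:0E:38:B7:BF:0D:02:40:D3:C2
intermediate, Oct 7, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 71:13:D9:3A:CD:21:F2:EE:9F:59:17:8D:A6:F9:AE:14
clearwellkey, Oct 7, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): A3:DA:A4:41:3D:78:B2:EB:5A:00:3A:A9:67:3A:19:01
"""

# Constructed listing of a keystore that keytool -import created from scratch because the
# original keystore was not in the current directory: the alias exists, but only as a
# trusted certificate, so there is no private key and HTTPS cannot start.
BAD_LISTING = """Keystore type: JKS
Keystore provider: SUN

Keystore contains 1 entries

clearwellkey, Oct 7, 2012, trustedCertEntry,
Certificate fingerprint (MD5): A3:DA:A4:41:3D:78:B2:EB:5A:00:3A:A9:67:3A:19:01
"""

# One alias line of keytool -list output: "<alias>, <date>, <EntryType>,"
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+),\s*(?P<date>.+?),\s*(?P<kind>\w+Entry),?\s*$")


def parse_keytool_list(listing: str) -> dict:
    """Map alias -> entry type (PrivateKeyEntry or trustedCertEntry) from keytool -list output."""
    entries = {}
    for line in listing.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias").strip()] = m.group("kind")
    return entries


def has_private_key(listing: str, alias: str = "clearwellkey") -> bool:
    """True only if the alias exists and is a PrivateKeyEntry, i.e. the CSR's private key is there."""
    return parse_keytool_list(listing).get(alias) == "PrivateKeyEntry"


def list_keystore(keytool: str, keystore: str, storepass: str) -> dict:
    """Run keytool -list (real keytool flags) and parse the result. Not executed by the demo."""
    out = subprocess.run([keytool, "-list", "-keystore", keystore, "-storepass", storepass],
                         capture_output=True, text=True, check=True).stdout
    return parse_keytool_list(out)


def build_import_command(keytool: str, keystore: str, alias: str, certfile: str) -> list:
    """Build the keytool -import argv, refusing any keystore path on which keytool would
    silently create a brand new keystore instead of updating the one that produced the CSR."""
    if not os.path.isabs(keystore):
        raise ValueError(f"keystore path must be absolute, not {keystore!r}")
    if not os.path.isfile(keystore):
        raise FileNotFoundError(
            f"{keystore!r} does not exist; keytool -import would create a new keystore without the private key")
    return [keytool, "-import", "-alias", alias, "-file", certfile, "-keystore", keystore]


def demo() -> dict:
    """Exercise both checks offline; a temporary file stands in for the keystore that made the CSR."""
    with tempfile.TemporaryDirectory() as tmp:
        keystore = os.path.join(tmp, "new-server.keystore")
        open(keystore, "wb").close()  # placeholder; a real keystore comes from keytool -genkey
        argv = build_import_command("keytool", keystore, "clearwellkey", "signed.cer")
        try:
            build_import_command("keytool", os.path.join(tmp, "missing.keystore"),
                                 "clearwellkey", "signed.cer")
            blocked = False
        except FileNotFoundError:
            blocked = True
    return {"import_argv": argv, "import_blocked": blocked,
            "good_has_key": has_private_key(GOOD_LISTING),
            "bad_has_key": has_private_key(BAD_LISTING)}


if __name__ == "__main__":
    print(demo())
```

In practice, run list_keystore() against the real keystore before the import to confirm the PrivateKeyEntry is present, run build_import_command() with an absolute path so a typo or wrong working directory fails loudly rather than producing a key-less keystore, and run list_keystore() again afterwards: the alias must still be a PrivateKeyEntry, not a trustedCertEntry.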

Issue/Introduction

When the documented Clearwell steps for installing a signed certificate are followed, it is important to run the keytool -import commands against the keystore that was used to generate the CSR. That keystore holds the private key corresponding to the CSR, and therefore to the signed certificate.

If the keystore does not exist at the path keytool is given, the keytool -import command will create a brand new keystore and then insert the specified certificate into it. This new keystore does not correspond to the CSR and contains no private key.