Comment: Added "When All Else Fails" section

...

  • Portecle is a Java GUI tool that can handle all the keystore and certificate formats I've ever encountered. Very easy to use and recommended if you are uncomfortable with CLI tools.
  • keystore is a CLI tool that has a couple of notable improvements over keytool:
    • Support for both PEM and DER-encoded files.
    • You can import a certificate/key pair directly into a keystore. (With keytool, keys never leave the keystore; you generate them, then a corresponding CSR, then import the matching certificate once it is issued.)

When All Else Fails

If you have read, understood, and tried all the troubleshooting tips on this page and continue to have problems, please perform an SSL trace and attach it to a posting to the cas-user@lists.jasig.org mailing list. An SSL trace is written to STDOUT when the system property javax.net.debug=ssl is set. The following example shows how to set it in the Tomcat servlet container.

Sample setenv.sh Tomcat Script

# Uncomment the next 4 lines for custom SSL keystore
# used by all deployed applications
#KEYSTORE="$HOME/path/to/custom.keystore"
#CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.keyStore=$KEYSTORE"
#CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.keyStoreType=BKS"
#CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.keyStorePassword=changeit"

# Uncomment the next 4 lines to allow custom SSL trust store
# used by all deployed applications
#TRUSTSTORE="$HOME/path/to/custom.truststore"
#CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStore=$TRUSTSTORE"
#CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStoreType=BKS"
#CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStorePassword=changeit"

# Uncomment the next line to print SSL debug trace in catalina.out
# (comment it out again once the trace has been captured; the output is verbose)
#CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.debug=ssl"

export CATALINA_OPTS