Clearwell fails to listen on port 443 (HTTPS) after installing a signed certificate with error: "No available certificate or key corresponds to the SSL cipher suites which are enabled"

Article:TECH198014  |  Created: 2012-10-08  |  Updated: 2013-02-19  |  Article URL http://www.symantec.com/docs/TECH198014
Article Type
Technical Solution


Issue



When the documented Clearwell steps for installing a signed certificate are followed, it is important to run the keytool -import commands against the keystore that was used to generate the CSR. This is where the private key resides that corresponds to the CSR and therefore corresponds to the signed certificate. 

If the keystore does not exist, the keytool -import command will create a brand new keystore, before then inserting the specified certificate. This new keystore will not correspond to the CSR and it won't contain any private key.  


Error



When this keystore is then used with Clearwell, the following error is observed in the log file cw_home/CW/VXX/logs/catalina-<date>.log:

java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled

The error prevents Clearwell from listening on port 443 (HTTPS).

Solution



When the keytool -import command is run, make sure that the keystore exists in the current directory (because the Clearwell documented steps don't specify a path to the keystore, it is assumed to be in the current directory). Alternatively, specify an absolute path to the keystore file when using the keytool -keystore argument. 

 
Before or after the signed certificate has been installed (and any additional intermediate or root certificates), list the contents of the keystore using the keytool -list command. You should see that the clearwellkey entry is of type PrivateKeyEntry. This indicates the presence of the private key. For example:

C:\Users\fred>C:\jrockit-jdk1.6.0_29-R28.2.0-4.1.0-x64\bin\keytool.exe -list -keystore .\new-server.keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Oct 7, 2012, trustedCertEntry,
Certificate fingerprint (MD5): E0:19:F5:FC:C0:9A:13:0E:38:B7:BF:0D:02:40:D3:C2
intermediate, Oct 7, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 71:13:D9:3A:CD:21:F2:EE:9F:59:17:8D:A6:F9:AE:14
clearwellkey, Oct 7, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): A3:DA:A4:41:3D:78:B2:EB:5A:00:3A:A9:67:3A:19:01


If all the entries are of type trustedCertEntry then your keystore doesn't contain the private key for your certificate and Clearwell will not be able to listen on port 443.
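The check described above can be automated. The following is an added example, not part of the original article or of Clearwell: it parses saved `keytool -list` output and reports whether the `clearwellkey` alias is a PrivateKeyEntry. The function names and the regular expression are assumptions based on the listing format shown above.

```python
import re
import sys

# Entry lines of `keytool -list` look like: "clearwellkey, Oct 7, 2012, PrivateKeyEntry,"
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+),\s+.+,\s+(?P<type>\w+Entry),\s*$")

# Listing from the article (fingerprint lines omitted; the parser ignores them anyway).
GOOD_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Oct 7, 2012, trustedCertEntry,
intermediate, Oct 7, 2012, trustedCertEntry,
clearwellkey, Oct 7, 2012, PrivateKeyEntry,
"""

# Constructed sample: a keystore newly created by `keytool -import` holds only certificates.
BAD_LISTING = GOOD_LISTING.replace("PrivateKeyEntry", "trustedCertEntry")


def parse_entries(listing):
    """Return {alias: entry_type} from the text printed by `keytool -list`."""
    entries = {}
    for line in listing.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries[match.group("alias").strip()] = match.group("type")
    return entries


def check_keystore(listing, alias="clearwellkey"):
    """Return (ok, message): ok is True only if `alias` is a PrivateKeyEntry."""
    entries = parse_entries(listing)
    if not entries:
        return False, "no entries found; is this keytool -list output?"
    kind = entries.get(alias)
    if kind is None:
        return False, f"alias {alias!r} not found (aliases: {sorted(entries)})"
    if kind != "PrivateKeyEntry":
        return False, f"alias {alias!r} is {kind}: keystore has no private key for it"
    return True, f"alias {alias!r} is PrivateKeyEntry"


if __name__ == "__main__":
    # Feed saved `keytool -list` output on stdin; exit status 1 means the check failed.
    ok, message = check_keystore(sys.stdin.read())
    print(("OK: " if ok else "FAIL: ") + message)
    sys.exit(0 if ok else 1)
```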


