After importing my certificate I am unable to use the SSL port. Browsers accessing the SSL port get ERR_SSL_VERSION_OR_CIPHER_MISMATCH, and Java SSL clients get javax.net.ssl.SSLHandshakeException: no cipher suites in common
This knowledge article may contain information that does not apply to version 21.05 or later, which runs in a container environment. Please refer to Article Number 000385088 for more information about troubleshooting BMC products in containers.

So far we've seen 2 cases where the private key is not part of the keystore. When checking the keystore with this command:

    "C:\Program Files\Java\bin\keytool.exe" -list -v -keystore "C:\Users\avidaurr\Documents\sslproblem column\keystore.jks" | less

we've found that the Entry type is a "trustedCertEntry":

    Alias name: main
    Entry type: trustedCertEntry
    Owner: CN=xxxxx, OU=zzzz
    Issuer: CN=zzz, OU=zzz, O=z, L=zzz, ST=zzz, C=zz
    Serial number: zzz

The certificate imported into the keystore must also include the private key in order to work. A proper entry in the keystore should read as:

    Alias name: server
    Entry type: PrivateKeyEntry
    Certificate chain length: 3
    Certificate[1]:
    Owner: CN=zzzz
    Issuer: CN=zzzz
    Serial number: xxxxx

Usually the certificates are created as follows:

1. Create a keypair locally at the server (this includes both the private and the public key).
2. Using the keypair, create a CSR to be signed by the CA.
3. Once the CSR comes back from the CA signed, import it back into the keystore. Preserve the private and public keys.

To import a signed CSR into a Java keystore you can do the following:

    keytool -keystore SERVER_KEYSTORE.jks -storepass PASSWORD -importcert -alias SERVER_ALIAS -file SIGNED_CSR_FILE

Use the alias of the key pair created in step 1 as SERVER_ALIAS. Importing the reply under a new alias creates a trustedCertEntry instead of completing the PrivateKeyEntry.

To import a signed CSR in KeyStore Explorer:

To perform this step you need the key password. Right-click the key pair generated for the server and, on the menu, select "Import CA Reply" > "From File".
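One way to apply the Entry type check above to saved `keytool -list -v` output, as an added example that is not part of the original article. The function names and the sample listings are constructed for illustration, and the parser assumes English-locale keytool output.

```python
import re

# Constructed sample listings, modelled on the two shown in the article.
BROKEN_LISTING = """\
Alias name: main
Entry type: trustedCertEntry
Owner: CN=xxxxx, OU=zzzz
Issuer: CN=zzz, OU=zzz, O=z, L=zzz, ST=zzz, C=zz
"""
GOOD_LISTING = """\
Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=zzzz
"""

# Only these three fields are needed to decide whether a private key is present.
FIELD = re.compile(r"^(Alias name|Entry type|Certificate chain length):\s*(.+?)\s*$")

def parse_listing(text):
    """Return one dict per keystore entry found in `keytool -list -v` output."""
    entries = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "Alias name":  # every entry starts with its alias line
            entries.append({"alias": value, "type": None, "chain_length": 0})
        elif entries and key == "Entry type":
            entries[-1]["type"] = value
        elif entries and key == "Certificate chain length":
            entries[-1]["chain_length"] = int(value)
    return entries

def diagnose(text):
    """Say whether the listing contains a PrivateKeyEntry the server can use."""
    entries = parse_listing(text)
    key_aliases = [e["alias"] for e in entries if e["type"] == "PrivateKeyEntry"]
    if key_aliases:
        return "OK: private key present under alias(es): " + ", ".join(key_aliases)
    cert_only = [e["alias"] for e in entries if e["type"] == "trustedCertEntry"]
    if cert_only:
        return ("BROKEN: only trustedCertEntry alias(es): " + ", ".join(cert_only)
                + "; the signed certificate was imported without its private key")
    return "BROKEN: no entries found"

if __name__ == "__main__":
    import sys
    print(diagnose(sys.stdin.read()))  # usage: keytool -list -v ... | python thisfile.py
```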