Installing SSL CA certificate into client
Hi,
Our RTC server has been configured for SSL, and the self-signed certificate replaced with one signed by our company-wide root CA certificate. However, since that's not one of the standard root CAs, when I start the client it displays a warning about the "untrusted" SSL certificate.
I know I can just select "always accept", but as a better solution (which allows for the server cert expiring and being replaced, and perhaps could be included in our standard installation) is it possible to import the corporate CA cert somewhere so that the server certificate will automatically be trusted? I didn't see anything for it under Window->Preferences in the client; what about if it was added into jdk\jre\lib\security\cacerts in the bundled java runtime? (and any suggestions how I go about it?)
Andrew.
2 answers
Nobody knows? Guess I'll have to experiment, then.
Andrew.
In case it's of use to anyone else, here's how I got it working.
At a command prompt,
cd "C:\Program Files\IBM\TeamConcert\jdk\jre\lib\security"
(I'm using Windows XP, YMMV.) Then
..\..\..\bin\keytool -import -alias mycorporaterootca -file C:\Path\To\MyRootCA.crt -keystore cacerts -storepass changeit
This assumes the cacerts' password hasn't been changed from the default. And obviously you need a .crt file containing the root certificate.
Having done that, when I start up and connect to the repository, it now accepts the repository's certificate as being trusted and no longer prompts me.
The same worked for Rational Application Developer, though obviously the cacerts path was different (C:\Program Files\IBM\RAD8\jdk\jre\lib\security).
Andrew.
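A check that could accompany the import in a standard installation, as an added example that is not part of the original post: it prints the CA certificate's SHA-256 fingerprint so it can be compared with the value published by whoever runs the corporate CA, then reports whether the given cacerts already trusts that exact certificate. The class name CheckCaTrust and its arguments are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example (hypothetical helper, not from the post).
// Usage: java CheckCaTrust <path-to-cacerts> <path-to-ca.crt> [storepass]
public class CheckCaTrust {
    // Colon-separated SHA-256 fingerprint of the DER-encoded certificate.
    static String sha256(byte[] der) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(der)) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b & 0xff));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: CheckCaTrust <cacerts> <ca.crt> [storepass]");
            System.exit(2);
        }
        // "changeit" is the default cacerts password the post assumes.
        char[] pass = (args.length > 2 ? args[2] : "changeit").toCharArray();

        X509Certificate ca;
        InputStream in = new FileInputStream(args[1]);
        try {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        } finally { in.close(); }

        // Compare the fingerprint with the one obtained out of band.
        System.out.println("Subject : " + ca.getSubjectX500Principal());
        System.out.println("SHA-256 : " + sha256(ca.getEncoded()));
        System.out.println("Expires : " + ca.getNotAfter());
        ca.checkValidity(); // throws if expired or not yet valid

        KeyStore ks = KeyStore.getInstance("JKS");
        in = new FileInputStream(args[0]);
        try { ks.load(in, pass); } finally { in.close(); }

        // getCertificateAlias returns null unless this exact certificate is stored.
        String alias = ks.getCertificateAlias(ca);
        System.out.println(alias != null ? "TRUSTED under alias '" + alias + "'"
                                         : "NOT in keystore: import it with keytool");
        System.exit(alias != null ? 0 : 1);
    }
}
```

The exit code (0 trusted, 1 not present) lets an install script decide whether the keytool import still needs to run.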