Architecture > Encryption

SSL

Here's some guidance on how to troubleshoot the following SSL-related issues, such as No available authentication scheme,Unsupported or unrecognized SSL message, or SSL Protocol Error.

In our experience these issues are not caused by 3forge AMI but are generic error messages indicating that there was a problem in how the certificate was generated.

Here is our recommended procedure for the generation:

1. Download the root keystore for your environment (Should not matter if using jks or pem)

   keytool -importkeystore -srckeystore cacerts.jks -destkeystore web.keystore
   

   Or

   keytool -import -file cacert.pem -keystore web.keystore
   

2. Generate Certificate Signing Request (CSR) - Modifies keystore * keypass and storepass should match https.keystore.password, source password is the cacerts password

   keytool -genkeypair -keystore web.keystore -alias server -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=...,OU=...,O=C=..."
   

3. Through your Certificate Authority (CA) create a Certificate Request -> Certificate Type, MS CA WebServer to generate a Certificate

4. Import the certificate into the keystore

   keytool -import -v -trustcacerts -alias root -keystore web.keystore -file cert.cer -keypass [pass] -storepass [pass]
   

5. In our experience the following command didn't work and was the cause of the above SSL-related errors

   keytool -importcert -keystore web.keystore -alias server -file cert.cer