Troubleshooting SSL certificates and Crowd
1. Ensure that you are not using any parameters in the JAVA_OPTS variable that refer to your keystore, for example:
-Djavax.net.ssl.trustStore="/my/key/store"
Such a parameter replaces the JRE's default cacerts store, so certificates you import into cacerts are never consulted. The JAVA_OPTS variable is normally set in the Crowd distribution's apache-tomcat/bin/setenv.sh or setenv.bat file (depending on the OS you are using). Remove these references and restart Crowd.
2. Run this command on the Crowd server, replacing <ip address of LDAP server> with your LDAP server's IP address (s_client keeps the connection open after the handshake; press Ctrl+D or type Q to close it once the certificate has been printed):
openssl s_client -connect <ip address of LDAP server>:636
3. Save the certificate from the response (including the BEGIN CERTIFICATE and END CERTIFICATE lines) into a local file called tmp.pem.
4. Run this command on the local tmp.pem file. It prints the certificate's MD5 fingerprint. Note that keytool in Java 8 lists SHA-1 fingerprints and Java 9 or later lists SHA-256 fingerprints rather than MD5; if your keytool does not show MD5 values, use the -sha256 option here instead and add -v to the keytool command in the next step so it prints all fingerprints.
openssl x509 -fingerprint -md5 -noout -in tmp.pem
5. Run this command on the Crowd server. This assumes you are using the default keystore and the $JAVA_HOME (or for Windows %JAVA_HOME%) variable has been set. If not, please specify the correct keystore path. On Java 9 or later the default keystore is $JAVA_HOME/lib/security/cacerts (there is no jre/ directory). The default password for cacerts is changeit.
keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
6. Ensure that the fingerprint from step 4 is listed in your keystore. If it is not, you will need to import the tmp.pem certificate into your keystore with keytool and restart Crowd.
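The six steps above as a reusable POSIX shell script. This is an added example, not part of the Crowd documentation or the Crowd distribution. It assumes openssl and keytool are on PATH, that the JRE cacerts store uses the default password changeit unless another is passed, and that the host name ldap.example.com is a placeholder; the embedded s_client output is constructed for the offline self-check and is not a real certificate.

```shell
# Added example: the keystore check from this page as shell functions.
# Assumptions: openssl and keytool on PATH; cacerts password "changeit" unless
# given; LDAP host supplied via the LDAP_HOST environment variable.

# Print only the first PEM block (the server's own certificate) from
# `openssl s_client` output. Works on captured output, so it is testable offline.
extract_first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Strip the "XXX Fingerprint=" label from `openssl x509 -fingerprint` output and
# upper-case the hex so it matches keytool's formatting exactly.
fingerprint_hex() {
    sed 's/^.*=//' | tr 'a-f' 'A-F'
}

# Steps 2 and 3: fetch the LDAP server certificate and emit it as PEM.
# stdin comes from /dev/null so s_client exits after the handshake instead of
# waiting for interactive input.
fetch_ldap_cert() {           # fetch_ldap_cert <host> [port] > tmp.pem
    openssl s_client -connect "$1:${2:-636}" -servername "$1" </dev/null 2>/dev/null |
        extract_first_cert
}

# Step 4: fingerprint of a PEM file. SHA-256 by default because keytool on
# Java 9+ no longer prints MD5; pass "md5" to reproduce the page's command.
cert_fingerprint() {          # cert_fingerprint <pemfile> [sha256|sha1|md5]
    openssl x509 -fingerprint "-${2:-sha256}" -noout -in "$1" | fingerprint_hex
}

# Step 5: locate cacerts. It moved out of jre/ with Java 9.
default_cacerts() {
    for f in "$JAVA_HOME/lib/security/cacerts" "$JAVA_HOME/jre/lib/security/cacerts"; do
        if [ -f "$f" ]; then echo "$f"; return 0; fi
    done
    echo "cacerts not found under JAVA_HOME=$JAVA_HOME" >&2
    return 1
}

# Step 6: is the fingerprint already trusted? `-v` makes keytool print the
# per-certificate fingerprints that the plain listing omits on newer JDKs.
keystore_has_fingerprint() {  # keystore_has_fingerprint <keystore> <fp> [storepass]
    keytool -list -v -keystore "$1" -storepass "${3:-changeit}" 2>/dev/null | grep -qF "$2"
}

# Import the PEM certificate under a readable alias when it is missing.
import_cert() {               # import_cert <keystore> <alias> <pemfile> [storepass]
    keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$3" \
        -keystore "$1" -storepass "${4:-changeit}"
}

# Constructed sample of s_client output (not a real certificate) for the
# offline self-check of the text-handling functions.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ldap.example.com
   i:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
MIIBsampleBodyNotARealCertificate==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.example.com'

# Returns 0 when extraction yields exactly the 3-line PEM block and the
# fingerprint label is stripped and upper-cased as expected.
selfcheck() {
    n=$(printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | extract_first_cert | wc -l | tr -d ' ')
    [ "$n" = "3" ] && [ "$(printf 'MD5 Fingerprint=ab:cd:ef\n' | fingerprint_hex)" = "AB:CD:EF" ]
}

# Usage: LDAP_HOST=ldap.example.com [LDAP_PORT=636] sh check_ldap_cert.sh
if [ -n "${LDAP_HOST:-}" ]; then
    ks=$(default_cacerts) || exit 1
    fetch_ldap_cert "$LDAP_HOST" "${LDAP_PORT:-636}" > tmp.pem
    fp=$(cert_fingerprint tmp.pem)
    if keystore_has_fingerprint "$ks" "$fp"; then
        echo "OK: $fp is already trusted in $ks"
    else
        echo "Missing: importing $LDAP_HOST certificate into $ks"
        import_cert "$ks" "ldap-$LDAP_HOST" tmp.pem
    fi
fi
```

The script compares SHA-256 fingerprints rather than MD5 so that it works against any keytool version; after a successful import, Crowd still has to be restarted before it will use the new trust store contents.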
If you continue to experience issues with your SSL configuration and Crowd, please open a new support issue. Attach the <Crowd application directory>/atlassian-crowd.log file and the output of the tests above to the support issue.