I (somewhat sadly, imo) need to run Tomcat/SSL on a public-facing machine at work. I was really, really hoping I could use the GCJ-compiled version of Tomcat supplied in the base repository.

I can't get Tomcat to read a Java keystore created with the keytool utility provided (in java-1.4.2-gcj-compat-1.4.2.0-40jpp.110).

The Sun and GNU keytools produce different keystores. I'll use the Tomcat nomenclature to describe the differences. Obviously, I'm looking for the correct "algorithm" (i.e., certificate signing algorithm) setting:

Toolset keystoreType algorithm ------- ------------ --------- Sun JKS SunX509 GNU GKR ???

The Tomcat that ships with CentOS 4.92 defaults to assuming keystoreType="JKS" and algorithm="SunX509" so that in /etc/tomcat5/server.xml the Connector tag will assume those values, e.g.,

<Connector port="8443" maxHttpHeaderSize="8192" [....] scheme="https" secure="true" sslProtocol="TLS" keystoreType="JKS" algorithm="SunX509" />

With those settings -- either implicitly (since they're the default) or explicitly -- Tomcat fails to start an SSL listener. The catalina.out log reports:

SEVERE: Exception trying to load keystore /path/to/keystore java.security.KeyStoreException: JKS

If I set keystoreType="gkr", the error changes:

SEVERE: Error initializing endpoint java.io.IOException: SunX509

I've taken some wild stabs at guessing the algorithm string ("X.509", "X509", "GnuX509", "GNU-CRYPTOX509", and some others), to no avail.

My keystore seems to be valid, since "keytool -list" run against it produces the expected output.

My google-foo has failed me completely. Help, anyone?