Wednesday, April 23, 2008

Java Self-Signed Certificates and Firefox 3 beta 5

A few weeks ago, I started having problems with Firefox 3 beta 5 and my self-signed certificates being used by some Tomcat servers. Though I could add the certificate as an exception, Firefox 3 beta 5 would not let me get in. I was using Java's keytool with the -genkeypair option to create the certificate.

I recently discovered a solution. keytool by default uses the DSA algorithm when generating the self-signed cert. Earlier versions of Firefox accepted these keys without problem. With Firefox 3 beta 5, using DSA doesn't work, but using RSA does. Passing "-keyalg RSA" when generating the self-signed certificate creates a cert that Firefox 3 beta 5 fully accepts.

I'm not sure if this is by Firefox design or not, but at least it's working for me.
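The fix above as a small script, added here as an example and not part of the original post: one function generates the key pair with "-keyalg RSA", and two more read `keytool -list -v` output to find keystore entries still signed with DSA. The alias, CN, key size, validity and the sample listing are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example. Alias "tomcat", CN=localhost, 2048 bits and 365 days are
# assumed values, not taken from the post.

# Generate a self-signed RSA key pair instead of relying on keytool's default.
# $1 = keystore path, $2 = password used for both store and key
gen_rsa_keystore() {
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
        -validity 365 -dname "CN=localhost" \
        -keystore "$1" -storepass "$2" -keypass "$2"
}

# Read `keytool -list -v` output on stdin; print "alias sigalg" for each entry.
list_sig_algs() {
    awk -F': ' '
        /^[ \t]*Alias name:/               { alias = $2 }
        /^[ \t]*Signature algorithm name:/ { print alias, $2 }
    '
}

# Read the same listing on stdin; print only aliases whose cert is DSA-signed.
find_dsa_entries() {
    list_sig_algs | awk '$2 ~ /withDSA$/ { print $1 }'
}

# Constructed sample of `keytool -list -v` output (trimmed to the lines used).
SAMPLE_LISTING='Alias name: oldtomcat
Entry type: PrivateKeyEntry
Signature algorithm name: SHA1withDSA

Alias name: tomcat
Entry type: PrivateKeyEntry
Signature algorithm name: SHA256withRSA'

# Against a real keystore (KS and PW are placeholders you set yourself):
#   keytool -list -v -keystore "$KS" -storepass "$PW" | find_dsa_entries
```

Any alias that find_dsa_entries prints is a candidate for regeneration with gen_rsa_keystore.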
