NOTE: This issue has been fixed in both the production and test federations from 08/10/2013.
1.) Download the AusCERT CA SSL certificate
The URL for the AusCERT CA SSL certificate is:
You can download the certificate using a web browser, or a tool like wget.
2.) Verify the authenticity of the AusCERT CA SSL certificate
It is crucial that you verify that the SSL certificate you have downloaded is really the AusCERT CA certificate. To help you verify this, we have put a copy of the check sums for the certificate in this article.
Here are the MD5 and SHA1 check sums for the AusCERT CA SSL certificate:
MD5 = 01b51a12f1b413168610155e447a68c8
SHA1 = e0d026c7a8fb4182e643e25f9c66b35e5a86db1d
You can verify these check sums using utilities like md5sum and sha1sum on Linux, or md5 and shasum, for Mac OS X.
3.) Back up your JVM SSL key store before making any changes.
The location of the SSL key store will depend on the operating system and JVM that you are using. On RHEL 6/CentOS 6 with the OpenJDK 6, the key store is in the file /usr/lib/jvm/java-1.6.0-openjdk-22.214.171.124.x86_64/jre/lib/security/cacert with a symbolic link to this file in /etc/pki/java/cacerts.
It is a very good idea to take a copy of the key store before you modify it. If any errors are introduced after you modify the key store, you can just copy the old file back in place and restart tomcat, and this will restore your old key store.
So make a back up copy of your old SSL key store.
cp /etc/pki/java/cacerts /etc/pki/java/cacerts.bak
3.) Import the PEM encoded SSL certificate into key store for your JVM.
keytool -alias AusCERT-Server-CA -import -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit -file AusCERTServerCA.crt
If you receive a warning that the keystore already contains that certificate, then you don't need to import it again, and you can answer "no" (this is the default).
4.) Restart your tomcat instance
service tomcat6 restart
This will make tomcat reload the JVM's updated SSL key store.