"Signature does not match" error when importing a certificate into keystore - why?

In principle, this is a keytool issue, not anything to do with Shibboleth, but it would probably be helpful to understand where I am trying to get to (skip to the bits in bold if the Shibboleth stuff doesn't mean anything to you):

I am trying to set up a Shibboleth SSO configuration. The IdP was already set up, and I have established an SP to talk to it. So far (after much hacking away), so good - the SP (linked into an apache reverse proxy) intercepts calls to secured resources and redirects to the IdP correctly, which presents a login page. After logging in, the IdP replies handing the SP a token.

The SP is then supposed to contact the IdP to get the token translated into attributes valid for the person who logged in, but here the IdP is complaining that the message doesn't meet security requirements.

As best as I can tell, this is because tomcat is not accepting the SP's certificate, which was self-signed.

Instead I am trying to generate a CA cert, and use that to sign the certificate. I have added the CA cert into $JAVA_HOME/jre/lib/security/cacerts, so keytool should trust it, but then when I try importing the signed SP certificate into the keystore, I get the error:

keytool error: java.security.SignatureException: Signature does not match.

The import command I am using is:

keytool -import -v -alias sp_signed_cert -keystore idp.jks -trustcacerts -file server.crt

where server.crt is the signed SP certificate.

Why am I getting this error, and what can I do about it?

The only options I seem to have left are:

• put apache in front of the Tomcat running the IdP and use its "optional_no_ca" setting to be able to use a self-signed certificate,
• pay for a well-known CA to sign the certif开发者_如何学运维icate (not really appropriate for a proof-of-concept, though)

Well don't know about SSO or IdP to be honest but here goes:

As best as I can tell, this is because tomcat is not accepting the SP's certificate, which was self-signed.

If this is indeed the problem all you have to do is import that certificate to Tomcat's truststore.

Instead I am trying to generate a CA cert, and use that to sign the certificate

I have no idea what you are trying to do here. It is signed by who?
The cacerts by default has the certificate of all CAs that are trusted e.g. Verisign.
Also the import command you mention in the post is trying to import to idp.jks not the cacerts

put apache in front of the Tomcat running the IdP and use its "optional_no_ca" setting to be able to use a self-signed certificate,

You don't need apache in front of tomcat, also, Shibboleth people say don't.

pay for a well-known CA to sign the certificate (not really appropriate for a proof-of-concept, though)

The need for a wll-known CA, is just because o trust-chains, you will never need to pay, if you don't want.

Try to communicate first without encryption, since you are doing a proof-of-concept.

The error is when you do the import? Why don't you import the CA cert instead of just a specific SP?