tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Richard S. Huntrods" <huntr...@nucleus.com>
Subject RE: Please Help - Tomcat serves HTTPS with self-signed cert, but not Thawte cert!
Date Wed, 06 Feb 2002 21:32:36 GMT
Paul,

It is not strange - just very, very convoluted.  I have spent 2 months
getting this stuff to work, and am about to order my cert from Thawte.

There are a couple of problems.  First, all certs in your keystore must
have the 'tomcat' alias.  Second, the type of certificate ordered from a
vendor is *CRITICAL*, both to the way the final keystore is generated,
and to your ability to use the 'tomcat' alias without error.

In a nutshell, you must request a "PKCS#7 chain format" certificate from
the vendor, or nothing else will work.  Also, don't remove the trailing
linefeeds on the vendor cert - or it won't import.

I suspect either your alias, or your type of cert.  Contact Thawte for
further info - but I worked with Jason Barr and he was EXCELLENT.

Here is a excerpt from one of his emails to me about getting and
installing a Thawte cert:

~~~~~~~~~~~~~~~~~~~~~~from Jason Barr at Thawte~~~~~~~~~~~~~~~~~~~~~~~~
Generate the keystore and key files without the parameters specifying a
validity date, so the command should
look like this:

keytool -genkey -keyalg RSA -keystore [keystore name] -alias [key name]

Then you will generate a CSR with the following command:

keytool -certreq -keystore [keystore name] -file mycsr.csr -alias [key
name]

With the trusted certs you receive a status page where various formats
of the cert can be downloaded, and the
default option should be PKCS#7, if it isn't you can select it.  ; )

Import the file with the following command:

 keytool -import -file mycert.crt -alias [keyentry alias in keystore]
-trustcacerts
-keystore [keystore name]

The private key file is the file created within the keystore and the
-alias switch gives the key its name. You should
backup the keystore file created, as this will backup the key file.

If you have problems with the certificate you should be able to fix
them, but if you lose the private key you will
need to buy another.
~~~~~~~~~~~~~~~~~~~~~~~~

Cheers,

-Richard
=============================Paul Morrow wrote: ========================

   Date:
        Wed, 6 Feb 2002 16:03:39 -0800
   From:
        "Paul Morrow" <paul@morrow.net>

This is a rather strange problem that I'm hoping someone can assist
with.
In a nutshell, Tomcat serves HTTPS pages when a self-signed cert is
installed, but not when a Thawte cert is installed.

I'm running Tomcat 4.0.1 on Solaris 8.  I used keytool to create a
self-signed cert, i.e.

    ./keytool -genkey -alias tomcat -keyalg RSA

I restarted Tomcat and could then access my pages via https as
expected.  I
ordered and received a cert from Thawte which I used keytool to install
(after deleting the self-signed cert), i.e.

    ./keytool -import -alias foo -file baz

I restarted Tomcat, but now HTTPS no longer works (however, the pages
are
still available via HTTP).

openssl reports the following

    CONNECTED(00000004)
    3824:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:s23_clnt.c:455:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 130 bytes
    ---
    New, (NONE), Cipher is (NONE)
    ---

Does anyone have any ideas why this might be the case?

Thanks in advance for any help you can provide.

Paul Morrow
MMS Incentives, Inc.





--
To unsubscribe:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands: <mailto:tomcat-user-help@jakarta.apache.org>
Troubles with the list: <mailto:tomcat-user-owner@jakarta.apache.org>


Mime
View raw message