tomcat-users mailing list archives

From Oliver Wulff <oliver.wu...@zurich.ch>
Subject SSL, keystore with ca hierarchy
Date Sat, 24 Jan 2004 14:24:37 GMT




I've created the following keystore for Tomcat 4.1.18:
SET KEYSTORE_FILE=.\.keystore

keytool -import -keystore %KEYSTORE_FILE% -storepass icebeer -alias root -trustcacerts -file CA_Root_APU.pem
keytool -import -keystore %KEYSTORE_FILE% -storepass icebeer -alias server_ca -trustcacerts -file CA_Server_APU.pem
keytool -import -keystore %KEYSTORE_FILE% -storepass icebeer -alias tomcat -trustcacerts -file TestServer_APU.pem

The root CA is self-signed. The Tomcat certificate is signed by server_ca,
which is issued by the root CA. The passwords for the keystore and the
Tomcat certificate are identical. Further, I've configured the server.xml
accordingly:
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="9443" minProcessors="5" maxProcessors="75"
           enableLookups="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           useURIValidationHack="false" disableUploadTimeout="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" protocol="TLS"
           keystoreFile="certs/.keystore"
           keystorePass="123456"
           />
</Connector>

Tomcat starts with no problems:
24.01.2004 15:10:41 org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on port 9080
24.01.2004 15:10:41 org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on port 9443

But I get the error "The Page Cannot Be Displayed" when I try to access the
index.html.

When I create the certificates in the following way it does work:
keytool -genkey -storepass 123456 -alias tomcat -keyalg RSA -keystore .\dummy.keystore
keytool -rfc -storepass 123456 -export -alias tomcat -keystore .\dummy.keystore -file dummy.tomcat.pem

Does Tomcat not support certificates with a CA hierarchy?

-oliver
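The two keystore layouts side by side, as an added example that is not part of the original post: it uses openssl to build a root -> server_ca -> server hierarchy (the demo file names, subject names and the password changeit are assumptions), checks that the chain verifies, and then shows with keytool that importing only the server certificate into a fresh alias produces a trustedCertEntry with no private key, while importing the private key together with its chain produces the PrivateKeyEntry a Tomcat connector needs.

```shell
#!/bin/sh
# Added example, not from the original post: build root -> server_ca -> server with openssl,
# verify the chain, and load it into a JKS keystore so that alias "tomcat" is a PrivateKeyEntry
# carrying the full chain. File names, subjects and the password are constructed for this demo.
set -e
WORK="${WORK:-$(mktemp -d)}"
PASS=changeit   # demo value; keystorePass in server.xml must match the keystore and key password
build_hierarchy() (
  cd "$WORK"
  # CA extensions (root and intermediate): a CA that may sign certificates; leaf: server only
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:localhost\n' > srv.ext
  # Self-signed root CA
  openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Demo Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 3650 -extfile ca.ext 2>/dev/null
  # Intermediate (server_ca) signed by the root
  openssl req -newkey rsa:2048 -nodes -keyout server_ca.key -out server_ca.csr -subj "/CN=Demo Server CA" 2>/dev/null
  openssl x509 -req -in server_ca.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out server_ca.pem -days 1825 -extfile ca.ext 2>/dev/null
  # Server leaf signed by server_ca
  openssl req -newkey rsa:2048 -nodes -keyout tomcat.key -out tomcat.csr -subj "/CN=localhost" 2>/dev/null
  openssl x509 -req -in tomcat.csr -CA server_ca.pem -CAkey server_ca.key -CAcreateserial \
    -out tomcat.pem -days 365 -extfile srv.ext 2>/dev/null
)
# A client that trusts only the root must be able to chain leaf -> server_ca -> root.
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/server_ca.pem" "$WORK/tomcat.pem" \
    >/dev/null 2>&1 && echo ok || echo fail
}
# Entry type keytool reports for alias "tomcat" in the given keystore.
entry_type() {
  keytool -list -keystore "$1" -storepass "$PASS" -alias tomcat 2>/dev/null \
    | grep -oE 'PrivateKeyEntry|trustedCertEntry'
}
# -importcert of the leaf into a fresh alias gives a trustedCertEntry: no private key, so no TLS handshake.
import_leaf_only() (
  cd "$WORK"
  keytool -importcert -keystore wrong.jks -storetype JKS -storepass "$PASS" -alias root -file root.pem -noprompt >/dev/null 2>&1
  keytool -importcert -keystore wrong.jks -storetype JKS -storepass "$PASS" -alias tomcat -file tomcat.pem -trustcacerts -noprompt >/dev/null 2>&1
  entry_type wrong.jks
)
# Correct: bundle private key + chain as PKCS12 and import that, so alias "tomcat" is a key entry.
import_key_and_chain() (
  cd "$WORK"
  cat tomcat.pem server_ca.pem root.pem > chain.pem
  openssl pkcs12 -export -inkey tomcat.key -in chain.pem -name tomcat -out tomcat.p12 -passout pass:"$PASS" 2>/dev/null
  keytool -importkeystore -srckeystore tomcat.p12 -srcstoretype PKCS12 -srcstorepass "$PASS" \
    -destkeystore .keystore -deststoretype JKS -deststorepass "$PASS" -noprompt >/dev/null 2>&1
  entry_type .keystore
)
```

Run build_hierarchy first, then verify_chain, import_leaf_only and import_key_and_chain, and compare the entry types reported for alias tomcat; the keystore steps need a JDK keytool on the PATH.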








