tomcat-users mailing list archives

From Christina Cunningham <>
Subject Re: SSL problems with commercial X509 certificates and jks - solution
Date Thu, 05 Aug 2004 09:00:09 GMT

I have finally found a solution to the problem of
using commercial certificates and running tomcat in
https mode. As this seems to be a common issue for
people using tomcat and 3rd party certs, I have
provided the information below - might save someone
else some time!
(I have translated the solution found at

Prior to starting:
Ensure that there are a hostcert.pem and a hostkey.pem,
and that hostcert.pem starts and ends with
-----. If it contains any other information, then
create a copy of the .pem file, delete any other lines
and use this copy to carry out the steps below.

The following steps should be followed to configure
Tomcat for HTTPS communication using a 3rd-party CA:

1. Follow ONLY the 'Edit the Tomcat Configuration File'
section in the Jakarta Project Tomcat SSL
Configuration HOW-TO located at

2. Import the CA root certificate into the Tomcat cacerts:
    keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file caRoot.pem
This is the system-wide CA certificate store and
contains entries for other CAs such as Verisign and
3. Create the Java keystore used by Tomcat. This is
located at $HOME/.keystore – if the file doesn't
already exist it will be created in the process.
The first step is to generate a certificate in pkcs12
format by combining the host's key and certificate:
    openssl pkcs12 -export -inkey hostkey.pem -in hostcert.pem -out <host_name>.pkcs12

The next step is to read the pkcs12 file into the
keystore. To do this a Java class taken from Jetty is
used. Download Jetty (if required) and locate the file. This needs to be compiled and
then run using:
    java -classpath org.mortbay.jetty-jdk1.2.jar PKCS12Import <host_name>.pkcs12 $HOME/.keystore
( java <classpath> <class file> <pkcs12 cert> <keystore location> )
When asked for the input keystore password – this is
the certificate password used in the step above. The
output keystore password is the password of the
.keystore, 'changeit'.

This puts the host certificate and key into the
keystore with an alias of 1. To rename the alias, the
following steps are required:
    keytool -keyclone -keystore .keystore -alias 1 -dest
Delete the alias 1 from the keystore using:
    keytool -delete -keystore .keystore -alias 1
(These steps are not obligatory.)

Create the chain of certificates.
Concatenate the host certificate file with the CA root:
    cat hostcert.pem caRoot.pem >
Generate a pkcs7 file which contains this chain:
    openssl crl2pkcs7 -nocrl -certfile certchain-<host_name>.pem -outform DER -out certchain-<host_name>.pkcs7
Import this chain into the keystore:
    keytool -import -alias <host_name> -trustcacerts -file certchain-<host_name>.pkcs7 -keystore .keystore

Check the content of your keystore:
    keytool -list -v -keystore .keystore
This should contain the entry of type keyEntry, which
is a chain of certificates.

If using jakarta-tomcat-4.1.27, a known bug exists
which results in tomcat throwing a fatal error after
two hits with https. This bug is documented and
discussed with the necessary information to fix this
issue at

Restart tomcat and open https://<host_name>:8443/ in
your browser.

Hope this helps!


 --- Christina Cunningham
<> wrote: 
> Hi
> I am trying to deploy tomcat securely using https
> and
> X509 certificates issued by a CA. I have followed
> the
> documentation on the tomcat webpage to insert my CA
> certificate into the cacerts store in Java as well
> as
> the server.ks and changed the server.xml file.
> When I try and run tomcat securely using my issued
> certificates (which are valid and have nothing
> before
> the BEGIN CERTIFICATE line) I get an error message
> from the browser that "Mozilla and localhost cannot
> communicate securely because they have no common
> encryption algorithms".
> However, if I put a self generated and signed
> certificate into the java .keystore located in my
> $HOME directory, tomcat will run securely. If I
> replace this certificate with an issued certificate
> then I get the same error message detailed above.
> Can anyone shed some light on this problem?
> I am using tomcat 4.1.27, Red Hat Linux 9.0 and
> mozilla-1.6.1.
> Thanks,
> Christina


To unsubscribe, e-mail:
For additional commands, e-mail:
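The procedure in the post above, as an added example that is not part of the original message or of the Tomcat project: it generates a throwaway root CA and host certificate (constructed test data; the host name tomcat.example.test and the password "changeit" are assumptions), strips any text outside the PEM block as the "Prior to starting" step requires, verifies that the host certificate chains to caRoot.pem before anything is imported, and then builds key, host cert and CA chain into one PKCS#12 bundle with a single `openssl pkcs12 -export -certfile` call. That one call does the work of the Jetty PKCS12Import class plus the crl2pkcs7 chain import, and the resulting .p12 can be loaded by Tomcat directly with keystoreType="PKCS12", or converted to a JKS with `keytool -importkeystore` (run here only if keytool is on PATH).

```shell
#!/bin/sh
# Added example, not from the original post. Builds the host key and the
# full certificate chain into one PKCS#12 bundle and verifies the chain
# before any keystore is touched. Needs only openssl; keytool is used at
# the end only if it is on PATH. Everything here is constructed: the
# root CA, the host cert and the host name tomcat.example.test are
# throwaway test data, and "changeit" is the assumed bundle password.
set -eu

HOST=tomcat.example.test
PASS=changeit
WORK=$(mktemp -d)
cd "$WORK"

# Constructed test PKI: a private root CA and one host cert it issued.
make_test_pki() {
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_host]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:tomcat.example.test
EOF
    openssl req -config pki.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Test Root CA" -keyout caKey.pem -out caRoot.pem \
        >/dev/null 2>&1
    openssl req -config pki.cnf -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
        -keyout hostkey.pem -out host.csr >/dev/null 2>&1
    # Mimic what many commercial CAs send: readable text before the PEM
    # block. The post's "Prior to starting" step exists to strip this.
    {
        echo "Certificate issued to $HOST by Example Test Root CA"
        openssl x509 -req -in host.csr -CA caRoot.pem -CAkey caKey.pem \
            -CAcreateserial -days 365 -extfile pki.cnf -extensions v3_host \
            2>/dev/null
    } > hostcert.pem
}

# Keep only the PEM block(s), so the file starts and ends with the
# -----BEGIN/END CERTIFICATE----- markers; CRLF line endings are dropped too.
clean_pem() {
    tr -d '\r' < "$1" |
        sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Check that the host cert really chains to caRoot.pem. A wrong or missing
# chain is the usual reason the handshake fails even though the cert
# "imported fine".
verify_chain() {
    openssl verify -CAfile caRoot.pem hostcert-clean.pem >/dev/null 2>&1
}

# One openssl call produces what the post built in several steps: the key,
# the host cert and the CA chain, stored under a readable alias.
build_p12() {
    openssl pkcs12 -export -inkey hostkey.pem -in hostcert-clean.pem \
        -certfile caRoot.pem -name "$HOST" -passout "pass:$PASS" -out "$HOST.p12"
}

# Number of certificates in the bundle: host cert plus root = 2.
p12_cert_count() {
    openssl pkcs12 -in "$HOST.p12" -passin "pass:$PASS" -nokeys 2>/dev/null |
        grep -c '^-----BEGIN CERTIFICATE-----$'
}

# Optional: convert to JKS for a Tomcat that cannot read PKCS#12 directly.
# Current Tomcat loads the .p12 as-is with keystoreType="PKCS12".
to_jks() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping JKS" >&2; return 0; }
    keytool -importkeystore -srckeystore "$HOST.p12" -srcstoretype PKCS12 \
        -srcstorepass "$PASS" -destkeystore keystore.jks -deststoretype JKS \
        -deststorepass "$PASS" -noprompt >/dev/null 2>&1 &&
        keytool -list -keystore keystore.jks -storepass "$PASS" 2>/dev/null | grep -i "$HOST" ||
        echo "keytool could not read the bundle (old JDK?)" >&2
}

make_test_pki
clean_pem hostcert.pem > hostcert-clean.pem
verify_chain || { echo "hostcert.pem does not chain to caRoot.pem" >&2; exit 1; }
build_p12
echo "certificates in $HOST.p12: $(p12_cert_count)"
to_jks
```

The keytool listing, when it runs, should show a single PrivateKeyEntry under the host alias whose chain length is 2; that is the "keyEntry which is a chain of certificates" the post tells you to look for with `keytool -list -v`. If `openssl verify` fails here, fix the chain (wrong root, missing intermediate) before importing anything, since the keystore will happily accept a certificate that no client can validate.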
