tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Tomcat 5 and SSL Configuration
Date Mon, 25 Apr 2005 19:46:11 GMT
The following steps should work (although I have only ever done this 
using my own CA).

1. Create tomcat key in your own keystore
2. Create CSR
3. Submit CSR
4. Get response
5. Import CA's root cert to cacerts (%JAVA_HOME%\jre\lib\security\cacerts)
6. Import new cert to same keystore as 1 (use same alias & trustcacerts option)
7. Restart Tomcat

HTH

Mark

Bruce Perryman wrote:
> Thanks for responding!
> 
> Yes, I do have a backup, but I should have mentioned
> that there were several attempts to get this working.
> One of the first attempts omitted step #5, but I had
> the same result.
> I used step #5 in an attempt to remove the old and
> then insert the new. But that didn't work either.
> 
> One other thing that I noticed is that my previous
> (expired) keystore had 2 certs in it one was a root
> trusted cert entry and the tomcat key entry.
> 
> This time, in one of my initial attempts, the tomcat
> alias was the only entry and it was the trusted cert
> entry.
> 
> Does this have anything to do with the problem?
> --- Mark Thomas <markt@apache.org> wrote:
> 
>>Bruce,
>>
>>You should not have done step 5. This deleted your
>>private key. I hope 
>>you have a backup ;)
>>
>>Mark
>>
>>Bruce Perryman wrote:
>>
>>>Hello,
>>>
>>>I'm using TC 5.0.19 and j2sdk1.4.2_04 on RedHat 9.
>>>
>>>My SSL certificate expired and I received a new one
>>>but haven't been able to get the new one to work. 
>>>
>>>Here are the steps that I used to get the certificate
>>>and import it into my keystore:
>>>
>>>[1] keytool -genkey -alias tomcat
>>>     -keyalg RSA -keystore .keystore
>>>[2] keytool -certreq -alias tomcat
>>>     -keystore .keystore -file tomcat.csr
>>>[3] Submit tomcat.csr to Entrust and then
>>>     retrieve entrust_ssl_ca.cer  (We used
>>>     cut and paste, not file download.)
>>>[4] shut down Tomcat
>>>[5] keytool -delete -alias tomcat
>>>      -keystore .keystore
>>>[6] keytool import -trustcacerts
>>>     -alias tomcat -file entrust_ssl_ca.cer
>>>     -keystore .keystore
>>>[7] restart tomcat
>>>Instead of [6], we also tried:
>>>[6a] keytool import -alias tomcat
>>>      -file entrust_ssl_ca.cer -keystore .keystore
>>>
>>>When I restart Tomcat and view my page, I get the
>>>message that the page cannot be displayed.
>>>
>>>In my catalina.out file, I see the following severe
>>>error msg:
>>>
>>>Endpoint [SSL: ServerSocket[addr=     ]] ignored
>>>exception: java.net.SocketException: SSL handshake
>>>errorjavax.net.ssl.SSLException: No available
>>>certificate corresponds to the SSL cipher suites which
>>>are enabled.
>>>
>>>Does anyone know what I'm doing wrong? I don't have
>>>the exact steps that I performed with my previous
>>>certificate, but the above steps are what I used for
>>>the newly issued certificate.
>>>
>>>Thanks, in advance, for your help.
>>>
> 
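
Added example, not part of the original thread: a shell check for the keystore state discussed above, where the `tomcat` alias has to be a key entry rather than a trusted cert entry. The two listings are constructed in the style of `keytool -list` output, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Real use: keytool -list -keystore .keystore | can_serve_tls tomcat

# Print the entry type keytool lists for alias $1 (listing read from stdin).
# Lines look like "<alias>, <date>, <type>," and the date contains a comma,
# so the type is the last non-empty comma-separated field.
alias_entry_type() {
    awk -F', *' -v want="$1" '
        $1 == want {
            n = NF
            while (n > 1 && $n ~ /^[ \t\r]*$/) n--
            print $n; found = 1; exit
        }
        END { if (!found) print "missing" }
    '
}

# Succeed only if the alias holds a private key plus certificate.
# Older keytool releases print keyEntry, later ones PrivateKeyEntry.
can_serve_tls() {
    case "$(alias_entry_type "$1")" in
        keyEntry|PrivateKeyEntry) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed listing: the layout of the earlier, working keystore.
GOOD_LISTING='Keystore type: jks
Your keystore contains 2 entries

root, Apr 25, 2005, trustedCertEntry,
tomcat, Apr 25, 2005, keyEntry,'

# Constructed listing: key deleted, CA reply imported under the same alias.
BROKEN_LISTING='Keystore type: jks
Your keystore contains 1 entry

tomcat, Apr 25, 2005, trustedCertEntry,'

for name in GOOD_LISTING BROKEN_LISTING; do
    eval "listing=\$$name"
    if printf '%s\n' "$listing" | can_serve_tls tomcat; then
        echo "$name: tomcat is a key entry"
    else
        echo "$name: tomcat has no private key"
    fi
done
```

Running the same check before and after the import step shows whether the CA reply was attached to the existing key or stored as a bare certificate.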

