tomcat-users mailing list archives

From "Andy Tipton" <artip...@tiptonshome.com>
Subject RE: Need help w/ installing certificate continued...
Date Thu, 16 Nov 2006 00:23:26 GMT
I have done the following... (I am running Tomcat 5 on a Windows 2003
Server)

- Recreated the .keystore many different times trying to get one to work...
- Tried different aliases with my domain crt (does the alias matter?)
- Installed the crts in Windows and everything shows fine there when viewing
  the crt.
- Set my config in the server.xml (I have tried SSL and TLS):
      <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
      <Connector port="443" maxHttpHeaderSize="8192" address="192.168.1.190"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" 
	       keystoreFile="tomcat.keystore"
	       keystorePass="changeit"/>
- Imported the certificates into my keystore in the following order: root,
  intermed, tomcat.
      
	C:\Program Files\Java\jdk1.5.0_05\bin>keytool -list -keystore tomcat.keystore
	Enter keystore password:  changeit

	Keystore type: jks
	Keystore provider: SUN

	Your keystore contains 3 entries

	root, Nov 13, 2006, trustedCertEntry,
	Certificate fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
	tomcat, Nov 13, 2006, trustedCertEntry,
	Certificate fingerprint (MD5): 73:EA:94:A1:38:C8:9A:5D:65:44:7C:C7:65:A7:01:5F
	intermed, Nov 13, 2006, trustedCertEntry,
	Certificate fingerprint (MD5): 7A:A5:BA:4F:BC:0A:C5:3C:56:E9:50:A0:13:6A:88:A9

	C:\Program Files\Java\jdk1.5.0_05\bin>

- When I installed the root crt it said that there was already a system wide
  root crt installed, do I want to continue to import it into the keystore
  and I said 'yes'.

- All I get is a 'Page cannot be displayed' when trying to access the   
  browser 'https:'

- If I create a keystore without importing the real crt, then it works, but
  just says that the crt is not trusted.

What am I missing?  I can't get it to work...




-----Original Message-----
From: news [mailto:news@sea.gmane.org] On Behalf Of Saravana Kumar
Sent: Wednesday, November 15, 2006 5:07 AM
To: users@tomcat.apache.org
Subject: Re: Need help w/ installing certificate continued...

Andy Tipton wrote:

> I have read all through the documentation and can't find what I am doing
> wrong. The only thing that I didn't do was the importing of the
> valicert_class2_root.crt file because I wasn't given one when I downloaded
> my certificate.  I imported the real one after I imported the intermediate
> crt.

Did you get any error during this step, i.e., importing intermediate crt after
root?

> So now I have this:
>  
> C:\Program Files\Java\jdk1.5.0_05\bin>keytool -list -keystore .keystore
> Enter keystore password:  changeit
>  
> Keystore type: jks
> Keystore provider: SUN
>  
> Your keystore contains 2 entries
>  
> tomcat5, Nov 13, 2006, trustedCertEntry,
> Certificate fingerprint (MD5): 73:EA:94:A1:38:C8:9A:5D:65:44:7C:C7:65:A7:01:5F
> intermed, Nov 13, 2006, trustedCertEntry,
> Certificate fingerprint (MD5): 7A:A5:BA:4F:BC:0A:C5:3C:56:E9:50:A0:13:6A:88:A9
>  
> C:\Program Files\Java\jdk1.5.0_05\bin>
>  
> Could it have to do with the alias?  I can't figure out what it could
> be.

I am not sure of whether this could be the problem with alias.

> I just get a 'page cannot be displayed' when trying to access it.  I have
> been reading, but can't find anywhere that really explains how the
> keystore and certificate relate to each other, or if the alias matters.
>  
> I really need some help here.

Below are the steps I did on one of my Linux boxes (must work in Windows too).

First I generated tomcat.key & CSR with:
$ keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.key
$ keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore tomcat.key

Got the certs from our CA (files sf_issuing.crt & _mydomain.crt). Copied the
CA's intermediate cert to valicert_class2_root.crt.

First import the CA's intermediate certificate to root, like this:
$ keytool -import -alias root -keystore tomcat.key -trustcacerts -file valicert_class2_root.crt

Then import issuing cert to intermed:
$ keytool -import -alias intermed -keystore tomcat.key -trustcacerts -file sf_issuing.crt

Last is to import your domain's cert to tomcat alias:
$ keytool -import -alias tomcat -keystore tomcat.key -trustcacerts -file _mydomain.crt

The above steps worked perfectly for me. I just had to point to the correct key
file in server.xml and https started working.

Let me know if that helped you out.

Regds,
SK


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
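
An HTTPS connector needs a keystore entry that holds the private key; keytool lists such an entry as keyEntry (PrivateKeyEntry in newer JDKs), while a certificate imported under an alias that has no key is listed as trustedCertEntry. The following is an added example, not part of the original messages: it parses `keytool -list` output in the format shown in this thread and reports whether a given alias is a key entry. The sample listings, their fingerprints and the function names are constructed for illustration.

```python
import re

# Short-form `keytool -list` entry line: "alias, <date>, <entryType>,"
ENTRY_RE = re.compile(r"^\s*(?P<alias>[^,]+),.*,\s*(?P<type>\w+Entry),?\s*$")
FPR_RE = re.compile(r"(?:[0-9A-F]{2}:){15,}[0-9A-F]{2}")
# JDK 1.5 prints "keyEntry"; newer JDKs print "PrivateKeyEntry"
KEY_TYPES = {"keyEntry", "PrivateKeyEntry"}
# Constructed sample listings (fingerprints are made up)
CERT_ONLY = """\
Your keystore contains 3 entries
root, Nov 13, 2006, trustedCertEntry,
Certificate fingerprint (MD5):
00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:01
tomcat, Nov 13, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:02
intermed, Nov 13, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:03
"""
WITH_KEY = CERT_ONLY.replace("tomcat, Nov 13, 2006, trustedCertEntry",
                             "tomcat, Nov 13, 2006, keyEntry")

def parse_keytool_list(text):
    """Return [{'alias', 'type', 'fingerprint'}] from `keytool -list` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"alias": m["alias"].strip(), "type": m["type"], "fingerprint": None})
            continue
        f = FPR_RE.search(line)
        # A mail-wrapped fingerprint sits on the line after its label
        if f and entries and entries[-1]["fingerprint"] is None:
            entries[-1]["fingerprint"] = f.group(0)
    return entries

def check_server_alias(text, alias):
    """List reasons the alias cannot serve as the connector's TLS identity."""
    entries = {e["alias"]: e for e in parse_keytool_list(text)}
    findings = []
    if not any(e["type"] in KEY_TYPES for e in entries.values()):
        findings.append("keystore holds certificates only, no private key")
    entry = entries.get(alias)
    if entry is None:
        findings.append(f"alias {alias!r} not found")
    elif entry["type"] not in KEY_TYPES:
        findings.append(f"alias {alias!r} is a {entry['type']}, not a key entry")
    return findings

print(check_server_alias(CERT_ONLY, "tomcat"))
```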

