From "Andrew Friebel" <andr...@reynolds.com.au>
Subject RE: Need help w/ installing certificate continued...
Date Thu, 16 Nov 2006 01:12:30 GMT
Have you checked the logs to see what errors (if any) have been logged?

Since you are having so many hassles, I would try and do some internal
testing using self signed certificates.

o	Generate your keystore - keytool -genkey -alias tomcat -keystore tomcat.keystore -keyalg RSA
o	Self-sign the certificate - keytool -selfcert -alias tomcat -keystore tomcat.keystore

Restart tomcat, then see if you can access your pages.

Once you get that going, then you should try using signed certificates:

o	Generate your keystore - keytool -genkey -alias tomcat -keystore tomcat.keystore -keyalg RSA  (algorithm as required)
o	Import root certificate(s) as required (may need to import more than one certificate here) - keytool -import -alias <alias> -keystore tomcat.keystore -file <file>
o	Import the signed certificate - keytool -import -alias tomcat -keystore tomcat.keystore -file <signed certificate>

That's my suggestion.

-----Original Message-----
From: Andy Tipton [mailto:artipton@tiptonshome.com] 
Sent: Thursday, 16 November 2006 11:23 AM
To: 'Tomcat Users List'; tuxkumar@gmail.com
Subject: RE: Need help w/ installing certificate continued...

I have done the following... (I am running Tomcat 5 on a Windows 2003 Server)

- Recreated the .keystore many different times trying to get one to work...
- Tried different aliases with my domain crt (does the alias matter?)
- Installed the crts in Windows and everything shows fine there when viewing
  the crt.
- Set my config in the server.xml (I have tried SSL and TLS):

      <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
      <Connector port="443" maxHttpHeaderSize="8192" address="192.168.1.190"
                 maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                 enableLookups="false" disableUploadTimeout="true"
                 acceptCount="100" scheme="https" secure="true"
                 clientAuth="false" sslProtocol="TLS"
                 keystoreFile="tomcat.keystore"
                 keystorePass="changeit"/>
- Imported the certificates into my keystore in the following order: root,
  intermed, tomcat.

      C:\Program Files\Java\jdk1.5.0_05\bin>keytool -list -keystore tomcat.keystore
      Enter keystore password:  changeit

      Keystore type: jks
      Keystore provider: SUN

      Your keystore contains 3 entries

      root, Nov 13, 2006, trustedCertEntry,
      Certificate fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
      tomcat, Nov 13, 2006, trustedCertEntry,
      Certificate fingerprint (MD5): 73:EA:94:A1:38:C8:9A:5D:65:44:7C:C7:65:A7:01:5F
      intermed, Nov 13, 2006, trustedCertEntry,
      Certificate fingerprint (MD5): 7A:A5:BA:4F:BC:0A:C5:3C:56:E9:50:A0:13:6A:88:A9

      C:\Program Files\Java\jdk1.5.0_05\bin>

- When I installed the root crt it said that there was already a system-wide
  root crt installed, do I want to continue to import it into the keystore,
  and I said 'yes'.

- All I get is a 'Page cannot be displayed' when trying to access the
  browser 'https:'.

- If I create a keystore without importing the real crt, then it works, but
  just says that the crt isn't trusted.

What am I missing?  I can't get it to work...

-----Original Message-----
From: news [mailto:news@sea.gmane.org] On Behalf Of Saravana Kumar
Sent: Wednesday, November 15, 2006 5:07 AM
To: users@tomcat.apache.org
Subject: Re: Need help w/ installing certificate continued...

Andy Tipton wrote:

> I have read all through the documentation and can't find what I am doing
> wrong. The only thing that I didn't do was the importing of the
> valicert_class2_root.crt file because I wasn't given one when I downloaded
> my certificate.  I imported the real one after I imported the intermediate
> crt.

Did you get any error during this step, i.e., importing the intermediate crt
after root?

> So now I have this:
>
> C:\Program Files\Java\jdk1.5.0_05\bin>keytool -list -keystore .keystore
> Enter keystore password:  changeit
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 2 entries
>
> tomcat5, Nov 13, 2006, trustedCertEntry,
> Certificate fingerprint (MD5): 73:EA:94:A1:38:C8:9A:5D:65:44:7C:C7:65:A7:01:5F
> intermed, Nov 13, 2006, trustedCertEntry,
> Certificate fingerprint (MD5): 7A:A5:BA:4F:BC:0A:C5:3C:56:E9:50:A0:13:6A:88:A9
>
> C:\Program Files\Java\jdk1.5.0_05\bin>
>
> Could it have to do with the alias?  I can't figure out what it could
> be.

I am not sure whether this could be a problem with the alias.

> I just get a 'page cannot be displayed' when trying to access it.  I have
> been reading, but can't find anywhere that really explains how the
> keystore and certificate relate to each other, or if the alias matters.
>
> I really need some help here.
Below are the steps I did on one of my Linux boxes (must work in Windows
too).

First I generated tomcat.key & CSR with:
$ keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.key
$ keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore tomcat.key

Got the certs from our CA (files sf_issuing.crt & _mydomain.crt). Copied the
CA's intermediate cert to valicert_class2_root.crt.

First import the CA's intermediate certificate to root, like this:
$ keytool -import -alias root -keystore tomcat.key -trustcacerts -file valicert_class2_root.crt

Then import the issuing cert to intermed:
$ keytool -import -alias intermed -keystore tomcat.key -trustcacerts -file sf_issuing.crt

Last is to import your domain's cert to the tomcat alias:
$ keytool -import -alias tomcat -keystore tomcat.key -trustcacerts -file _mydomain.crt

The above steps worked perfectly for me. I just had to point to the correct
key file in server.xml and https started working.

Let me know if that helped you out.

Regds,
SK
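An added check, not part of the thread: a small POSIX shell script that parses `keytool -list` output and confirms that the alias the connector will use is a key entry. In Andy's listing above every alias, `tomcat` included, is a trustedCertEntry, meaning the signed certificate was imported into a keystore that holds no matching private key; SK's procedure avoids that by importing the CA reply into the alias that -genkey created. The listing named GOOD_LISTING is constructed here to show that shape.

```shell
#!/bin/sh
# Listing quoted from Andy's message above: every alias, "tomcat" included,
# is a trustedCertEntry, so there is no private key for the connector to use.
ANDY_LISTING='Your keystore contains 3 entries

root, Nov 13, 2006, trustedCertEntry,
Certificate fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
tomcat, Nov 13, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 73:EA:94:A1:38:C8:9A:5D:65:44:7C:C7:65:A7:01:5F
intermed, Nov 13, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 7A:A5:BA:4F:BC:0A:C5:3C:56:E9:50:A0:13:6A:88:A9'

# Constructed listing of the shape SK's procedure produces: the CA reply went
# into the alias created by -genkey, which keytool still reports as keyEntry.
GOOD_LISTING='Your keystore contains 3 entries

root, Nov 13, 2006, trustedCertEntry,
Certificate fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
intermed, Nov 13, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 7A:A5:BA:4F:BC:0A:C5:3C:56:E9:50:A0:13:6A:88:A9
tomcat, Nov 13, 2006, keyEntry,
Certificate fingerprint (MD5): 73:EA:94:A1:38:C8:9A:5D:65:44:7C:C7:65:A7:01:5F'

# entry_type LISTING ALIAS: print the type recorded for ALIAS, or "missing".
# Entry lines read "<alias>, <date>, <type>," so the type is the last field;
# a key pair shows as keyEntry (JDK 5) or PrivateKeyEntry (JDK 6+).
entry_type() {
    printf '%s\n' "$1" | awk -v alias="$2" '
        index($0, alias ",") == 1 && $NF ~ /Entry,?$/ {
            t = $NF; sub(/,$/, "", t); print t; found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# check_server_alias LISTING ALIAS: 0 if ALIAS can serve TLS (holds a private
# key), 1 if it is only a certificate, 2 if it is absent from the keystore.
check_server_alias() {
    case "$(entry_type "$1" "$2")" in
        keyEntry|PrivateKeyEntry) return 0 ;;
        trustedCertEntry)
            echo "alias '$2' is a trustedCertEntry: certificate imported without its key" >&2
            return 1 ;;
        *)  echo "alias '$2' is not in the keystore" >&2; return 2 ;;
    esac
}

# With a real keystore, feed the output of: keytool -list -keystore tomcat.keystore
check_server_alias "$ANDY_LISTING" tomcat || echo "re-import the signed cert into the keystore that still holds the -genkey pair"
```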


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

