tomcat-users mailing list archives

From Daniel M Garland <>
Subject OpenSSL + APR + Tomcat 5.5.2 Help
Date Wed, 28 Nov 2007 16:10:22 GMT
Hi folks,

Again I call on your expert assistance:

I have a tomcat 5.5.2 server running on a Debian Etch linux box. It's 
configured to use APR 1.1.3 and I want to get SSL going. I've 
successfully managed this using JSSE but not OpenSSL. I installed 
openssl using apt, as well as the APR libraries. Tomcat was installed 
with the binaries from Apache.

I ran the following commands (with help from

- Create private key and certificate request for my own certificate 
openssl req -new -newkey rsa:1024 -nodes -out ssl/ca/ca.csr -keyout

- Self-sign
openssl x509 -trustout -signkey ssl/ca/ca.key -days 365 -req -in
ssl/ca/ca.csr -out ssl/ca/ca.pem

- Import into Java's security thingy
keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file 
ssl/ca/ca.pem -alias tomcat

- Created a file for the CA's serial numbers?
echo "02" > ssl/ca/

- Created a keystore
keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -keystore
~/.keystore -storetype JKS

- Create a certificate request for the server
keytool -certreq -keyalg RSA -alias tomcat -file ssl/certreq.csr 
-keystore .keystore

(This certificate got sent off to verisign, but in the meantime I 
thought I'd try signing myself off to see SSL working)

openssl x509 -CA ssl/ca/ca.pem -CAkey ssl/ca/ca.key -CAserial 
ssl/ca/ -req -in ssl/certreq.csr  -out ssl/selfcert.crt -days 365

- Import my self-cert into the keystore
keytool -import -alias tomcat  -keystore .keystore -trustcacerts -file 

Then I had this in server.xml
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/home/tomcat5/.keystore" keystorePass="password" />

The docs said that it would pickup .keystore in the user's home 
directory but I thought I'd set it explicitly.

When I restart tomcat I see in the log:
28-Nov-2007 14:59:26 org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443

And no errors alluding to SSL anywhere else.

When I try to access


firefox tells me that the connection was interrupted, following a 
lengthy pause.

keytool -list shows 1 entry.

Since I'm a bit of a newbie to SSL, and there is nothing in the log, I 
am stuck as to what to do next. I gather that since I use APR I might 
need other settings in my server.conf, but the documentation is vague on 
whether I need both the keystore attributes and the openssl stuff, or 
just the ssl stuff, or what. If I were to add the SSLEngine, 
SSLCertificateFile, SSLCertificateKeyFile attributes, what values would 
I feed them based on the previous steps?

Does anyone have any good howtos for the openssl side of things? (The 
first line of the official docs is a caveat that the howto applies to 
JSSE only!)

Thanks in advance

Dan Garland
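As an added example (not part of Dan's message and not the Tomcat project's own code): the OpenSSL side of the procedure he describes, done entirely with openssl so that the server's private key ends up as a PEM file on disk. That matters because the APR connector reads SSLCertificateFile / SSLCertificateKeyFile (PEM) and ignores the JSSE keystoreFile / keystorePass attributes, and keytool cannot export a private key out of a JKS keystore. The script also checks that the signed certificate chains to the CA and matches the key before anything is put into server.xml. The ./ssl layout, the CN values and the host name are assumptions for illustration.

```shell
#!/bin/sh
# Added example: CA + server certificate as PEM files for Tomcat's APR/OpenSSL
# connector. Directory layout (ssl/ca/...) and subject names are assumptions.

# Create a CA private key and self-signed CA certificate in one step.
make_ca() {
  dir="$1"
  mkdir -p "$dir/ca"
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Test CA" \
    -keyout "$dir/ca/ca.key" -out "$dir/ca/ca.pem" 2>/dev/null
  # Serial-number file consumed by -CAserial below (hex, incremented per cert).
  echo "02" > "$dir/ca/ca.srl"
}

# Generate the server key and CSR with openssl (not keytool), then sign the
# CSR with the CA. server.key is what SSLCertificateKeyFile will point at;
# server.crt is what SSLCertificateFile will point at.
make_server_cert() {
  dir="$1"
  host="$2"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" \
    -CA "$dir/ca/ca.pem" -CAkey "$dir/ca/ca.key" -CAserial "$dir/ca/ca.srl" \
    -days 365 -out "$dir/server.crt" 2>/dev/null
}

# Returns 0 only if the certificate verifies against the CA AND the public key
# in the certificate is the one belonging to server.key. A mismatched pair is
# exactly the kind of misconfiguration that produces a silent handshake failure.
check_pair() {
  dir="$1"
  openssl verify -CAfile "$dir/ca/ca.pem" "$dir/server.crt" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -noout -pubkey -in "$dir/server.crt")
  key_pub=$(openssl pkey -pubout -in "$dir/server.key")
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Resulting server.xml fragment for the APR connector (attribute names as
# documented for the APR/native connector; check them against your version):
#
#   <Listener className="org.apache.catalina.core.AprLifecycleListener"
#             SSLEngine="on" />
#   <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
#              SSLCertificateFile="/home/tomcat5/ssl/server.crt"
#              SSLCertificateKeyFile="/home/tomcat5/ssl/server.key" />
#
# Usage: make_ca ssl && make_server_cert ssl www.example.com && check_pair ssl
```

If check_pair fails, fix the key/certificate pair before touching server.xml; if it passes and the connector still drops the connection, the next thing to confirm is that tcnative was actually loaded (the AprLifecycleListener logs it at startup) and that the key file is readable by the user Tomcat runs as.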
