tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Crypto Sal <>
Subject Re: SSL with multiple Tomcat instances
Date Tue, 25 Aug 2009 00:31:24 GMT
Hi Don,

A few questions:

1) Does server.xml reference the appropriate IP and keystore for "webui"?

2) What's the output of: [ openssl s_client -connect ] from the box, more specifically just the top 
area that mentions the certificate chain. It should look something like 

Certificate chain
  0 s:/C=US/ST=Ohio/L=Ashland/O=Ashland University/OU=Administrative 
    i:/C=ES/ST=Barcelona/L=Barcelona/O=IPS Certification Authority 
s.l./ C.I.F.  B-B62210695/OU=ipsCA CLASEA1 
Certification Authority/CN=ipsCA CLASEA1 Certification 
  1 s:/C=ES/ST=Barcelona/L=Barcelona/O=IPS Certification Authority 
s.l./ C.I.F.  B-B62210695/OU=ipsCA CLASEA1 
Certification Authority/CN=ipsCA CLASEA1 Certification 
CA/OU=Certificaciones/CN=IPS SERVIDORES/
CA/OU=Certificaciones/CN=IPS SERVIDORES/
CA/OU=Certificaciones/CN=IPS SERVIDORES/

3) Have you stopped and started the instance in question each time you 
made a change to the certificates(keystore) or the server.xml file?

I don't see any issues with the way you generated the keystore, CSR or 
how you imported the certificates as that's how I would do it. It's 
pretty much the way Comodo, Verisign, Thawte, and DigiCert suggest you 
do so.

Without knowing what the server is presenting, it is hard for me to tell 
you exactly what's wrong. As per RFC2246(TLS protocol), in a chained 
certificate environment the server must present the full chain (just 
Intermediates, Root is optional.) so that all RFC compliant clients 
(Chrome, Firefox, Opera, Safari, etc), can connect easily. (Internet 
Explorer actually tries to go behind the scenes and grab the 
intermediates from WindowsUpdate) Using OpenSSL's s_client command, 
should open things up a bit more and provide us with good information to 


On 08/24/2009 10:47 AM, Don Prezioso wrote:
> These are standalone Tomcat instances (Tomcat is the web server, no Apache) running on
Red Hat.
> Each instance has it's own IP address (verified via netstat) and each address has a separate
DNS entry ( and, each which resolve correctly. Each
certificate is generated using the DNS name for the service it is intended for.
> As far as I can tell, the certificate store is valid. When I use the keytool command
to list the original keystore (the one with both certificates loaded in the same keystore),
I get the attached listing. When I look at the new one (separate keystores, each with only
one certificate) it looks the same except that it is missing the tomcat (the first instance)
certificate and only has the webui certificate.
> The commands I used to create the keystore were:
> keytool -genkey -alias webui -keyalg RSA -keystore webui.keystore
> keytool -certreq -alias webui -keystore webui.keystore
> keytool -import -trustcacerts -alias IPSROOT -file IPSServidores.crt -keystore webui.keystore
> keytool -import -trustcacerts -alias IPSCAA1 -file IPSCACLASEA1.crt -keystore webui.keystore
> keytool -import -trustcacerts -alias webui -file webui.crt -keystore webui.keystore
> The IPSServidores.crt is the IPS root certificate, IPSCACLASEA1.crt is the intermediate
certificate, and webui.crt is the certificate reply from IPS.
> These are the same steps I followed for the webadvisor instance and it is working properly.
> The only things that I can think are different between these two tomcat instances are:
> a) The webadvisor instance is visible through our firewall from off campus, and the webui
instance is not (I am connecting from on campus)
> b) The webadvisor instance is using the network device eth0, and webui is using eth0:0
> Don
> --
> Don Prezioso
> Director of Administrative I.T.
> Ashland University
> Ashland, Ohio
> -----Original Message-----
> From: Crypto Sal []
> Sent: Thursday, August 20, 2009 8:00 PM
> To: Tomcat Users List
> Subject: Re: SSL with multiple Tomcat instances
> Hi Don,
> Is this Tomcat for Windows or Tomcat for a UNIX variant?
> Have you verified the keystore as correct via * keytool -v -list
> -keystore KEYSTORE_PATH/FILE* ? (Redirect that text to a file if need be!)
> Did you use the *-trustcacerts* flag upon importing the certificates or
> was this omitted?
> ------------------------------------------------------------------------
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message