tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ognjen Blagojevic <>
Subject Re: tomcat https
Date Wed, 04 Nov 2009 09:28:22 GMT
Torleif wrote:
> I am trying to set up tomcat to use https.
> I used "keytool -genkey -alias tomcat -keyalg RSA"
> If I use "changeit" as password for keystore everything works ok.
> If I use a different password it does not work.
> I have modified "server.xml" with keystorePass="newpassword"
> My .keystore is located in default place.

It could help if you tell us what Tomcat version, OS and version are you 
using and what is "default place".

.keystore file should be on the home directory of the user running 
Tomcat. E.g. /home/tomcat on Linux, or "C:\Documents and 
Settings\ognjen\" on Windows XP.

Also note: "Finally, you will be prompted for the key password, which is 
the password specifically for this Certificate (as opposed to any other 
Certificates stored in the same keystore file). You MUST use the same 
password here as was used for the keystore password itself. (Currently, 
the keytool prompt will tell you that pressing the ENTER key does this 
for you automatically.)" (tomcat SSL docs)

> If I use "changeit" as password, will this be a security risk since this
> is a widely known password?

The way I see it, the security risk is not too big. .keystore file will 
most probably have the same access rights as your server.xml where the 
keystore password is stored in cleartext. So, if the unauthorized user 
is able to access .keystore file it will also be able to access the 
server.xml, and read the keystore password.

However, if your configuration, backup strategy, or anything else 
introduces the possibility for unauthorized person to access only the 
.keystore file (and not server.xml) - or you are simply paranoid - you 
should change the default password.

> Also I run a mailserver with https web interface.
> Can I use a different https certificate in tomcat or must it be the same
> as my mailserver?

It really depends of your configuration.

Are both webmail and Tomcat on the same port? Do you run webmail 
application under Tomcat or not? Do you use httpd or not? Do you have 
more than one IP address available for the server?

If you use two servers, two different IP addresses OR two different 
ports on the same IP address, you can have different certificates. In 
other cases, you can't.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message