tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sean Killeen <seankill...@gmail.com>
Subject Issues with Tomcat 6.0 & Renewing SSL cert using keytool
Date Mon, 14 Feb 2011 14:03:10 GMT
Hi all,

I'm hoping someone has run into this problem before.

I'm using VeriSign certs and have imported a certificate correctly before
using keytool. However, the certificate we were using expired, and we
obtained a replacement.

Importing the replacement appears to be more difficult.

Verisign's intermediate CA appears to be different than before, and now uses
a primary and secondary. So initially I had one intermediate CA and one
tomcat certificate.

I then imported the two new CAs (alias "intermediatecaprimary" and
"intermediatecasecondary") -- this worked without error.

The next step seems to throw tomcat off. I believe I need to replace the
"tomcat" alias certificate. Barring a replace function in keytool (which I
don't think exists, though I could be wrong), I think this means I have to
delete the old "tomcat" certificate and replace it with the new one.

Doing this (using the command "keytool -delete -alias tomcat -keystore
.keystore" and then "keytool -import -alias tomcat -keyalg RSA -keystore
.keystore -file D:\keystore\Certificates\tomcat.cer") appears to complete
without error.

However, the next time I start Tomcat (running as a service), the CPU &
memory spin upward until the machine is barely accessible. Tomcat doesn't
start up.

In the Tomcat log file the following can be seen:

*Feb 14, 2011 8:45:07 AM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
*
*SEVERE: Socket accept failed*
*java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No
available certificate or key corresponds to the SSL cipher suites which are
enabled.*
* at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:149)
*
* at
org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:309)*
* at java.lang.Thread.run(Thread.java:619)*

I'm sure this is just a mistake I'm making somewhere either in keytool or my
Tomcat setup, but it's worked fine until trying to use this replacement
cert.

One possibility: Do I need to specify a keylength when specifying the
keyalg, or is there a default?

My Tomcat connector is as follows (password redacted):

*     <Connector *
*        port="8443"*
* protocol="HTTP/1.1"*
* SSLEnabled="true" *
* enableLookups="false" *
* acceptCount="100"*
*        maxThreads="200" *
* scheme="https"*
* keystoreFile="d:\keystore\.keystore" *
* keystorePass="[Password]"*
*        secure="true" *
* clientAuth="false" *
* sslProtocol="TLSv1" *
* cipher="RSA"*
* allowUnsafeLegacyRenegotiation="false"*
* />*

Thanks in advance for any help you can give!
--
Sean

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message