tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Justin Larose <>
Subject Re: SSL Configuration Errors
Date Mon, 09 Jan 2012 19:24:15 GMT
Christopher Schultz <> wrote on 01/06/2012 
05:20:12 PM:

> From: Christopher Schultz <>
> To: Tomcat Users List <>
> Date: 01/06/2012 05:20 PM
> Subject: Re: SSL Configuration Errors
> Hash: SHA1

> Justin,

> On 1/6/12 2:56 PM, Justin Larose wrote:
> > This Tomcat environment was setup long before I worked here, so I
> > am just upgrading from an older version to 7.0.23 and trying to not
> > use a self signed certificate.

> It's important for you to know if your app actually requires client
> authentication. Since your <Connector> says clientAuth="true", it
> means that all clients must present a valid certificate in order to
> connect.

I actually removed the "clientAuth=true" statement and I can still access 
the application with the self signed cert.
I have asked the application developers if this is required.

> > I can get the sample-ssl.jks to work with the below connector port
> > information. But when I edit the connector ports to add the new
> > "wcmdev-ssl.jks" and imported Certificate(s) I received from the
> > CSR I get the error, " Alias name tomcat does
> > not identify a key entry"

> What do you get if you run this command:

> $ keytool -list -keystore conf/sample-ssl.jks

I cannot run the "keytool" command from the Tomcat home directory. What I 
have been doing is making a copy of the .jks and dropping them into the 
java home/bin directory and running the keytool -list from there. But here 
is what it looks like from java_home

> > Weird because it is an alias. Is it looking for tomcat as the
> > actual entry name or alias?

> Your certificate needs to have the alias "tomcat".

I did import my cert with the alias tomcat. You can see that in the 
screenshot here:

> > It seems like it is not reading the keystore properly. Should I
> > just create a new CSR from the sample-ssl.jks keystore?

> That shouldn't be necessary. You may have to re-import your
> certificate, though.

I have used the keytool to delete all 3 certs (root, intermediate and 
primary) and readd them many times. I even just tried only the Primary 
cert with the alias tomcat as the only cert. But the log shows same error:

SEVERE: Failed to initialize end point associated with ProtocolHandler 
["http-bio-8443"] Alias name tomcat does not identify a key entry

> - -chris
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools -
> Comment: Using GnuPG with Mozilla -

> CU4AoLsvEq++7v0Ml5+A+XjRPilsKA9p
> =6XzB

> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

This email and any files transmitted with it are intended solely for 
the use of the individual or agency to whom they are addressed. 
If you have received this email in error please notify the Navy 
Exchange Service Command e-mail administrator. This footnote 
also confirms that this email message has been scanned for the
presence of computer viruses.

Thank You!            

  • Unnamed multipart/related (inline, None, 0 bytes)
View raw message