tomcat-users mailing list archives

From Miguel González Castaños
Subject Re: Javamelody and Struts
Date Fri, 27 Apr 2012 21:11:14 GMT
On 26/04/2012 15:51, Christopher Schultz wrote:
> Miguel,
> On 4/26/12 5:58 AM, Miguel González Castaños wrote:
>> On 26/04/2012 03:58, Christopher Schultz wrote:
>>> Miguel,
>>> On 4/25/12 6:24 PM, Miguel González Castaños wrote:
>>>>> Please post your SSL <Connector> configuration (cleansed of
>>>>> any passwords).
>> By the way, double checking the info from my web browser I get this
>> is a verisign class 3 secure server G3
> It looks like you were using the "EV" intermediate certificates
> before. This page[1] says that C3G3 certs are not frequently used
> except for client certificates... is that what you've got?
> [1]
>> I'm sorry but I come from the Apache world and I'm pretty new to
>> Tomcat. Also I have inherited this server and the configuration is
>> messy.
> When you use Java, you generally have to work with keystores. It's
> just a file full of keys and certificates. Think of a Java keystore as
> all of the following httpd directives mashed together into a single
> binary entity:
>    SSLCertificateKeyFile
>    SSLCertificateFile
>    SSLCertificateChainFile
>    SSLCACertificateFile
> Also, you have to use an "alias" that Tomcat uses (it's "tomcat") as
> the alias for the certificate to actually use for the server (as
> opposed to any other certificates you might have in the keystore).
>> Maybe I'm wrong but should I add the CAcert somewhere in the SSL
>> connector?
> There's no place to do that: the whole chain must be in the keystore,
> including the CA root all the way down to your own certificate. You
> may be able to get away with not having the very top-root CA
> certificate... I haven't worked too much with Java keystores so it's
> possible that there is a set of root, trusted certificates that are
> inherited by all keystores, but there are many ways to
> create/configure a ServerSocketFactory, so it's probably possible to
> set one up both with or without that globally-recognized set of root
> CA certs (i.e. those trusted by the JVM implicitly).
> If you are getting this error in Javamelody, then you need to
> configure Javamelody properly -- this isn't a Tomcat thing if web
> browsers can connect properly to Tomcat via HTTPS.
Thanks for your answers, they have led me to (partly) the solution.

I found some clues here:


I didn't have to add the certificate to the Tomcat keystore, but to the 
Java keystore of the JRE.

Now I get a Javamelody error reporting the app hasn't been configured to 
use Javamelody, so no more SSL handshake errors.

Many thanks,
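
Added example, not part of the thread and not code from the Tomcat or Javamelody projects: the distinction above is that Tomcat's keystore holds what the server presents, while a Java HTTPS client that relies on JVM defaults validates the server against the JRE's own trust store. This program lists the CA certificates that default store accepts, so you can check whether your issuing CA is present. The class name `ListJvmTrustAnchors` and the optional name filter argument are assumptions made for the example.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Locale;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ListJvmTrustAnchors {
    public static void main(String[] args) throws Exception {
        // Optional case-insensitive filter on the subject DN (e.g. a CA name).
        // With no argument, every trust anchor is listed.
        String filter = args.length > 0 ? args[0].toLowerCase(Locale.ROOT) : "";

        // The default trust store comes from -Djavax.net.ssl.trustStore if set;
        // otherwise from the JRE's lib/security/jssecacerts or cacerts file.
        String override = System.getProperty("javax.net.ssl.trustStore");
        System.out.println("javax.net.ssl.trustStore = "
                + (override != null ? override
                : "(unset, JRE default under " + System.getProperty("java.home") + ")"));

        // Passing a null KeyStore makes the factory load the JVM default trust
        // store, which is separate from the keystore named in Tomcat's <Connector>.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        int shown = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) {
                continue;
            }
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                String subject = ca.getSubjectX500Principal().getName();
                if (!subject.toLowerCase(Locale.ROOT).contains(filter)) {
                    continue;
                }
                // An expired anchor fails validation just like a missing one.
                System.out.printf("%s | expires %s%n", subject, ca.getNotAfter());
                shown++;
            }
        }
        System.out.println(shown + " matching trust anchor(s)");
    }
}
```

Run it with the same JRE that runs the client side of the connection; zero matches for your CA's name means that JVM has no trust anchor for the chain the server presents.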

