tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Burch <>
Subject Re: SSL BIO/NIO setup with openssl CA puzzle
Date Sat, 03 Nov 2012 10:11:19 GMT
On 31/10/12 16:39, Daniel Mikusa wrote:
> On Oct 31, 2012, at 10:23 AM, Brian Burch wrote:
>> On 26/10/12 13:24, Daniel Mikusa wrote:
>>> On Oct 26, 2012, at 5:11 AM, Brian Burch wrote:
>> 2.8. keytool -list -v -keystore jks-keystore shows the keystore contents as two entries:
>> 2.8.1. the first has an alias of tomcat, a private key entry and the two certificates
which comprise the complete chain.
>> 2.8.2. the second has an alias of "Certificate Authority", with only the CA's certificate.
>> Observation 2.8.2 indicates that I have put too much into this certificate store
and that step 2.6 was redundant. Nevertheless, tomcat is perfectly happy to start its SSL
Connector using this keystore.
> Have you tried deleting the second alias?  Does it continue to work without this alias?
> Also, it might be interesting to convert this working JKS keystore into a PKCS12 keystore
and see if it continues to work with Tomcat.  I think you can do that with a command like
> keytool -importkeystore -srckeystore jks-keystore -srcstoretype jks -srcstorepass changeit
-srcalias tomcat -destkeystore pkcs12-keystore -deststoretype pkcs12 -deststorepass changeit

I just copied the "fat" keystore to a new file and verified it was 
identical. Then I ran:

keytool -delete -keystore jks-keystore -alias "Certificate Authority"

I printed the contents of keystore to confirm a) the tomcat collection 
of private key and certificate chain were still present, and b) the 
second alias had gone.

Tomcat started successfully using this new "minimal" keystore, so we can 
conclude that my step 2.6 was definitely not necessary. This is because 
the openssl certificate authority (by default) had bundled the entire 
authority chain into the new server certificate.

I'll try your other suggestions later, but I thought it would be helpful 
to clear up this particular issue quickly.



To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message