tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ray.d...@usbank.com
Subject Re: question on certificate use - resending with attachment descriptions in case they get stripped out again. If this doesnt work I will resend the email when I get home
Date Wed, 01 Oct 2014 19:05:16 GMT
Thanks Ongnjen, you gave me the hint I needed to fix the issue!

What I did was delete my keystore and start back from scratch.
I had to run these extra steps though:

keytool -genkey -alias <aliasname> tomcat -keyalg RSA

then enter in the exact matching info that was specified in the assigned 
certificate itself (name, organizational unit, organization, etc).

then I ran :
keytool -certreq -alias <aliasname> -keyalg RSA -file <pathToANewCSRFile>

This creates a new .csr file.

Then I point my connector in server.xml to the new keystore.

Restarted tomcat services and app services.

Loaded the website and let the error popup happen once, then I install the 
certificate it prompts about (to my truststore).

Closed out Internet Explorer.

Reopened it, and reaccessed my site.

And voila, no more certificate error.

Thanks again!


Ray Diaz
Application Consultant
U.S. Bancorp Technology and Operations Services

All of us serving you





From:   Ognjen Blagojevic <ognjen.d.blagojevic@gmail.com>
To:     Tomcat Users List <users@tomcat.apache.org>, 
Date:   09/30/2014 03:33 PM
Subject:        Re: question on certificate use - resending with 
attachment descriptions in case they get stripped out again. If this 
doesnt work I will resend the email when I get home



Ray,

On 30.9.2014 20:54, ray.diaz@usbank.com wrote:
> <Connector
>             port="443" maxThreads="200"
>             scheme="https" secure="true" SSLEnabled="true"
>   keystoreFile="C:\Bonaire\REVPORT\.keystore" keystorePass="changeit"
>   keyAlias="tomcat2"
>   proxyName="revport-it.us.bank-dns.com" proxyPort="443"
> />
>
> And then on the browser, when I try to load the site, I get a blank
> screen again, says "Internet Explorer cannot display the webpage".
>
>
> If I use "tomcat" as the alias in my connector, the site loads but then
> I get the "Certificate Error"  popup again, which is what I need to get
> rid of (on the top right the Internet Explorer).

It seems that you created key pair under alias "tomcat" and imported 
certificate reply from your CA under alias "tomcat2". That is wrong. You 
should be importing certificate reply under same alias as you generated 
key pair.

Here is exceprt from Oracle keytool docs:

"You import a certificate for two reasons:

     to add it to the list of trusted certificates, or

     to import a certificate reply received from a CA as the result of 
submitting a Certificate Signing Request (see the -certreq command) to 
that CA.

Which type of import is intended is indicated by the value of the -alias 
option:

     If the alias does not point to a key entry, then keytool assumes 
you are adding a trusted certificate entry. In this case, the alias 
should not already exist in the keystore. If the alias does already 
exist, then keytool outputs an error, since there is already a trusted 
certificate for that alias, and does not import the certificate.

     If the alias points to a key entry, then keytool assumes you are 
importing a certificate reply."

-Ognjen

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org




U.S. BANCORP made the following annotations
---------------------------------------------------------------------
Electronic Privacy Notice. This e-mail, and any attachments, contains information that is,
or may be, covered by electronic communications privacy laws, and is also confidential and
proprietary in nature. If you are not the intended recipient, please be advised that you are
legally prohibited from retaining, using, copying, distributing, or otherwise disclosing this
information in any manner. Instead, please reply to the sender that you have received this
communication in error, and then immediately delete it. Thank you in advance for your cooperation.

---------------------------------------------------------------------

Mime
  • Unnamed multipart/related (inline, None, 0 bytes)
View raw message