tomcat-users mailing list archives

From Daniel Mikusa <dmik...@pivotal.io>
Subject Re: Issue while Configuring SSL in tomcat6
Date Tue, 05 May 2015 11:20:25 GMT
On Mon, May 4, 2015 at 8:35 PM, jairaj kamal <jairaj.kamal@gmail.com> wrote:

First, please stop top posting.  Reply inline or at the bottom.  It's the
convention followed on this list.

> Hello, when I checked with below command I find my keystore created type as
> "JKS" and we are using tool "Keytool". Initially we received 2 certificates
> "TestRoot.cer" & "Test.cer", when found things not working, we are now
> trying to import certs of PKCS#12 format (.pfk) via Keytool
>

The format of your keystore is *not* the problem.  If it were the problem,
you would see an exception in Tomcat.  The problem you're seeing is
different.


>
> #Testing Keystore type
>
> D:\Program Files (x86)\Java\jdk1.6.0_27\bin>keytool -list -v -keystore
> C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore
>
> Enter keystore password:
>
>
> Keystore type: JKS
>
> Keystore provider: SUN
>
>
> *#Earlier tried steps:*
>
> keytool -genkey -alias report2web -keyalg RSA -keystore
> C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore
>
>
> keytool -certreq -keyalg RSA -alias report2web -file
> C:\Users\svcr2wadmin\nedr2wqajob1\Test.csr -keystore
> C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore
>
>
> keytool -import -alias root -keystore
> C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore -trustcacerts -file
> C:\Users\svcr2wadmin\nedr2wqajob1\TestRoot.cer
>
>
> keytool -import -alias nedr2wqajob1 -keystore
> C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore -file
> C:\Users\svcr2wadmin\nedr2wqajob1\Test.cer
>
>
>              Then also did below
>
>
> keytool -import -alias nedr2wjob1_non_prod_p7b -keystore
> C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore -file
> C:\Users\svcr2wadmin\nedr2wqajob1\Test.pfx
>
>
> # But
> Below is the error coming while importing the latest .pfx certificated
> shared
>
> D:\Program Files (x86)\Java\jdk1.6.0_27\bin>keytool -import -alias
> nedr2wjob1QAJob1 -keystore C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore
> -file C:\Users\svcr2wadmin\nedr2wqajob1\Test.pfx
>
> Enter keystore password:
>
> keytool error: java.lang.Exception: Input not an X.509 certificate
>
> #Certificate status as observed in the browser
>
> 1. nedr2wqajob1 is the alias name of certificate Test.cer - It shows for
> non Root certificate as "Your connection to nedr2wqajob1 is encrypted
> with obsolete cryptography, The connections uses TLS 1.0. The connection
> uses AES_128_CBC with SHA1 for message authentication and DHE_RSA as the
> key exchange mechanism.
>
>
You might need to a.) check what crypto is supported by your version of the
JVM and b.) configure it to not use certain known insecure crypto.

More on this here:  http://wiki.apache.org/tomcat/HowTo/SSLCiphers


>
>
> 2. Error message showing in chrome browser as below
>
> “This CA Root certificate is not trusted because it is not in the
> Trusted Root Certification Authorities store.”
>

Who did you purchase your certificate from?

Dan



>
>
>
> Let me know what to do to resolve this ?
>
> *Jairaj Kamal*
>
>
> On Mon, May 4, 2015 at 6:51 PM, Christopher Schultz <
> chris@christopherschultz.net> wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > Jairaj,
> >
> > On 5/4/15 5:35 PM, jairaj kamal wrote:
> > > Attached find the error coming in browser,looks to be issue with
> > > Root certificate.
> >
> > This list strips attachments. Please copy/paste any messages into the
> > text of your post.
> >
> > > Also we tried PKCS#12 format certs but getting below Error
> >
> > The keystore format won't change what gets sent to the client.
> >
> > > D:\Program Files (x86)\Java\jdk1.6.0_27\bin>keytool -import -alias
> > > nedr2wjob1_non_prod_p7b -keystore
> > > C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore
> > > -file C:\Users\svcr2wadmin\nedr2wqajob1\nedr2wjob1_non_prod.p7b
> > > Enter keystore password:
> > > keytool error: java.lang.Exception: Input not an X.509 certificate
> >
> > If you really have a PKCS12 keystore, then you'll need to specify the
> > keystore type on the command-line.
> >
> > - -chris
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v2
> > Comment: GPGTools - http://gpgtools.org
> >
> > -----END PGP SIGNATURE-----
> >
>
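
The "Input not an X.509 certificate" error quoted in this thread appears when `keytool -import` is handed a .pfx or .p7b file, which are containers rather than single certificates. As an added example (not part of the original messages), this Python sketch tells the three formats apart from their leading ASN.1 tags before an import is attempted; the sample byte strings are constructed for illustration.

```python
import base64
import re

# The tag of the first element inside the outer SEQUENCE separates the formats
# (standard ASN.1 layouts from RFC 5280, RFC 7292 and RFC 2315).
KINDS = {
    0x30: "x509-certificate",  # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ...
    0x02: "pkcs12-keystore",   # PFX ::= SEQUENCE { version INTEGER ...
    0x06: "pkcs7-bundle",      # ContentInfo ::= SEQUENCE { contentType OID ...
}

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def to_der(data: bytes) -> bytes:
    """Return raw DER/BER bytes, unwrapping PEM armour if present."""
    m = PEM_RE.search(data)
    return base64.b64decode(m.group(2)) if m else data


def content_offset(der: bytes) -> int:
    """Offset of the first byte inside the outer SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    if der[1] < 0x80:          # short-form length: one length byte
        return 2
    # Long form: low 7 bits count the length bytes (0 means BER indefinite).
    return 2 + (der[1] & 0x7F)


def classify(data: bytes) -> str:
    """Name the container type, or 'unknown' if it is not recognised."""
    der = to_der(data)
    try:
        return KINDS.get(der[content_offset(der)], "unknown")
    except (ValueError, IndexError):
        return "unknown"


# Constructed sample prefixes (headers only, not real key material).
CERT_DER = bytes([0x30, 0x82, 0x01, 0x0A, 0x30, 0x81, 0xF3])
PFX_DER = bytes([0x30, 0x82, 0x09, 0x51, 0x02, 0x01, 0x03])
P7B_DER = bytes([0x30, 0x82, 0x05, 0x00, 0x06, 0x09, 0x2A, 0x86, 0x48])
CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(CERT_DER)
            + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in [("Test.cer", CERT_PEM), ("Test.pfx", PFX_DER)]:
        print(name, "->", classify(blob))
```

A file reported as `pkcs12-keystore` is itself a keystore, so it is either referenced directly with its store type or converted with `keytool -importkeystore -srcstoretype PKCS12`, not passed to `keytool -import`.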
