tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: FW: Issue in reading SSL certificate
Date Wed, 09 Sep 2015 15:13:20 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hirnya,

On 9/9/15 9:49 AM, Hirnya Kaushal wrote:
> I am facing a very peculiar issue with the SSL certificate for
> Tomcat7. I am using Java 7 and Tomcat 1.7.075. and facing the below
> issue with the SSL certificate. I have followed the below steps to
> generate the certificate and apply same on server.xml.
> 
> Generated the CSR file by using the keytool on the server.
> 
> 1)      *$JAVA_HOME/bin/keytool ** -genkey -alias server -keyalg
> RSA -keysize 2048 -keystore /opt/hirnya/mobileweyakae.jks*
> 
> 2)      *$JAVA_HOME/bin/**keytool -certreq -alias server -file 
> /opt/hirnya/csr.txt -keystore /opt/hirnya/mobileweyakae.jks*

Good so far.

> Shared my case file with CA provider and received back chain.p7b
> file. And followed the below step to import the key tool (I tried 2
> ways to apply the same but the end results and the error on the
> tomcat logs are almost same.)
> 
> 1. Double click .p7b file on windows 2. Expand the node
> certificates from the left side. 3. On the right side the list of
> certificate occurred. 4. Double click the required certificate to
> open it. 5. Click the details tab. 6. Click the "copy to file...”
> button 7. click next 8. select the 2nd format (Base-64 encoded
> X.509 (.CER)) 9. Enter the file name (As original file name).
> Please make sure the file location (Directory) 10. Read the export
> wizard setting and then Press "Finish" button. 11. Repeat the same
> steps for all 3 certificates.
> 
> Then, transferred the all certificate on same path where I have 
> generated the csr file and imported the file with 2 different way.
> 
> 
> 
> Steps of Process one applied:
> 
> Imported the files received from CA with below command and applied
> with all files received from CA.
> 
> *$JAVA_HOME/bin/keytool -import -trustcacerts -alias root -file 
> /opt/hirnya/root.cer -keystore /opt/hirnya/mobileweyakae.jks*

You might want to call this "Cybertrust root" or something like that,
in case you want to use more than one CA's root. It also helps
document what *you* think the certificate is.

> *$JAVA_HOME/bin/keytool -import -trustcacerts -alias abc -file 
> /opt/hirnya/server.cer -keystore /opt/hirnya/mobileweyakae.jks*

An alias like "Cybertrust intermediate" might have been a better name.

> *$JAVA_HOME/bin/keytool -import -trustcacerts -alias mobile -file 
> /opt/hirnya/mobile.cer -keystore /opt/hirnya/mobileweyakae.jks*

I see that you haven't imported any certificates with the alias
"server". When you import the signed certificate from the CA, you
should probably update the "server" cert instead of importing it under
a different alias. This may not be the problem, but it's the way I've
always done it.

> *Attached is the view of certificate generated
> (crtifacate-process1.txt) and the tomcat logs ()tomcatand below is
> the configuration for SSL on tomcat.*

Looks okay to me. There are 4 certs:

1. root   (Cybertrust's root cert)
2. mobile (your signed server certificate)
3. abc    (Cybertrust's intermediate certificate)
4. server (the private key for the cert you want to create)

> *<Connector port="443" 
> protocol="org.apache.coyote.http11.Http11Protocol"
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS"  useURIValidationHack="false" 
> keystoreFile="/opt/hirnya/mobileweyakae.jks"
> keystorePass="changeit" />*

You haven't specified an "alias" for the connector, so it uses the
first one in the keystore which is probably "root". That's not what
you want.

> Steps of Process Two applied:
> 
> Exported the keystore to the pem file.
> 
> 
> 
> *1)      **$JAVA_HOME/bin/*keytool -exportcert -rfc -file 
> /opt/hirnya/server.pem -keystore /opt/hirnya/mobileweyakae.jks
> -alias server
> 
> *2)      **Open the pem file with cat and added the other
> certificates received from CA into the same file and generated the
> bundle.pem file, attached is the file for reference. (this includes
> all the certificates)*
> 
> *3)      **Then imported the certificates to the keytool with below
> command*
> 
> *$JAVA_HOME/bin*/keytool -importcert -keystore 
> /opt/hirnya/mobileweyakae.jks -alias server -file
> /opt/hirnya/bundle.pem.
> 
> 
> 
> 
> 
> The certificate generated output is attached as
> certificate-process2.txt for reference and the logs of the tomcat
> as well.
> 
> * *
> 
> * *
> 
> In both the case I am able to reach the https:// but receiving the 
> security error and only reading the self-generated key and not able
> to read the imported key.

What is showing the error? The browser or Tomcat (or both)? Any stack
traces from Tomcat?

> Attaching the generated key files(mobileweyakae.jks) and
> certificate (hirnya.zip) as well for your reference.

If you did in fact attach your Java keystore, then you have leaked
your server's private key and it can no longer be considered secure.
You ought to delete everything and start over again. BEFORE YOU DO,
confirm that your CA will re-sign a new CSR with a new key for the
same domain name without requiring you to pay a second time.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJV8EyQAAoJEBzwKT+lPKRY1gMQAKnnv45RQIVFGrYihVCNNSBD
zjOYe81ltoDTUsV0PUDW2ILIZK2RVCGTeNKIricZ0tqp8hrnMAOakRtoAsymCGo0
HkrkPBAHp6GX3D6mlL1dgYhAU5kt0LPcrXOeivmd+LjfqMXlrdZVwbaWi9uisjAn
4k4/1h67wuLRq6zmLoTVEiIlzoTjyM/OrjKRCdNnuuqq9DBOzctkAIbYNlQs8b9K
XyAYSHO4Wm5Gr3O0nFJPFDWr0gug9OthWUHux//h+t7wOWY0FDEGtS/qTmA9IMmb
EwItZckMc9cI3fqDSrfEv+ejLcCFOQv5vXWj28fcrEYJYVlxbxF/Mxg8zMWFW9/6
WF096jKR9iBB8OjoUEnsR7VFeZM0E6vuWPSFaZDKUBqyGLNMpg+GxqOlmvOT0/f3
zczVKrrNA0KWHiQTSaHBUFvWmsXqS7dHUegMshXq8gQF/lL3+i4M+YdC/f1zuJze
0Sf/A7PfPCz9cNMpbhChR1Ptkd7Hdsf53ajTrzZmQNOEcA0WHnx3Zb+cOnK58N4q
+OK369fwy+HbHTYagk5JKHl0tEXwBUIr3bV1bJrjWd7ld/nKyJIJaDYbIi4kovMg
PU25oy6fUKrg90tyY0AL9t5Zqw+fXrJ/RTX/Q5d9KJPcBp84IcBrm1N/7saa+iFR
IUd57O5hZZGoLnlauPzI
=zEd7
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message