From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: installing certificates
Date Mon, 09 Oct 2017 21:00:11 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Adam,

On 10/9/17 4:24 PM, Adam Pease wrote:
> Hi, I'm running Tomcat 8.5.23 on an AWS Ubuntu Linux 16.04 LTS 
> installation.  I'm trying to follow the instructions at 
> https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html to get
> HTTPS running under tomcat.

Version mismatch. You want this guide:
https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html

> My site runs with a self-signed certificate.  Now I'm trying to
> install a proper certificate from https://gethttpsforfree.com/

Try Let's Encrypt. I know nothing about "gethttpsforfree.com", but
I've personally done Let's Encrypt.

> After the rather lengthy process to generate the "Signed
> Certificate" and "Intermediate Certificate" it appears I'm ready to
> follow the instructions under the heading "Importing the
> Certificate".

BTW, LE is a single command to get a signed certificate.

> My first question is whether there is a difference between the 
> certificates mentioned in
> 
> - "import a so called Chain Certificate or Root Certificate into
> your keystore"
> 
> and
> 
> - "After that you can proceed with importing your Certificate."

You have a "server certificate" -- that's yours, and represents you.
There is (usually) another certificate, called the "chain" or
"intermediate" certificate, which represents the Certificate Authority
who signed your certificate.

When your server performs a TLS handshake with the client, it needs to
present a "certificate chain" which includes your server certificate
(the "leaf") and any certificates required to link the server cert to
a root certificate which is stored within the client and already
trusted (e.g. VeriSign, DigiCert, etc.). So your server needs to have
multiple certificates available to send, and only one "belongs" to you.

> I was able to execute the command:
> 
> keytool -import -alias root -keystore <your_keystore_filename> 
> -trustcacerts -file <filename_of_the_chain_certificate>
> 
> using a single file that has the "Signed Certificate" and
> "Intermediate Certificate" from gethttpsforfree.  But then I get an
> error from the next command
> 
> ~$ keytool -import -alias tomcat -keystore .keystore -file chained.pem
> Enter keystore password:
> keytool error: java.lang.Exception: Certificate reply does not contain
> public key for <tomcat>

Which file is which? Looks like you imported the chain twice.

> When I run
> 
> ~$ keytool -list -v
> 
> I see (in part)
> 
> Alias name: tomcat
> Creation date: Oct 9, 2017
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: CN=Adam Pease
> 
> I'm very new to certificates.  Could someone point me in the right 
> direction?

Java keystores are a nightmare... it's not your fault. ;)

It looks like you didn't successfully import the CA's
root/intermediate certificate. Can you reply with some more specifics?
What files do you have from the CA, what keystore(s) do you have, and
what are the exact commands you are running? You've left out some
important details from your post above.

Here's what I have in my "Java Keystore Cheat Sheet":

Create your server key and self-signed cert:
> $ keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 4096
> -alias ${HOSTNAME} -keystore ${HOSTNAME}.jks

Now, export your CSR:

> $ keytool -certreq -sigalg SHA256withRSA -keystore ${HOSTNAME}.jks
> 
Use that CSR to get your cert signed.

Now, import the signed cert back into your keystore, starting with the
root and/or intermediate cert and finishing with your server's cert:

> $ keytool -import -alias [Authority.CA] -trustcacerts -file
> [authority's CA cert] -keystore ${HOSTNAME}.jks

(^^^^^ if necessary)

> $ keytool -import -alias [Authority.intermediate] -trustcacerts
> -file [authority's intermediate cert] -keystore ${HOSTNAME}.jks

> $ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt -keystore
> ${HOSTNAME}.jks

Hope that helps,
- -chris
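An added example, not part of either message above and not Tomcat project code, that shows the two things worth checking before running the keytool import sequence Chris lists: that the PEM bundle is ordered leaf first with each certificate issued by the one after it, and that the server certificate carries the same public key as the private key in the keystore (keytool's "Certificate reply does not contain public key" error is what you see when that second check would fail). It assumes `openssl` is on the PATH; every name in it (Example Root CA, tomcat.example.test, the file names) is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing list thread). Builds a throwaway
# root -> intermediate -> server chain with openssl, then checks:
#   1. chain order: each cert in the bundle is issued by the next one;
#   2. key/cert match: the leaf's public key equals the private key's.
# All subjects, hostnames and file names below are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway self-signed root CA (plays the role of a trusted root).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null

# Intermediate CA, signed by the root (the "chain certificate").
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -set_serial 2 \
  -days 30 -sha256 -extfile ca.ext -out int.crt 2>/dev/null

# Server key and CSR, signed by the intermediate. This is the openssl
# equivalent of the keytool -genkey / -certreq steps in the cheat sheet.
printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:tomcat.example.test\n' > leaf.ext
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=tomcat.example.test" -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -set_serial 3 \
  -days 30 -sha256 -extfile leaf.ext -out server.crt 2>/dev/null

# What a CA typically hands back: leaf first, then the intermediate.
cat server.crt int.crt > chained.pem
# The same bundle in the wrong order, used for the negative check.
cat int.crt server.crt > reversed.pem

# Split a PEM bundle into split/cert.1, split/cert.2, ... in order.
split_bundle() {
  rm -rf split && mkdir split
  awk '/BEGIN CERTIFICATE/{n++} {print > ("split/cert." n)}' "$1"
}

# Returns 0 when every cert in the bundle is issued by the cert after it.
chain_order_ok() {
  split_bundle "$1"
  n=$(ls split | wc -l | tr -d ' ')
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "split/cert.$i" -noout -issuer | sed 's/^issuer=//')
    j=$((i + 1))
    subject=$(openssl x509 -in "split/cert.$j" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] || return 1
    i=$j
  done
  return 0
}

# Returns 0 when the private key and the certificate share one public key.
# A mismatch here is what keytool reports as "Certificate reply does not
# contain public key for <alias>".
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey)
  [ "$k" = "$c" ]
}

# Full path validation against the root, the way a TLS client would do it.
chain_verifies() {
  openssl verify -CAfile root.crt -untrusted int.crt "$1" >/dev/null 2>&1
}

chain_order_ok chained.pem && echo "chained.pem: order OK"
chain_order_ok reversed.pem || echo "reversed.pem: order WRONG (leaf must come first)"
key_matches_cert server.key server.crt && echo "server.key matches server.crt"
key_matches_cert int.key server.crt || echo "int.key does NOT match server.crt"
chain_verifies server.crt && echo "server.crt: chain verifies to root"
```

Run the two helpers against your own files before touching the keystore: `chain_order_ok` on the bundle the CA gave you, and `key_matches_cert` with the private key you exported from the `.jks` (or, more simply, compare `openssl x509 -noout -pubkey` on the signed cert with the public key shown by `keytool -list -v` for the alias). If the key check fails, the certificate was signed for a different key than the one under the `tomcat` alias, and no amount of re-importing the chain will fix it.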
