
TomCat and SSL cert

 
R Ha
Greenhorn
Posts: 2
I am trying to set up and install an SSL cert into Tomcat.

keytool -certreq -keyalg RSA -alias CFCU -file certreq.csr -keystore TCIKey.jks

keytool -genkey -alias CFCU -keyalg RSA -keystore TCIKey.jks -keysize 2048


Upload the contents of the certreq.csr to Verisign.

Download the .p7b file from Verisign.

keytool -import -alias CFCU -keystore TCIKey.jks -trustcacerts -file cert.p7b

Moved cert.p7b, certreq.csr and TCIKey.jks to the conf folder in Tomcat.

<Connector
className="org.apache.tomcat.service.PoolTcpConnector">
<Parameter name="handler"
value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
<Parameter name="port" value="443"/>
<Parameter name="socketFactory"
value="org.apache.tomcat.net.SSLSocketFactory"/>
<Parameter name="keystore" value="conf/TCIkey.jks"/>
<Parameter name="keypass" value="XXXXX"/>
<Parameter name="clientAuth" value="false"/>
</Connector>
From there I restart the Tomcat service.

And nothing when I go to

https://certname.domain

I'm not sure what I am missing; any help would be great.

Thank You
 
Tim Holloway
Saloon Keeper
Posts: 18012
You do not need to copy the csr or cert files into Tomcat. The keytool imports the required information straight into its database, and Tomcat accesses that database for certificate information.

Often, you'll need not only your own certificate to be imported, but also one or two intermediary certs that have to be imported as well. This forms a "chain of trust" where the user's browser has a master cert on file, and that master cert vouches for the top-level intermediate cert, which vouches for the second-level intermediate cert, which vouches for your server's cert.

You should have been provided with information on these additional certs by your cert provider.

SSL is fairly easy to get going on Tomcat. The official Tomcat SSL docs are pretty clear, and the logs will contain error messages that are fairly helpful in case you do anything wrong.
 
R Ha
Greenhorn
Posts: 2
Thank you, my provider has been less than helpful.

What are some logs I can post, to see what may be the problem?

Here is one someone else suggested, but I'm not really sure what to look for.

Ok this is what is in the log.

Feb 18, 2011 3:51:05 PM org.apache.coyote.http11.Http11AprProtocol pause
INFO: Pausing Coyote HTTP/1.1 on http-80
Feb 18, 2011 3:51:05 PM org.apache.coyote.http11.Http11AprProtocol pause
INFO: Pausing Coyote HTTP/1.1 on http-0
Feb 18, 2011 3:51:05 PM org.apache.coyote.ajp.AjpAprProtocol pause
INFO: Pausing Coyote AJP/1.3 on ajp-8009
Feb 18, 2011 3:51:06 PM org.apache.catalina.core.StandardService stop
INFO: Stopping service Catalina
Feb 18, 2011 3:51:06 PM org.apache.coyote.http11.Http11AprProtocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-80
Feb 18, 2011 3:51:06 PM org.apache.coyote.http11.Http11AprProtocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-0
Feb 18, 2011 3:51:06 PM org.apache.coyote.ajp.AjpAprProtocol destroy
INFO: Stopping Coyote AJP/1.3 on ajp-8009
Feb 18, 2011 3:51:08 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.20.
Feb 18, 2011 3:51:08 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Feb 18, 2011 3:51:08 PM org.apache.tomcat.util.digester.Digester endElement
WARNING: No rules found matching 'Server/Service/Connector/Parameter'.
Feb 18, 2011 3:51:08 PM org.apache.tomcat.util.digester.Digester endElement
WARNING: No rules found matching 'Server/Service/Connector/Parameter'.
Feb 18, 2011 3:51:08 PM org.apache.tomcat.util.digester.Digester endElement
WARNING: No rules found matching 'Server/Service/Connector/Parameter'.
Feb 18, 2011 3:51:08 PM org.apache.tomcat.util.digester.Digester endElement
WARNING: No rules found matching 'Server/Service/Connector/Parameter'.
Feb 18, 2011 3:51:08 PM org.apache.tomcat.util.digester.Digester endElement
WARNING: No rules found matching 'Server/Service/Connector/Parameter'.
Feb 18, 2011 3:51:08 PM org.apache.tomcat.util.digester.Digester endElement
WARNING: No rules found matching 'Server/Service/Connector/Parameter'.
Feb 18, 2011 3:51:08 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-80
Feb 18, 2011 3:51:08 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-0
Feb 18, 2011 3:51:08 PM org.apache.coyote.ajp.AjpAprProtocol init
INFO: Initializing Coyote AJP/1.3 on ajp-8009
Feb 18, 2011 3:51:08 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 412 ms
Feb 18, 2011 3:51:08 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Feb 18, 2011 3:51:08 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.29
Feb 18, 2011 3:51:08 PM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor host-manager.xml
Feb 18, 2011 3:51:08 PM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor manager.xml
Feb 18, 2011 3:51:08 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory docs
Feb 18, 2011 3:51:08 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory examples
Feb 18, 2011 3:51:08 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ROOT
Feb 18, 2011 3:51:08 PM org.apache.coyote.http11.Http11AprProtocol start
INFO: Starting Coyote HTTP/1.1 on http-80
Feb 18, 2011 3:51:08 PM org.apache.coyote.http11.Http11AprProtocol start
INFO: Starting Coyote HTTP/1.1 on http-0
Feb 18, 2011 3:51:08 PM org.apache.coyote.ajp.AjpAprProtocol start
INFO: Starting Coyote AJP/1.3 on ajp-8009
Feb 18, 2011 3:51:08 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 365 ms
 
Tim Holloway
Saloon Keeper
Posts: 18012
Actually, I'm not sure what that "SSLSocketFactory" is all about.

Standard Tomcat SSL configuration in server.xml looks like this:


The prototype is already present, commented out, in the server.xml that comes with Tomcat. I'm using the cert alias "tomcat" for my security cert, which is the default alias name. Otherwise I would also have supplied an explicit alias name in the Connector configuration.
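As an added illustration (not Tim's configuration and not the server.xml shipped with Tomcat), here is the Tomcat 3-style `<Parameter>` connector from the first post next to the attribute-style form Tomcat 6 actually parses; the alias CFCU and keystore path are taken from the OP's post, the password is a placeholder. Because the OP's log shows the APR native library loading, the protocol is pinned to the pure-Java (JSSE) implementation so that the JKS keystore is used; the auto-selected APR connector ignores keystoreFile and expects PEM files instead.

```xml
<!-- Added example. Part 1: what was posted (Tomcat 3.x syntax). Tomcat 6 has
     no Digester rule for Server/Service/Connector/Parameter, so every
     <Parameter> is silently dropped (the WARNING lines in the log) and no
     HTTPS listener is ever created. -->
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
  <Parameter name="port" value="443"/>
  <Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"/>
  <Parameter name="keystore" value="conf/TCIkey.jks"/>
  <Parameter name="keypass" value="XXXXX"/>
  <Parameter name="clientAuth" value="false"/>
</Connector>

<!-- Part 2: the Tomcat 6 equivalent. Everything is an attribute on <Connector>.
     protocol is pinned to the JSSE connector because the log shows APR being
     loaded; with the APR connector Tomcat ignores keystoreFile and wants
     SSLCertificateFile / SSLCertificateKeyFile / SSLCertificateChainFile (PEM).
     keystorePass is a placeholder: it must be the keystore password, and the
     key entry's password must match it unless keyPass is also set.
     keystoreFile is resolved relative to $CATALINA_BASE; the file name's case
     must match the file on disk (the OP's post mixes TCIkey and TCIKey). -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true"
           scheme="https" secure="true"
           maxThreads="150"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="conf/TCIKey.jks"
           keystorePass="CHANGE_ME"
           keyAlias="CFCU"/>
```

After a restart the catalina log should show "Initializing Coyote HTTP/1.1 on http-443" and no Digester warnings; if the warnings are still there, the old `<Parameter>` block is still in server.xml.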