
TomCat and SSL cert

R Ha
Greenhorn

Joined: Feb 23, 2011
Posts: 2
I am trying to set up and install an SSL cert into TomCat

keytool -certreq -keyalg RSA -alias CFCU -file certreq.csr -keystore TCIKey.jks

keytool -genkey -alias CFCU -keyalg RSA -keystore TCIKey.jks -keysize 2048


Upload the contents of the certreq.csr to Verisign

Download the .p7b file from Verisign.

keytool -import -alias CFCU -keystore TCIKey.jks -trustcacerts -file cert.p7b

Moved cert.p7b, certreq.csr, TCIKey.jks to the conf folder in Tomcat.

<Connector
className="org.apache.tomcat.service.PoolTcpConnector">
<Parameter name="handler"
value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
<Parameter name="port" value="443"/>
<Parameter name="socketFactory"
value="org.apache.tomcat.net.SSLSocketFactory"/>
<Parameter name="keystore" value="conf/TCIkey.jks"/>
<Parameter name="keypass" value="XXXXX"/>
<Parameter name="clientAuth" value="false"/>
</Connector>
From there I restart the Tomcat Services

And nothing when I go to

https://certname.domain

I'm not sure what I am missing; any help would be great.

Thank You
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16305
You do not need to copy the csr or cert files into Tomcat. The keytool imports the required information straight into its database, and Tomcat accesses that database for certificate information.

Often, you'll need not only your own certificate to be imported, but also one or 2 intermediary certs that have to be imported as well. This forms a "chain of trust" where the user's browser has a master cert on file, and that master cert vouches for the top-level intermediate cert, which vouches for the second-level intermediate cert, which vouches for your server's cert.

You should have been provided with information on these additional certs by your cert provider.

SSL is fairly easy to get going on Tomcat. The official Tomcat SSL docs are pretty clear, and the logs will contain error messages that are fairly helpful in case you do anything wrong.


Customer surveys are for companies who didn't pay proper attention to begin with.
R Ha
Greenhorn

Joined: Feb 23, 2011
Posts: 2
Thank you, my provider has been less than helpful.

What are some logs I can post, to see what may be the problem?

Here is one someone else suggested, but I'm not really sure what to look for.

Ok this is what is in the log.

Feb 18, 2011 3:51:05 PM org.apache.coyote.http11.Http11AprProtocol pause
INFO: Pausing Coyote HTTP/1.1 on http-80
Feb 18, 2011 3:51:05 PM org.apache.coyote.http11.Http11AprProtocol pause
INFO: Pausing Coyote HTTP/1.1 on http-0
Feb 18, 2011 3:51:05 PM org.apache.coyote.ajp.AjpAprProtocol pause
INFO: Pausing Coyote AJP/1.3 on ajp-8009
Feb 18, 2011 3:51:06 PM org.apache.catalina.core.StandardService stop
INFO: Stopping service Catalina
Feb 18, 2011 3:51:06 PM org.apache.coyote.http11.Http11AprProtocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-80
Feb 18, 2011 3:51:06 PM org.apache.coyote.http11.Http11AprProtocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-0
Feb 18, 2011 3:51:06 PM org.apache.coyote.ajp.AjpAprProtocol destroy
INFO: Stopping Coyote AJP/1.3 on ajp-8009
Feb 18, 2011 3:51:08 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.20.
Feb 18, 2011 3:51:08 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Feb 18, 2011 3:51:08 PM org.apache.tomcat.util.digester.Digester endElement
WARNING: No rules found matching 'Server/Service/Connector/Parameter'.
Feb 18, 2011 3:51:08 PM org.apache.tomcat.util.digester.Digester endElement
WARNING: No rules found matching 'Server/Service/Connector/Parameter'.
Feb 18, 2011 3:51:08 PM org.apache.tomcat.util.digester.Digester endElement
WARNING: No rules found matching 'Server/Service/Connector/Parameter'.
Feb 18, 2011 3:51:08 PM org.apache.tomcat.util.digester.Digester endElement
WARNING: No rules found matching 'Server/Service/Connector/Parameter'.
Feb 18, 2011 3:51:08 PM org.apache.tomcat.util.digester.Digester endElement
WARNING: No rules found matching 'Server/Service/Connector/Parameter'.
Feb 18, 2011 3:51:08 PM org.apache.tomcat.util.digester.Digester endElement
WARNING: No rules found matching 'Server/Service/Connector/Parameter'.
Feb 18, 2011 3:51:08 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-80
Feb 18, 2011 3:51:08 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-0
Feb 18, 2011 3:51:08 PM org.apache.coyote.ajp.AjpAprProtocol init
INFO: Initializing Coyote AJP/1.3 on ajp-8009
Feb 18, 2011 3:51:08 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 412 ms
Feb 18, 2011 3:51:08 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Feb 18, 2011 3:51:08 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.29
Feb 18, 2011 3:51:08 PM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor host-manager.xml
Feb 18, 2011 3:51:08 PM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor manager.xml
Feb 18, 2011 3:51:08 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory docs
Feb 18, 2011 3:51:08 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory examples
Feb 18, 2011 3:51:08 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ROOT
Feb 18, 2011 3:51:08 PM org.apache.coyote.http11.Http11AprProtocol start
INFO: Starting Coyote HTTP/1.1 on http-80
Feb 18, 2011 3:51:08 PM org.apache.coyote.http11.Http11AprProtocol start
INFO: Starting Coyote HTTP/1.1 on http-0
Feb 18, 2011 3:51:08 PM org.apache.coyote.ajp.AjpAprProtocol start
INFO: Starting Coyote AJP/1.3 on ajp-8009
Feb 18, 2011 3:51:08 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 365 ms
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16305

Actually, I'm not sure what that "SSLSocketFactory" is all about.

Standard Tomcat SSL configuration in server.xml looks like this:


The prototype is already present, commented out, in the server.xml that comes with Tomcat. I'm using the cert alias "tomcat" for my security cert, which is the default alias name. Otherwise I would also have supplied an explicit alias name in the Connector configuration.
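The two points made in the replies above (import the CA's root and intermediate certs so the chain of trust is complete, and configure the Connector with attributes in server.xml rather than the old `<Parameter>` elements) put together as one shell script. This is an added example, not code from the thread or from the Tomcat project. The keystore name TCIKey.jks and the alias CFCU are taken from the original post; the password, the CA file names, the hostname and the Tomcat 6 JSSE connector attributes are assumptions to replace with your own values. Two things in the posted log motivate the Connector part: the repeated `No rules found matching 'Server/Service/Connector/Parameter'` warnings are Tomcat discarding the `<Parameter>` elements, and the startup lines list only http-80, http-0 and ajp-8009, so no listener ever came up on 443.

```shell
#!/bin/sh
# Added example, not code from the thread. KEYSTORE and ALIAS come from the
# original post; STOREPASS, the CA file names and the hostname are assumed.

KEYSTORE=${KEYSTORE:-TCIKey.jks}
ALIAS=${ALIAS:-CFCU}
STOREPASS=${STOREPASS:-changeit}   # placeholder: set a real password

# Step 1: create the key pair first. The CSR in step 2 is derived from it, so
# running -certreq before -genkey cannot produce a usable request.
# CN must be the hostname users will type into the browser. Tomcat expects the
# key password to equal the store password unless keyPass is set separately.
generate_keypair() {
    host=${1:?hostname required}
    keytool -genkey -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -dname "CN=$host,O=Example Org,C=US" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 2: the CSR to send to the CA.
generate_csr() {
    keytool -certreq -alias "$ALIAS" -file certreq.csr \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 3a: the CA root and each intermediate go in under their OWN aliases
# (for example "verisign-root", "verisign-intermediate"), never under $ALIAS.
import_ca_cert() {
    ca_alias=${1:?alias required}; ca_file=${2:?file required}
    keytool -import -trustcacerts -noprompt -alias "$ca_alias" -file "$ca_file" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 3b: the signed server certificate goes in under the key's alias, so
# keytool attaches it, and the chain it can now build, to the private key.
import_server_cert() {
    keytool -import -trustcacerts -alias "$ALIAS" -file "${1:?file required}" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Check: the chain length keytool reports for the key entry. A value of 1 means
# only the leaf is attached and browsers cannot build the chain of trust.
chain_length() {
    keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        | sed -n 's/^Certificate chain length: *//p'
}

# Tomcat 6 connector using attributes, not <Parameter> elements. The protocol
# is pinned to the Java (JSSE) implementation because the log shows the APR
# native library loaded, and the APR connector takes PEM files
# (SSLCertificateFile / SSLCertificateKeyFile) instead of a keystore.
connector_snippet() {
    port=${1:-443}; store=${2:-conf/$KEYSTORE}
    cat <<EOF
<Connector port="$port" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="$store" keystorePass="$STOREPASS"
           keyAlias="$ALIAS" />
EOF
}

# After the restart: confirm the server listens on 443 and presents the whole
# chain (one "s:" line per certificate) and that verification succeeds.
show_served_chain() {
    host=${1:?hostname required}
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | grep -E '^ *[0-9]+ s:|Verify return code'
}

# Only steps 1 and 2 run unattended; the CA round trip happens in between.
if [ "${RUN_SSL_SETUP:-0}" = 1 ]; then
    generate_keypair "$1"
    generate_csr
    echo "Send certreq.csr to the CA, then run import_ca_cert for each CA cert,"
    echo "import_server_cert for the signed cert, and chain_length to verify."
fi
```

Run it as `RUN_SSL_SETUP=1 sh tomcat-ssl.sh www.example.com` to get the key pair and CSR; after the CA returns the certificates, source the file and call `import_ca_cert`, `import_server_cert` and `chain_length` by hand, then paste the output of `connector_snippet` into server.xml. Keep the keystore outside any directory Tomcat serves, and restrict read access to server.xml since it carries the store password in clear text.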