
Dealing with SSL Cert

Kevin Crider

Joined: Oct 18, 2011
Posts: 1
I'm trying to get my Tomcat setup with SSL. Seems to be common to have issues with this...needless to say I've had issues...

All I have on hand is our domain star files... *.crt and *.key files. The CSR was done by someone else years ago on another machine.

Can I use just these 2 files to setup Tomcat with SSL?

I found some instructions online (here) that described using a program to import into the keystore. I've done this. I can run Tomcat over SSL and the examples all work.

One of the apps I'm deploying is CAS, which deploys fine and I can login/authenticate...the app seems to work OK. BUT when I try to access the management interface I get the dreaded

HTTP Status 500 - PKIX path building failed: unable to find valid certification path to requested target

I get the same error when I try to run the Jasig sample Java app here

I've tried turning on debugging and I get more output on the console, but nothing that means much to me.

So it appears something is still not right with my SSL...and I'm not even sure where to look...

Any thoughts???

K. Gil
Ranch Hand

Joined: Apr 29, 2011
Posts: 75

"unable to find valid certification path to requested target"

Your app seems to be trying to connect somewhere; it could be trying "localhost" or something, while your cert is for the domain name.
And see what exactly is inside the logs.

Also, did you import your certificate into the Java keystore (using keytool)?
As far as I can see, you mentioned only configuring the Tomcat SSL connector, but your Java process that is trying to connect to this connector locally may not recognize your certificate.
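
As a diagnostic for the two possibilities raised in the reply above, here is a small added Java client (not code from this thread, Tomcat or CAS) that performs a TLS handshake the way a Java client would, against either the JVM default truststore or one you name on the command line, and reports whether the failure is a CA missing from that truststore or a hostname that does not match the certificate. The class name TrustCheck and its argument layout are assumptions.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class TrustCheck {
    // Usage: java TrustCheck <host> <port> [truststore] [password]
    // Without a truststore argument it uses the JVM default (cacerts), i.e. what a
    // Java client inside Tomcat sees when it calls back into the SSL connector.
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        SSLContext ctx = SSLContext.getDefault();
        if (args.length >= 3) {
            // Assumed: a JKS/PKCS12 truststore path and optional password on the command line
            KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
            try (FileInputStream in = new FileInputStream(args[2])) {
                ts.load(in, args.length >= 4 ? args[3].toCharArray() : null);
            }
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);
            ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
        }
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also verify the name in the cert
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("Handshake OK with " + host + ":" + port + "; chain presented:");
            for (Certificate c : s.getSession().getPeerCertificates()) {
                System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
            }
        } catch (SSLHandshakeException e) {
            // Collect the whole cause chain: the useful text is usually in a nested exception
            StringBuilder msgs = new StringBuilder();
            for (Throwable t = e; t != null; t = t.getCause()) msgs.append(t.getMessage()).append(' ');
            String all = msgs.toString();
            System.out.println("Handshake FAILED: " + e.getMessage());
            if (all.contains("unable to find valid certification path")) {
                System.out.println("-> The issuing CA is not in this truststore; import the CA/chain with keytool -importcert.");
            } else if (all.contains("No subject alternative") || all.contains("No name matching")) {
                System.out.println("-> Connected as '" + host + "' but the certificate was issued for a different name.");
            }
        }
    }
}
```

Run it once with the name the application actually uses (for example localhost) and once with the domain name on the certificate; the two outputs separate a truststore problem from a naming problem.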

Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17421

Welcome to the JavaRanch, Kevin!

The first thing we need to know is what mechanism CAS is using to authenticate with. If you have Tomcat set up to use CAS and part of that setup points Tomcat to an external CAS server, the channel between Tomcat and that CAS server would follow completely different rules than those used for incoming webapp requests.

You actually should be able to have Tomcat and CAS communicate without encryption (TLS/SSL), since that traffic is "behind the scenes" and not (I hope) on the open Internet, but I wouldn't recommend it, since anybody running an in-house traffic analyzer could potentially read clear-text userids and passwords.

Assuming then that you do encrypt the Tomcat-to-CAS network traffic, you would then need to configure the CAS server with its own encrypted channels, which probably won't be https. Furthermore, since the SSL cert for Tomcat contains the Tomcat hostname (I believe), you probably couldn't recycle that cert and use it on the CAS server (at least if the CAS server is on some other host).

So you'll have to study up on the CAS channel configurations, and most likely generate a TLS certificate for the CAS server. Since CAS doesn't require general public trust like a webserver does, this can be a self-signed cert.

An IDE is no substitute for an Intelligent Developer.