Tomcat SSL certificate set up

Alexsk Lau
Greenhorn
Posts: 3
Hi,

I have searched multiple sources and tried multiple solutions but cannot make my Tomcat take my trusted certificates:

I had purchased an SSL certificate from my ISP provider, which was issued by DigiCert. I am having trouble making my Tomcat deployed on AWS Linux accept it. Here are the details of the procedure that I think should work.

I have created my keystore (jks format) and signing request using keytool. After getting the certificate for my domain and the root certificate, I ran the following commands:

keytool -import -alias root -file rootca.crt -keystore mkeystore.jks
keytool -import -alias myalias -file mysubdomain.pem -keystore mykeystore.jks

In server.xml, I have the following entry:
<Connector SSLEnabled="true" clientAuth="false" keystoreFile="conf/mykeystore.jks" keystorePass="mypassword" keyAlias="myalias"  maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS"/>

After I restart Tomcat, I have the following error:

Caused by: java.lang.IllegalArgumentException: Alias name [myalias] does not identify a key entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:116)

Any help is appreciated!

Thanks,

Alexsk Lau
Greenhorn
Posts: 3
I also tried to combine my cert and the root cert into one file and import it to the keystore, but still get the same error.
I tried to view the keystore with: keytool -list -v -keystore mykeystore.jks and the alias name that I used was there:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: myalias
Creation date: 8-Jun-2018
Entry type: trustedCertEntry

Owner: CN=mysundomainca
Issuer: CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US

Tim Holloway
Saloon Keeper
Posts: 22273
Welcome to the Ranch, Alexsk!

There are 2 parts to certification: the SSL private key and the cert itself. From the looks of it, you imported a cert that does not have an accompanying private key.

There's a very useful GUI tool for working with keys and certs called Portecle. You might want to get a copy of it and use it to examine your certs and your keystore.
 
Alexsk Lau
Greenhorn
Posts: 3
Hi Tim,

Thanks for the reply. I think it lies in the alias: Tomcat only wants it to be "tomcat". I tested this with a self-signed certificate and used the same alias in my CSR. Restarting Tomcat resulted in the same error. I then created another self-signed certificate using tomcat as the alias; this time the server starts up with no problem and I can access my app using SSL (of course with a security warning because of the self-signed certificate).

Does anyone know if I can change this behavior? I am using AWS Amazon Linux.

Thanks,
 
Tim Holloway
Saloon Keeper
Posts: 22273
I only understand that stuff when I'm working with it and it has been a while. However, "tomcat" is definitely the easiest alias to work with and there's no real benefit to using a different alias there, since the Tomcat keystore database isn't usually shared with anything else or used outside of Tomcat. Parent certs stored in the keystore can have any alias name you like.

Keystores aren't really magic, though. A Keystore is just a file structured to hold certs and keys. The magic is that it is encrypted, both as a whole and on a per-item basis. You can even move the keystore to some other location if you need to (sometimes I build them offline). There's nothing inside a keystore that cares about which host, which OS, or even which file on disk it is.

So the main confusion here would be in setting up the keystore-related attributes of the Tomcat SSL connector(s) correctly. And, alas, that's quite enough.
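As an added example (not code from the thread or from Tomcat), here is the keytool sequence that leaves the signed certificate paired with its private key as a PrivateKeyEntry, rather than as the trustedCertEntry shown in the listing above, followed by the check Tomcat effectively makes at startup. A throwaway local CA stands in for DigiCert; it assumes a JDK keytool on PATH, and the hostnames, aliases and password are made up.

```shell
#!/bin/sh
# Added example (not from the thread): the corrected keytool flow with a throwaway
# local CA standing in for the real issuer, followed by the check Tomcat makes at
# startup: keyAlias must name a PrivateKeyEntry, not a trustedCertEntry.
# Assumes a JDK keytool on PATH; all names and the password are constructed.
set -eu
command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH, skipping demo"; exit 0; }

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PASS=changeit                       # demo password only
CA_KS="$WORK/ca.jks"
GOOD_KS="$WORK/mykeystore.jks"      # private key and signed reply under ONE alias
BAD_KS="$WORK/wrong.jks"            # cert imported with no private key (the thread's error)

kt() { keytool "$@" -storetype JKS -storepass "$PASS" >/dev/null; }

# Throwaway CA, playing the role DigiCert/RapidSSL played in the thread.
kt -genkeypair -alias ca -keyalg RSA -keysize 2048 -ext bc:c \
   -dname "CN=Demo Test CA" -keypass "$PASS" -keystore "$CA_KS"
kt -exportcert -rfc -alias ca -file "$WORK/rootca.crt" -keystore "$CA_KS"

# 1. Server key pair. This alias is the one Tomcat's keyAlias must name.
kt -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
   -dname "CN=www.example.test" -keypass "$PASS" -keystore "$GOOD_KS"
kt -certreq -alias tomcat -file "$WORK/server.csr" -keystore "$GOOD_KS"

# 2. The CA signs the CSR (the step the commercial CA does for you).
kt -gencert -alias ca -rfc -ext san=dns:www.example.test \
   -infile "$WORK/server.csr" -outfile "$WORK/server.pem" -keystore "$CA_KS"

# 3. Trust the issuer under any alias, then import the reply under the SAME
#    alias that holds the private key; keytool pairs them into a PrivateKeyEntry.
kt -importcert -noprompt -alias root   -file "$WORK/rootca.crt" -keystore "$GOOD_KS"
kt -importcert -noprompt -alias tomcat -file "$WORK/server.pem" -keystore "$GOOD_KS"

# What went wrong in the thread: importing the cert into a keystore that never
# held its key only creates a trustedCertEntry, which Tomcat rejects for keyAlias.
kt -importcert -noprompt -alias myalias -file "$WORK/server.pem" -keystore "$BAD_KS"

# Pre-flight check to run before restarting Tomcat: exit 0 only for a PrivateKeyEntry.
is_key_entry() {  # $1 = keystore path, $2 = alias
  keytool -list -storetype JKS -storepass "$PASS" -keystore "$1" -alias "$2" 2>/dev/null \
    | grep -q PrivateKeyEntry
}

is_key_entry "$GOOD_KS" tomcat  && echo "tomcat@mykeystore.jks: PrivateKeyEntry (Tomcat will start)"
is_key_entry "$BAD_KS"  myalias || echo "myalias@wrong.jks: not a key entry (the reported error)"
```

Run `is_key_entry conf/mykeystore.jks <keyAlias>` against the real keystore before restarting Tomcat; if it fails, the alias holds only a certificate and the fix is to import the CA reply into the keystore and alias where the key pair was generated.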