
SSL Certificate Question

I do not have much experience with Tomcat, and I am trying to figure out how to resolve an SSL certificate issue. It appears as though the cert on a Tomcat server was installed with an incomplete chain. This is a Sectigo cert, and scans of the website are showing that intermediate certificates are missing. If I look at the directory on the server where everything is stored, I can see a .pfx file which is being designated as the keystore file. In that directory, there are also four .crt files, which appear to all be the correct certificates to make up the chain. There is also a .p7b file which contains the same four certs. So I'm wondering if the .pfx file was not generated properly to include the full chain? All of the people who did all of this work are gone, and this has just been handed to me. So I'm trying to figure out how to correct this. There is a lot of documentation on installing SSL certs in Tomcat. But I'm just wondering if it's possible to modify that .pfx file to include the proper certificate chain. Based on what I have read, I'm not sure this cert was installed in a conventional manner. Just looking for the best way to install the certificate correctly without taking down the site. Any advice would be appreciated.
Saloon Keeper
Welcome to the Ranch, Robert!

Tomcat SSL used to drive me crazy until I realized that the best way to handle SSL in Tomcat was for Tomcat not to handle SSL.

OK. Let me explain. For a smooth browsing experience, HTTPS client requests should be sent to the server's TCP Port 433. Port 433, like port 80 (HTTP), is in the "magic" port range (0-1023) that most OSes will not allow ordinary system users to listen on. In order for Tomcat to use those ports, it has to run with administrator/root privileges. That's a major security problem, since if an attacker can take over Tomcat, they'll effectively pwn the entire machine.

A safer solution is to front Tomcat with a reverse proxy server such as Apache, Nginx or IIS. Apache and Nginx have the ability to launch as privileged users, to acquire ports 80 and 443 and then downshift to non-privileged status. I would hope that IIS does so as well, although I have never checked. Tomcat, being a Java application, cannot do that, since it's not a "write-once/run-anywhere" function.

In such a configuration, the incoming SSL requests address port 443 and the proxy server manages the security certs. And it's a lot easier for most people to use and get support for certs in Apache and nginx than it is for Java apps such as Tomcat. The proxy then talks to Tomcat using a private protocol such as AJP, and since this typically happens between machines behind the firewall (and often on the same physical or virtual host), no additional encryption is needed. Tomcat's default proxy port is 8009 and you set up a connector in your proxy server to address it. The directives required are fairly simple.

However, in some situations you do indeed need Tomcat to handle SSL directly. Tomcat uses a Java keystore file to manage and secure the SSL cert chain. Normally that file has a ".jks" extension. A keystore is a database where security documents are kept in an encrypted container, accessible by a simple text ID. The default id for the Tomcat SSL cert is "tomcat".

The keystore must contain both the private key and certificate files and it must also contain (and link) parent certs - up to a point. There is a small set of master certs stored (and fingerprinted) in the JVM itself, just as there are in web browsers and other TLS clients and servers. For a "chain of trust" to be complete, then, the certs in the keystore must refer up the keystore until at the top keystore cert level, the cert refers to one of the "universal" certs in the JVM. That's done by the cert supplier, as only they can obtain the final credentials in a certified way.

For me, chaining the certs is only a small part of the grief. It's identifying and including the private key and getting them in the right format that's the real headache. What made my life immensely easier was a Java GUI app called "portecle". The portecle app can create and manage keystores and convert certs and keyfiles to their proper formats. It can also work with offline keystores.

That last has been a real lifesaver. I can build a keystore file and test it with my own private Tomcat. Then, when I'm satisfied, I can copy that keystore file to the production server, restart the server, and Bob's your uncle.
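The question in the thread is whether the existing .pfx ever received the intermediate certs, and the answer above explains why the keystore has to hold key, leaf and parents together. The script below is an added example (not from the original post, and not Sectigo's or Tomcat's own tooling): it builds a constructed test chain with the openssl CLI, exports one .pfx the way the broken one was probably made (key + leaf only) and one with the chain attached via -certfile, then checks each the way you would check the real file. The keystore password "changeit" and the alias "tomcat" are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build a .pfx that carries the full chain
# and check what a given .pfx actually contains. Needs the openssl CLI.
# Everything below is CONSTRUCTED test material (self-signed "Test Root"), not a Sectigo chain.
set -e
WORK=$(mktemp -d); cd "$WORK"
PASS=changeit   # keystore password; assumed (Tomcat's documented default)

# Constructed two-level chain: Test Root -> Test Intermediate -> www.example.test
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root" \
  -keyout root.key -out root.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out int.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 2 -out server.crt 2>/dev/null

# The keystore as the thread describes it (leaf cert + private key only)...
openssl pkcs12 -export -inkey server.key -in server.crt -name tomcat \
  -passout "pass:$PASS" -out leaf-only.pfx
# ...and the corrected one: -certfile adds the intermediate(s) and root to the bag.
cat int.crt root.crt > chain.crt
openssl pkcs12 -export -inkey server.key -in server.crt -certfile chain.crt \
  -name tomcat -passout "pass:$PASS" -out full-chain.pfx

# How many certificates does a .pfx hold?  1 means the intermediates never made it in.
pfx_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Does the leaf validate up to the root using ONLY the certs found inside the .pfx?
pfx_chain_ok() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null > from-pfx.pem
  openssl verify -CAfile root.crt -untrusted from-pfx.pem server.crt >/dev/null 2>&1
}

echo "leaf-only.pfx : $(pfx_cert_count leaf-only.pfx) cert(s)"
echo "full-chain.pfx: $(pfx_cert_count full-chain.pfx) cert(s)"
```

Run the same two checks against the production .pfx (with its real password and the CA's root in place of root.crt); a count of 1 or a failed verify means the file has to be re-exported with the four .crt files supplied through -certfile, and the scanner will keep reporting a broken chain until it is.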