Tomcat SSL certificate set up  RSS feed

Alexsk Lau
Greenhorn
Posts: 3
Hi,

I have searched multiple sources and tried multiple solutions but cannot make my Tomcat accept my trusted certificates:

I purchased an SSL certificate from my ISP, which was issued by DigiCert. I am having trouble getting my Tomcat, deployed on AWS Linux, to accept it. Here are the details of the procedure that I think should work.

I created my keystore (JKS format) and a signing request using keytool. After getting the certificate for my domain and the root certificate, I ran the following commands:

keytool -import -alias root -file rootca.crt -keystore mykeystore.jks
keytool -import -alias myalias -file mysubdomain.pem -keystore mykeystore.jks

In server.xml, I have the following entry:
<Connector SSLEnabled="true" clientAuth="false" keystoreFile="conf/mykeystore.jks" keystorePass="mypassword" keyAlias="myalias"  maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS"/>

After I restart Tomcat, I get the following error:

Caused by: java.lang.IllegalArgumentException: Alias name [myalias] does not identify a key entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:116)

Any help is appreciated!

Thanks,

Alexsk Lau
Greenhorn
Posts: 3
I also tried to combine my cert and the root cert into one file and import it into the keystore, but I still get the same error.
I tried to view the keystore with: keytool -list -v -keystore mykeystore.jks, and the alias name that I used was there:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: myalias
Creation date: 8-Jun-2018
Entry type: trustedCertEntry

Owner: CN=mysundomainca
Issuer: CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US

Tim Holloway
Bartender
Posts: 20743
Welcome to the Ranch, Alexsk!

There are 2 parts to certification: the SSL private key and the cert itself. From the looks of it, you imported a cert that does not have an accompanying private key.

There's a very useful GUI tool for working with keys and certs called Portecle. You might want to get a copy of it and use it to examine your certs and your keystore.
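As an added example (not code from the thread or from Tomcat), here is the keytool sequence that leaves the private key and its CA-issued certificate under one alias, so that Tomcat finds a PrivateKeyEntry, plus a check that parses keytool -list -v output in the form shown in the second post. The keystore, alias and file names are assumed from the question, the CN is a placeholder, and keytool prompts for the store password.

```shell
#!/bin/sh
# Added example, not from the thread. The CA reply (mysubdomain.pem) must be
# imported into the SAME keystore and under the SAME alias as the key pair it
# was requested for; only then does the alias become a PrivateKeyEntry.
# Assumed names: mykeystore.jks, alias "myalias", rootca.crt, mysubdomain.pem.
KEYSTORE="${KEYSTORE:-mykeystore.jks}"
ALIAS="${ALIAS:-myalias}"

# 1) Key pair and CSR. The alias can be anything, but remember it.
make_keypair_and_csr() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -keystore "$KEYSTORE" -dname "CN=www.example.com" && \
    keytool -certreq -alias "$ALIAS" -keystore "$KEYSTORE" -file request.csr
}

# 2) Issuer cert under its own alias, then the CA reply under the KEY alias.
#    Importing the reply under a new alias, or into an empty keystore, only
#    creates a trustedCertEntry: the "does not identify a key entry" error.
import_reply() {
    keytool -import -trustcacerts -alias root -file rootca.crt \
        -keystore "$KEYSTORE" -noprompt
    keytool -import -trustcacerts -alias "$ALIAS" -file mysubdomain.pem \
        -keystore "$KEYSTORE"
}

# 3) Verification: read `keytool -list -v` output on stdin and print the entry
#    type recorded for the given alias (PrivateKeyEntry or trustedCertEntry).
entry_type_of() {   # usage: keytool -list -v -keystore "$KEYSTORE" | entry_type_of myalias
    awk -v want="$1" '
        /^Alias name:/ { cur = $3 }
        /^Entry type:/ { if (cur == want) { print $3; exit } }
    '
}

# Succeeds only if the alias is usable as Tomcat's keyAlias.
alias_is_key_entry() {
    t=$(entry_type_of "$1")
    [ "$t" = "PrivateKeyEntry" ]
}
```

Run `keytool -list -v -keystore mykeystore.jks | alias_is_key_entry myalias` before restarting Tomcat; a trustedCertEntry result means the reply was not matched to a private key.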
Alexsk Lau
Greenhorn
Posts: 3
Hi Tim,

Thanks for the reply. I think it lies in the alias: Tomcat only wants it to be "tomcat". I tested this with a self-signed certificate and used the same alias in my CSR. Restarting Tomcat resulted in the same error. I then created another self-signed certificate using tomcat as the alias, and this time the server started up with no problem and I can access my app using SSL (of course with a security warning because of the self-signed certificate).

Does anyone know if I can change this behavior? I am using AWS Amazon Linux.

Thanks,
Tim Holloway
Bartender
Posts: 20743
I only understand that stuff when I'm working with it and it has been a while. However, "tomcat" is definitely the easiest alias to work with and there's no real benefit to using a different alias there, since the Tomcat keystore database isn't usually shared with anything else or used outside of Tomcat. Parent certs stored in the keystore can have any alias name you like.

Keystores aren't really magic, though. A Keystore is just a file structured to hold certs and keys. The magic is that it is encrypted, both as a whole and on a per-item basis. You can even move the keystore to some other location if you need to (sometimes I build them offline). There's nothing inside a keystore that cares about which host, which OS, or even which file on disk it is.

So the main confusion here would be in setting up the keystore-related attributes of the Tomcat SSL connector(s) correctly. And, alas, that's quite enough.