Hi,
Can you help me with this problem?
Problem: Installing SSL certificate on Apache Tomcat 8.0.36 fails
I am trying to install a new SSL certificate into Apache Tomcat 8.0.36. I ran
the same steps successfully in 2013 and 2016 on Tomcat 7. Nothing has changed other
than moving the virtual machine from the old server to new hardware this year.
Windows Server 2008 is still the operating system.
I created a keystore, extracted a CSR, generated the certificate on GoDaddy for
an Apache server and imported it into the server. I keep getting SSL handshake errors,
and I think it is because the certificate entry type is "trustedCertEntry" and
not "PrivateKeyEntry".
Here are the steps I used to create the keystore and import certificate to it.
1) Generate a keystore

cd C:\Program Files\Java\jre7\bin
keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keypass secret19 -keystore tomcat10.keystore

2) Create a CSR

keytool -certreq -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore tomcat10.keystore -file file10.csr

3) Generate certificates on the GoDaddy site for an "Apache" server (not Tomcat)

4) Install the root, intermediate and user certificates

keytool -import -alias root -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd-class2-root.crt
keytool -import -alias intermediate -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd_bundle-g2-g1.crt
keytool -import -alias tomcat -keystore tomcat10.keystore -file c:\cert_2019\508c844632c0145.crt
I am not sure why but it seems the new one is not linking all certificates into
the private key.
I tried many different imports and it would never import the server certificate
as a "PrivateKeyEntry" like the one running now.

C:\Program Files\Java\jre7\bin>keytool -list -keystore tomcat10.keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
intermediate, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 27:AC:93:69:FA:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
tomcat, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): B6:27:BE:DF:ED:EF:EF:4D:62:D2:F1:5C:CC:C1:A2:AB:98:60:8E
I also tried creating a PEM text file containing all the certificates and importing that
into the private key alias tomcat, but it only imported the domain certificate as
"trustedCertEntry".
My server.xml connector config is like this
Tried many different options for the keytool command.
Followed the Tomcat 8 documentation and GoDaddy's instructions for installing the certificate.
When I try to access it using a browser I get this error:

This page can’t be displayed. Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced
settings and try connecting to https://psscr.xyz.c
When I use openssl I get a handshake failure:

$ openssl s_client -connect 10.60.xx.xx:443
CONNECTED(0003)
140298896533392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    :
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1564789174
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
Thanks,
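An added check for the kind of `keytool -list` output quoted in the post (example code written for this page, not from the original post, Tomcat or keytool): it parses the listing and reports whether the alias a connector's keyAlias points at is a PrivateKeyEntry, which is what a Tomcat JSSE connector needs, or only a trustedCertEntry. The embedded listing is constructed in the same layout as the post's, with placeholder fingerprints.

```python
"""Check `keytool -list` output for the entry type a Tomcat connector needs.

A Tomcat JSSE connector serves TLS only from an alias that is a PrivateKeyEntry
(the -genkey key pair plus its certificate chain); an alias listed as
trustedCertEntry holds a certificate with no private key, so the handshake fails.
"""
from __future__ import annotations

# Entry types that carry a private key ("keyEntry" is the older keytool name).
PRIVATE_KEY_TYPES = {"PrivateKeyEntry", "keyEntry"}

# Constructed listing in the same layout as the post's, with placeholder fingerprints.
SAMPLE_LISTING = """\
Keystore type: JKS

Your keystore contains 3 entries
root, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
intermediate, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
tomcat, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55
"""

def parse_listing(text: str) -> dict[str, str]:
    """Map alias -> entry type from lines of the form 'alias, <date>, <entryType>,'.
    The date may contain a comma (locale dependent), so the type is the last field."""
    entries: dict[str, str] = {}
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.strip().rstrip(",").split(",")]
        if len(parts) >= 3 and parts[-1].endswith("Entry"):
            entries[parts[0]] = parts[-1]
    return entries  # header and fingerprint lines never match, so they are skipped

def check_connector_alias(entries: dict[str, str], alias: str) -> list[str]:
    """Findings for the alias a connector's keyAlias points at; empty means usable."""
    findings: list[str] = []
    if alias not in entries:
        findings.append(f"alias '{alias}' is not in this keystore")
    elif entries[alias] not in PRIVATE_KEY_TYPES:
        findings.append(f"alias '{alias}' is {entries[alias]}, not PrivateKeyEntry: "
                        "the CA reply was stored as a bare certificate with no private key")
    if not any(t in PRIVATE_KEY_TYPES for t in entries.values()):
        findings.append("no PrivateKeyEntry in this keystore at all: the -genkey key pair "
                        "is not in this file (wrong keystore, or it was regenerated)")
    return findings

if __name__ == "__main__":
    for finding in check_connector_alias(parse_listing(SAMPLE_LISTING), "tomcat"):
        print("FINDING:", finding)
```

Run it against the real listing by piping `keytool -list -keystore <file>` into a file and passing that text to `parse_listing`; a healthy keystore shows the connector alias as PrivateKeyEntry and the CA certificates as trustedCertEntry.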