Re: Need help w/ installing certificate continued...
Andy Tipton wrote:
> I have read all through the documentation and can't find what I am doing wrong. The only thing that I didn't do was the importing of the valicert_class2_root.crt file because I wasn't given one when I downloaded my certificate. I imported the real one after I imported the intermediate crt.

Did you get any error during this step, i.e., importing the intermediate crt after root?

> So now I have this:
>
> C:\Program Files\Java\jdk1.5.0_05\bin>keytool -list -keystore .keystore
> Enter keystore password: changeit
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 2 entries
>
> tomcat5, Nov 13, 2006, trustedCertEntry,
> Certificate fingerprint (MD5): 73:EA:94:A1:38:C8:9A:5D:65:44:7C:C7:65:A7:01:5F
> intermed, Nov 13, 2006, trustedCertEntry,
> Certificate fingerprint (MD5): 7A:A5:BA:4F:BC:0A:C5:3C:56:E9:50:A0:13:6A:88:A9
>
> C:\Program Files\Java\jdk1.5.0_05\bin>
>
> Could it have to do with the alias? I can't figure out what it could be.

I am not sure whether this could be the problem with the alias.

> I just get a 'page cannot be displayed' when trying to access it. I have been reading, but can't find anywhere that really explains how the keystore and certificate relate to each other, or if the alias matters. I really need some help here.

Below are the steps I did on one of my Linux boxes (must work in Windows too).

First I generated tomcat.key and the CSR with:

$ keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.key
$ keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore tomcat.key

Got the certs from our CA (files sf_issuing.crt, _mydomain.crt). Copied the CA's intermediate cert to valicert_class2_root.crt.

First import the CA's intermediate certificate to root, like this:

$ keytool -import -alias root -keystore tomcat.key -trustcacerts -file valicert_class2_root.crt

Then import the issuing cert to intermed:

$ keytool -import -alias intermed -keystore tomcat.key -trustcacerts -file sf_issuing.crt

Last is to import your domain's cert to the tomcat alias:

$ keytool -import -alias tomcat -keystore tomcat.key -trustcacerts -file _mydomain.crt

The above steps worked perfectly for me. I just had to point to the correct key file in server.xml and https started working. Let me know if that helped you out.

Regds,
SK

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
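The listing quoted above shows only trustedCertEntry entries, so that keystore holds no private key for the connector to use; the steps in the reply avoid this by generating the key under the tomcat alias first and importing the issued certificate back under that same alias. The following is an added example, not code from the thread, that checks a keytool -list listing for a usable key entry; both listings are constructed (the first modelled on the one posted above, with a made-up root fingerprint in the second) and the alias names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Tomcat's HTTPS connector needs the
# alias it uses (keyAlias, default "tomcat") to be a private-key entry,
# which keytool lists as "keyEntry" (JDK 5) or "PrivateKeyEntry" (JDK 6+).
# A certificate imported into a keystore that never held the matching key
# is listed as "trustedCertEntry" only, and the connector has nothing to serve.

# Constructed listing, modelled on the one posted in the thread: the server
# cert landed under alias "tomcat5" as a trusted cert and no key exists.
LISTING_BROKEN='Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

tomcat5, Nov 13, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 73:EA:94:A1:38:C8:9A:5D:65:44:7C:C7:65:A7:01:5F
intermed, Nov 13, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 7A:A5:BA:4F:BC:0A:C5:3C:56:E9:50:A0:13:6A:88:A9'

# Constructed listing of a keystore built as the reply describes: -genkey
# under "tomcat", CA chain imported, then the issued cert imported under
# that same alias, so the key entry survives (root fingerprint is made up).
LISTING_OK='Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

root, Nov 13, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
intermed, Nov 13, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 7A:A5:BA:4F:BC:0A:C5:3C:56:E9:50:A0:13:6A:88:A9
tomcat, Nov 13, 2006, keyEntry,
Certificate fingerprint (MD5): 73:EA:94:A1:38:C8:9A:5D:65:44:7C:C7:65:A7:01:5F'

# entry_type LISTING ALIAS: print the entry type of ALIAS, or "missing".
entry_type() {
  t=$(printf '%s\n' "$1" |
      awk -F', ' -v a="$2" '$1 == a { sub(/,$/, "", $NF); print $NF }')
  printf '%s\n' "${t:-missing}"
}

# has_server_key LISTING ALIAS: succeed only if ALIAS can back a connector.
has_server_key() {
  case $(entry_type "$1" "$2") in
    keyEntry|PrivateKeyEntry) return 0 ;;
    *) return 1 ;;
  esac
}
# Real use: has_server_key "$(keytool -list -keystore tomcat.key)" tomcat
```

If the check fails for the alias named in the connector, the fix is not another import into the same file but rebuilding from -genkey and a fresh CSR, as the second reply in this thread says.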
RE: Need help w/ installing certificate continued...
Andy Tipton wrote:
> I have done the following... (I am running Tomcat 5 on a Windows 2003 Server)
>
> - Recreated the .keystore many different times trying to get one to work...
> - Tried different aliases with my domain crt (does the alias matter?)
> - Installed the crts in Windows and everything shows fine there when viewing the crt.

Does the .keystore file that you recreated have the same key you used to generate the CSR? If not, you may have to start from the first step: generate a fresh tomcat.key (tomcat alias) and a fresh CSR, and get a new cert.

> - Set my config in the server.xml (I have tried SSL and TLS):
>
> <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
> <Connector port="443" maxHttpHeaderSize="8192" address="192.168.1.190"
>            maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>            enableLookups="false" disableUploadTimeout="true"
>            acceptCount="100" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="TLS"
>            keystoreFile="tomcat.keystore" keystorePass="changeit"/>

You can try giving the full path to the keystoreFile="c:\..\tomcat.key" and see if that works.

> - Imported the certificates into my keystore in the following order: root, intermed, tomcat.
>
> C:\Program Files\Java\jdk1.5.0_05\bin>keytool -list -keystore tomcat.keystore
> Enter keystore password: changeit
> C:\Program Files\Java\jdk1.5.0_05\bin>
>
> - When I installed the root crt it said that there was already a system-wide root crt installed, did I want to continue to import it into the keystore, and I said 'yes'.
> - All I get is a 'Page cannot be displayed' when trying to access the browser 'https:'
> - If I create a keystore without importing the real crt, then it works, but it just says that the crt isn't trusted.
>
> What am I missing? I can't get it to work...

Hope you have done all the steps as mentioned in my previous post.

Regds,
SK

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Saravana Kumar
Sent: Wednesday, November 15, 2006 5:07 AM
To: users@tomcat.apache.org
Subject: Re: Need help w/ installing certificate continued...
RE: tomcat + certificate
Duan, Nick wrote:
> Without knowing the details of your problem (you may want to provide a stack trace next time), I think the problem is in the java client. Did you use JSSE to implement the client? The java sockets for accessing http are not the same as https.
>
> ND

Duan,

Thanks for the help. Below is the stack trace of the java client I use:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:847)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:836)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
        at ClientRequest.communicateGA(ClientRequest.java:46)
        at ClientRequest.main(ClientRequest.java:24)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
        at sun.security.validator.Validator.validate(Validator.java:203)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
        at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:840)
        ... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
        ... 17 more

I got this while I tried to connect with the sample servlet that comes with tomcat. Is that enough? Below is the snippet of the code I use:

URL url = new URL("https://myserver:8443/servlets-examples/servlet/HelloWorldExample");
URLConnection conn = url.openConnection();
conn.setDoOutput(true);
OutputStreamWriter wr = new OutputStreamWriter(conn.getOutputStream());

Where am I going wrong? I guess the problem is with the client (as you pointed out already) but I am unable to figure out the exact problem. The client and server are both on the same system.

regds,
SK

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Saravana Kumar
Sent: Friday, February 10, 2006 2:29 AM
To: users@tomcat.apache.org
Subject: tomcat + certificate

Hi,

I am running a tomcat server here. We have a servlet container hosted in the server. The servlet is called from a java client program and is working fine (http). Then, following the instructions from the tomcat documentation page, I installed a self-signed certificate. The site now shows up with the certificate in the browser. The problem is that while running the java client and connecting to the server (https) the program gives an error (connection timed out / SSL handshake ... etc). Hope I am not raising a dumb question here. What is wrong with my setup? Any pointers? Someone said we have to install apache also. Is that so? Is it possible to make tomcat handle the certificates itself and free the servlet from that? BTW, I am running on FC4, with tomcat version 5.5.12.

TIA,
SK
tomcat + certificate
Hi,

I am running a tomcat server here. We have a servlet container hosted in the server. The servlet is called from a java client program and is working fine (http). Then, following the instructions from the tomcat documentation page, I installed a self-signed certificate. The site now shows up with the certificate in the browser. The problem is that while running the java client and connecting to the server (https) the program gives an error (connection timed out / SSL handshake ... etc). Hope I am not raising a dumb question here. What is wrong with my setup? Any pointers? Someone said we have to install apache also. Is that so? Is it possible to make tomcat handle the certificates itself and free the servlet from that? BTW, I am running on FC4, with tomcat version 5.5.12.

TIA,
SK