Re: Issues with Tomcat 6.0 Renewing SSL cert using keytool
Hi Sal,

Thanks for the response. I believe there was a bug or issue which caused us to use TLSv1 instead of just TLS for the setting. At any rate, this setting has not been an issue in the past, and I can verify that it strictly enforces TLS (which is our requirement -- we don't want it to be able to fall back to SSL). I'll verify that it still works upon removing the v1, and if it does I'll keep it like that. Thanks for the heads up!

An update: leaving the old intermediate CA certificate, I added the new intermediate CAs and the new certificate with an alias of tomcat2. I added 'keyAlias=tomcat2' to my connector to specify the name. The result at this point was good news / bad news -- Tomcat didn't spiral out of control, but the site was inaccessible. When changing the specified alias back to tomcat, at least I could bring the site back up, even with the other certs in the keystore. Previously I'd been unable to get it to do that.

-- Sean

On Mon, Feb 14, 2011 at 11:20 PM, Crypto Sal <crypto@gmail.com> wrote:
> Hi Sean,
>
> Have you tried to specify just TLS or SSL for the sslProtocol? You presently have this set at TLSv1, which I do not believe is valid.
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
>
> --Sal
>
> On 02/14/2011 02:46 PM, Sean Killeen wrote:
>> It doesn't -- it tells me that a certificate already exists with that alias, and the import fails.
>>
>> -- Sean
>>
>> On Mon, Feb 14, 2011 at 12:54 PM, Mark Thomas <ma...@apache.org> wrote:
>>> On 14/02/2011 14:03, Sean Killeen wrote:
>>>> The next step seems to throw tomcat off. I believe I need to replace the tomcat alias certificate. Barring a replace function in keytool (which I don't think exists, though I could be wrong), I think this means I have to delete the old tomcat certificate and replace it with the new one.
>>>
>>> That will delete the key. I'm fairly sure you can just import the new certificate and it will replace the old one.
>>>
>>> Mark

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Issues with Tomcat 6.0 Renewing SSL cert using keytool
Sean,

On 2/15/2011 7:37 AM, Sean Killeen wrote:
> leaving the old intermediate CA certificate, I added the new intermediate CAs and the new certificate with an alias of tomcat2. I added 'keyAlias=tomcat2' to my connector to specify the name. The result at this point was good news / bad news -- Tomcat didn't spiral out of control, but the site was inaccessible. When changing the specified alias back to tomcat, at least I could bring the site back up, even with the other certs in the keystore. Previously I'd been unable to get it to do that.

Which exact version of Tomcat 6.0 are you using?

When you use tomcat2, do you still get the "no valid ciphers" error?

I'm pretty sure that RSA isn't a valid cipher. I think you need something that looks like TLS_RSA_WITH_AES_128_CBC_SHA.

-chris
Re: Issues with Tomcat 6.0 Renewing SSL cert using keytool
On 14/02/2011 19:46, Sean Killeen wrote:
> It doesn't -- it tells me that a certificate already exists with that alias, and the import fails.

Hmm. Did you re-use the same private key for this updated certificate? If that is the case then I think you can fix this with some Java code, but it looks like keytool is insufficient. The Java API for keystore manipulation lets you extract private keys.

As an aside, the usual process would be to generate a new private key with a new alias, and then the process should be relatively simple.

Mark
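Mark's aside about the Java keystore API, as an added illustration that is not code from the thread: this hypothetical helper (the class name RenewKeyEntry, argument order and file names are assumptions) keeps the private key already stored under the tomcat alias, checks that the renewed certificate was issued for that same key, and rebinds the new chain to it, which is the replacement keytool refuses to do. It assumes a JKS keystore whose key password equals the keystore password.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper (not from the thread): keep the private key already
// stored under the server alias and attach the renewed certificate chain to it.
public class RenewKeyEntry {
    // A server alias must be a PrivateKeyEntry. If a plain TrustedCertificateEntry
    // sits there (e.g. after "keytool -delete" then "keytool -import"), Tomcat has
    // no key for any cipher suite and reports exactly the error seen in the thread.
    static boolean hasPrivateKey(KeyStore ks, String alias) throws Exception {
        return ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class);
    }
    // usage: java RenewKeyEntry .keystore tomcat <password> new.cer inter1.cer inter2.cer
    public static void main(String[] args) throws Exception {
        String ksPath = args[0], alias = args[1];
        char[] pw = args[2].toCharArray();   // assumes key password == keystore password
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(ksPath)) { ks.load(in, pw); }
        if (!hasPrivateKey(ks, alias)) {
            System.err.println(alias + ": no private key here; restore the keystore from backup");
            System.exit(1);
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, pw);
        // Leaf certificate first, then the intermediates (DER or PEM files).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain = new ArrayList<>();
        for (int i = 3; i < args.length; i++) {
            try (FileInputStream in = new FileInputStream(args[i])) {
                chain.add(cf.generateCertificate(in));
            }
        }
        X509Certificate leaf = (X509Certificate) chain.get(0);
        leaf.checkValidity();   // throws if the renewed cert is expired or not yet valid
        // The renewed cert is only usable if it was issued for the key we are keeping.
        if (!leaf.getPublicKey().equals(ks.getCertificate(alias).getPublicKey())) {
            throw new IllegalStateException("renewed certificate does not match the stored key");
        }
        ks.setKeyEntry(alias, key, pw, chain.toArray(new Certificate[0]));  // overwrites the entry
        try (FileOutputStream out = new FileOutputStream(ksPath)) { ks.store(out, pw); }
    }
}
```

Back up the keystore before running it; the entry is rewritten in place.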
Issues with Tomcat 6.0 Renewing SSL cert using keytool
Hi all,

I'm hoping someone has run into this problem before. I'm using VeriSign certs and have imported a certificate correctly before using keytool. However, the certificate we were using expired, and we obtained a replacement. Importing the replacement appears to be more difficult.

VeriSign's intermediate CA appears to be different than before, and now uses a primary and secondary. So initially I had one intermediate CA and one tomcat certificate. I then imported the two new CAs (alias intermediatecaprimary and intermediatecasecondary) -- this worked without error.

The next step seems to throw tomcat off. I believe I need to replace the tomcat alias certificate. Barring a replace function in keytool (which I don't think exists, though I could be wrong), I think this means I have to delete the old tomcat certificate and replace it with the new one. Doing this (using the command

  keytool -delete -alias tomcat -keystore .keystore

and then

  keytool -import -alias tomcat -keyalg RSA -keystore .keystore -file D:\keystore\Certificates\tomcat.cer

) appears to complete without error. However, the next time I start Tomcat (running as a service), the CPU and memory spin upward until the machine is barely accessible. Tomcat doesn't start up. In the Tomcat log file the following can be seen:

  Feb 14, 2011 8:45:07 AM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
  SEVERE: Socket accept failed
  java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
      at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:149)
      at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:309)
      at java.lang.Thread.run(Thread.java:619)

I'm sure this is just a mistake I'm making somewhere either in keytool or my Tomcat setup, but it's worked fine until trying to use this replacement cert.

One possibility: Do I need to specify a keylength when specifying the keyalg, or is there a default?

My Tomcat connector is as follows (password redacted):

  <Connector
      port="8443"
      protocol="HTTP/1.1"
      SSLEnabled="true"
      enableLookups="false"
      acceptCount="100"
      maxThreads="200"
      scheme="https"
      keystoreFile="d:\keystore\.keystore"
      keystorePass="[Password]"
      secure="true"
      clientAuth="false"
      sslProtocol="TLSv1"
      cipher="RSA"
      allowUnsafeLegacyRenegotiation="false"
  />

Thanks in advance for any help you can give!

-- Sean
Re: Issues with Tomcat 6.0 Renewing SSL cert using keytool
On 14/02/2011 14:03, Sean Killeen wrote:
> The next step seems to throw tomcat off. I believe I need to replace the tomcat alias certificate. Barring a replace function in keytool (which I don't think exists, though I could be wrong), I think this means I have to delete the old tomcat certificate and replace it with the new one.

That will delete the key. I'm fairly sure you can just import the new certificate and it will replace the old one.

Mark
Re: Issues with Tomcat 6.0 Renewing SSL cert using keytool
It doesn't -- it tells me that a certificate already exists with that alias, and the import fails.

-- Sean

On Mon, Feb 14, 2011 at 12:54 PM, Mark Thomas <ma...@apache.org> wrote:
> On 14/02/2011 14:03, Sean Killeen wrote:
>> The next step seems to throw tomcat off. I believe I need to replace the tomcat alias certificate. Barring a replace function in keytool (which I don't think exists, though I could be wrong), I think this means I have to delete the old tomcat certificate and replace it with the new one.
>
> That will delete the key. I'm fairly sure you can just import the new certificate and it will replace the old one.
>
> Mark
Re: Issues with Tomcat 6.0 Renewing SSL cert using keytool
Hi Sean,

Have you tried to specify just TLS or SSL for the sslProtocol? You presently have this set at TLSv1, which I do not believe is valid.
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

--Sal

On 02/14/2011 02:46 PM, Sean Killeen wrote:
> It doesn't -- it tells me that a certificate already exists with that alias, and the import fails.
>
> -- Sean
>
> On Mon, Feb 14, 2011 at 12:54 PM, Mark Thomas <ma...@apache.org> wrote:
>> On 14/02/2011 14:03, Sean Killeen wrote:
>>> The next step seems to throw tomcat off. I believe I need to replace the tomcat alias certificate. Barring a replace function in keytool (which I don't think exists, though I could be wrong), I think this means I have to delete the old tomcat certificate and replace it with the new one.
>>
>> That will delete the key. I'm fairly sure you can just import the new certificate and it will replace the old one.
>>
>> Mark