Tomcat 5.5.23 with SSL
Hi

I'm having issues with using a signed SSL certificate from thawte.com with tomcat 5.5.23.

My server.xml contains the following:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               address="192.168.1.106" maxThreads="120" scheme="https"
               secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="/usr/share/tomcat5/keystore.kdb"
               keyAlias="tomcat" keystorePass="password" />

/var/log/tomcat5/catalina.out reports the following:

    LifecycleException: service.getName(): Catalina; Protocol handler start failed: java.io.IOException: Alias name tomcat does not identify a key entry

Regardless of what alias name I add to the keystore and modify in my server.xml, I always get this error.

Does anyone have a suggestion as to why this happens?

Regards
Alexander Mills

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Tomcat 5.5.23 with SSL
Is the keystore file available to be read/executed by the user running tomcat?

-Original Message-
From: Alexander Mills [mailto:alexander.mi...@psycle.com]
Sent: Monday, February 14, 2011 8:04 AM
To: users@tomcat.apache.org
Subject: Tomcat 5.5.23 with SSL

Hi

I'm having issues with using a signed SSL certificate from thawte.com with tomcat 5.5.23.

My server.xml contains the following:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               address="192.168.1.106" maxThreads="120" scheme="https"
               secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="/usr/share/tomcat5/keystore.kdb"
               keyAlias="tomcat" keystorePass="password" />

/var/log/tomcat5/catalina.out reports the following:

    LifecycleException: service.getName(): Catalina; Protocol handler start failed: java.io.IOException: Alias name tomcat does not identify a key entry

Regardless of what alias name I add to the keystore and modify in my server.xml, I always get this error.

Does anyone have a suggestion as to why this happens?

Regards
Alexander Mills

Re: Tomcat 5.5.23 with SSL
Yes,

    -rwxr-xr-x 1 tomcat tomcat 1098 Feb 14 12:32 keystore.kdb

On 14 Feb 2011, at 15:38, Shaun Farrugia wrote:

> Is the keystore file available to be read/executed by the user running tomcat?

Re: Tomcat 5.5.23 with SSL
For reference, keytool -list -keystore keystore.kdb

    [root@localhost tomcat5]# keytool -list -keystore keystore.kdb
    Enter keystore password:
    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    tomcat, Feb 14, 2011, trustedCertEntry,
    Certificate fingerprint (MD5): FC:XX:XX:87:74:CF:29:7A:F1:XX:9B:6E:18:32:7E:XX

On 14 Feb 2011, at 15:38, Shaun Farrugia wrote:

> Is the keystore file available to be read/executed by the user running tomcat?

Re: Tomcat 5.5.23 with SSL
On 14/02/2011 15:45, Alexander Mills wrote:

> For reference, keytool -list -keystore keystore.kdb
>
> [root@localhost tomcat5]# keytool -list -keystore keystore.kdb
> Enter keystore password:
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 1 entry
>
> tomcat, Feb 14, 2011, trustedCertEntry,
> Certificate fingerprint (MD5): FC:XX:XX:87:74:CF:29:7A:F1:XX:9B:6E:18:32:7E:XX

That is just a certificate - there is no key so that is never going to work.

Mark

RE: Tomcat 5.5.23 with SSL
I believe this information might help - apologies if this was tried already

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html#Configuration

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Monday, February 14, 2011 12:52 PM
To: Tomcat Users List
Subject: Re: Tomcat 5.5.23 with SSL

That is just a certificate - there is no key so that is never going to work.

Mark

Re: Tomcat 5.5.23 with SSL
Hi Alexander,

As Mark has previously mentioned, there's no entry type of 'privateKeyEntry' which is *required* for the certificate to work.

I suspect what has happened is that you might not have been in the directory with your keystore file or you did not specify the right keystore as keytool is a little sneaky in this regard. If the keystore doesn't exist in the location that is specified, it will create it for you, but it will of course be missing the Private Key. I see this happen all too often.

See if you have another 'keystore.kdb' file on your system and then try installing your certificate into it.

--Crypto.Sal

On 02/14/2011 12:52 PM, Mark Thomas wrote:

> That is just a certificate - there is no key so that is never going to work.
>
> Mark
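
The check that Mark's and Crypto.Sal's replies come down to, as an added example that is not part of the thread: it reads `keytool -list` output, accepts an alias only when it is a key entry, and wraps the import of the CA reply so that it refuses a missing keystore file instead of letting keytool create a new one. The function names and the second sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from `keytool -list` output whether an alias can
# serve as a Tomcat keyAlias. Function names are hypothetical.

# Listing quoted in the thread (fingerprint masked as in the post).
THREAD_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Feb 14, 2011, trustedCertEntry,
Certificate fingerprint (MD5): FC:XX:XX:87:74:CF:29:7A:F1:XX:9B:6E:18:32:7E:XX'

# Constructed sample: the same alias once it holds the private key.
GOOD_LISTING='Your keystore contains 1 entry

tomcat, Feb 14, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

# entry_type ALIAS: read a listing on stdin, print the entry type of ALIAS
# (prints nothing when the alias is absent). keytool lowercases aliases,
# so the comparison ignores case.
entry_type() {
    awk -v want="$1" 'BEGIN { want = tolower(want) }
    {
        sub(/[ \t\r]+$/, "")
        n = split($0, f, ", *")
        if (n < 3 || tolower(f[1]) != want) next
        # The date may contain commas, so take the last non-empty field.
        for (i = n; i > 1; i--) if (f[i] != "") { print f[i]; exit }
    }'
}

# has_private_key ALIAS: succeed only for a key entry. Older keytool
# releases print "keyEntry", newer ones "PrivateKeyEntry".
has_private_key() {
    case "$(entry_type "$1")" in
        PrivateKeyEntry|keyEntry) return 0 ;;
        *) return 1 ;;
    esac
}

# import_reply KEYSTORE ALIAS CERTFILE: import the CA reply only into an
# existing keystore whose alias already holds the key pair.
import_reply() {
    [ -f "$1" ] || { echo "no keystore at $1, not creating one" >&2; return 2; }
    keytool -list -keystore "$1" | has_private_key "$2" ||
        { echo "alias $2 has no private key in $1" >&2; return 3; }
    keytool -import -trustcacerts -alias "$2" -file "$3" -keystore "$1"
}
```

Running `printf '%s\n' "$THREAD_LISTING" | entry_type tomcat` on the listing from the thread yields `trustedCertEntry`, which is why the connector fails with "does not identify a key entry".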