Hi David,

I'm unfortunately on a Wintel server and the OS has problems with files named
with a preceding '.'.

My connector references the 'keystore' file and I access the keystore via keytool.
I've tried it with the .keystore name as an early solution but it didn't make 
any difference. If the .keystore name is mandatory I can try it again, but it 
still doesn't explain where the self-signed certificate is coming from.

Thanks,

Rob Cole

+44 (0)20 754 51117


David Goodenough <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: SSL Certificate configuration
Date: 09/11/2004 11:33
Please respond to "Tomcat Users List"

On Thursday 11 November 2004 11:04, Robert Cole wrote:
> Hi,
>
> I'm having some fun and games getting Tomcat 5.0.19 to use a non-self
> signed certificate. I've done the following:
>
> 1) Using Keytool, generated a new key pair using the genkey switch, into a
>    new keystore
> 2) Generated a CSR using the new keystore created above
> 3) Using OpenSSL, where I've created a certificate authority to sign my
>    CSRs, I've then generated a signed certificate valid for 365 days, signed
>    by my root authority
> 4) I've then imported the Root CA into the keystore created in 1
> 5) Then I've imported the new, signed certificate into the keystore from 1
> 6) I've then enabled my HTTPS connector in server.xml, with the keystore
>    entry pointing to the keystore from 1. I bounced Tomcat afterwards
>
> I can then connect to Tomcat on port 8443 but when I examine the
> certificate it is a self signed certificate that expired after 3 months.
> There is no evidence of the signed certificate.
>
> So far I have:
>
> 1) Removed the keystore file to check that Tomcat is picking up the correct
>    file. It is, as I get loads of errors in the std.out file
> 2) Listed the contents of the keystore. I can see, in the following order,
>    the root CA certificate, the generated keypair and then the signed
>    certificate.
> 3) I made a copy of the keystore, changed the configuration to use the copy
>    and then fired Tomcat up again. I finally managed to shut Tomcat down
>    again after a large number of errors flooded the log file.
> 4) I've used the Keytool export and printcert switches to check that the
>    signed certificate in the keystore is the right one, and it is.
>
> So, my question is, how is tomcat using a self signed SSL certificate, and
> where could it be getting it from? Is there a way to force Tomcat to use a
> certain certificate from a keystore?
>
> I'm now very, very stuck and would appreciate some help. Are there any
> switches I can use to get more information from Tomcat on what it is using,
> certificate wise?
>
> For reference, the connector config looks like this:
>
>     <Connector port="8443"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" debug="0" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                keystoreFile="D:\db\certificates\keystore"
>                keystorePass="" />
>
> My keystore:
>
> D:\db\certificates>keytool -keystore keystore -list
should that not be ".keystore", not "keystore"?

David
> Enter keystore password:
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 3 entries
>
> rootca, Nov 9, 2004, trustedCertEntry,
> Certificate fingerprint (MD5): 7B:CD:2C:5D:AE:79:8A:86:D5:70:25:56:3D:0D:D1:AC
> mis1_key, Nov 9, 2004, keyEntry,
> Certificate fingerprint (MD5): BB:6A:10:C7:1C:DC:A2:AE:BD:77:C3:6F:50:B6:50:C1
> mis1_cert, Nov 9, 2004, trustedCertEntry,
> Certificate fingerprint (MD5): 63:A4:57:A1:3E:B9:72:67:14:21:88:F3:3A:90:C5:5A
>
> The certificate that should be used is the mis1_cert certificate. From the
> printcert:
>
> D:\db\certificates>keytool -keystore keystore -printcert -file test.crt -v
> Owner: CN=mis1, OU=gmPrice, O=Deutsche Bank, L=London, ST=England, C=UK
> Issuer: [EMAIL PROTECTED], CN=gmPrice, OU=Shared Technology,
>   O=Deutsche Bank, L=London, ST=England, C=UK
> Serial number: 8
> Valid from: Tue Nov 09 09:26:01 GMT 2004 until: Wed Nov 09 09:26:01 GMT 2005
> Certificate fingerprints:
>          MD5:  63:A4:57:A1:3E:B9:72:67:14:21:88:F3:3A:90:C5:5A
>          SHA1: C7:AA:85:F7:7E:92:AC:E6:77:8B:44:F4:B2:7F:33:11:A7:DC:57:A3
>
>
>
> Rob Cole
>
>
>
>
> --
>
> This e-mail may contain confidential and/or privileged information. If you
> are not the intended recipient (or have received this e-mail in error)
> please notify the sender immediately and destroy this e-mail. Any
> unauthorized copying, disclosure or distribution of the material in this
> e-mail is strictly forbidden.
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

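Added note and example, not part of the thread above and not written by either poster. The keytool listing quoted in the thread already shows why the connector serves a self-signed certificate. The CA-signed certificate (MD5 63:A4:...) was imported under a new alias, mis1_cert, so keytool stored it as a trustedCertEntry. The private-key entry, mis1_key, still carries the certificate keytool generated at -genkey time (MD5 BB:6A:...), which is self-signed and, with keytool's default -validity of 90 days, expires after three months. A JSSE connector presents the certificate chain attached to the key entry; trustedCertEntry entries are never offered as the server certificate, whatever order they appear in. The remedy is to import the CA reply under the key entry's own alias (keytool -import -alias mis1_key -file test.crt -keystore keystore), with the root CA already in the keystore so keytool can verify the chain. Afterwards "keytool -list -v" should report "Certificate chain length: 2" for mis1_key, and "openssl s_client -connect host:8443" shows what the connector actually serves. The script below performs that check on keytool -list output; the listing it embeds is a constructed copy of the one in the thread, and the keystore, alias and reply-file names are the thread's.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the keytool -list output quoted in the thread,
# reflowed one entry per line pair as keytool prints it.
SAMPLE_LIST = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

rootca, Nov 9, 2004, trustedCertEntry,
Certificate fingerprint (MD5): 7B:CD:2C:5D:AE:79:8A:86:D5:70:25:56:3D:0D:D1:AC
mis1_key, Nov 9, 2004, keyEntry,
Certificate fingerprint (MD5): BB:6A:10:C7:1C:DC:A2:AE:BD:77:C3:6F:50:B6:50:C1
mis1_cert, Nov 9, 2004, trustedCertEntry,
Certificate fingerprint (MD5): 63:A4:57:A1:3E:B9:72:67:14:21:88:F3:3A:90:C5:5A
"""

# MD5 fingerprint that "keytool -printcert -file test.crt" reported for the CA-signed cert.
SIGNED_CERT_MD5 = "63:A4:57:A1:3E:B9:72:67:14:21:88:F3:3A:90:C5:5A"


@dataclass
class Entry:
    alias: str
    kind: str         # "keyEntry" (private key + chain) or "trustedCertEntry"
    fingerprint: str  # fingerprint of the entry's first certificate, upper-case


# "alias, date, type," as printed by keytool; newer JDKs print PrivateKeyEntry.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+), (?P<date>.+), (?P<kind>keyEntry|PrivateKeyEntry|trustedCertEntry),\s*$"
)
FP_RE = re.compile(
    r"^Certificate fingerprint \((?:MD5|SHA1|SHA-256)\):\s*(?P<fp>[0-9A-Fa-f:]+)\s*$"
)


def parse_keytool_list(text):
    """Turn keytool -list output into Entry records, keeping keystore order."""
    entries, pending = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kind = "keyEntry" if m.group("kind") == "PrivateKeyEntry" else m.group("kind")
            pending = (m.group("alias").strip(), kind)
            continue
        m = FP_RE.match(line)
        if m and pending is not None:
            entries.append(Entry(pending[0], pending[1], m.group("fp").upper()))
            pending = None
    return entries


def fix_command(keystore, key_alias, reply_file):
    """keytool installs a CA reply into an existing key entry only when -alias
    names that entry; under any other alias the reply becomes a trustedCertEntry."""
    return f"keytool -import -keystore {keystore} -alias {key_alias} -file {reply_file}"


def diagnose(entries, signed_fp, keystore="keystore", reply_file="test.crt"):
    """Report which entry holds the CA-signed certificate and whether a JSSE
    connector, which only ever serves key entries, will actually present it."""
    signed_fp = signed_fp.upper()
    key_aliases = [e.alias for e in entries if e.kind == "keyEntry"]
    holder = next((e for e in entries if e.fingerprint == signed_fp), None)
    if holder is None:
        status = "signed-cert-missing"            # reply never imported, or wrong file
    elif holder.kind == "keyEntry":
        status = "ok"                             # key entry carries the signed chain
    else:
        status = "signed-cert-in-trusted-entry"   # the situation in the thread
    fix = []
    if status != "ok":
        # Every key entry still holds its -genkey self-signed cert; re-import the
        # reply under that alias so the signed chain replaces it.
        fix = [fix_command(keystore, a, reply_file) for a in key_aliases]
    return {
        "status": status,
        "holder": holder.alias if holder else None,
        "key_aliases": key_aliases,
        "fix": fix,
    }


if __name__ == "__main__":
    report = diagnose(parse_keytool_list(SAMPLE_LIST), SIGNED_CERT_MD5)
    for k, v in report.items():
        print(f"{k}: {v}")
```

To use it against a live keystore, pipe "keytool -keystore <file> -list" into parse_keytool_list and pass the fingerprint from "keytool -printcert -file <reply>"; the returned "fix" list is the import command to run for each key entry.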