Hello,
Thanks for the advice - I've tried various permutations of trying to use an
existing CA-signed X509 certificate to enable SSL with Tomcat. From reading
various mailing lists it appears this is a frequent problem but one that many
people have solved using the solutions I have tried - perhaps I'm missing
something? My environment is Java 1.5.0_06, Tomcat 5.5.12, Fedora Core 4; my
certificate is signed by the eScience CA in the UK.
Here are my findings ...
Splitting the p12 file into a crt and key:
In the conf/server.xml:
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               SSLEngine="on"
               SSLCertificateFile="certificate.crt"
               SSLCertificateKeyFile="certificate.key"
               SSLPassword="pass" />
Error message when splitting the p12 file into crt and key:
    java.io.FileNotFoundException: /home/jm/.keystore (No such file or directory)
        at java.io.FileInputStream.open(Native Method)
        at java.io.FileInputStream.<init>(FileInputStream.java:106)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:279)
        .......
It appears that Tomcat 5.5.12 is ignoring my configuration of the https
connector and looking for the default JKS keystore, which I hadn't created.
I therefore created the keystore, adding a self-signed certificate, and yes, it
enabled the https connection, but not using the intended certificates, so
effectively this does not work either.
Using the p12 file as the keystore:
In conf/server.xml:
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreType="PKCS12"
               keystoreFile=".p12" keystorePass="pass"/>
Error message when using the p12 file as the keystore:
    Could not establish an encrypted connection because certificate presented by
    localhost is invalid or corrupted. Error Code: -8101
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
    Netscape cert type does not permit use for SSL server
Finally, adding my p12 CA-signed certificate programmatically into a JKS
keystore, with the root CA certificate added as:
    keytool -import -keystore my.keystore -storepass pass -alias eScienceRoot \
            -file /downloads/cacert.crt
In the conf/server.xml:
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/home/jm/jm.keystore" keystorePass="pass"/>
Error message after adding the p12 into a JKS keystore:
    Could not establish an encrypted connection because certificate presented by
    localhost is invalid or corrupted. Error Code: -8101
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
    Netscape cert type does not permit use for SSL server
Thanks,
Julie.
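The two "Netscape cert type does not permit use for SSL server" failures above come from the JSSE end-entity check, which rejects a server certificate that carries the legacy Netscape Cert Type extension without its "SSL Server" bit set (a certificate with no such extension passes). The script below is an added example, not code from the post or from Tomcat: it builds three throwaway self-signed certificates with openssl (one with nsCertType=server, one with nsCertType=client, one with no nsCertType extension at all), then applies the same test to each so you can see which one Tomcat would refuse. It assumes an `openssl` binary on the PATH and writes only into a temporary directory; the certificate names and the `tls_server_ok` / `cert_type_verdict` helper names are invented for the example.

```shell
#!/bin/sh
# Added example: reproduce and check the "Netscape cert type" condition with openssl.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME [NSCERTTYPE]: create a throwaway self-signed cert (constructed
# test data, not a real CA-issued certificate). With no second argument the
# Netscape Cert Type extension is omitted entirely.
make_cert() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $1.example.test
[v3]
${2:+nsCertType = $2}
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -config "$WORK/$1.cnf" 2>/dev/null
}

# tls_server_ok CERTFILE: succeed (exit 0) when the certificate is acceptable
# as a TLS server certificate by the rule JSSE applies: the Netscape Cert Type
# extension is either absent or includes "SSL Server".
tls_server_ok() {
  text=$(openssl x509 -in "$1" -noout -text)
  if ! printf '%s\n' "$text" | grep -q 'Netscape Cert Type'; then
    return 0   # no extension: nothing to object to
  fi
  # openssl prints the bit names on the line following the extension header
  printf '%s\n' "$text" | grep -A1 'Netscape Cert Type' | grep -q 'SSL Server'
}

# cert_type_verdict CERTFILE: print "ok" or "rejected" (always exits 0).
cert_type_verdict() {
  if tls_server_ok "$1"; then echo ok; else echo rejected; fi
}

make_cert server server      # nsCertType = server  -> usable by Tomcat
make_cert client client      # nsCertType = client  -> the error in the post
make_cert plain              # no nsCertType at all -> usable by Tomcat

for name in server client plain; do
  printf '%-7s %s\n' "$name" "$(cert_type_verdict "$WORK/$name.crt")"
done
```

To run the same check on the certificate actually installed in a PKCS#12 bundle, extract the end-entity certificate first, e.g. `openssl pkcs12 -in file.p12 -clcerts -nokeys | openssl x509 -noout -text | grep -A1 'Netscape Cert Type'`; if the extension is listed without "SSL Server", no keystore format or connector setting will make JSSE present it as a server certificate, and the CA has to issue one with the correct profile.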