This issue got resolved; the private key was not present in the JKS file. Once 
we got the pfx file from the customer and pointed to that in the server.xml 
file, the application started working. When we imported the certificate (.cer 
file), the keytool utility did not complain that the private key is not present. 
Also, when the browser makes a request, there were no error messages/no indication 
in Tomcat; there was no response from the Tomcat server.  Any comments on this, 
please?

-Latha


-----Original Message-----
From: Sivasubramaniam, Latha 
Sent: Wednesday, July 18, 2012 1:56 PM
To: 'Tomcat Users List'
Cc: Samala, Praveen; Pandurangan Krishnakumar
Subject: RE: Certificate chain does not seem to work and no errors in the 
tomcat logs

We tried with Firefox; that did not work either.

-----Original Message-----
From: Sivasubramaniam, Latha
Sent: Wednesday, July 18, 2012 1:55 PM
To: 'Tomcat Users List'
Cc: Samala, Praveen; Pandurangan Krishnakumar
Subject: RE: Certificate chain does not seem to work and no errors in the 
tomcat logs

Connector string


<Connector port="9883" protocol="org.apache.coyote.http11.Http11NioProtocol" 
maxHttpHeaderSize="8192" SSLEnabled="true" maxThreads="800" 
enableLookups="false" disableUploadTimeout="true" acceptCount="200" 
scheme="https" secure="true" clientAuth="false" URIEncoding="UTF-8" 
keystoreFile="D:\Program Files (x86)\Aspect Software\Real-Time Reporting 
Server\SunJVM\jre\lib\security\keystorertrself2048.jks" keystorePass="changeit" 
keystoreType="JKS" />

Thanks,
Latha

-----Original Message-----
From: Sivasubramaniam, Latha
Sent: Wednesday, July 18, 2012 9:26 AM
To: Tomcat Users List
Cc: Samala, Praveen; Pandurangan Krishnakumar
Subject: RE: Certificate chain does not seem to work and no errors in the 
tomcat logs

Thanks for your response, Christopher.

We have requested the customer to install Firefox.  We are using SSL and I will 
get the connector configuration once I get access to the system. 
The log level is changed to FINE in the logging.properties but we don't seem to 
get anything related to the certificate and the same when we start Tomcat. I will 
check the log contents and post if the relevant lines.

Thanks,
Latha

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, July 18, 2012 8:40 AM
To: Tomcat Users List
Subject: Re: Certificate chain does not seem to work and no errors in the 
tomcat logs

Latha,

On 7/17/12 8:20 PM, Sivasubramaniam, Latha wrote:
> I am having issues with the SSL certificate chain; the https requests 
> from the IE8 browser do not get any response.  Following are the 
> details and any help is appreciated. This is in one of our customer 
> implementations.
> 
> Tomcat version: 6.0.29 OS: Windows 2008 Browser: IE8 Certificate key
> size: 2048 and the server certificate is 4th level in the chain.

What about other web browsers? Is it only MSIE8 that is giving you problems, or 
can you not connect from any browser/client?

> I have tried following different things.
> 
> *         Imported chain and the server certificate to my keystore 
> and set keystore properties in the server.xml

Please post your <Connector> configuration. Also, are you using APR for SSL?

When you imported the certificate chain, did you import all 4 certificates? 
(You may not need the top-level CA one, as it was probably already trusted by 
the JVM).

> *         Imported certificate chain to cacerts and imported
> server certificate to my own keystore and specified keystore 
> properties in the server.xml
> 
> *         Imported certificate chain to my own trusted keystore in 
> addition to the cacerts and server certificate to another keystore, 
> specified both trustkeystore and keystore properties in the server.xml
> 
> None of the above is working.
> 
> I generated a self-signed certificate and that is working.

That is good to know.

> We have windows based components using the same certificate on the 
> same server, certificates imported on to the windows certmgr and those 
> components are working. But the same certificate is not working on the 
> Java based components.
> 
> I do not see any errors in the tomcat logs.

Do you get any output at all when you launch Tomcat?

> How can I get additional logging to see what is happening? Is there 
> any known issue with the certificate chain (I did not find any in the 
> bug list)?

You can change the log level from INFO to DEBUG or FINE. Look at 
conf/logging.properties.

-chris

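The root cause reported at the top of this thread (a JKS file holding imported certificates but no private key) can be detected before Tomcat is started by inspecting the entry types in the keystore. The following Java program is an added example, not code from the thread or from Tomcat; the class name KeystoreCheck and its command-line arguments are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical helper: reports, per alias, whether a keystore entry carries a
// private key and how long its certificate chain is.
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java KeystoreCheck <keystore> <password> [JKS|PKCS12]");
            System.exit(2);
        }
        String type = args.length > 2 ? args[2] : "JKS";
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }

        int privateKeyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                privateKeyEntries++;
                // Chain stored with the key: [0] is the server certificate,
                // followed by the intermediates it was issued under.
                Certificate[] chain = ks.getCertificateChain(alias);
                int len = (chain == null) ? 0 : chain.length;
                System.out.printf("%s: PrivateKeyEntry, chain length %d%n", alias, len);
                for (int i = 0; i < len; i++) {
                    if (chain[i] instanceof X509Certificate) {
                        X509Certificate c = (X509Certificate) chain[i];
                        System.out.printf("  [%d] subject=%s%n      issuer=%s%n",
                                i, c.getSubjectX500Principal(), c.getIssuerX500Principal());
                    }
                }
            } else {
                // A .cer imported on its own lands here: certificate only.
                System.out.printf("%s: no private key (certificate-only entry)%n", alias);
            }
        }
        if (privateKeyEntries == 0) {
            System.err.println("FAIL: keystore has no private key entry; "
                    + "an HTTPS connector cannot present a server certificate from it");
            System.exit(1);
        }
    }
}
```

The same distinction is visible in `keytool -list` output, where each alias is labelled `PrivateKeyEntry` or `trustedCertEntry`.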