On 31/10/12 16:39, Daniel Mikusa wrote:
On Oct 31, 2012, at 10:23 AM, Brian Burch wrote:

On 26/10/12 13:24, Daniel Mikusa wrote:
On Oct 26, 2012, at 5:11 AM, Brian Burch wrote:
<snip/>
2.8. keytool -list -v -keystore jks-keystore shows the keystore contents as two 
entries:
2.8.1. the first has an alias of tomcat, a private key entry and the two 
certificates which comprise the complete chain.
2.8.2. the second has an alias of "Certificate Authority", with only the CA's 
certificate.

Observation 2.8.2 indicates that I have put too much into this certificate 
store and that step 2.6 was redundant. Nevertheless, tomcat is perfectly happy 
to start its SSL Connector using this keystore.


Have you tried deleting the second alias?  Does it continue to work without 
this alias?

Also, it might be interesting to convert this working JKS keystore into a 
PKCS12 keystore and see if it continues to work with Tomcat.  I think you can 
do that with a command like this…

keytool -importkeystore -srckeystore jks-keystore -srcstoretype jks 
-srcstorepass changeit -srcalias tomcat -destkeystore pkcs12-keystore 
-deststoretype pkcs12 -deststorepass changeit

I just copied the "fat" keystore to a new file and verified it was identical. Then I ran:

keytool -delete -keystore jks-keystore -alias "Certificate Authority"

I printed the contents of keystore to confirm a) the tomcat collection of private key and certificate chain were still present, and b) the second alias had gone.

Tomcat started successfully using this new "minimal" keystore, so we can conclude that my step 2.6 was definitely not necessary. This is because the openssl certificate authority (by default) had bundled the entire authority chain into the new server certificate.

I'll try your other suggestions later, but I thought it would be helpful to clear up this particular issue quickly.

Regards,

Brian

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
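The check Brian performed by eye (the tomcat alias carries a complete chain, so the separate "Certificate Authority" trustedCertEntry is redundant) can be automated by parsing the verbose `keytool -list -v` listing. The script below is an added example, not code from this thread; the sample listing is constructed here, modelled on keytool's output format, with hypothetical DNs.

```python
"""Inspect `keytool -list -v` output: confirm each PrivateKeyEntry carries a
complete chain (each issuer is the next subject, ending at a self-signed root)
and report trustedCertEntry aliases that only duplicate a CA already present
in such a chain."""
from dataclasses import dataclass, field

# Constructed sample listing (two entries, as in observation 2.8 of the thread).
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: tomcat
Creation date: Oct 26, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.example.test, O=Example
Issuer: CN=Example Test CA, O=Example
Signature algorithm name: SHA256withRSA
Certificate[2]:
Owner: CN=Example Test CA, O=Example
Issuer: CN=Example Test CA, O=Example
Signature algorithm name: SHA256withRSA

*******************************************

Alias name: Certificate Authority
Creation date: Oct 26, 2012
Entry type: trustedCertEntry

Owner: CN=Example Test CA, O=Example
Issuer: CN=Example Test CA, O=Example
Signature algorithm name: SHA256withRSA
"""


@dataclass
class Entry:
    alias: str
    entry_type: str = ""
    certs: list = field(default_factory=list)  # (owner DN, issuer DN) in chain order


def parse_keytool_list(text):
    """Turn the verbose listing into one Entry per alias."""
    entries, current, owner = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = Entry(alias=line.split(":", 1)[1].strip())
            entries.append(current)
        elif current is None:
            continue
        elif line.startswith("Entry type:"):
            current.entry_type = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:") and owner is not None:
            current.certs.append((owner, line.split(":", 1)[1].strip()))
            owner = None
    return entries


def chain_is_complete(entry):
    """True when the chain links end to end and terminates at a self-signed root."""
    if not entry.certs:
        return False
    for (_, issuer), (next_owner, _) in zip(entry.certs, entry.certs[1:]):
        if issuer != next_owner:
            return False
    last_owner, last_issuer = entry.certs[-1]
    return last_owner == last_issuer


def redundant_trusted_aliases(entries):
    """trustedCertEntry aliases whose subject already sits in a PrivateKeyEntry chain."""
    chain_subjects = {owner for e in entries if e.entry_type == "PrivateKeyEntry"
                      for owner, _ in e.certs}
    return [e.alias for e in entries
            if e.entry_type == "trustedCertEntry"
            and any(owner in chain_subjects for owner, _ in e.certs)]


if __name__ == "__main__":
    found = parse_keytool_list(SAMPLE_LISTING)
    for e in found:
        print(f"{e.alias}: {e.entry_type}, {len(e.certs)} cert(s), "
              f"complete chain={chain_is_complete(e)}")
    print("redundant trusted entries:", redundant_trusted_aliases(found))
```

On a real keystore, pipe `keytool -list -v -keystore jks-keystore` into `parse_keytool_list`; any alias the second function reports is one a `keytool -delete -alias ...` would remove without affecting the connector, exactly the outcome Brian confirmed by restarting Tomcat.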