I am using JDK 1.6, Tomcat 7.0.32, and Red Hat Linux.

I need help setting up SSL on my local tomcat instance.

After looking at the instructions on the official tomcat 7 website:

http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

I followed the directions like this:

(1) cd $CATALINA_HOME/conf

(2) Create a certificate and store it in a new key store.

keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks

(3) Uncomment the SSL connector configuration in Tomcat's conf/server.xml,
specifying your key store file and password.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="./conf/keystore.jks"
           keystorePass="mypassword"
/>

(4) Export the certificate from the key store.

keytool -exportcert -alias tomcat -file tomcat.crt -keystore keystore.jks

When I tried to import the certificate into the trust store (which would
have been step 5):

keytool -importcert -alias tomcat -file tomcat.crt -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts

I get the following prompt for my password (after which I entered in
"mypassword"):

Enter keystore password:

keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

(I disregarded this step, by the way, because I found it on Google but not in
the official Tomcat 7 SSL How-To documentation; please let me know if it's
necessary.)

Tomcat's server output:

    INFO: Initializing ProtocolHandler ["http-bio-8080"]
    Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
    INFO: Initializing ProtocolHandler ["http-bio-8443"]
    Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
    INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
    Dec 17, 2012 5:43:08 PM org.apache.catalina.startup.Catalina start
    Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
    INFO: Starting ProtocolHandler ["http-bio-8080"]
    Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
    INFO: Starting ProtocolHandler ["http-bio-8443"]
    Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractP
    INFO: Server startup in 9611 ms

When I go to my bash shell and type this in:

    curl -X GET https://localhost:8443

I get the following error output:

    curl: (60) Peer certificate cannot be authenticated with known CA certificates
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.

Am I missing a step here?

I just want to enable SSL on Tomcat 7 and test it using curl.

Would appreciate it if someone could point me in the right direction.

If you wish to see this posting with better syntax coloring or my full
server.xml, please check out these identical (but with more detail) forum
posts:

http://stackoverflow.com/questions/13925146/how-to-enable-ssl-on-tomcat-7-on-linux-test-using-curl

http://www.coderanch.com/t/600556/Tomcat/Enable-SSL-Tomcat-Linux

Happy programming,

James
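The following is an added example, not part of James's post and not Tomcat's own scripts, showing the workflow the post describes done end to end from the shell: build the keystore non-interactively, export the self-signed certificate as PEM rather than DER, and let curl verify the server against that one certificate instead of passing -k. It is built around the two things that produce the errors in the post: curl's exit code 60 means the issuer of the server certificate is not in curl's CA bundle, and for a self-signed certificate the "issuer" is the certificate itself, so the fix is to hand that PEM to --cacert; and the "Keystore was tampered with" error comes from using the Tomcat keystore password on the JDK's cacerts file, whose default password is "changeit" and which only Java clients consult, never curl. The script assumes keytool (JDK 6 or later), curl and, for two optional helpers, openssl are on PATH; the keystore path, password, hostname and port are placeholders to change, and the environment variables, function names and subcommands (setup, check, probe) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or from Tomcat): create the
# Tomcat keystore without prompts, export the self-signed certificate as PEM,
# and have curl verify the server against that certificate instead of -k.
# Assumptions: keytool (JDK 6+) and curl on PATH, openssl for the optional
# helpers; every value below is a placeholder to replace.
set -eu

KEYSTORE="${KEYSTORE:-$PWD/keystore.jks}"   # put this absolute path in server.xml
STOREPASS="${STOREPASS:-mypassword}"         # placeholder; use a real secret
HOST="${HOST:-localhost}"                    # must equal the host in the URL
PORT="${PORT:-8443}"

# Step 2 of the how-to without the interactive prompts. The "first and last
# name" keytool asks for becomes the certificate CN; curl compares it with
# the host in the URL, so it has to be the hostname, not a person's name.
make_keystore() {
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$HOST, OU=dev, O=example, C=US" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 4 with -rfc: keytool writes DER by default, but curl --cacert wants PEM.
export_pem() {
  keytool -exportcert -rfc -alias tomcat -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" -file "$1"
}

# If a DER file (tomcat.crt from the post) already exists, convert it instead.
der_to_pem() {
  openssl x509 -inform der -in "$1" -out "$2"
}

# Sanity check before handing a file to curl: is it a PEM certificate at all?
pem_is_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# "Step 5" from the post is not needed for curl: curl never reads the JDK's
# cacerts file (default password "changeit", hence the keytool error seen).
# Trust exactly this certificate for this call; never use -k as the "fix".
check_https() {
  pem_is_cert "$1" || { echo "$1 is not a PEM certificate" >&2; return 2; }
  curl -sS -o /dev/null -w 'HTTP %{http_code}\n' --cacert "$1" "https://$HOST:$PORT/"
}

# Show what the server really presents. Useful when curl still fails: wrong
# keystoreFile path in server.xml, CN that is not the hostname, expired cert.
show_server_cert() {
  openssl s_client -connect "$HOST:$PORT" -servername "$HOST" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -dates
}

case "${1:-}" in
  setup) make_keystore; export_pem tomcat.pem; echo "wrote $KEYSTORE and tomcat.pem" ;;
  check) check_https "${2:-tomcat.pem}" ;;
  probe) show_server_cert ;;
  *) : ;;   # no argument: only define the functions, so the file can be sourced
esac
```

Run `sh tomcat-tls.sh setup` before starting Tomcat (with keystoreFile in server.xml pointing at the printed keystore path), then `sh tomcat-tls.sh check` once it is up; a clean run prints `HTTP 200` (or whatever status the default webapp returns) and curl exits 0. If the check still fails, `sh tomcat-tls.sh probe` shows the subject, issuer and validity dates of the certificate the connector is actually serving, which tells the keystore-path and CN problems apart from a genuine trust problem. Trusting a single PEM with --cacert is scoped to that invocation; importing a server certificate into a system-wide truststore such as the JDK's cacerts makes every Java client on the machine trust it and is rarely what a local test needs.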
