On 18 December 2012 13:03, James Dekker <james.dek...@gmail.com> wrote:
> Am using JDK 1.6, tomcat 7.0.32, and Red Hat Linux.
>
> I need help setting up SSL on my local tomcat instance.
>
> After looking at the instructions on the official tomcat 7 website:
>
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
>
> I followed the directions like this:
>
> (1) cd $CATALINA_HOME/conf
>
> (2) Create a certificate and store it in a new key store.
>
> keytool -genkey -alias tomcat -keyalg RSA -keystore .jks
>
> (3) Uncomment the SSL connector configuration in Tomcat's conf/server.xml,
> specifying your key store file and password.
>
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>    clientAuth="false" sslProtocol="TLS"
>    keystoreFile="./conf/keystore.jks"
>    keystorePass="mypassword"
> />
>
> (4) Export the certificate from the key store.
>
> keytool -exportcert -alias tomcat -file tomcat.crt -keystore keystore.jks
>
> When I tried to (which would have been Step # 5) import the certificate
> into the trust store.
>
> keytool -importcert -alias tomcat -file tomcat.crt -trustcacerts -keystore
> $JAVA_HOME/jre/lib/security/cacerts
>
> I get the following prompt for my password (after which I entered in
> "mypassword"):
>
> Enter keystore password:
>
> keytool error: java.io.IOException: Keystore was tampered with, or password
> was incorrect
>
> (I disregarded this step by the way because I found it on Google but not on
> the official Tomcat7-SSL-Howto documentation - please let me know if it's
> necessary).
>
> Tomcat's server output:
>
>     INFO: Initializing ProtocolHandler ["http-bio-8080"]
>     Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
>     INFO: Initializing ProtocolHandler ["http-bio-8443"]
>     Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
>     INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
>     Dec 17, 2012 5:43:08 PM org.apache.catalina.startup.Catalina start
>     Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
>     INFO: Starting ProtocolHandler ["http-bio-8080"]
>     Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
>     INFO: Starting ProtocolHandler ["http-bio-8443"]
>     Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractP
>     INFO: Server startup in 9611 ms
>
> When I go to my bash shell and type this in:
>
>     curl -X GET https://localhost:8443
>
> I get the following error output:
>
> curl: (60) Peer certificate cannot be authenticated with known CA
> certificates
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
>
> Am I missing a step here?
>
> I just want to enable SSL on Tomcat 7 and test it using curl.

When I was investigating APR and SSL, I found the link
http://code.google.com/p/jianwikis/wiki/TomcatSSLWithAPR . There is a
section almost at the end giving an example of using CURL. Maybe that
will help.

Johanes
>
> Would appreciate it if someone could point me in the right direction.
>
> If you wish to see this posting with better syntax coloring or my full
> server.xml, please check out these identical (but with more detail) forum
> posts:
>
> http://stackoverflow.com/questions/13925146/how-to-enable-ssl-on-tomcat-7-on-linux-test-using-curl
>
> http://www.coderanch.com/t/600556/Tomcat/Enable-SSL-Tomcat-Linux
>
> Happy programming,
>
> James
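
The procedure from the thread, reworked so that curl can verify the self-signed certificate instead of skipping the check with -k. This is an added example, not part of either message: the function names are hypothetical, the host name is assumed to be localhost, and the password is the example value from the post.

```shell
#!/usr/bin/env bash
# Added example: self-signed Tomcat certificate that curl verifies without -k.
# Typical order: make_keystore, point keystoreFile at the result and restart
# Tomcat, then export_pem and check_https.
set -eu

KS_PASS="mypassword"   # example value from the post; replace with your own

# Create the key pair. The CN must equal the host name in the URL curl
# requests, otherwise the name check fails even when the cert is trusted.
make_keystore() {      # $1 = keystore path, $2 = host name
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$2" -storetype JKS -keystore "$1" \
    -storepass "$KS_PASS" -keypass "$KS_PASS"
}

# Export the public certificate as PEM (-rfc). Without -rfc keytool writes
# binary DER, which curl --cacert does not accept.
export_pem() {         # $1 = keystore path, $2 = output .pem file
  keytool -exportcert -rfc -alias tomcat -keystore "$1" \
    -storepass "$KS_PASS" -file "$2"
}

# Print the first subject line of an exported certificate.
cert_owner() {         # $1 = .pem file
  keytool -printcert -file "$1" | grep -m1 'CN='
}

# Request the URL trusting only the exported certificate. curl never reads
# the JRE cacerts store (default password "changeit"); that store matters
# only to Java clients, so importing there does not change curl's result.
check_https() {        # $1 = .pem file, $2 = URL
  curl --silent --show-error --output /dev/null --cacert "$1" "$2"
}

# Allow "script.sh make_keystore conf/keystore.jks localhost" style calls.
if [ "$#" -gt 0 ]; then "$@"; fi
```

A zero exit status from `check_https tomcat.pem https://localhost:8443/` means both the trust check and the host name check passed.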
