I just did this.  I have the tomcat manager application running across
SSL.  Here's what I did....

On Mon, Dec 17, 2012 at 9:03 PM, James Dekker <james.dek...@gmail.com> wrote:

> James said... "STUFF":
>
> (1) cd $CATALINA_HOME/conf
>
> (2) Create a certificate and store it in a new key store.
>
> keytool -genkey -alias tomcat -keyalg RSA -keystore .jks
>
>
./keytool -genkey -alias [identifier] -keyalg RSA -keystore .keystore


> (3) Uncomment the SSL connector configuration in Tomcat's conf/server.xml,
> specifying your key store file and password.
>
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>    clientAuth="false" sslProtocol="TLS"
>    keystoreFile="./conf/keystore.jks"
>    keystorePass="mypassword"
> />
>

Step 3 is good.  Note I used the .keystore file, not .keystore.jks, but it should
be all the same.


>
> (4) Export the certificate from the key store.
>
> keytool -exportcert -alias tomcat -file tomcat.crt -keystore keystore.jks
>
> When I tried to (which would have been Step # 5) import the certificate
> into the trust store.
>
> keytool -importcert -alias tomcat -file tomcat.crt -trustcacerts -keystore
> $JAVA_HOME/jre/lib/security/cacerts
>
>
Try this:  $JAVA_JRE_HOME/bin/keytool -import -alias tomcat -file
~/tomcat.crt -keystore $JAVA_HOME/jre/lib/security/cacerts


> I get the following prompt for my password (after which I entered in
> "mypassword"):
>
> Enter keystore password:
>
> keytool error: java.io.IOException: Keystore was tampered with, or password
> was incorrect
>

If you are using Java's default cacerts truststore, the password is not the
.keystore password; it is "changeit" if you haven't tampered with it before.


>
> (I disregarded this step by the way because I found it on Google but not in
> the official Tomcat7-SSL-Howto documentation - please let me know if it's
> necessary).
>

Restart Tomcat at this point and it should work with the curl -k option.  I
usually test the manager app by passing in the /list parameter, testing
both SSL and un/pwd all in one.


>
> Tomcat's server output:
>
>     INFO: Initializing ProtocolHandler ["http-bio-8080"]
>     Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
>     INFO: Initializing ProtocolHandler ["http-bio-8443"]
>     Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
>     INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
>     Dec 17, 2012 5:43:08 PM org.apache.catalina.startup.Catalina start
>     Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
>     INFO: Starting ProtocolHandler ["http-bio-8080"]
>     Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
>     INFO: Starting ProtocolHandler ["http-bio-8443"]
>     Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractP
>     INFO: Server startup in 9611 ms
>
> When I go to my bash shell and type this in:
>
>     curl -X GET https://localhost:8443
>
> I get the following error output:
>
> curl: (60) Peer certificate cannot be authenticated with known CA
> certificates
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
>
> Am I missing a step here?
>
>
- Josh
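The keystore, export and curl steps discussed in this thread, as an added example script that is not from either poster: it runs keytool non-interactively and then has curl trust the exported certificate with --cacert, so verification stays on instead of being switched off with -k. Assumptions: keytool on PATH, placeholder passwords, Tomcat listening on 8443 with the manager app deployed for the final check.

```shell
#!/bin/sh
# Added example, not code from the thread. Placeholder values are assumptions;
# override them through the environment.
set -eu

KEYSTORE="${KEYSTORE:-keystore.jks}"
ALIAS="${ALIAS:-tomcat}"
STOREPASS="${STOREPASS:-changeme-placeholder}"
CERT_FILE="${CERT_FILE:-tomcat.crt}"
HOST="${HOST:-localhost}"

# Step 2 from the thread, self-signed key pair. -dname skips the interactive
# prompts; the SAN extension is what curl matches the URL host against, so
# a CN on its own is not enough for a clean verification.
make_keystore() {
    rm -f "$KEYSTORE"
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -validity 365 -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=$HOST" -ext "SAN=dns:$HOST"
}

# Step 4, export the public certificate; -rfc writes PEM, which curl reads.
export_cert() {
    keytool -exportcert -rfc -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -file "$CERT_FILE"
}

# Sanity check on the exported file: keytool must parse it as a certificate.
cert_is_valid() {
    keytool -printcert -file "$CERT_FILE" >/dev/null 2>&1
}

# The curl check. --cacert makes curl trust exactly this certificate while
# still checking the hostname; -k would skip verification entirely. Importing
# into the JVM's cacerts does not affect curl, only Java clients use that store.
check_manager() {
    curl --silent --show-error --cacert "$CERT_FILE" \
        -u "${MANAGER_USER:-admin}:${MANAGER_PASS:-secret-placeholder}" \
        "https://$HOST:8443/manager/text/list"
}

if [ "${1:-}" = "run" ]; then
    make_keystore && export_cert && cert_is_valid && check_manager
fi
```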
