Thank you, Christopher, for your reply. I always make a backup before changes :) luckily :)

I reverted and tried again without deleting the entries, and I get this:

primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias tomcat -file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer -keystore /opt/primecentral/install/utils/sslgen/prime.keystore
Enter keystore password:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match

primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias tomcat -file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer -keystore /opt/primecentral/XMP_Platform/jre/lib/security/cacerts
Enter keystore password:
keytool error: java.lang.Exception: Certificate not imported, alias <tomcat> already exists
primeusr@sagi-vzadik-01 [~]#

Regarding the import you wrote:

$ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt -keystore ${HOSTNAME}.jks

Isn't that this one, or am I missing something?

keytool -importcert -file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer -keystore /opt/primecentral/install/utils/sslgen/prime.keystore -alias tomcat

As mentioned, catalina-<date>.log is empty... I cannot see any other relevant logs (if you can point me to another log, please do :) ).

If I try to connect to SSL locally, it works with the original certificate, but with the new one, here is the output:

primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 10.56.57.65:8443
CONNECTED(00000003)
4954:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:
primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 127.0.0.1:8443
CONNECTED(00000003)
5050:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:

Thanks,
Barc

On Fri, May 22, 2015 at 3:17 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Ori,
>
> On 5/22/15 8:18 AM, Ori Raz wrote:
> > We got an application based on tomcat 7.0.23 and all working fine.
> >
> > We are trying to apply our self-signed certificate and encountering
> > some problems.
> >
> > I hope that the procedure I did is correct :)
> >
> > This is the procedure we followed:
> >
> > 1. copy the certificate file under this location:
> > /opt/primecentral/install/utils/sslgen/vlg-cipr-pcpil1.megafon.ru.cer
> >
> > 2. remove existing entries:
> > keytool -delete -alias tomcat -keystore /opt/primecentral/install/utils/sslgen/prime.keystore
> > keytool -delete -alias tomcat -keystore /opt/primecentral/XMP_Platform/jre/lib/security/cacerts
>
> It's not necessary to remove the existing certs. If you load the
> CA-signed certificate into your keystore (making sure to use the
> original alias, if any), it should update the certificate.
>
> Also, you need to first import the CA's root and intermediate
> certificates, like this:
>
> $ keytool -import -alias [Authority.CA] -trustcacerts -file [authority's CA cert] -keystore ${HOSTNAME}.jks
> $ keytool -import -alias [Authority.intermediate] -trustcacerts -file [authority's intermediate cert] -keystore ${HOSTNAME}.jks
> $ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt -keystore ${HOSTNAME}.jks
>
> (That last one is your signed certificate, returned from the CA.)
>
> If, as you did your "delete", you managed to delete your server's key,
> then your keystore is worthless. I hope you had a backup, because
> without the server key, the certificate is worthless and you have to
> re-start the entire process.
>
> > After the restart of tomcat, I get the message that server started
> > and catalina is empty (normal as there is no error...) hence all
> > looks good.
> >
> > I can also see that tomcat process is up and port is listening:
> > tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 18724/java
> >
> > But, when trying to open browser to the server, then I get "This
> > page cannot be displayed".
> >
> > I cannot locate any errors/exception in the server side.
> >
> > Can anyone please assist? We are at a dead end :)
>
> If there is a problem loading the certificate, Tomcat should emit an
> error message. Please check all log files, not just catalina.out
> (although it should have the error in there).
>
> Can you connect to the server using openssl?
>
> $ openssl s_client -connect 10.56.57.65:8443
>
> -chris
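An added check, not part of the thread, for the two failure modes discussed above: whether the server alias still holds a private key (an entry with only a certificate gives the server nothing to complete a TLS handshake with), and whether the public key inside the CA-returned certificate is the one the keystore's key pair was generated with, which is what keytool's "Public keys in reply and keystore don't match" refers to. The keystore path, alias and certificate path default to the values from the thread; keytool and openssl on PATH are assumed.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Before importing a CA-returned
# certificate over an existing alias, confirm that the alias still holds a
# private key and that the returned certificate was issued for that key.
set -eu

# SHA-256 over the DER SubjectPublicKeyInfo of a certificate (PEM or DER .cer).
pubkey_sha256() {
    { openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        || openssl x509 -inform DER -in "$1" -noout -pubkey; } \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds when both certificates carry the same public key.
certs_share_pubkey() {
    [ "$(pubkey_sha256 "$1")" = "$(pubkey_sha256 "$2")" ]
}

# Export the certificate currently stored under ALIAS as PEM.
# keytool prompts for the keystore password on the terminal.
export_keystore_cert() {  # KEYSTORE ALIAS OUTFILE
    keytool -exportcert -rfc -keystore "$1" -alias "$2" > "$3"
}

# Succeeds when ALIAS is a PrivateKeyEntry. A TrustedCertEntry under the
# server alias has no private key, so the server cannot complete a handshake.
alias_has_private_key() {  # KEYSTORE ALIAS
    keytool -list -keystore "$1" -alias "$2" | grep -q PrivateKeyEntry
}

# Compare the CA reply with what is in the keystore. Defaults are the paths
# and alias from the thread (assumed); override them as arguments.
check_reply_against_keystore() {  # [KEYSTORE] [ALIAS] [REPLY_CERT]
    ks=${1:-/opt/primecentral/install/utils/sslgen/prime.keystore}
    alias=${2:-tomcat}
    reply=${3:-/opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer}
    alias_has_private_key "$ks" "$alias" \
        || { echo "$alias is not a PrivateKeyEntry: the server key is gone"; return 1; }
    current=$(mktemp)
    export_keystore_cert "$ks" "$alias" "$current"
    if certs_share_pubkey "$current" "$reply"; then
        echo "public key matches; keytool -importcert should accept the reply"
    else
        echo "public key mismatch: this reply was not issued for the key under $alias"
        rm -f "$current"; return 1
    fi
    rm -f "$current"
}
```

Run `check_reply_against_keystore` with no arguments on the server from the thread, or pass your own keystore, alias and reply file; a mismatch means the reply belongs to a different key pair (for example one generated after the alias was deleted and recreated) and re-keying or re-issuing is required.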