Thank you Christopher for your reply.

I always make a backup before changes :) luckily :)

I reverted back and tried without deleting the entries and getting this:

primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias tomcat
-file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
-keystore /opt/primecentral/install/utils/sslgen/prime.keystore
Enter keystore password:
keytool error: java.lang.Exception: Public keys in reply and keystore don't
match
primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias tomcat
-file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
-keystore /opt/primecentral/XMP_Platform/jre/lib/security/cacerts
Enter keystore password:
keytool error: java.lang.Exception: Certificate not imported, alias
<tomcat> already exists
primeusr@sagi-vzadik-01 [~]#


Regarding the import you wrote -
 $ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt
-keystore ${HOSTNAME}.jks

Isn't that this one, or am I missing something:
keytool -importcert -file
/opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer
-keystore /opt/primecentral/install/utils/sslgen/prime.keystore -alias
tomcat


As mentioned, catalina-<date>.log is empty... I cannot see any other
relevant logs (if you can point me to another log, please do :) )


If I try to connect to SSL locally, then with the original certificate it
works, but with the new one it fails; here is the output:
primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 10.56.57.65:8443
CONNECTED(00000003)
4954:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:s23_clnt.c:583:
primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 127.0.0.1:8443
CONNECTED(00000003)
5050:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:s23_clnt.c:583:


Thanks,
Barc

On Fri, May 22, 2015 at 3:17 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Ori,
>
> On 5/22/15 8:18 AM, Ori Raz wrote:
> > We got an application based on tomcat 7.0.23 and all working fine.
> >
> > We are trying to apply our self-signed certificate and encountering
> > some problems.
> >
> > I hope that the procedure I did is correct :)
> >
> > This is the procedure we followed:
> >
> > 1. copy the certificate file under this location:
> > /opt/primecentral/install/utils/sslgen/vlg-cipr-pcpil1.megafon.ru.cer
> >
> >  2. remove existing entries: keytool -delete -alias tomcat
> > -keystore /opt/primecentral/install/utils/sslgen/prime.keystore
> > keytool -delete -alias tomcat -keystore
> > /opt/primecentral/XMP_Platform/jre/lib/security/cacerts
>
> It's not necessary to remove the existing certs. If you load the
> CA-signed certificate into your keystore (making sure to use the
> original alias, if any), it should update the certificate.
>
> Also, you need to import the CA's root and intermediate certificates
> first, like this:
>
>  $ keytool -import -alias [Authority.CA] -trustcacerts -file
> [authority's CA cert] -keystore ${HOSTNAME}.jks
>  $ keytool -import -alias [Authority.intermediate] -trustcacerts -file
> [authority's intermediate cert] -keystore ${HOSTNAME}.jks
>  $ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt -keystore
> ${HOSTNAME}.jks
>
> (That last one is your signed certificate, returned from the CA).
>
> If, as you did your "delete", you managed to delete your server's key,
> then your keystore is worthless. I hope you had a backup, because
> without the server key, the certificate is worthless and you have to
> re-start the entire process.
>
> > After the restart of tomcat, I get the message that server started
> > and catalina is empty (normal as there is no error...) hence all
> > looks good.
> >
> > I can also see that tomcat process is up and port is listening: tcp
> > 0      0 0.0.0.0:8443                0.0.0.0:* LISTEN
> > 18724/java
> >
> > But, when trying to open browser to the server, then I get "This
> > page cannot be displayed".
> >
> > I cannot locate any errors/exception in the server side.
> >
> > Can anyone please assist? We are at a dead end :)
>
> If there is a problem loading the certificate, Tomcat should emit an
> error message. Please check all log files, not just catalina.out
> (although it should have the error in there).
>
> Can you connect to the server using openssl?
>
> $ openssl s_client -connect 10.56.57.65:8443
>
> -chris
>
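The "Public keys in reply and keystore don't match" error in Barc's first keytool run is keytool refusing a certificate reply whose public key is not the one stored under the alias (the .cer was not issued for the key pair in prime.keystore). The example below is added here and is not code from the thread or from keytool: it performs the same comparison on two DER certificates, such as the current one exported with `keytool -exportcert -alias tomcat -keystore prime.keystore -file current.cer` and the new .cer, by extracting each SubjectPublicKeyInfo with a small stdlib DER walker; `synthetic_cert` and `_der` only build unsigned skeleton certificates so the check can be exercised offline.

```python
"""Replicate keytool's 'public keys in reply and keystore' check: two DER certs
match when their SubjectPublicKeyInfo fields are byte-identical. Stdlib only."""

def _tlv(data, pos):
    """Decode one DER header at pos -> (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _elements(data, start, end):
    """Yield (tag, tlv_start, tlv_end) for every element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, vend = _tlv(data, pos)
        yield tag, pos, vend
        pos = vend

def spki_der(cert_der):
    """Return the DER bytes of a certificate's SubjectPublicKeyInfo field."""
    _, cstart, _ = _tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    _, tstart, tend = _tlv(cert_der, cstart)         # tbsCertificate ::= SEQUENCE
    fields = list(_elements(cert_der, tstart, tend))
    if fields[0][0] == 0xA0:                         # EXPLICIT [0] version is optional
        fields.pop(0)
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, start, end = fields[5]
    return cert_der[start:end]

def public_keys_match(keystore_cert_der, reply_cert_der):
    """True when the cert reply was issued for the key already in the keystore."""
    return spki_der(keystore_cert_der) == spki_der(reply_cert_der)

def _der(tag, body):
    """Minimal DER encoder (tag byte + length + body), used only to build test fixtures."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def synthetic_cert(spki_body, with_version=True):
    """Constructed, unsigned certificate skeleton carrying spki_body (test data, not a real cert)."""
    tbs = _der(0xA0, _der(0x02, b"\x02")) if with_version else b""
    tbs += _der(0x02, b"\x01") + _der(0x30, b"") * 4   # serial, sigalg, issuer, validity, subject
    tbs += _der(0x30, spki_body)
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

With real files, read both certificates as bytes (`keytool -exportcert` writes DER by default) and call `public_keys_match`; a False result means the .cer must be re-issued from a CSR generated out of the keystore's key entry rather than imported over it.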