
It turns out that the root certificate was a combination of g1 and g2, and that 
this causes a problem for keytool. I downloaded the single root certificate 
gdroot-g2.crt and used it to replace the root certificate. That fixed the 


Sent from Windows Mail

From: Mark Thomas
Sent: Friday, August 7, 2015 1:40 PM
To: Tomcat Users List

On 7 August 2015 19:01:34 BST, wrote:
>I’ve been using Tomcat for about four years. I’ve developed websites
>and services that used certificates based upon SHA1. Today I purchased
>a new certificate from GoDaddy based upon using “-sigalg
>So for this new service I executed the following commands in the
>directory of the keystore:
>keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA  -sigalg
>SHA256withRSA -keystore tomcat.keystore
>keytool -certreq -keyalg RSA -alias tomcat -file csr.txt -keystore
>sent the csr.txt to GoDaddy and received the certificate files.
>keytool -delete -alias tomcat -keystore tomcat.keystore

You deleted the key at this point. There should be no need to do this.


>keytool -import -alias root -keystore tomcat.keystore -trustcacerts
>-file gd_bundle-g2-g1.crt
>keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts
>-file gdig2.crt
>keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts
>-file xxxxxxxxxxxxxx.crt
>If I copy over the new tomcat.keystore with a backup of the original
>everything works.
>My Tomcat 8.0.23 on CentOS 6.5 is configured with three virtual hosts in
>server.xml; the following is for the one with the GoDaddy certificate.
>I’m doing them one-at-time.
><Server port="8005" shutdown="SHUTDOWN">
><Listener className="org.apache.catalina.startup.VersionLoggerListener"
><Listener className="org.apache.catalina.core.AprLifecycleListener"
>SSLEngine="on" />
>className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
>  <Service name="System">
><Connector port="8080" address="" protocol="HTTP/1.1" 
>connectionTimeout="20000"  redirectPort="8443" />
><Connector port="8443" address="" protocol="HTTP/1.1"
>SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
>keyAlias="tomcat" keystoreFile="/opt/tomcat/system/tomcat.keystore"
>keystorePass="xxxxxxxxxxxxxxxxxxx" clientAuth="false" sslProtocol="TLS"
>    <Engine name="System" defaultHost="">
><Host name="" appBase="webapps/"
>unpackWARs="true" autoDeploy="true" >
>        <Alias></Alias>
><Valve className="org.apache.catalina.valves.AccessLogValve"
>directory="logs" prefix="" suffix=".log" pattern="common"
>      </Host>
>    </Engine>
>  </Service>
>Each service is on a different IP address and I’ve been redirecting 80
>to 8080 and 443 to 8443. This has been working fine until I replaced
>the key.
>This is from the catalina.out file:
>07-Aug-2015 12:43:02.493 SEVERE [main]
>org.apache.coyote.AbstractProtocol.init Failed to initialize end point
>associated with ProtocolHandler [""]
> Alias name tomcat does not identify a key entry
>   at
>  at org.apache.coyote.AbstractProtocol.init(
> at org.apache.catalina.util.LifecycleBase.init(
> at org.apache.catalina.util.LifecycleBase.init(
> at org.apache.catalina.util.LifecycleBase.init(
>        at org.apache.catalina.startup.Catalina.load(
>        at org.apache.catalina.startup.Catalina.load(
>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>        at java.lang.reflect.Method.invoke(
>      at org.apache.catalina.startup.Bootstrap.load(
>      at org.apache.catalina.startup.Bootstrap.main(
>07-Aug-2015 12:43:02.496 SEVERE [main]
>org.apache.catalina.core.StandardService.initInternal Failed to
>initialize connector [Connector[HTTP/1.1-8443]]
>org.apache.catalina.LifecycleException: Failed to initialize component
> at org.apache.catalina.util.LifecycleBase.init(
> at org.apache.catalina.util.LifecycleBase.init(
> at org.apache.catalina.util.LifecycleBase.init(
>        at org.apache.catalina.startup.Catalina.load(
>        at org.apache.catalina.startup.Catalina.load(
>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>Then I used keytool to verify that the alias is in the tomcat.keystore.
>The following is a list from the keystore:
>#keytool -list -v -keystore tomcat.keystore -alias tomcat
>Enter keystore password:
>Alias name: tomcat
>Creation date: Aug 7, 2015
>Entry type: trustedCertEntry
>Owner:, OU=Domain Control Validated
>Issuer: CN=Go Daddy Secure Certificate Authority - G2,
>OU=, O=", Inc.",
>L=Scottsdale, ST=Arizona, C=US
>Serial number: xxxxxxxxxxxxxxxxxx
>Valid from: Fri Aug 07 12:29:38 CDT 2015 until: Sun Aug 07 12:29:38 CDT
>Certificate fingerprints:
>         MD5:  A2:70:1D:06:68:FF:C1:4B:2C:1B:B8:4D:9B:25:25:59
>      SHA1: 26:32:29:71:37:59:DB:0D:D4:30:B4:5F:8B:1F:3E:44:57:DD:69:1C
>         Signature algorithm name: SHA256withRSA
>         Version: 3
>#1: ObjectId: Criticality=false
>AuthorityInfoAccess [
>  [
>   accessMethod: ocsp
>   accessLocation: URIName:
>   accessMethod: caIssuers
>accessLocation: URIName:
>#2: ObjectId: Criticality=false
>AuthorityKeyIdentifier [
>KeyIdentifier [
>0000: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0 
>0010: B4 2C 80 CE                                        .,..
>#3: ObjectId: Criticality=true
>  CA:false
>  PathLen: undefined
>#4: ObjectId: Criticality=false
>CRLDistributionPoints [
>  [DistributionPoint:
>     [URIName:]
>#5: ObjectId: Criticality=false
>CertificatePolicies [
>  [CertificatePolicyId: []
>[PolicyQualifierInfo: [
>  qualifierID:
>qualifier: 0000: 16 2B 68 74 74 70 3A 2F   2F 63 65 72 74 69 66 69 
>0010: 63 61 74 65 73 2E 67 6F   64 61 64 64 79 2E 63 6F 
>0020: 6D 2F 72 65 70 6F 73 69   74 6F 72 79 2F           m/repository/
>]]  ]
>#6: ObjectId: Criticality=false
>ExtendedKeyUsages [
>  serverAuth
>  clientAuth
>#7: ObjectId: Criticality=true
>KeyUsage [
>  DigitalSignature
>  Key_Encipherment
>#8: ObjectId: Criticality=false
>SubjectAlternativeName [
>  DNSName:
>  DNSName:
>#9: ObjectId: Criticality=false
>SubjectKeyIdentifier [
>KeyIdentifier [
>0000: 3B 7C A9 5C 32 FE F5 92   DB D1 C4 A6 F1 70 09 57 
>0010: C7 5A 97 88                                        .Z..
>I would be grateful for any assistance.
>Jeff Crump
>Sent from Windows Mail
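As an added example that is not part of this thread, the following POSIX shell script covers the two checks the exchange above turns on: how many certificates a bundle file such as gd_bundle-g2-g1.crt actually contains (keytool -import into a new alias loads only the first one), and whether the alias Tomcat's keyAlias points at is a PrivateKeyEntry rather than the trustedCertEntry shown in the listing. The check_alias function, the output file names and both sample inputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Checks for the two failure modes above:
# a multi-certificate PEM bundle (keytool -import into a new alias reads only
# the first certificate) and an alias that is a trustedCertEntry where
# Tomcat's keyAlias needs a PrivateKeyEntry.

# Count the certificates in a PEM file read from stdin.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true   # grep exits 1 on zero matches
}

# Split a PEM bundle on stdin into PREFIX-1.pem, PREFIX-2.pem, ... so each
# certificate can be imported under its own alias.
split_pem_bundle() {
    awk -v p="$1" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (p "-" n ".pem") }'
}

# Extract the "Entry type:" value from `keytool -list -v` output on stdin.
entry_type() {
    sed -n 's/^[[:space:]]*Entry type:[[:space:]]*//p' | head -n 1
}

# Succeed only if the listing on stdin describes a private-key entry.
is_key_entry() {
    [ "$(entry_type)" = "PrivateKeyEntry" ]
}

# Live check against a real keystore: check_alias KEYSTORE ALIAS STOREPASS
# (assumed helper; needs keytool on PATH; not run on the constructed samples).
check_alias() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" | is_key_entry
}

# Constructed sample: a two-certificate bundle with placeholder bodies,
# modelled on the g2+g1 root bundle from the thread (not real certificates).
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
PLACEHOLDER-G2-ROOT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-G1-CROSS
-----END CERTIFICATE-----'
# Constructed sample: the relevant lines of the listing quoted in the thread.
SAMPLE_LISTING='Alias name: tomcat
Creation date: Aug 7, 2015
Entry type: trustedCertEntry'

n=$(printf '%s\n' "$SAMPLE_BUNDLE" | count_pem_certs)
echo "bundle holds $n certificates; keytool -import would load only the first"
printf '%s\n' "$SAMPLE_LISTING" | is_key_entry ||
    echo "alias tomcat is a $(printf '%s\n' "$SAMPLE_LISTING" | entry_type), not a PrivateKeyEntry"
```

Run split_pem_bundle on the bundle, import each piece under its own alias, and re-run the listing check before restarting Tomcat.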
