Hi,

Please try to import the certificate into the browser.

Truststore and keystore are not different; it depends on the name you give.
Example: tomcat_keystore.keystore or tomcat_trust.keystore, and you need to
provide the respective path and the password in the keystore.

Please make sure that the same alias name is used throughout the process.

Please check whether your keystore contains any private key entries using
the keytool -list -v command. If you had imported a proper SSL cert with the
proper alias name, then ideally you should have a private key entry here.

Thanks


On Fri, 4 Aug 2017 9:53 pm Hameed, Amir, <amir.ham...@xerox.com> wrote:

> Thank you for your reply. Please see my answers below:
>
> Have you imported the signed server certificate into the server keystore
> with all the root+intermediate certificates? In other words, does the
> "chain-of-trust" exist in the server keystore?
> >> Yes, I have imported all trusted certificates (COMODORSAAddTrustCA.crt
> + AddTrustExternalCARoot.crt +
> COMODORSAOrganizationValidationSecureServerCA.crt) into the server key
> store along with the signed server certificate.
>
> You just need to add the root and intermediate CA certs to the trust store -
> any server certs signed by them are, by default, trusted.
> >> I am new to Tomcat. Where can I find the trust store and is it separate
> from the server key store?
>
> Thanks
> -----Original Message-----
> From: M. Manna [mailto:manme...@gmail.com]
> Sent: Friday, August 4, 2017 12:16 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: SSL is not working
>
> Have you imported the signed server certificate into the server keystore
> with all the root+intermediate certificates? In other words, does the
> "chain-of-trust" exist in the server keystore?
>
> You just need to add the root and intermediate CA certs to the trust store -
> any server certs signed by them are, by default, trusted.
>
>
> On 4 August 2017 at 17:09, Hameed, Amir <amir.ham...@xerox.com> wrote:
>
> > Hi,
> > I am trying to configure Tomcat 8.0.36 with SSL and running into some
> > issues. The JDK version I am using is 1.8.0_64. I used the following
> > process to implement SSL:
> >
> > 1.       Generated a Java key store using the following command:
> > ${JAVA_HOME}/bin/keytool -genkey -alias [alias-name] -keyalg RSA -keysize 2048 \
> > -keystore [key-store-path]/keystore.jks -dname \
> > "CN=[common-name],OU=[org-unit], O=[company-name], L=[city], ST=[state], C=US"
> >
> >
> > 2.       Generated CSR using the following command:
> > ${JAVA_HOME}/bin/keytool -certreq -alias [alias-name] -file [key-store-path]/[csr-file-name] \
> > -keystore [key-store-path]/keystore.jks
> >
> >
> > 3.       Requested certificate from COMODO.
> >
> > 4.       Imported all trusted certificates from COMODO into the key store
> > using the following command. There were a total of three trusted
> > certificates that we received from COMODO:
> > ${JAVA_HOME}/bin/keytool -import -trustcacerts -alias [alias-name] \
> > -file [ssl-cert-file] -keystore [key-store-path]/keystore.jks -v
> >
> >
> > 5.       Modified Tomcat's server.xml file as shown below:
> >
> >     <Connector port="[ssl-port]" protocol="org.apache.coyote.http11.Http11NioProtocol"
> >                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> >                clientAuth="false" sslProtocol="TLS"
> >                keystoreFile="[key-store-path]/keystore.jks"
> >                keystoreType="JKS" keystorePass="[key-store-password]" />
> >
> >
> >
> > 6.       Restarted Tomcat.
> >
> > 7.       Accessed the Tomcat homepage from the browser using https and the
> > browser complained about page being insecure. When I looked at the
> > certificate from the browser, I see that the Certificate Path tab of
> > the certificate shows that the trusted chain is incomplete and does
> > not show the trusted certificates that I had imported into the key store.
> >
> > What am I missing here? Any help will be appreciated.
> >
> >
> > Thank you,
> > Amir
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
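
The `keytool -list -v` check suggested at the top of this thread, as an added example that is not part of any poster's message: a shell function that reads that listing and reports, per alias, the entry type and the certificate chain length attached to it. The aliases and certificate names in the sample listing are constructed, and treating a one-certificate chain on a private key entry as "leaf-only" is this example's own heuristic.

```shell
#!/bin/sh
# Summarise `keytool -list -v` output read from stdin, one line per alias:
#   <alias> <entry type> <chain length> <verdict>
# Typical use (path placeholder as in the thread):
#   keytool -list -v -keystore [key-store-path]/keystore.jks | check_keystore_listing
check_keystore_listing() {
  awk '
    function emit() {
      if (alias == "") return
      if (type != "PrivateKeyEntry") verdict = "trust-only"
      else if (chain + 0 < 2)        verdict = "leaf-only"   # heuristic of this example
      else                           verdict = "ok"
      printf "%s %s %d %s\n", alias, type, chain, verdict
    }
    /^Alias name: /               { emit(); alias = substr($0, 13); type = ""; chain = 0 }
    /^Entry type: /               { type = substr($0, 13) }
    /^Certificate chain length: / { chain = substr($0, 27) }
    END { emit() }
  '
}

# Constructed listing (not output from the thread): the CA certificates exist
# only as trusted entries, and the key entry still carries one certificate.
sample_listing() {
  cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: tomcat
Creation date: Aug 4, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.test, O=Example, C=US
Issuer: CN=www.example.test, O=Example, C=US

Alias name: root
Creation date: Aug 4, 2017
Entry type: trustedCertEntry

Owner: CN=Example Root CA
Issuer: CN=Example Root CA
EOF
}

sample_listing | check_keystore_listing
```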
