M.,

On 8/4/17 12:16 PM, M. Manna wrote:
> Have you imported the signed server certificate into the server
> keystore with all the root+intermediate certificates? In other
> words, does the "chain-of-trust" exist in server keystore?
>
> You just need to add the root and intermediate CA certs to trust
> store - any server certs signed by them are by default trusted.

No, you definitely don't want to mess around with any trust stores.

Here are the instructions I always follow when using Java keystores
(which are in fact so awful that even Java is giving up on them[1]),
copied directly from my corporate wiki page on the subject (which I
wrote because I can never remember all the steps):

== Create a New Server Key & Certificate with Java's Keytool

Make sure to use Java's keytool with a Java version 1.6 or better.

$ keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 4096 -alias ${HOSTNAME} -keystore ${HOSTNAME}.jks

== Generate a CSR to send to a CA using Java's Keytool

$ keytool -certreq -sigalg SHA256withRSA -keystore ${HOSTNAME}.jks

If you have more than one certificate in there, you'll need to use the
"-alias" option.

== Import a Signed Certificate into your Keystore

You'll need to import the root and intermediate certificates from the
CA first:

$ keytool -import -alias [Authority.CA] -trustcacerts -file [authority's CA cert] -keystore ${HOSTNAME}.jks
$ keytool -import -alias [Authority.intermediate] -trustcacerts -file [authority's intermediate cert] -keystore ${HOSTNAME}.jks
$ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt -keystore ${HOSTNAME}.jks

Note that the order of import matters. If you do this in the opposite
order, I think your server catches fire instantly. Java keystores are
*just that bad*.

Hope that helps,
-chris

[1] http://openjdk.java.net/jeps/229

> On 4 August 2017 at 17:09, Hameed, Amir <amir.ham...@xerox.com>
> wrote:
>
>> Hi, I am trying to configure Tomcat 8.0.36 with SSL and running
>> into some issues.
>> The JDK version I am using is 1.8.0_64. I used the following process
>> to implement SSL:
>>
>> 1. Generated a java key store using the following command:
>>    ${JAVA_HOME}/bin/keytool -genkey -alias [alias-name] -keyalg RSA -keysize 2048 \
>>      -keystore [key-store-path]/keystore.jks -dname "CN=[common-name],OU=[org-unit], O=[company-name], L=[city], ST=[state], C=US"
>>
>> 2. Generated CSR using the following command:
>>    ${JAVA_HOME}/bin/keytool -certreq -alias [alias-name] -file [key-store-path]/[csr-file-name] \
>>      -keystore [key-store-path]/keystore.jks
>>
>> 3. Requested certificate from COMODO.
>>
>> 4. Imported all Trusted certificates from COMODO into the key store
>>    using the following command. There were a total of three trusted
>>    certificates that we received from COMODO:
>>    ${JAVA_HOME}/bin/keytool -import -trustcacerts -alias [alias-name] -file [ssl-cert-file] -keystore [key-store-path]/keystore.jks -v
>>
>> 5. Modified Tomcat's server.xml file as shown below:
>>
>>    <Connector port="[ssl-port]" protocol="org.apache.coyote.http11.Http11NioProtocol"
>>               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>>               clientAuth="false" sslProtocol="TLS"
>>               keystoreFile="[key-store-path]/keystore.jks"
>>               keystoreType="JKS" keystorePass="[key-store-password]" />
>>
>> 6. Restarted Tomcat.
>>
>> 7. Accessed the Tomcat homepage from the browser using https and the
>>    browser complained about page being insecure. When I looked at the
>>    certificate from the browser, I see that the Certificate Path tab
>>    of the certificate shows that the trusted chain is incomplete and
>>    does not show the trusted certificates that I had imported into
>>    the key store.
>>
>> What am I missing here? Any help will be appreciated.
>>
>> Thank you,
>> Amir