M.,

On 8/4/17 12:16 PM, M. Manna wrote:
> Have you imported the signed server certificate into the server
> keystore with all the root+intermediate certificates? in other
> words, does the "chain-of-trust" exist in server keystore?
> 
> You just need to add the root and intermediate CA certs to trust
> store - any server certs signed by them is by default, trusted.

No, you definitely don't want to mess around with any trust stores.

Here are the instructions I always follow when using Java keystores
(which are in fact so awful that even Java is giving up on them[1]),
copied directly from my corporate wiki page on the subject (which I
wrote because I can never remember all the steps):

== Create a New Server Key & Certificate with Java's Keytool

Make sure to use Java's keytool with a Java version 1.6 or better.

 $ keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 4096 -alias ${HOSTNAME} -keystore ${HOSTNAME}.jks

== Generate a CSR to send to a CA using Java's Keytool

 $ keytool -certreq -sigalg SHA256withRSA -keystore ${HOSTNAME}.jks

If you have more than one certificate in there, you'll need to use the
"-alias" option.

== Import a Signed Certificate into your Keystore

You'll need to import the root and intermediate certificates from the
CA first:

 $ keytool -import -alias [Authority.CA] -trustcacerts -file [authority's CA cert] -keystore ${HOSTNAME}.jks
 $ keytool -import -alias [Authority.intermediate] -trustcacerts -file [authority's intermediate cert] -keystore ${HOSTNAME}.jks
 $ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt -keystore ${HOSTNAME}.jks

Note that the order of import matters. If you do this in the opposite
order, I think your server catches fire instantly. Java keystores are
*just that bad*.

Hope that helps,
-chris

[1] http://openjdk.java.net/jeps/229

> On 4 August 2017 at 17:09, Hameed, Amir <amir.ham...@xerox.com>
> wrote:
> 
>> Hi, I am trying to configure Tomcat 8.0.36 with SSL and running
>> into some issues. The JDK version I am using is 1.8.0_64. I used
>> the following process to implement SSL:
>> 
>> 1. Generated a java key store using the following command:
>> ${JAVA_HOME}/bin/keytool -genkey -alias [alias-name] -keyalg RSA -keysize 2048 \
>>   -keystore [key-store-path]/keystore.jks \
>>   -dname "CN=[common-name],OU=[org-unit], O=[company-name], L=[city], ST=[state], C=US"
>> 
>> 
>> 2. Generated CSR using the following command:
>> ${JAVA_HOME}/bin/keytool -certreq -alias [alias-name] -file [key-store-path]/[csr-file-name] \
>>   -keystore [key-store-path]/keystore.jks
>> 
>> 
>> 3. Requested certificate from COMODO.
>> 
>> 4. Imported all Trusted certificates from COMODO into the key store
>> using command. There were a total of three trusted certificates that
>> we received from COMODO:
>> ${JAVA_HOME}/bin/keytool -import -trustcacerts -alias [alias-name] -file [ssl-cert-file] \
>>   -keystore [key-store-path]/keystore.jks -v
>> 
>> 
>> 5. Modified Tomcat's server.xml file as shown below:
>> 
>> <Connector port="[ssl-port]" protocol="org.apache.coyote.http11.Http11NioProtocol"
>>            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>>            clientAuth="false" sslProtocol="TLS"
>>            keystoreFile="[key-store-path]/keystore.jks"
>>            keystoreType="JKS" keystorePass="[key-store-password]" />
>> 
>> 6. Restarted Tomcat.
>> 
>> 7. Accessed the Tomcat homepage from the browser using https and the
>> browser complained about page being insecure. When I looked at the
>> certificate from the browser, I see that the Certificate Path tab of
>> the certificate shows that the trusted chain is incomplete and does
>> not show the trusted certificates that I had imported into the key
>> store.
>> 
>> What am I missing here? Any help will be appreciated.
>> 
>> 
>> Thank you, Amir
>> 
>> 
> 
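An added illustration of the rule behind Chris's "order of import matters" note and the incomplete chain Amir saw in the browser. It is a small Python model written for this thread, not keytool or Tomcat code: certificates are dicts with constructed names (Example Root CA, www.example.com) and the aliases are assumptions. The rule it encodes is keytool's own: a certificate imported under the key's alias is treated as a certificate reply and its chain is assembled from the trusted certificates already in the keystore (plus cacerts with -trustcacerts), so the root and intermediate must be present before the server cert is imported; a certificate imported under any other alias simply becomes a separate trusted entry that the key's chain never picks up, and Tomcat keeps serving the self-signed certificate that -genkey created.

```python
"""Model of the chain-building rule keytool applies on import.

Added illustration for this thread, not keytool or Tomcat code.
Certificates are plain dicts (subject, issuer, key_id) and signature
verification is reduced to issuer/subject and key_id matching. All
names and aliases below are constructed.
"""


class KeystoreError(Exception):
    """Raised where keytool would print an error and refuse the import."""


def cert(subject, issuer, key_id):
    """Constructed stand-in for an X.509 certificate."""
    return {"subject": subject, "issuer": issuer, "key_id": key_id}


class Keystore:
    """Toy JKS: PrivateKeyEntry (key + chain) and TrustedCertificateEntry."""

    def __init__(self):
        self.keys = {}      # alias -> {"key_id": str, "chain": [cert, ...]}
        self.trusted = {}   # alias -> cert

    def genkey(self, alias, subject, key_id):
        # keytool -genkey: the entry starts with a self-signed certificate,
        # which is exactly what Tomcat serves if nothing else is imported.
        self.keys[alias] = {"key_id": key_id,
                            "chain": [cert(subject, subject, key_id)]}

    def import_cert(self, alias, c, trustcacerts=False, cacerts=()):
        """keytool -import: the alias decides what the certificate becomes."""
        if alias in self.keys:
            return self._import_reply(alias, c, trustcacerts, cacerts)
        if alias in self.trusted:
            raise KeystoreError(f"alias {alias!r} already exists")
        self.trusted[alias] = c          # becomes a TrustedCertificateEntry
        return "trusted"

    def _import_reply(self, alias, c, trustcacerts, cacerts):
        # A cert imported under the key's alias is a "certificate reply":
        # it must match the key, and its chain is built from the trusted
        # certs already present (plus cacerts when -trustcacerts is given).
        entry = self.keys[alias]
        if c["key_id"] != entry["key_id"]:
            raise KeystoreError("certificate reply does not match the key")
        pool = list(self.trusted.values())
        if trustcacerts:
            pool += list(cacerts)
        chain = [c]
        while chain[-1]["subject"] != chain[-1]["issuer"]:
            issuer = next((t for t in pool
                           if t["subject"] == chain[-1]["issuer"]), None)
            if issuer is None:
                raise KeystoreError("failed to establish chain from reply")
            chain.append(issuer)
        entry["chain"] = chain
        return "reply"

    def served_chain(self, alias):
        """What a TLS connector keyed on this alias presents to clients."""
        return [(c["subject"], c["issuer"]) for c in self.keys[alias]["chain"]]


# Constructed CA hierarchy and server certificate (hypothetical names).
KEY_ALIAS = "www.example.com"
ROOT = cert("CN=Example Root CA", "CN=Example Root CA", "root-key")
INTER = cert("CN=Example Intermediate CA", "CN=Example Root CA", "inter-key")
SERVER = cert("CN=www.example.com", "CN=Example Intermediate CA", "server-key")


def run_imports(steps):
    """steps: list of (alias, cert) in import order.

    Returns the chain Tomcat would serve, or the keytool-style error
    if an import is refused."""
    ks = Keystore()
    ks.genkey(KEY_ALIAS, "CN=www.example.com", "server-key")
    try:
        for alias, c in steps:
            ks.import_cert(alias, c, trustcacerts=True)
    except KeystoreError as e:
        return {"ok": False, "error": str(e)}
    return {"ok": True, "chain": ks.served_chain(KEY_ALIAS)}


if __name__ == "__main__":
    # Root, intermediate, then the signed cert under the key's alias.
    print(run_imports([("example-root", ROOT), ("example-inter", INTER),
                       (KEY_ALIAS, SERVER)]))
    # Signed cert first: refused, nothing to chain it to yet.
    print(run_imports([(KEY_ALIAS, SERVER), ("example-inter", INTER),
                       ("example-root", ROOT)]))
    # Signed cert under a different alias: accepted as a trusted entry,
    # but the key entry still carries only its self-signed certificate.
    print(run_imports([("example-root", ROOT), ("example-inter", INTER),
                       ("example-cert", SERVER)]))
```

The third run is the situation worth recognising from the browser's Certificate Path tab: every import "succeeded", yet the server still presents a one-certificate, self-signed chain, because nothing was ever attached to the key entry. On a real keystore the equivalent check is `keytool -list -v -keystore ${HOSTNAME}.jks`, which reports the chain length of the PrivateKeyEntry.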
