> John,
>> Am 26.09.2017 um 21:26 schrieb John Ellis <>:
>> Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is 
>> what Jira and/or Confluence would use so I did that and it worked fine on 
>> http port of 8080. I then edited the server.xml file again for the SSL port 
>> and got the same result as before; never gets to a webpage login using the 
>> secure port of 8443 but I can still get the webpage on port 8080. When I 
>> look at the Tomcat 8 Catalina log file I see several lines where it says 
>> "Cannot store non-PrivateKeys". I have been 
>> googling that error and found a couple of posts saying to change from JKS to 
>> JCEKS but when I ran the commands I didn't have JKS in the command; only RSA 
>> for the algorithm. Can someone provide me with the proper keytool commands 
>> that I need to use to create an SSL certificate for Tomcat?   
> We’re talking about Tomcat 8.5, 8.0 is EOLed so it may not make sense to ride 
> a dead horse, also SSL setup has changed quite a bit in 8.5/9.0.
> So my setup is as follows:
> server.xml:
> <Connector port="8443"
>            protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> sslImplementationName=""
>            allowTrace="false"
>            maxThreads="150"
>            SSLEnabled="true"
>            compression="off"
>            scheme="https"
>            server="Apache Tomcat"
>            secure="true"
>            defaultSSLHostConfigName="localhost" >
>    <SSLHostConfig
>            hostName="localhost"
>            honorCipherOrder="true"
>            certificateVerification="none"
>            protocols="TLSv1.2" >
>     <Certificate 
> certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
>                  certificateKeystorePassword="changeit"
>                  certificateKeyAlias="tomcat"
>                  type="RSA" />
>    </SSLHostConfig>
>  </Connector>
> I use openssl to create the certs (as let’s encrypt for an official cert will 
> generate the same structure) and then convert to JKS:
> openssl genrsa -aes256 -out server.key 4096
> openssl req -new -key server.key -out server.csr -sha512  -subj 
> "/C=XX/ST=XX/L=XX/O=XX/CN=localhost/"
> #there is more to it to get SAN extensions, but that’s not necessary to get 
> it running
> openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out 
> server.crt # you may need your own ca and a signing-process to make this work 
> in all browsers
> #Verify Server Cert
> openssl x509 -in server.crt -text -noout
> openssl pkcs12 -export -in server.crt -inkey server.key -out jssecacerts -name tomcat
> keytool -list -v -keystore jssecacerts -storepass changeit
> Hope this helps for a start.
> Regards
> Peter
> Peter, I have never seen entries in the "</SSLHostConfig>" part of the 
> server.xml file. Does that have to be in there for SSL to work in Tomcat?
That's the way you define one Connector on one port with different certificates 
in TC 8.5 and 9.0.
I guess that's one of the important new features!
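A scripted version of the openssl steps Peter describes, added here as an example and not taken from the thread: it keeps -subj off genrsa, adds the SAN extension he mentions, and then checks that the resulting keystore really holds a private key under the alias Tomcat's certificateKeyAlias expects (the function names, the 2048-bit key size and the non-interactive passphrase handling are this example's choices):

```shell
#!/bin/sh
# Scripted version of the key/cert/keystore steps from the thread (not the
# thread's own commands). Passphrases go through -passin/-passout so the
# script runs unattended; key size is 2048 here, the thread used 4096.
set -eu

make_tomcat_keystore() {
  dir="$1" host="$2" alias="$3" storepass="$4"
  mkdir -p "$dir"
  # 1. Encrypted RSA private key. genrsa takes no -subj; the subject belongs on the CSR.
  openssl genrsa -aes256 -passout "pass:$storepass" -out "$dir/server.key" 2048 2>/dev/null
  # 2. Certificate signing request carrying the subject.
  openssl req -new -sha256 -key "$dir/server.key" -passin "pass:$storepass" \
    -subj "/C=XX/ST=XX/L=XX/O=XX/CN=$host" -out "$dir/server.csr"
  # 3. Self-signed certificate with the subjectAltName browsers look for
  #    (x509 -req does not copy CSR extensions, so they are passed via -extfile).
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
    -signkey "$dir/server.key" -passin "pass:$storepass" \
    -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
  # 4. PKCS12 keystore holding key and certificate under the alias that
  #    Tomcat looks up via certificateKeyAlias.
  openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" \
    -passin "pass:$storepass" -passout "pass:$storepass" \
    -name "$alias" -out "$dir/jssecacerts"
}

# Number of private keys in the keystore. A store holding only certificates
# (0 here) is a common reason the HTTPS connector never comes up.
keystore_private_keys() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
    | grep -c 'BEGIN.*PRIVATE KEY'
}

# Alias (PKCS12 friendlyName) of the first entry; must match certificateKeyAlias.
keystore_alias() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | grep -m1 'friendlyName' | sed 's/.*friendlyName: *//'
}

# DNS names in the server certificate's subjectAltName.
keystore_san() {
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null \
    | openssl x509 -noout -text | grep -o 'DNS:[A-Za-z0-9.-]*'
}

# Usage: make_tomcat_keystore /tmp/tomcat-ssl localhost tomcat changeit
```

Because the file is a PKCS12 store rather than a JKS one, the Certificate element should also carry certificateKeystoreType="PKCS12".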