Hi
Can you help me with this problem?
Problem: Installing SSL certificate on Apache Tomcat 8.0.36 fails
I am trying to install a new SSL certificate into Apache Tomcat 8.0.36. The 
same steps ran successfully in 2013 and 2016 on Tomcat 7. Nothing changed other 
than moving the virtual machine from the old server to new hardware this year. 
Windows Server 2008 is still the same operating system.
I created a keystore and extracted a CSR, generated a certificate using GoDaddy for 
an Apache server and imported it to the server. I keep getting SSL handshake errors 
and I think it is because the certificate entry type is "trustedCertEntry" and 
not "PrivateKeyEntry".
Here are the steps I used to create the keystore and import the certificate into it.

1) Generate a keystore

cd C:\Program Files\Java\jre7\bin
keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keypass secret19 -keystore tomcat10.keystore

2) Create a CSR

keytool -certreq -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore tomcat10.keystore -file file10.csr

3) Generate certificates on the GoDaddy site for an "Apache" server (not Tomcat)

4) Install the root, intermediate and user certificates

keytool -import -alias root -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd-class2-root.crt

keytool -import -alias intermediate -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd_bundle-g2-g1.crt

keytool -import -alias tomcat -keystore tomcat10.keystore -file c:\cert_2019\508c844632c0145.crt

I am not sure why, but it seems the new one is not linking all certificates into 
the private key.
I tried many different imports and it would never import the server certificate 
as a "PrivateKeyEntry" like the one running now.

C:\Program Files\Java\jre7\bin>keytool -list -keystore tomcat10.keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
intermediate, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 27:AC:93:69:FA:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
tomcat, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): B6:27:BE:DF:ED:EF:EF:4D:62:D2:F1:5C:CC:C1:A2:AB:98:60:8E

I also tried creating a PEM text file with all certificates and importing that 
into the private key alias tomcat, but it only imported the domain certificate as 
"trustedCertEntry".

My server.xml connector config is like this:

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"
    compression="on" URIEncoding="UTF-8" compressionMinSize="2048"
    noCompressionUserAgents="gozilla, traviata"
    compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"/>
<Connector port="443" protocol="HTTP/1.1" maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA"
    keystorePass="password" keystoreFile="C:\Program Files\Java\jre7\bin\tomcat10.keystore"/>
    </Service>
</Server>

I tried many different options for the keytool command.
I followed the Tomcat 8 documentation and the GoDaddy list for installing the certificate.
When I try to access it using a browser I get this error:

This page can’t be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://psscr.xyz.c

When I use openssl I get a handshake failure:

$ openssl s_client -connect 10.60.xx.xx:443
CONNECTED(00000003)
140298896533392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1564789174
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
Thanks,

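As an added illustration (not part of the original post or of Tomcat), a small Python check over `keytool -list` output that reports whether the alias a connector will serve from is a PrivateKeyEntry, which is what the post's listing shows is missing. The listing text and fingerprints below are constructed to match the format shown above, and the alias "tomcat" is assumed because that is the alias the -genkey step used.

```python
import re

# Constructed listing modelled on the one in the post: every alias, including
# "tomcat", is a trustedCertEntry, so the keystore holds no private key.
BROKEN_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
intermediate, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
tomcat, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55
"""

# Constructed listing of a keystore where the server alias still owns its key.
HEALTHY_LISTING = """Your keystore contains 1 entry

tomcat, Jul 22, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55
"""

# One entry spans two lines: "<alias>, <date>, <type>," then the fingerprint line.
# The date itself contains a comma, so it is matched lazily.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,\n]+), (?P<date>.+?), (?P<type>\w+Entry),\s*\n"
    r"Certificate fingerprint \((?P<algo>\w+)\): (?P<fp>[0-9A-Fa-f:]+)",
    re.MULTILINE,
)


def parse_listing(text):
    """Map alias -> (entry type, fingerprint) from `keytool -list` output."""
    return {m["alias"].strip(): (m["type"], m["fp"]) for m in ENTRY_RE.finditer(text)}


def check_connector_alias(text, alias="tomcat"):
    """Explain whether `alias` can actually serve TLS: it must pair a key with its chain."""
    entries = parse_listing(text)
    if alias not in entries:
        return f"no entry named '{alias}': Tomcat has no key to serve"
    entry_type, _ = entries[alias]
    if entry_type != "PrivateKeyEntry":
        return (f"'{alias}' is a {entry_type}: it holds a certificate but no private key, "
                "so every TLS handshake will be rejected")
    return f"'{alias}' is a PrivateKeyEntry: key and certificate are paired"
```

Run it against the real listing by pasting the `keytool -list` output into the string; a trustedCertEntry under the server alias is the condition to look for before touching server.xml.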