Hi,
> On 06.08.2019 at 02:42, Munzer Khatib <smk_01_2...@yahoo.com.invalid> wrote:
> 
> Hi
> Can you help me with this problem.
> Problem: Installing SSL certificate on Apache Tomcat 8.0.36 fails
> I am trying to install a new SSL certificate into Apache tomcat 8.0.36. I ran
> the same steps successfully in 2013 and 2016 on tomcat 7. Nothing changed
> other than moving the virtual machine from the old server to new hardware this
> year. Windows Server 2008 is still the same operating system.
> I created a keystore and extracted a CSR, generated the certificate using godaddy
> for Apache server and imported it to the server. I keep getting SSL handshake
> errors and I think it is because the certificate entry type is
> "trustedCertEntry" and not "PrivateKeyEntry".
> Here are the steps I used to create the keystore and import the certificate into it.
> 
> 1) Generate a keystore
> cd C:\Program Files\Java\jre7\bin
> keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keypass secret19 -keystore tomcat10.keystore
> 
> 2) Create a CSR
> keytool -certreq -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore tomcat10.keystore -file file10.csr
> 
> 3) Generate certificates on godaddy site for "Apache" server (not tomcat)
> 
> 4) Install root, intermediate and user certificate
> keytool -import -alias root -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd-class2-root.crt
> keytool -import -alias intermediate -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd_bundle-g2-g1.crt
> keytool -import -alias tomcat -keystore tomcat10.keystore -file c:\cert_2019\508c844632c0145.crt

I've not found a keytool command for that. I use openssl to convert the PEM to
pkcs12/keystore format. Care to try the following command?

openssl pkcs12 -export -in cert.pem -inkey privkey.pem -name tomcat -certfile fullchain.pem -passout pass:changeit -out jssekeystore

Peter

> I am not sure why but it seems the new one is not linking all certificates
> into the private key.
> I tried many different imports and it would never import the server
> certificate as a "PrivateKeyEntry" like the one running now.
> 
> C:\Program Files\Java\jre7\bin>keytool -list -keystore tomcat10.keystore
> Enter keystore password:
> Keystore type: JKS
> Keystore provider: SUN
> 
> Your keystore contains 3 entries
> 
> root, Jul 22, 2019, trustedCertEntry,
> Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
> intermediate, Jul 22, 2019, trustedCertEntry,
> Certificate fingerprint (SHA1): 27:AC:93:69:FA:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
> tomcat, Jul 22, 2019, trustedCertEntry,
> Certificate fingerprint (SHA1): B6:27:BE:DF:ED:EF:EF:4D:62:D2:F1:5C:CC:C1:A2:AB:98:60:8E
> 
> I also tried creating a PEM text file for all certificates and importing that
> into the private key alias tomcat, but it only imported the domain certificate as
> "trustedCertEntry".
> 
> My server.xml connector config is like this:
> 
> <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"
>     compression="on" URIEncoding="UTF-8" compressionMinSize="2048"
>     noCompressionUserAgents="gozilla, traviata"
>     compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"/>
> <Connector port="443" protocol="HTTP/1.1" maxThreads="150" scheme="https" secure="true"
>     clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
>     sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>     ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
>     keystorePass="password"
>     keystoreFile="C:\Program Files\Java\jre7\bin\tomcat10.keystore"/>
> </Service></Server>
> 
> Tried many different options for the keytool command.
> Followed tomcat 8 documentation and godaddy list for installing the certificate.
> 
> When I try to access using a browser I get this error:
> This page can't be displayed. Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in
> Advanced settings and try connecting to https://psscr.xyz.c
> 
> When I use openssl I get a handshake failure:
> $ openssl s_client -connect 10.60.xx.xx:443
> CONNECTED(00000003)
> 140298896533392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 289 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1564789174
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> 
> Thanks,
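As an added example illustrating Peter's openssl suggestion (not code from the thread; it assumes openssl on PATH and constructs a throwaway test CA and leaf certificate in place of the GoDaddy files), this script builds the PKCS12 store, checks that it really holds one private key together with its chain, and prints the connector attributes to use. Tomcat 8.0 defaults keystoreType to JKS, so the connector must also say keystoreType="PKCS12" when pointed at the converted store.

```shell
#!/bin/sh
# Added example, not code from the thread: build the PKCS12 keystore the way
# Peter suggests, then verify it holds a private key plus its chain, which the
# JKS imports in the question never produced (every alias was trustedCertEntry).
# Assumes openssl on PATH; key and certificates are constructed here (throwaway
# CA + leaf) so it runs offline. In real use cert.pem, privkey.pem and
# fullchain.pem are the CA-issued files.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"   # placeholder, as in the thread; use a real store password

# Constructed stand-in for the GoDaddy chain: a test CA and a leaf it signs.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=psscr.example" \
        -keyout "$WORK/privkey.pem" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/cert.pem" 2>/dev/null
    cat "$WORK/cert.pem" "$WORK/ca.pem" > "$WORK/fullchain.pem"
}

# Peter's conversion: leaf + private key + chain under one alias "tomcat".
build_pkcs12() {
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/privkey.pem" \
        -name tomcat -certfile "$WORK/fullchain.pem" \
        -passout "pass:$PASS" -out "$WORK/jssekeystore"
}

# A usable Tomcat keystore has exactly one private key under the alias ...
count_private_keys() {
    openssl pkcs12 -in "$WORK/jssekeystore" -nocerts -nodes \
        -passin "pass:$PASS" 2>/dev/null | grep -c -- "-----BEGIN.*PRIVATE KEY-----"
}

# ... and the leaf plus at least one issuer certificate alongside it.
count_certs() {
    openssl pkcs12 -in "$WORK/jssekeystore" -nokeys \
        -passin "pass:$PASS" 2>/dev/null | grep -c -- "-----BEGIN CERTIFICATE-----"
}

# Connector attributes that point Tomcat 8.0 at the PKCS12 store instead of JKS.
connector_hint() {
    printf 'keystoreFile="%s" keystoreType="PKCS12" keystorePass="%s"\n' \
        "$WORK/jssekeystore" "$PASS"
}

make_test_material
build_pkcs12
echo "private keys: $(count_private_keys), certificates: $(count_certs)"
connector_hint
```

If keytool is available, `keytool -list -storetype PKCS12 -keystore "$WORK/jssekeystore"` should now show the tomcat alias as a PrivateKeyEntry rather than a trustedCertEntry.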