Hi Peter
I don't have the private key file. That is created when I create the keystore. I
don't know if it can be extracted.
Munzer
On Tuesday, 6 August 2019, 4:35:51 PM UTC, Peter Kreuser
<[email protected]> wrote:
Hi,
> Am 06.08.2019 um 02:42 schrieb Munzer Khatib <[email protected]>:
>
> Hi
> Can you help me with this problem?
> Problem: Installing SSL certificate on Apache Tomcat 8.0.36 fails
> I am trying to install a new SSL certificate into Apache Tomcat 8.0.36. I ran
> the same steps that ran successfully in 2013 and 2016 on Tomcat 7. Nothing changed
> other than moving the virtual machine from the old server to new hardware this
> year. Windows Server 2008 is still the same operating system.
> I created a keystore and extracted a CSR, generated a certificate using GoDaddy
> for Apache server and imported it to the server. I keep getting SSL handshake
> errors and I think it is because the certificate entry type is
> "trustedCertEntry" and not "PrivateKeyEntry".
> Here are the steps I used to create the keystore and import the certificate into it.
> 1) Generate a keystore
> cd C:\Program Files\Java\jre7\bin
> keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keypass secret19 -keystore tomcat10.keystore
> 2) Create a CSR
> keytool -certreq -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore tomcat10.keystore -file file10.csr
>
> 3) Generate certificates on the GoDaddy site for "Apache" server (not Tomcat)
> 4) Install root, intermediate and user certificate
> keytool -import -alias root -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd-class2-root.crt
>
> keytool -import -alias intermediate -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd_bundle-g2-g1.crt
> keytool -import -alias tomcat -keystore tomcat10.keystore -file c:\cert_2019\508c844632c0145.crt
>
I've not found a keytool command for that. I use openssl to convert the PEM to
PKCS12/keystore format.
Care to try the following command?
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -name tomcat -certfile fullchain.pem -passout pass:changeit -out jssekeystore
Peter
> I am not sure why but it seems the new one is not linking all certificates
> into the private key.
> I tried many different imports and it would never import the server
> certificate as a "PrivateKeyEntry" as the one running now.
> C:\Program Files\Java\jre7\bin>keytool -list -keystore tomcat10.keystore
> Enter keystore password:
> Keystore type: JKS
> Keystore provider: SUN
> Your keystore contains 3 entries
> root, Jul 22, 2019, trustedCertEntry,
> Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
> intermediate, Jul 22, 2019, trustedCertEntry,
> Certificate fingerprint (SHA1): 27:AC:93:69:FA:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
> tomcat, Jul 22, 2019, trustedCertEntry,
> Certificate fingerprint (SHA1): B6:27:BE:DF:ED:EF:EF:4D:62:D2:F1:5C:CC:C1:A2:AB:98:60:8E
>
> I also tried creating a PEM text file for all certificates and importing that
> into private key alias tomcat but it only imported the domain certificate as
> "trustedCertEntry".
> My server.xml connector config is like this:
> <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"
> compression="on" URIEncoding="UTF-8" compressionMinSize="2048"
> noCompressionUserAgents="gozilla, traviata"
> compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"/>
> <Connector port="443" protocol="HTTP/1.1" maxThreads="150" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
> keystorePass="password"
> keystoreFile="C:\Program Files\Java\jre7\bin\tomcat10.keystore"/>
> </Service></Server>
>
> Tried many different options for the keytool command.
> Followed the Tomcat 8 documentation and the GoDaddy list for installing the certificate.
> When I try to access it using a browser I get this error:
> This page can't be displayed. Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in
> Advanced settings and try connecting to https://psscr.xyz.c
> When I use openssl I get a handshake failure:
> $ openssl s_client -connect 10.60.xx.xx:443
> CONNECTED(00000003)
> 140298896533392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 289 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1564789174
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> Thanks,
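A check that would have flagged the keystore state shown in the listing above, added here as an example and not code from the thread: it parses `keytool -list` output and Tomcat's server.xml and reports every SSLEnabled Connector whose keystore has no usable PrivateKeyEntry (the function names and the sample input are my own, modelled on the thread).

```python
import re
import xml.etree.ElementTree as ET

# A `keytool -list` entry line looks like "<alias>, <date>, <EntryType>," (English locale assumed).
ENTRY_RE = re.compile(r"^(?P<alias>.+?), .+?, (?P<kind>[A-Za-z]+Entry),")

def parse_keytool_list(listing):
    """Return {alias: entry type} from `keytool -list` output; keystore aliases are case-insensitive."""
    entries = {}
    for line in listing.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias").lower()] = m.group("kind")
    return entries

def check_tls_connectors(server_xml, entries):
    """One finding per SSLEnabled Connector that cannot serve TLS from this keystore.
    Tomcat 8.0 JSSE rule: an explicit keyAlias must be a PrivateKeyEntry; without
    keyAlias the first key entry in the keystore is used, so at least one must exist."""
    findings = []
    has_key = any(kind == "PrivateKeyEntry" for kind in entries.values())
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port, alias = conn.get("port"), conn.get("keyAlias")
        if alias is None and not has_key:
            findings.append(f"port {port}: keystore has no PrivateKeyEntry, only "
                            f"{', '.join(sorted(entries))}")
        elif alias is not None and entries.get(alias.lower()) != "PrivateKeyEntry":
            findings.append(f"port {port}: keyAlias '{alias}' is "
                            f"{entries.get(alias.lower(), 'missing')}, not PrivateKeyEntry")
    return findings

# Constructed sample input modelled on the thread (fingerprints abbreviated, keystore path as posted).
KEYTOOL_LISTING = """\
Your keystore contains 3 entries
root, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 47:BE:AB:C9:...
intermediate, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 27:AC:93:69:...
tomcat, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): B6:27:BE:DF:...
"""
SERVER_XML = """\
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="C:\\Program Files\\Java\\jre7\\bin\\tomcat10.keystore"/>
</Service></Server>
"""
```

A `keytool -import` only yields a PrivateKeyEntry when the target alias already holds the key pair the CSR was generated from, in the same keystore file; into any other alias or keystore file the signed certificate lands as a trustedCertEntry, which is exactly the state the listing shows.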