Vince,

On 7/15/22 19:56, Vince Stewart wrote:
My system uses embedded Tomcat to connect to a HttpServlet instance.
I have just upgraded from Tomcat 8.0.2 to 9.0.64
I am implementing SSL for the first time.

I created a keystore with no alias. Keytool gave it the alias "mykey" (2nd
entry below).
I imported an issued PEM certificate (4 items in chain).
The final item in the chain has the alias "tomcat" as per
https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Importing_the_Certificate
(The same documentation recommends the keystore alias also be 'tomcat', but
if the keystore and the issued certificate are both given the same alias
(i.e. 'tomcat'), keytool will import the final entry as "self generated" and
throw an error.) Here is my abbreviated keystore list using alias 'mykey'
for the keystore.

You have to import the signed cert on top of the one that already exists. Because you used "mykey" as the alias for the key/cert initially, you must use the same alias when you import the signed cert. Your self-signed cert will be replaced with the signed one. Remove the "tomcat" one and tell Tomcat to use "mykey".

Remember to make a backup ;)

I hate keystores.

-chris

____________________________________keystore listing_______________________
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 5 entries
intermediate, 16/07/2022, trustedCertEntry,
Certificate fingerprint (SHA-256):
68:B9:C7:61.................................
intermediate2, 16/07/2022, trustedCertEntry,
Certificate fingerprint (SHA-256):
7F:A4:FF:68................................
mykey, 16/07/2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256):
36:F8:64:73:.................................
root, 16/07/2022, trustedCertEntry,
Certificate fingerprint (SHA-256):
D7:A7:A0:FB..............................
tomcat, 16/07/2022, trustedCertEntry,
Certificate fingerprint (SHA-256):
36:A9:B7:A9:..............................
________________________________________________________________________

Here is my startup code (no server.xml file)

     // Imports this snippet relies on (PATHS, Logr and MyApp are my own classes)
     import java.io.File;
     import org.apache.catalina.connector.Connector;
     import org.apache.catalina.startup.Tomcat;
     import org.apache.tomcat.util.net.SSLHostConfig;

     Tomcat tomcat = new Tomcat();
     tomcat.setPort(PATHS.getPortNumber());
     Connector c = tomcat.getConnector();
     c.setSecure(true);
     c.setScheme("https");
     c.setProperty("SSLEnabled", "true");    // crucial bit of code
     SSLHostConfig ss = new SSLHostConfig();
     // ss.setHostName("localhost"); this breaks the init process - leave as "_default_"
     ss.setCertificateKeyAlias("mykey");    // if set to 'tomcat' init will throw
                                            // "Alias name [tomcat] does not identify a key entry"
     ss.setCertificateKeystorePassword("changit");
     ss.setCertificateKeystoreFile(PATHS.getHomePath() + "/ks/mykeystor.jks");
     ss.setCertificateKeystoreType("PKCS12");
     ss.setCertificateKeystoreProvider("SUN");
     c.addSslHostConfig(ss);
     org.apache.catalina.Context ctx = tomcat.addContext("", new File(".").getAbsolutePath());
     Tomcat.addServlet(ctx, "myApp", new MyApp());
     ctx.addServletMappingDecoded("/*", "myApp");
     Logr.s("connector scheme " + c.getScheme());
     Logr.s("connector SSLEnabled " + c.getProperty("SSLEnabled"));
     Logr.s("connector redirect " + c.getRedirectPort());    // defaults to 443
     Logr.s("connector protocol " + c.getProtocol());
     tomcat.start();
     tomcat.getServer().await();

When I use "tomcat" as the alias for the keystore I cannot load the final
issued certificate without an error. If I use "mykey" as the keystore alias
everything seems to be working but the certificate returned to the browser
is not the domain-specific certified certificate but a certificate
generated with the certificate keystore fingerprint.  In a properly
operating implementation, what certificate should be returned to the
browser?
I'm obviously doing something wrong. But what?
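The two symptoms in the thread (Tomcat refusing the "tomcat" alias, and the browser being shown keytool's placeholder certificate when "mykey" is used) can both be checked before starting Tomcat. The program below is an added example, not code from the thread or from Tomcat itself; it opens the PKCS12 keystore with the plain JDK API and reports whether the alias handed to SSLHostConfig.setCertificateKeyAlias() is a PrivateKeyEntry and whether the first certificate in its chain is still self-signed. The keystore path, password and alias defaults are hypothetical and can be overridden on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Pre-flight check for the alias given to SSLHostConfig.setCertificateKeyAlias().
 * Tomcat needs (1) a PrivateKeyEntry under that alias (a trustedCertEntry such as
 * "tomcat" in the listing above yields "Alias name [...] does not identify a key
 * entry") and (2) the CA-issued leaf as the first certificate of that entry's chain,
 * not the self-signed placeholder keytool created together with the key pair.
 */
public class KeystoreAliasCheck {

    /** Returns the problems found; an empty list means the alias is usable for TLS. */
    public static List<String> check(KeyStore ks, String alias) throws Exception {
        List<String> problems = new ArrayList<>();
        if (!ks.containsAlias(alias)) {
            problems.add("alias '" + alias + "' does not exist");
            return problems;
        }
        if (!ks.isKeyEntry(alias)) {
            problems.add("alias '" + alias + "' is a trustedCertEntry, not a PrivateKeyEntry; "
                    + "there is no private key for Tomcat to terminate TLS with");
            return problems;
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate leaf = (X509Certificate) chain[0];
        System.out.println("leaf subject : " + leaf.getSubjectX500Principal());
        System.out.println("leaf issuer  : " + leaf.getIssuerX500Principal());
        System.out.println("leaf SHA-256 : " + fingerprint(leaf)); // compare with keytool -list
        System.out.println("chain length : " + chain.length);

        // Subject == issuer on the leaf means the issued cert was never imported under
        // this alias: browsers will be shown keytool's self-signed placeholder.
        if (leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            problems.add("leaf certificate under '" + alias + "' is self-signed; import the "
                    + "issued certificate under this same alias to replace it");
        }
        // Every element of the chain must be signed by the element above it.
        for (int i = 0; i < chain.length - 1; i++) {
            try {
                chain[i].verify(chain[i + 1].getPublicKey());
            } catch (Exception e) {
                problems.add("chain element " + i + " is not signed by element " + (i + 1)
                        + ": " + e.getMessage());
            }
        }
        return problems;
    }

    /** Colon-separated upper-case SHA-256 fingerprint, the format keytool -list prints. */
    static String fingerprint(Certificate c) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical defaults; arguments: <keystore> <password> <alias>
        String path = args.length > 0 ? args[0] : "ks/mykeystor.jks";
        String password = args.length > 1 ? args[1] : "changeit";
        String alias = args.length > 2 ? args[2] : "mykey";

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        List<String> problems = check(ks, alias);
        if (problems.isEmpty()) {
            System.out.println("OK: '" + alias + "' is a key entry with a CA-issued leaf");
        } else {
            for (String p : problems) {
                System.out.println("PROBLEM: " + p);
            }
            System.exit(1);
        }
    }
}
```

Run it once against "tomcat" and once against "mykey": the first fails the key-entry test, the second passes it but reports a self-signed leaf, which is exactly what the browser sees. The fix is the one in the reply above: after the root and intermediates are in the store as trusted entries, import the issued PEM under the key entry's alias (`keytool -importcert -alias mykey -file issued.pem -keystore ks/mykeystor.jks -storetype PKCS12`), so the self-signed placeholder is replaced by the real chain, then delete the separate "tomcat" entry and rerun the check.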
