These are standalone Tomcat instances (Tomcat is the web server, no Apache) running on Red Hat.
Each instance has its own IP address (verified via netstat) and each address has a separate DNS entry (webadvisor.ashland.edu and webui.ashland.edu), each of which resolves correctly. Each certificate is generated using the DNS name for the service it is intended for. As far as I can tell, the certificate store is valid. When I use the keytool command to list the original keystore (the one with both certificates loaded in the same keystore), I get the attached listing. When I look at the new one (separate keystores, each with only one certificate) it looks the same except that it is missing the tomcat (the first instance) certificate and only has the webui certificate.

The commands I used to create the keystore were:

keytool -genkey -alias webui -keyalg RSA -keystore webui.keystore
keytool -certreq -alias webui -keystore webui.keystore
keytool -import -trustcacerts -alias IPSROOT -file IPSServidores.crt -keystore webui.keystore
keytool -import -trustcacerts -alias IPSCAA1 -file IPSCACLASEA1.crt -keystore webui.keystore
keytool -import -trustcacerts -alias webui -file webui.crt -keystore webui.keystore

The IPSServidores.crt is the IPS root certificate, IPSCACLASEA1.crt is the intermediate certificate, and webui.crt is the certificate reply from IPS. These are the same steps I followed for the webadvisor instance and it is working properly.

The only things that I can think of that are different between these two Tomcat instances are:

a) The webadvisor instance is visible through our firewall from off campus, and the webui instance is not (I am connecting from on campus)
b) The webadvisor instance is using the network device eth0, and webui is using eth0:0

Don

--
Don Prezioso
Director of Administrative I.T.
Ashland University
Ashland, Ohio

-----Original Message-----
From: Crypto Sal [mailto:crypto....@gmail.com]
Sent: Thursday, August 20, 2009 8:00 PM
To: Tomcat Users List
Subject: Re: SSL with multiple Tomcat instances

Hi Don,

Is this Tomcat for Windows or Tomcat for a UNIX variant?

Have you verified the keystore as correct via *keytool -v -list -keystore KEYSTORE_PATH/FILE*? (Redirect that text to a file if need be!)

Did you use the *-trustcacerts* flag upon importing the certificates or was this omitted?
Keystore type: jks
Keystore provider: SUN

Your keystore contains 4 entries

Alias name: webui
Creation date: Aug 10, 2009
Entry type: keyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=webui.ashland.edu, OU=Administrative IT, O=Ashland University, L=Ashland, ST=Ohio, C=US
Issuer: emailaddress=gene...@ipsca.com, CN=ipsCA CLASEA1 Certification Authority, OU=ipsCA CLASEA1 Certification Authority, O="gene...@ipsca.com C.I.F. B-B62210695", O=IPS Certification Authority s.l., L=Barcelona, ST=Barcelona, C=ES
Serial number: 131938
Valid from: Mon Aug 10 16:25:00 EDT 2009 until: Wed Aug 10 16:25:00 EDT 2011
Certificate fingerprints:
MD5: 2D:97:A3:54:26:FE:8F:A6:09:09:DB:BA:A4:E5:A2:7D
SHA1: 28:CD:12:8D:D6:42:CC:FA:A4:20:56:04:E4:E3:08:C6:BE:EA:EA:02
Certificate[2]:
Owner: emailaddress=gene...@ipsca.com, CN=ipsCA CLASEA1 Certification Authority, OU=ipsCA CLASEA1 Certification Authority, O="gene...@ipsca.com C.I.F. B-B62210695", O=IPS Certification Authority s.l., L=Barcelona, ST=Barcelona, C=ES
Issuer: emailaddress=...@mail.ips.es, CN=IPS SERVIDORES, OU=Certificaciones, O=IPS Seguridad CA, L=BARCELONA, ST=BARCELONA, C=ES
Serial number: 9018
Valid from: Sun Dec 30 08:36:11 EST 2001 until: Mon Dec 29 08:36:11 EST 2025
Certificate fingerprints:
MD5: BB:3A:D2:38:EB:40:C2:EA:BA:F2:CE:62:2E:33:C8:BB
SHA1: BD:B7:46:A9:82:7E:9E:19:DD:43:C1:B8:48:10:55:22:D0:13:E7:EC
Certificate[3]:
Owner: emailaddress=...@mail.ips.es, CN=IPS SERVIDORES, OU=Certificaciones, O=IPS Seguridad CA, L=BARCELONA, ST=BARCELONA, C=ES
Issuer: emailaddress=...@mail.ips.es, CN=IPS SERVIDORES, OU=Certificaciones, O=IPS Seguridad CA, L=BARCELONA, ST=BARCELONA, C=ES
Serial number: 0
Valid from: Thu Jan 01 18:21:07 EST 1998 until: Tue Dec 29 18:21:07 EST 2009
Certificate fingerprints:
MD5: 7B:B5:08:99:9A:8C:18:BF:85:27:7D:0E:AE:DA:B2:AB
SHA1: 24:BA:6D:6C:8A:5B:58:37:A4:8D:B5:FA:E9:19:EA:67:5C:94:D2:17


*******************************************
*******************************************


Alias name: ipscaa1
Creation date: Jan 9, 2008
Entry type: trustedCertEntry
Owner: emailaddress=gene...@ipsca.com, CN=ipsCA CLASEA1 Certification Authority, OU=ipsCA CLASEA1 Certification Authority, O="gene...@ipsca.com C.I.F. B-B62210695", O=IPS Certification Authority s.l., L=Barcelona, ST=Barcelona, C=ES
Issuer: emailaddress=...@mail.ips.es, CN=IPS SERVIDORES, OU=Certificaciones, O=IPS Seguridad CA, L=BARCELONA, ST=BARCELONA, C=ES
Serial number: 9018
Valid from: Sun Dec 30 08:36:11 EST 2001 until: Mon Dec 29 08:36:11 EST 2025
Certificate fingerprints:
MD5: BB:3A:D2:38:EB:40:C2:EA:BA:F2:CE:62:2E:33:C8:BB
SHA1: BD:B7:46:A9:82:7E:9E:19:DD:43:C1:B8:48:10:55:22:D0:13:E7:EC


*******************************************
*******************************************


Alias name: tomcat
Creation date: Jan 9, 2008
Entry type: keyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=webadvisor.ashland.edu, OU=Administrative IT, O=Ashland University, L=Ashland, ST=Ohio, C=US
Issuer: emailaddress=gene...@ipsca.com, CN=ipsCA CLASEA1 Certification Authority, OU=ipsCA CLASEA1 Certification Authority, O="gene...@ipsca.com C.I.F. B-B62210695", O=IPS Certification Authority s.l., L=Barcelona, ST=Barcelona, C=ES
Serial number: c397
Valid from: Wed Jan 09 13:39:27 EST 2008 until: Fri Jan 08 13:39:27 EST 2010
Certificate fingerprints:
MD5: 20:C9:64:D8:A6:2D:C4:94:D5:F4:42:85:70:95:AC:42
SHA1: C9:F6:53:4F:0D:8E:B6:DB:F2:4A:D4:2A:91:F2:D9:9F:BE:0B:D0:93
Certificate[2]:
Owner: emailaddress=gene...@ipsca.com, CN=ipsCA CLASEA1 Certification Authority, OU=ipsCA CLASEA1 Certification Authority, O="gene...@ipsca.com C.I.F. B-B62210695", O=IPS Certification Authority s.l., L=Barcelona, ST=Barcelona, C=ES
Issuer: emailaddress=...@mail.ips.es, CN=IPS SERVIDORES, OU=Certificaciones, O=IPS Seguridad CA, L=BARCELONA, ST=BARCELONA, C=ES
Serial number: 9018
Valid from: Sun Dec 30 08:36:11 EST 2001 until: Mon Dec 29 08:36:11 EST 2025
Certificate fingerprints:
MD5: BB:3A:D2:38:EB:40:C2:EA:BA:F2:CE:62:2E:33:C8:BB
SHA1: BD:B7:46:A9:82:7E:9E:19:DD:43:C1:B8:48:10:55:22:D0:13:E7:EC
Certificate[3]:
Owner: emailaddress=...@mail.ips.es, CN=IPS SERVIDORES, OU=Certificaciones, O=IPS Seguridad CA, L=BARCELONA, ST=BARCELONA, C=ES
Issuer: emailaddress=...@mail.ips.es, CN=IPS SERVIDORES, OU=Certificaciones, O=IPS Seguridad CA, L=BARCELONA, ST=BARCELONA, C=ES
Serial number: 0
Valid from: Thu Jan 01 18:21:07 EST 1998 until: Tue Dec 29 18:21:07 EST 2009
Certificate fingerprints:
MD5: 7B:B5:08:99:9A:8C:18:BF:85:27:7D:0E:AE:DA:B2:AB
SHA1: 24:BA:6D:6C:8A:5B:58:37:A4:8D:B5:FA:E9:19:EA:67:5C:94:D2:17


*******************************************
*******************************************


Alias name: ipsroot
Creation date: Jan 9, 2008
Entry type: trustedCertEntry
Owner: emailaddress=...@mail.ips.es, CN=IPS SERVIDORES, OU=Certificaciones, O=IPS Seguridad CA, L=BARCELONA, ST=BARCELONA, C=ES
Issuer: emailaddress=...@mail.ips.es, CN=IPS SERVIDORES, OU=Certificaciones, O=IPS Seguridad CA, L=BARCELONA, ST=BARCELONA, C=ES
Serial number: 0
Valid from: Thu Jan 01 18:21:07 EST 1998 until: Tue Dec 29 18:21:07 EST 2009
Certificate fingerprints:
MD5: 7B:B5:08:99:9A:8C:18:BF:85:27:7D:0E:AE:DA:B2:AB
SHA1: 24:BA:6D:6C:8A:5B:58:37:A4:8D:B5:FA:E9:19:EA:67:5C:94:D2:17


*******************************************
*******************************************
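As an added example (not code from the thread or from Tomcat), a small Python checker for listings in the `keytool -v -list` format shown above: it parses each alias block and, for a keyEntry, verifies that the leaf CN is the expected DNS name, that each Certificate[n]'s Issuer is the Owner of Certificate[n+1], that the chain ends in a self-signed root, and that nothing has already expired. The sample listing is constructed (DNs shortened from the listing above); `parse_keystore`, `check_chain` and `cn` are names of my own.

```python
import re
from datetime import datetime

# Constructed sample in `keytool -v -list` format; DNs shortened from the listing above.
SAMPLE = """Alias name: webui
Entry type: keyEntry
Owner: CN=webui.ashland.edu, O=Ashland University, C=US
Issuer: CN=ipsCA CLASEA1 Certification Authority, C=ES
Valid from: Mon Aug 10 16:25:00 EDT 2009 until: Wed Aug 10 16:25:00 EDT 2011
Owner: CN=ipsCA CLASEA1 Certification Authority, C=ES
Issuer: CN=IPS SERVIDORES, O=IPS Seguridad CA, C=ES
Valid from: Sun Dec 30 08:36:11 EST 2001 until: Mon Dec 29 08:36:11 EST 2025
Owner: CN=IPS SERVIDORES, O=IPS Seguridad CA, C=ES
Issuer: CN=IPS SERVIDORES, O=IPS Seguridad CA, C=ES
Valid from: Thu Jan 01 18:21:07 EST 1998 until: Tue Dec 29 18:21:07 EST 2009
"""

# One certificate record; the EDT/EST token is skipped since strptime's %Z only knows local zone names.
CERT_RE = re.compile(
    r"Owner: (?P<owner>.+)\nIssuer: (?P<issuer>.+)\n(?:Serial number: .+\n)?"
    r"Valid from: .+ until: (?P<until>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \w+ (?P<year>\d{4})"
)

def parse_keystore(listing):
    """Map alias -> (entry type, certificate chain in listing order)."""
    entries = {}
    for block in listing.split("Alias name: ")[1:]:
        alias = block.split("\n", 1)[0].strip()
        etype = re.search(r"Entry type: (\w+)", block).group(1)
        chain = [{"owner": m["owner"], "issuer": m["issuer"],
                  "until": datetime.strptime(f"{m['until']} {m['year']}", "%a %b %d %H:%M:%S %Y")}
                 for m in CERT_RE.finditer(block)]
        entries[alias] = (etype, chain)
    return entries

def cn(dn):
    return re.search(r"CN=([^,]+)", dn).group(1)

def check_chain(chain, expected_host, now):
    """Problems with one keyEntry chain: leaf name, Owner/Issuer linkage, root, expiry."""
    problems = []
    if cn(chain[0]["owner"]) != expected_host:
        problems.append(f"leaf CN is {cn(chain[0]['owner'])}, expected {expected_host}")
    problems += [f"Certificate[{i + 1}] issuer does not match Certificate[{i + 2}] owner"
                 for i in range(len(chain) - 1) if chain[i]["issuer"] != chain[i + 1]["owner"]]
    if chain[-1]["issuer"] != chain[-1]["owner"]:
        problems.append("chain does not end in a self-signed root")
    problems += [f"Certificate[{i}] ({cn(c['owner'])}) expired {c['until']:%Y-%m-%d}"
                 for i, c in enumerate(chain, 1) if c["until"] < now]
    return problems
```

Run against the full listing above at the thread's date (August 2009) it reports nothing, but the IPS SERVIDORES root (Certificate[3] in both key entries) expires on Dec 29, 2009, so the same check run after that date flags every chain.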