
List:       tomcat-user
Subject:    RE: Tomcat keeps breaking/SSL keystore troubles
From:       "Andrew Friebel" <andrewf () reynolds ! com ! au>
Date:       2007-08-30 23:19:30
Message-ID: 005501c7eb5c$37e87bd0$a7b97370$ () com ! au

I am pretty confident you can use other tools other than keytool.  My belief
is that if you use things like openssl, then you may need to play with the
sslProtocol attribute in the server.xml file (maybe PKCS12).  There may be
something on a forum on using sslProtocol, or within the Tomcat doco itself.

Tomcat uses keytool to load the certificates (which you have probably
already figured out).

Older versions of keytool support the use of PKCS12, but are unable to create
this format, while I believe that the latest version of keytool supports the
creation of other formats (i.e. PKCS12).

I don't know if this is useful to you or not, but I hope it helps.

Regards,
Andrew

-----Original Message-----
From: Morris Jones [mailto:mojo@whiteoaks.com] 
Sent: Friday, 31 August 2007 2:24 AM
To: Tomcat Users List; cl0039@l-mx.de
Subject: Re: Tomcat keeps breaking/SSL keystore troubles

Christoph, I hate these problems, they're always tough to work through, 
and keytool doesn't make it any easier.

Did you use keytool to create your key and certificate request?  If you 
created the key and request outside of keytool, then keytool won't have 
the private key and can't import the certificate.

In order to get your private key into the keystore, you need to use a 
bit of Java code.  See here:  <http://www.agentbob.info/agentbob/79.html>

There's no need for you to import the CA's root certificate.  It's 
already there.

Good luck!

Mojo
-- 
Morris Jones
Monrovia, CA
http://www.whiteoaks.com
Old Town Astronomers http://www.otastro.org
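Morris's point above, that a certificate imported without its private key becomes a trust-only entry, can be checked directly from the keystore file: the following pure-Python JKS reader (an added example, not code from this thread or from Tomcat) reports each alias's entry type and verifies the store's integrity digest. It assumes a version-2 JKS file as keytool writes it; the sample store it builds uses placeholder certificate bytes, not real certificates.

```python
import hashlib
import struct

MAGIC = 0xFEEDFEED
PRIVATE_KEY, TRUSTED_CERT = 1, 2   # JKS entry tags
SALT = b"Mighty Aphrodite"         # fixed string keytool mixes into the integrity digest

def _take(buf, pos, fmt):
    """Read a big-endian length field of struct format fmt, then that many bytes."""
    (n,) = struct.unpack_from(fmt, buf, pos)
    pos += struct.calcsize(fmt)
    return buf[pos:pos + n], pos + n

def jks_entries(data, password):
    """Map alias -> 'PrivateKeyEntry' | 'trustedCertEntry'; ValueError on bad file or password."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != MAGIC or version != 2:
        raise ValueError("not a version-2 JKS keystore")
    pos, entries = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        alias, pos = _take(data, pos + 4, ">H")   # modified-UTF-8 alias
        pos += 8                                  # creation time (ms), unused here
        if tag == PRIVATE_KEY:
            _, pos = _take(data, pos, ">I")       # encrypted PKCS#8 key blob
            (chain_len,), pos = struct.unpack_from(">I", data, pos), pos + 4
        elif tag == TRUSTED_CERT:
            chain_len = 1
        else:
            raise ValueError("unknown JKS entry tag %d" % tag)
        for _ in range(chain_len):                # each cert: type string ("X.509"), then DER
            _, pos = _take(data, pos, ">H")
            _, pos = _take(data, pos, ">I")
        entries[alias.decode()] = "PrivateKeyEntry" if tag == PRIVATE_KEY else "trustedCertEntry"
    # keytool's integrity check: SHA-1 over password (UTF-16BE) + SALT + everything before it
    if data[pos:pos + 20] != hashlib.sha1(password.encode("utf-16-be") + SALT + data[:pos]).digest():
        raise ValueError("wrong keystore password or corrupted store")
    return entries

def sample_jks(password, aliases):
    """Constructed sample store from (alias, tag) pairs; certificate bytes are 4-byte placeholders."""
    body = struct.pack(">III", MAGIC, 2, len(aliases))
    for alias, tag in aliases:
        name = alias.encode()
        body += struct.pack(">IH", tag, len(name)) + name + struct.pack(">Q", 0)
        if tag == PRIVATE_KEY:                    # key blob, then a chain of one certificate
            body += struct.pack(">I", 4) + b"\x30\x02\x05\x00" + struct.pack(">I", 1)
        body += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", 4) + b"\x30\x02\x05\x00"
    return body + hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()
```

On a store built like the one in the quoted listing below, jks_entries returns trustedCertEntry for both root and tomcat and no PrivateKeyEntry, which is the condition behind the "No available certificate or key" error; the usual remedy when the key was generated outside keytool is to bundle key, certificate and CA chain with openssl pkcs12 -export and set keystoreType="PKCS12" on the Connector.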

Christoph Lechner wrote:
> Hi all,
> 
> I've been trying hard to enable the SSL connector in TomCat for a few
> days now. As I don't have very much experience with SSL, it's quite hard
> for me to figure out what's going wrong.
> I read a lot of different setup guides, but I'm getting the same error
> messages all the time:
> 
> 16:37:13,254 INFO  [Http11BaseProtocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
> 16:37:13,338 INFO  [ChannelSocket] JK: ajp13 listening on /0.0.0.0:8009
> 16:37:13,346 INFO  [JkMain] Jk running ID=0 time=0/24  config=null
> 16:37:13,360 INFO  [Http11BaseProtocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8443
> 16:37:13,371 ERROR [PoolTcpEndpoint] Endpoint [SSL: ServerSocket[addr=/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
>         at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
>         at org.apache.tomcat.util.net.PoolTcpEndpoint.run(PoolTcpEndpoint.java:647)
>         at java.lang.Thread.run(Thread.java:595)
> 
> I've got a .crt file, a .csr file and a .key file for the domain and I
> also got the root cert from the CA. So I tried to set it up in the
> following way (output messages included):
> ---> Begin of keystore creation <---
> ab-server1:~/ssl# keytool -import -trustcacerts -alias root -file
> rapidssl_01.cer -keystore thekeystore
> Enter keystore password:  changeit
> Certificate already exists in system-wide CA keystore under alias
> <equifaxsecureglobalebusinessca1>
> Do you still want to add it to your own keystore? [no]:  yes
> Certificate was added to keystore
> ab-server1:~/ssl# keytool -import -trustcacerts -alias tomcat -file
> www_mydomain_com.crt -keystore thekeystore
> Enter keystore password:  changeit
> Certificate was added to keystore
> ab-server1:~/ssl# keytool -list -keystore thekeystore
> Enter keystore password:  changeit
> 
> Keystore type: jks
> Keystore provider: SUN
> 
> Your keystore contains 2 entries
> 
> root, Aug 30, 2007, trustedCertEntry,
> Certificate fingerprint (MD5):
> 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
> tomcat, Aug 30, 2007, trustedCertEntry,
> Certificate fingerprint (MD5):
> C4:6F:76:3F:5E:ED:33:04:F9:CB:0F:98:28:21:5D:D4
> ---> End of keystore creation <---
> 
> In server.xml file, I added:
> <Connector port="8443" address="${jboss.bind.address}"
>             maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
>             emptySessionPath="true"
>             scheme="https" secure="true" clientAuth="false"
>             keystoreFile="/root/ssl/thekeystore"
>             keystorePass="changeit" sslProtocol = "TLS" />
> 
> 
> OTOH I've tried a self-signed certificate and it worked.
> 
> What's my fault?
> 
> TIA
> - C. Lechner
> 
> 
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org

