Posted to users@tomcat.apache.org by Munzer Khatib <sm...@yahoo.com.INVALID> on 2019/08/06 00:42:49 UTC

Support Request for problem with problem running SSL certificate on tomcat 8

 Hi
Can you help me with this problem.
Problem: Installing SSL certificate on Apache Tomcat 8.0.36 fails
I am trying to install a new SSL certificate into Apache Tomcat 8.0.36. I ran the same steps successfully in 2013 and 2016 on Tomcat 7. Nothing changed other than moving the virtual machine from the old server to new hardware this year. Windows Server 2008 is still the same operating system.
I created a keystore and extracted a CSR, generated the certificate using GoDaddy for an Apache server and imported it to the server. I keep getting SSL handshake errors and I think it is because the certificate entry type is "trustedCertEntry" and not "PrivateKeyEntry".
Here are the steps I used to create the keystore and import certificate to it.
1) Generate a Keystore
cd C:\Program Files\Java\jre7\bin
keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keypass secret19 -keystore tomcat10.keystore

2) Create a CSR
keytool -certreq -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore tomcat10.keystore -file file10.csr

3) Generate certificates on godaddy site for "Apache" server (not tomcat)
4) Install root, intermediate and user certificate
keytool -import -alias root -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd-class2-root.crt

keytool -import -alias intermediate -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd_bundle-g2-g1.crt
keytool -import -alias tomcat -keystore tomcat10.keystore  -file c:\cert_2019\508c844632c0145.crt

I am not sure why but it seems the new one is not linking all certificates into the private key.
I tried many different imports and it would never import the server certificate as a "privateKeyentry" as the one running now.
C:\Program Files\Java\jre7\bin>keytool -list -keystore tomcat10.keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
root, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
intermediate, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 27:AC:93:69:FA:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
tomcat, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): B6:27:BE:DF:ED:EF:EF:4D:62:D2:F1:5C:CC:C1:A2:AB:98:60:8E

I also tried creating a PEM text file for all certificates and importing that into private key alias tomcat but it only imported the domain certificate as "trustedcertentry"
My server xml file connector config is like this
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
           redirectPort="8443" compression="on" URIEncoding="UTF-8"
           compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"/>
<Connector port="443" protocol="HTTP/1.1" maxThreads="150" scheme="https"
           secure="true" clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
           keystorePass="password"
           keystoreFile="C:\Program Files\Java\jre7\bin\tomcat10.keystore"/>
</Service></Server>

Tried many different options for keytool command.
Followed tomcat 8 documentation and godaddy list for installing certificate.
When I try to access using browser I get this error
This page can’t be displayed Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://psscr.xyz.c
When I use openssl I get a handshake failure
$ openssl s_client -connect 10.60.xx.xx:443
CONNECTED(00000003)
140298896533392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1564789174
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
Thanks,

Re: Support Request for problem with problem running SSL certificate on tomcat 8

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Munzer,

On 8/5/19 20:42, Munzer Khatib wrote:
> Here are the steps I used to create the keystore and import
> certificate to it.

These steps look okay, with the exception that Peter (logo) pointed
out: you have used two different keystores in your commands. Also, you
have tomcat10.keystore in your configuration and I think you might
want to be using tomcat14.keystore. Whichever keystore you use, you
need to be consistent. Feel free to make a backup copy after you
generate your CSR just in case you make a mistake and damage the key
store.

> C:\Program Files\Java\jre7\bin>keytool -list -keystore tomcat10.keystore
> Enter keystore password:
> Keystore type: JKS
> Keystore provider: SUN
> Your keystore contains 3 entries
> root, Jul 22, 2019, trustedCertEntry,
> Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
> intermediate, Jul 22, 2019, trustedCertEntry,
> Certificate fingerprint (SHA1): 27:AC:93:69:FA:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
> tomcat, Jul 22, 2019, trustedCertEntry,
> Certificate fingerprint (SHA1): B6:27:BE:DF:ED:EF:EF:4D:62:D2:F1:5C:CC:C1:A2:AB:98:60:8E

Okay, that's the first entry in the file. What about the other two?

> 
> I also tried creating a PEM text file for all certificates and
> importing that into private key alias tomcat but it only imported
> the domain certificate as "trustedcertentry"
> My server xml file connector config is like this
> <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
>            redirectPort="8443" compression="on" URIEncoding="UTF-8"
>            compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata"
>            compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"/>
> <Connector port="443" protocol="HTTP/1.1" maxThreads="150" scheme="https"
>            secure="true" clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
>            sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>            ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
>            keystorePass="password"
>            keystoreFile="C:\Program Files\Java\jre7\bin\tomcat10.keystore"/>
> </Service></Server>

You are missing a "keyAlias" attribute. You'll want:

keyAlias="tomcat"

In that <Connector> configuration. Otherwise, Tomcat will use the
first entry found in the keystore.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

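The three checks this thread converges on (every keytool command must touch the same keystore file, the alias the Connector serves must be a PrivateKeyEntry rather than a trustedCertEntry, and keyAlias should be set explicitly) can be automated against the keystore file itself. The following is an added example written for this page, not code from any message in the thread or from Tomcat: it builds a minimal Sun JKS (version 2) container, parses it the way a JSSE loader does (including the SHA-1 integrity check that produces the familiar "Keystore was tampered with, or password was incorrect" error), and then resolves the Connector's alias against the entries. The DER bytes, the encrypted-key blob, the command list and the connector strings are constructed stand-ins; the JKS layout is assumed to be Sun's proprietary format, which is what the `keytool -list` output above reports.

```python
import hashlib
import struct
import xml.etree.ElementTree as ET

# Sun JKS v2 layout (assumed; keytool on Java 9+ defaults to PKCS12 instead):
#   u4 magic 0xFEEDFEED | u4 version 2 | u4 count | entries | SHA-1 digest (20 bytes)
#   entry: u4 tag (1 PrivateKeyEntry, 2 trustedCertEntry) | UTF alias | u8 timestamp |
#          tag 1: u4-len encrypted key, u4 chain length, certs;  tag 2: one cert
#   cert:  UTF type ("X.509") | u4-len DER;  digest = SHA-1(pw as UTF-16BE || "Mighty Aphrodite" || body)
JKS_MAGIC = 0xFEEDFEED
ENTRY_NAMES = {1: "PrivateKeyEntry", 2: "trustedCertEntry"}

def _prefixed(fmt, raw):  # length-prefixed field; fmt is the struct code of the length
    return struct.pack(fmt, len(raw)) + raw

def _digest(password, body):
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()

def build_jks(entries, password):
    """entries: [(alias, tag, [der, ...])]. The private key bytes are a constructed placeholder."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, tag, certs in entries:
        body += struct.pack(">I", tag) + _prefixed(">H", alias.lower().encode()) + struct.pack(">Q", 0)
        if tag == 1:
            body += _prefixed(">I", b"\x30\x00") + struct.pack(">I", len(certs))
        for der in certs:
            body += _prefixed(">H", b"X.509") + _prefixed(">I", der)
    return body + _digest(password, body)

def parse_jks(data, password):
    """Return [(alias, entry type)] in file order: the facts `keytool -list` reports."""
    body, digest = data[:-20], data[-20:]
    if digest != _digest(password, body):
        raise ValueError("Keystore was tampered with, or password was incorrect")
    magic, version, count = struct.unpack_from(">III", body, 0)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a JKS version 2 keystore")
    pos, entries = 12, []
    def u(fmt):
        nonlocal pos
        (value,) = struct.unpack_from(fmt, body, pos)
        pos += struct.calcsize(fmt)
        return value
    def take(fmt):  # length-prefixed field
        nonlocal pos
        n = u(fmt)
        pos += n
        return body[pos - n:pos]
    for _ in range(count):
        tag = u(">I")
        alias = take(">H").decode("utf-8")
        u(">Q")  # creation timestamp
        if tag == 1:
            take(">I")  # encrypted PKCS#8 key; not needed to classify the entry
            chain_len = u(">I")
        elif tag == 2:
            chain_len = 1
        else:
            raise ValueError("unknown entry tag %d" % tag)
        for _ in range(chain_len):
            take(">H")  # certificate type string
            take(">I")  # DER certificate
        entries.append((alias, ENTRY_NAMES[tag]))
    return entries

def keystores_in_commands(commands):
    """Distinct -keystore arguments across the keytool commands; more than one means a split chain."""
    names = set()
    for parts in (cmd.split() for cmd in commands):
        if "-keystore" in parts:
            names.add(parts[parts.index("-keystore") + 1])
    return names

def check_connector(connector_xml, keystore_bytes):
    """Resolve the alias the way the Connector will and list what would make the handshake fail."""
    conn = ET.fromstring(connector_xml)
    entries = dict(parse_jks(keystore_bytes, conn.get("keystorePass", "changeit")))
    alias, problems = conn.get("keyAlias"), []
    if alias is None:
        problems.append("no keyAlias: Tomcat chooses the key entry for you; name it explicitly")
        if "PrivateKeyEntry" not in entries.values():
            problems.append("no PrivateKeyEntry in the keystore, so there is no key to serve with")
    elif entries.get(alias.lower()) != "PrivateKeyEntry":
        problems.append("keyAlias %r is %s, not a PrivateKeyEntry" % (alias, entries.get(alias.lower(), "missing")))
    legacy = [p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip() in ("SSLv3", "TLSv1", "TLSv1.1")]
    if legacy:
        problems.append("legacy protocols enabled: " + ", ".join(legacy))
    return problems

# Constructed stand-ins for this example: real entries carry DER certificates, not these bytes.
_DER = b"\x30\x03\x02\x01\x01"
BROKEN_KEYSTORE = build_jks([("root", 2, [_DER]), ("intermediate", 2, [_DER]), ("tomcat", 2, [_DER])], "password")
FIXED_KEYSTORE = build_jks([("tomcat", 1, [_DER, _DER, _DER]), ("root", 2, [_DER])], "password")
POSTED_COMMANDS = ["keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat10.keystore",
                   "keytool -import -alias root -keystore tomcat14.keystore -trustcacerts -file gd-class2-root.crt",
                   "keytool -import -alias tomcat -keystore tomcat10.keystore -file 508c844632c0145.crt"]
POSTED_CONNECTOR = ('<Connector port="443" protocol="HTTP/1.1" scheme="https" secure="true" SSLEnabled="true" '
                    'sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystorePass="password" keystoreFile="tomcat10.keystore"/>')
FIXED_CONNECTOR = POSTED_CONNECTOR.replace('sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"',
                                           'keyAlias="tomcat" sslEnabledProtocols="TLSv1.2"')
```

Run `check_connector(POSTED_CONNECTOR, BROKEN_KEYSTORE)` against the posted configuration and the keystore state shown in the `keytool -list` output and you get three findings: no keyAlias, no PrivateKeyEntry anywhere in the file, and TLSv1/TLSv1.1 still enabled. `keystores_in_commands(POSTED_COMMANDS)` returns both tomcat10.keystore and tomcat14.keystore, which is Peter's observation in a single line. Two caveats: a certificate reply only becomes a PrivateKeyEntry when it is imported under the alias that already holds the key, which is why a single keystore across all commands matters; and the parser reads entries in file order, whereas real `keytool -list` output is ordered by its internal table, so compare by alias, not by position.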

Re: Support Request for problem with problem running SSL certificate on tomcat 8

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Munzer,

On 8/10/19 18:31, Munzer Khatib wrote:
> I noticed I made some typos in the commands I listed here because I
> was testing. I started testing with the Tomcat10 keystore and then the
> last rekey was for the Tomcat14 keystore. All the commands reference
> the Tomcat14 keystore.

Can you please re-post a corrected list of commands? It will
definitely help.

Did you see my separate reply about missing the keyAlias configuration
attribute? It's almost certainly the root cause of (and solution to)
your problem.

> I did export the certificate to PK#12 and still will try to extract
> private key using openssl.
> 
> Do you think this problem might be due to incompatibility between 
> keytool java version and certificate and Tomcat 8.0 release? The 
> machine has an older Windows 2008 server.
Nope. PKCS12 is a standard format and all currently-released versions
of Java support it -- correctly, as far as I can tell. You can use
keytool from any version of Java to prepare a keystore to be used by
another version of Java.

Newer versions of Tomcat can use either a JSSE-readable file format
(like PKCS12, JKS, JCEKS, etc.) *or* the simpler PEM-encoded DER files
that e.g. Apache httpd uses.

-chris




Re: Support Request for problem with problem running SSL certificate on tomcat 8

Posted by Munzer Khatib <sm...@yahoo.com.INVALID>.
 Hi Peter,
Thank you for your reply. 
I noticed I made some typos in the commands I listed here because I was testing. I started testing with the Tomcat10 keystore and then the last rekey was for the Tomcat14 keystore. All the commands reference the Tomcat14 keystore.
I did export the certificate to PKCS#12 and will still try to extract the private key using openssl.
Do you think this problem might be due to an incompatibility between the keytool Java version, the certificate and the Tomcat 8.0 release? The machine has an older Windows 2008 server.
Thanks,


  

Re: Support Request for problem with problem running SSL certificate on tomcat 8

Posted by logo <lo...@kreuser.name>.
Munzer,



Am 2019-08-07 09:19, schrieb Peter Kreuser:
> Hi Munzer,
> 
> I guess we‘re going a slightly awkward way here, but to fix your
> problem with the new cert in the first place, you could use this:
> 
> If your keystore is the old proprietary format, convert it to PKCS12:
> keytool -importkeystore -srckeystore keystore.jks -destkeystore
> keystore.p12 -deststoretype PKCS12 -srcalias tomcat -deststorepass
> <password> -destkeypass <password>
> Then extract the key using openssl:
> openssl pkcs12 -in keystore.p12 -nocerts -out key.pem
> After that recombine it with the new cert.
> I‘ve found this here: https://security.stackexchange.com/a/66865
> 
> There has to be an easier way, but as your keystore is causing
> troubles, I‘m not really able to troubleshoot that.
> 

now I've replayed your commands and selfsigned the csr with my ca. I see 
the same behaviour on tomcat10.keystore!

BUUUUT! If I replace tomcat14.keystore in the first two commands with 
tomcat10.keystore the generated cert is imported as a PrivateKeyEntry. 
:-)

Well IF you did it like you sent in the first mail, you imported the ca 
and the intermediate certificate into a different (unused?) keystore!!!

Could you please doublecheck?


Peter

BTW: did you get warnings on the console that the JKS-keystore format is 
a proprietary format and should be converted to pkcs12?


> After all, you may have to reread on cert handling with keytool vs. 
> openssl.
> I prefer the openssl way ;-).
> 
> Peter
> 
> 
> 
> Peter Kreuser
>> Am 06.08.2019 um 19:50 schrieb Munzer Khatib 
>> <sm...@yahoo.com.invalid>:
>> 
>> Hi Peter
>> I don't have the private key file. That is created when I create the 
>> keystore. I don't know if it can be extracted.
>> Munzer
>>    On Tuesday, 6 August 2019, 4:35:51 PM UTC, Peter Kreuser 
>> <lo...@kreuser.name> wrote:
>> 
>> Hi,
>> 
>> 
>>> Am 06.08.2019 um 02:42 schrieb Munzer Khatib 
>>> <sm...@yahoo.com.invalid>:
>>> 
>>> Hi
>>> Can you help me with this problem.
>>> Problem: Installing SSL certificate on Apache Tomcat 8.0.36 fails
>>> I am trying to install a new SSL certificate into Apache tomcat 
>>> 8.0.36.I ran same steps ran successfully in 2013 and 2016 on tomcat 
>>> 7. Nothing changed other than moving the virtual machine from old 
>>> server to new hardware this year. Windows Server 2008 is still the 
>>> same Operating system.
>>> I created a keystore and extracted CSR, generated certificate using 
>>> godaddy for Apache server and imported to server. I keep getting an 
>>> SSL handshake errors and I think it is because the certificate 
>>> entrytype is "trustedcertEntry" and not "privateKey Entry'
>>> Here are the steps I used to create the keystore and import 
>>> certificate to it.
>>> 1) Generate a Keystore
>>> cd C:\Program Files\Java\jre7\bin
>>> keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg 
>>> SHA256withRSA -keypass secret19 -keystore tomcat10.keystore
>> 
>>> 2) Create a CSR
>>> keytool -certreq -alias tomcat -keyalg RSA -sigalg 
>>> SHA256withRSA -keystore tomcat10.keystore -file file10.csr
>>> 
>>> 3) Generate certificates on godaddy site for "Apache" server (not 
>>> tomcat)
>>> 4) Install root, intermediate and user certificate
>>> keytool -import -alias root -keystore tomcat14.keystore -trustcacerts 
>>> -file c:\cert_2022\gd-class2-root.crt
>>> 
>>> keytool -import -alias intermediate -keystore tomcat14.keystore 
>>> -trustcacerts -file c:\cert_2022\gd_bundle-g2-g1.crt
>>> keytool -import -alias tomcat -keystore tomcat10.keystore  -file 
>>> c:\cert_2019\508c844632c0145.crt
>> 
>> I‘ve not found a keytool command for that. I use openssl to convert 
>> the PEM to pkcs12/keystore format
>> 
>> Care to try the following command?
>> openssl pkcs12 -export -in cert.pem -inkey privkey.pem -name tomcat 
>> -certfile fullchain.pem -passout pass:changeit -out jssekeystore
>> 
>> Peter
>> 
>>> I am not sure why but it seems the new one is not linking all 
>>> certificates into the private key.
>>> I tried many different imports and it would never import the server 
>>> certificate as a "privateKeyentry" as the one running now.
>>> C:\Program Files\Java\jre7\bin>keytool -list -keystore tomcat10.keystore
>>> Enter keystore password:
>>> Keystore type: JKS
>>> Keystore provider: SUN
>>> Your keystore contains 3 entries
>>> root, Jul 22, 2019, trustedCertEntry,
>>> Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
>>> intermediate, Jul 22, 2019, trustedCertEntry,
>>> Certificate fingerprint (SHA1): 27:AC:93:69:FA:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
>>> tomcat, Jul 22, 2019, trustedCertEntry,
>>> Certificate fingerprint (SHA1): B6:27:BE:DF:ED:EF:EF:4D:62:D2:F1:5C:CC:C1:A2:AB:98:60:8E
>>> 
>>> I also tried creating a PEM text file for all certificates and 
>>> importing that into private key alias tomcat but it only imported the 
>>> domain certificate as "trustedcertentry"
>>> My server xml file connector config is like this
>>> <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
>>>            redirectPort="8443" compression="on" URIEncoding="UTF-8"
>>>            compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata"
>>>            compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"/>
>>> <Connector port="443" protocol="HTTP/1.1" maxThreads="150" scheme="https"
>>>            secure="true" clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
>>>            sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>>>            ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
>>>            keystorePass="password"
>>>            keystoreFile="C:\Program Files\Java\jre7\bin\tomcat10.keystore"/>
>>> </Service></Server>
>>> 
>>> Tried many different options for keytool command.
>>> Followed tomcat 8 documentation and godaddy list for installing 
>>> certificate.
>>> When I try to access using browser I get this error
>>> This page can’t be displayed Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in 
>>> Advanced settings and try connecting to https://psscr.xyz.c
>>> When I use openssl I get a handshake failure
>>> $ openssl s_client -connect 10.60.xx.xx:443
>>> CONNECTED(00000003)
>>> 140298896533392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
>>> ---
>>> no peer certificate available
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 7 bytes and written 289 bytes
>>> ---
>>> New, (NONE), Cipher is (NONE)
>>> Secure Renegotiation IS NOT supported
>>> Compression: NONE
>>> Expansion: NONE
>>> No ALPN negotiated
>>> SSL-Session:
>>>     Protocol  : TLSv1.2
>>>     Cipher    : 0000
>>>     Session-ID:
>>>     Session-ID-ctx:
>>>     Master-Key:
>>>     Key-Arg   : None
>>>     Krb5 Principal: None
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     Start Time: 1564789174
>>>     Timeout   : 300 (sec)
>>>     Verify return code: 0 (ok)
>>> Thanks,

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Support Request for problem with problem running SSL certificate on tomcat 8

Posted by Peter Kreuser <lo...@kreuser.name>.
Hi Munzer,

I guess we're going a slightly awkward way here, but to fix your problem with the new cert in the first place, you could use this:

If your keystore is the old proprietary format, convert it to PKCS12:
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias tomcat -deststorepass <password> -destkeypass <password>
Then extract the key using openssl:
openssl pkcs12 -in keystore.p12 -nocerts -out key.pem
After that recombine it with the new cert.
I've found this here: https://security.stackexchange.com/a/66865

There has to be an easier way, but as your keystore is causing trouble, I'm not really able to troubleshoot that.

After all, you may have to read up again on cert handling with keytool vs. openssl.
I prefer the openssl way ;-).

Peter



Peter Kreuser
> Am 06.08.2019 um 19:50 schrieb Munzer Khatib <sm...@yahoo.com.invalid>:
> 
> Hi Peter
> I don't have the private key file. That is created when I create the keystore. I don't know if it can be extracted.
> Munzer
>    On Tuesday, 6 August 2019, 4:35:51 PM UTC, Peter Kreuser <lo...@kreuser.name> wrote:  
> 
> Hi,
> 
> 
>> Am 06.08.2019 um 02:42 schrieb Munzer Khatib <sm...@yahoo.com.invalid>:
>> 
>> Hi
>> Can you help me with this problem.
>> Problem: Installing SSL certificate on Apache Tomcat 8.0.36 fails
>> I am trying to install a new SSL certificate into Apache Tomcat 8.0.36. I ran the same steps successfully in 2013 and 2016 on Tomcat 7. Nothing changed other than moving the virtual machine from the old server to new hardware this year. Windows Server 2008 is still the same operating system.
>> I created a keystore and extracted a CSR, generated the certificate using GoDaddy for an Apache server and imported it to the server. I keep getting SSL handshake errors and I think it is because the certificate entry type is "trustedCertEntry" and not "PrivateKeyEntry".
>> Here are the steps I used to create the keystore and import the certificate into it.
>> 1) Generate a keystore
>> cd C:\Program Files\Java\jre7\bin
>> keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keypass secret19 -keystore tomcat10.keystore
>> 
>> 2) Create a CSR
>> keytool -certreq -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore tomcat10.keystore -file file10.csr
>> 
>> 3) Generate certificates on godaddy site for "Apache" server (not tomcat)
>> 4) Install root, intermediate and user certificate
>> keytool -import -alias root -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd-class2-root.crt
>> 
>> keytool -import -alias intermediate -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd_bundle-g2-g1.crt
>> keytool -import -alias tomcat -keystore tomcat10.keystore  -file c:\cert_2019\508c844632c0145.crt
> 
> I've not found a keytool command for that. I use openssl to convert the PEM to pkcs12/keystore format.
> 
> Care to try the following command?
> openssl pkcs12 -export -in cert.pem -inkey privkey.pem -name tomcat -certfile fullchain.pem -passout pass:changeit -out jssekeystore
> 
> Peter
> 

Re: Support Request for problem with problem running SSL certificate on tomcat 8

Posted by Munzer Khatib <sm...@yahoo.com.INVALID>.
Hi Peter
I don't have the private key file. That is created when I create the keystore. I don't know if it can be extracted.
Munzer
    On Tuesday, 6 August 2019, 4:35:51 PM UTC, Peter Kreuser <lo...@kreuser.name> wrote:  
 
 Hi,


> Am 06.08.2019 um 02:42 schrieb Munzer Khatib <sm...@yahoo.com.invalid>:
> 
> Hi
> Can you help me with this problem.
> Problem: Installing SSL certificate on Apache Tomcat 8.0.36 fails
> I am trying to install a new SSL certificate into Apache Tomcat 8.0.36. I ran the same steps successfully in 2013 and 2016 on Tomcat 7. Nothing changed other than moving the virtual machine from the old server to new hardware this year. Windows Server 2008 is still the same operating system.
> I created a keystore and extracted a CSR, generated the certificate using GoDaddy for an Apache server and imported it to the server. I keep getting SSL handshake errors and I think it is because the certificate entry type is "trustedCertEntry" and not "PrivateKeyEntry".
> Here are the steps I used to create the keystore and import the certificate into it.
> 1) Generate a keystore
> cd C:\Program Files\Java\jre7\bin
> keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keypass secret19 -keystore tomcat10.keystore
> 
> 2) Create a CSR
> keytool -certreq -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore tomcat10.keystore -file file10.csr
> 
> 3) Generate certificates on godaddy site for "Apache" server (not tomcat)
> 4) Install root, intermediate and user certificate
> keytool -import -alias root -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd-class2-root.crt
> 
> keytool -import -alias intermediate -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd_bundle-g2-g1.crt
> keytool -import -alias tomcat -keystore tomcat10.keystore  -file c:\cert_2019\508c844632c0145.crt
> 

I've not found a keytool command for that. I use openssl to convert the PEM to pkcs12/keystore format.

Care to try the following command?
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -name tomcat -certfile fullchain.pem -passout pass:changeit -out jssekeystore

Peter


Re: Support Request for problem with problem running SSL certificate on tomcat 8

Posted by Peter Kreuser <lo...@kreuser.name>.
Hi,


> Am 06.08.2019 um 02:42 schrieb Munzer Khatib <sm...@yahoo.com.invalid>:
> 
> Hi
> Can you help me with this problem.
> Problem: Installing SSL certificate on Apache Tomcat 8.0.36 fails
> I am trying to install a new SSL certificate into Apache Tomcat 8.0.36. I ran the same steps successfully in 2013 and 2016 on Tomcat 7. Nothing changed other than moving the virtual machine from the old server to new hardware this year. Windows Server 2008 is still the same operating system.
> I created a keystore and extracted a CSR, generated the certificate using GoDaddy for an Apache server and imported it to the server. I keep getting SSL handshake errors and I think it is because the certificate entry type is "trustedCertEntry" and not "PrivateKeyEntry".
> Here are the steps I used to create the keystore and import the certificate into it.
> 1) Generate a keystore
> cd C:\Program Files\Java\jre7\bin
> keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keypass secret19 -keystore tomcat10.keystore
> 
> 2) Create a CSR
> keytool -certreq -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore tomcat10.keystore -file file10.csr
> 
> 3) Generate certificates on godaddy site for "Apache" server (not tomcat)
> 4) Install root, intermediate and user certificate
> keytool -import -alias root -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd-class2-root.crt
> 
> keytool -import -alias intermediate -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd_bundle-g2-g1.crt
> keytool -import -alias tomcat -keystore tomcat10.keystore  -file c:\cert_2019\508c844632c0145.crt
> 

I've not found a keytool command for that. I use openssl to convert the PEM to pkcs12/keystore format.

Care to try the following command?
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -name tomcat -certfile fullchain.pem -passout pass:changeit -out jssekeystore

Peter

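The route Peter sketches in his two replies (convert the JKS to PKCS12, pull the key out with openssl, re-export it together with the new certificate and the CA bundle) as one script, written here as an added example and not the posters' own commands. It also checks what `keytool -list` reports for the connector's alias, since Munzer's listing shows `tomcat` as a trustedCertEntry, which leaves Tomcat with no private key to serve with. File names, the alias, the passwords and the two sample listings are assumptions or constructed.

```shell
#!/bin/sh
# Added example, not the posters' own commands. Two parts: a check of what
# `keytool -list` reports for the connector's alias (where the thread's
# problem is visible) and the rebuild route from the replies: old JKS ->
# PKCS12 -> PEM key -> new PKCS12 holding key + new cert + chain.
# File names, alias and passwords are assumptions.

# Print the entry type keytool lists for alias $1 in listing text $2,
# e.g. "PrivateKeyEntry" or "trustedCertEntry"; prints nothing if absent.
entry_type() {
    printf '%s\n' "$2" |
        sed -n "s/^$1, .*, \([A-Za-z]*Entry\),.*/\1/p"
}

# A connector can only serve from a PrivateKeyEntry. A trustedCertEntry
# under the alias named in server.xml leaves Tomcat with no key, so it
# sends no certificate and aborts the handshake, as seen in the thread.
alias_is_usable() {
    [ "$(entry_type "$1" "$2")" = "PrivateKeyEntry" ]
}

# $1 old JKS that still holds the key under alias $2, $3 new leaf cert
# (PEM), $4 CA bundle (PEM), $5 password for store and key, $6 output .p12
rebuild_keystore() {
    keytool -importkeystore -srckeystore "$1" -srcalias "$2" \
        -srcstorepass "$5" -srckeypass "$5" -destkeystore tmp-old.p12 \
        -deststoretype PKCS12 -deststorepass "$5" -destkeypass "$5"
    # Keep the extracted key encrypted on disk (no -nodes).
    openssl pkcs12 -in tmp-old.p12 -passin "pass:$5" -nocerts \
        -passout "pass:$5" -out tmp-key.pem
    openssl pkcs12 -export -in "$3" -inkey tmp-key.pem -passin "pass:$5" \
        -certfile "$4" -name "$2" -passout "pass:$5" -out "$6"
    rm -f tmp-old.p12 tmp-key.pem
    # Confirm the result before server.xml points at it.
    alias_is_usable "$2" \
        "$(keytool -list -storetype PKCS12 -keystore "$6" -storepass "$5")"
}

# Constructed listings in the shape keytool prints; placeholder fingerprints.
BROKEN_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
tomcat, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77'
GOOD_LISTING='Keystore type: PKCS12
tomcat, Aug 6, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB'

# Usage: sh rebuild.sh tomcat10.keystore tomcat new-cert.crt gd_bundle.crt secret out.p12
if [ $# -eq 6 ]; then
    rebuild_keystore "$@" && echo "alias $2 is a PrivateKeyEntry in $6"
fi
```

Tomcat 8.0 reads the resulting store when the connector sets keystoreType="PKCS12" alongside keystoreFile and keystorePass.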