Posted to users@tomcat.apache.org by Michael Casale <mc...@knoa.com> on 2006/11/08 19:05:53 UTC

Tomcat 5.5 not recognizing my trustedCertEntry?

Hi All,

 

I'm very new to Tomcat, so please excuse my ignorance. I'm setting up a
server with Tomcat and SSL for our developers. For their product they
must use Tomcat 5.5 - they can not upgrade to 6 at this time.

 

The problem: I've purchased a cert from Geotrust.com, successfully
imported it into the keystore using keytool, yet the tomcat welcome page
kept coming up blank when I navigated to the SSL site on the server:
https://servername:8443. There were no errors in the error log. The page
works fine at the default address of http://servername:8080.

 

Here is what I've done:

 

1. I downloaded the root chain cert from geotrust.com and created my
keystore successfully, adding it and my newly purchased cert into the
keystore file.

 

2. I restarted tomcat and received no errors. But navigating to the
server in a browser shows a "Page cannot be found error". Running
netstat -an in a command prompt shows port 8443 open and accepting
connections.

 

3. To test if it was my cert or Keystore file, I borrowed a keystore
from our developer and used it instead, and everything worked - page
opened fine when navigating to it at https://server:8443.

4. So, I have a problem with my Keystore. I then imported my cert into
his test keystore, but when I navigated to the page it used his key and
not mine.

5. Next: I added the keyAlias="tomcat1" tag into the SSL connector
configs in the server.xml file, and restarted Tomcat. And of course I
get this error in the Catalina error log:

"java.io.IOException: Alias name tomcat1 does not identify a key entry"

6. Next: I ran keytool -list and noted that his keys are listed as
"keys" (duh) and my key is listed as a "trustedCertEntry" - which is
probably why the system won't use it when I use the keyAlias="tomcat"
tag in the server.xml file.

 

So - my big question is: how do I get tomcat to recognize my
trustedCertEntry as a valid Key? Do I need to create my own certificate
and place it in the original keystore I created, along with the root and
the cert I bought? Is there a tag for the server.xml file that will
force it to use the trustedCertEntry I imported into the keytool?

 

Here is a copy of the connector settings for server.xml, for the
configuration that loads without errors:

 

<Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
           port="8443"
           minProcessors="5" maxProcessors="20"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="c:\files\keystore"
           keystorePass="PASSWORD"/>

 

Thanks for any and all help provided,

 

Michael Casale

Systems Administrator / IT Manager

Knoa Software

mcasale@knoa.com

Ph.  (212) 807-9608 ext. 6000

Fax  (212) 675-6121
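The keystore state the post describes, reproduced and then fixed with keytool. This is an added example, not part of the original message and not Tomcat's or the JDK's own documentation. A trustedCertEntry holds only a public certificate; the TLS handshake needs the matching private key, so no server.xml attribute can make Tomcat serve such an entry. The script stands up a throwaway root CA in a second keystore (playing the part the commercial CA played for the poster), generates the server key pair and CSR inside the Tomcat keystore under alias "tomcat", signs the CSR, and then imports the signed certificate twice: under a new alias, which keytool stores as a trustedCertEntry (the poster's situation, and the cause of "does not identify a key entry"), and over the alias that already holds the private key, which keytool checks against that key and the trusted root and installs as a PrivateKeyEntry (older keytool prints "keyEntry"). The work directory, aliases, password and CN are assumptions for the demo; it needs keytool from JDK 7 or later for -gencert and -ext, although the resulting JKS file is what Tomcat 5.5 expects.

```shell
#!/bin/sh
# Added example (not from the original post): build a Tomcat-style JKS keystore
# with keytool and show why an alias imported as trustedCertEntry cannot serve
# as keyAlias. Needs keytool from JDK 7+ (for -gencert/-ext). The directory,
# aliases, password and CN below are assumptions for the demo.
set -eu
export LC_ALL=C

WORK=${WORK:-$(mktemp -d)}
CA_KS="$WORK/ca.jks"        # stand-in for the commercial CA; never on the Tomcat box
SRV_KS="$WORK/keystore"     # what keystoreFile in server.xml would point at
PASS=changeit               # demo only; server.xml holds this value in clear text

# Entry type keytool -list reports for alias $2 in keystore $1:
# PrivateKeyEntry (keyEntry on old JDKs), trustedCertEntry, or "absent".
# keytool writes its error text to stdout, so an unknown alias yields "absent".
entry_type() {
    keytool -list -keystore "$1" -storepass "$PASS" -alias "$2" 2>/dev/null |
        grep -oE 'PrivateKeyEntry|keyEntry|trustedCertEntry' | head -n 1 | grep . ||
        echo absent
}

# 1. Throwaway root CA: a self-signed key pair marked CA:TRUE, exported as PEM.
make_ca() {
    keytool -genkeypair -storetype JKS -keystore "$CA_KS" -storepass "$PASS" -keypass "$PASS" \
        -alias ca -dname "CN=Demo Root CA" -keyalg RSA -keysize 2048 -validity 365 \
        -ext bc:c -ext ku:c=keyCertSign,cRLSign
    keytool -exportcert -keystore "$CA_KS" -storepass "$PASS" -alias ca -rfc -file "$WORK/ca.pem"
}

# 2. The server key pair is created in the Tomcat keystore under alias "tomcat"
#    and the CSR is generated from it, so the private key never leaves the file.
make_server_key_and_csr() {
    keytool -genkeypair -storetype JKS -keystore "$SRV_KS" -storepass "$PASS" -keypass "$PASS" \
        -alias tomcat -dname "CN=servername" -keyalg RSA -keysize 2048 -validity 365
    keytool -certreq -keystore "$SRV_KS" -storepass "$PASS" -keypass "$PASS" \
        -alias tomcat -file "$WORK/server.csr"
}

# 3. What the CA does with the CSR (here: the demo CA signs it as a TLS server cert).
sign_csr() {
    keytool -gencert -keystore "$CA_KS" -storepass "$PASS" -keypass "$PASS" -alias ca \
        -infile "$WORK/server.csr" -outfile "$WORK/server.pem" -rfc -validity 365 \
        -ext ku:c=digitalSignature,keyEncipherment -ext eku=serverAuth -ext san=dns:servername
}

# 4. Install into the Tomcat keystore, the wrong way and the right way.
install_certs() {
    # Root first: a CA certificate is always a trustedCertEntry, and keytool
    # needs it present to validate the certificate reply below.
    keytool -importcert -noprompt -keystore "$SRV_KS" -storepass "$PASS" \
        -alias root -file "$WORK/ca.pem"
    # Wrong: a fresh alias receives only the public certificate, stored as a
    # trustedCertEntry; keyAlias="tomcat1" then fails with "does not identify a key entry".
    keytool -importcert -noprompt -keystore "$SRV_KS" -storepass "$PASS" \
        -alias tomcat1 -file "$WORK/server.pem"
    # Right: import over the alias that owns the private key; keytool verifies the
    # reply's public key matches it and chains the reply to the trusted root.
    keytool -importcert -noprompt -keystore "$SRV_KS" -storepass "$PASS" -keypass "$PASS" \
        -alias tomcat -file "$WORK/server.pem"
}

run_demo() {
    make_ca
    make_server_key_and_csr
    sign_csr
    install_certs
    for alias in tomcat tomcat1 root; do
        printf '%-8s %s\n' "$alias" "$(entry_type "$SRV_KS" "$alias")"
    done
}

if command -v keytool >/dev/null 2>&1; then
    run_demo
else
    # Exit 0 so a machine without a JDK reads this as a skip, not a failure.
    echo "keytool not found on PATH; install a JDK to run this demo" >&2
    exit 0
fi
```

Run it with a JDK on PATH; the final three lines show "tomcat" as a PrivateKeyEntry and the other two aliases as trustedCertEntry, and the corresponding connector change is keyAlias="tomcat" (the entry that holds the key) rather than the alias the certificate was imported under. On a real server the CSR has to come from the keystore that keystoreFile names, because a certificate reply can only be installed over the key pair that requested it; the root and any intermediate go in first so keytool can build the chain; and a key generated elsewhere (openssl, for instance) has to be bundled with its certificate chain into a PKCS#12 file and either pointed at with keystoreType="PKCS12" or copied into the JKS with keytool -importkeystore. Since keystorePass sits in server.xml in clear text, restrict read access to that file and to the keystore itself.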