Posted to users@tomcat.apache.org by Olivier Studer <ol...@gmail.com> on 2023/03/14 14:07:07 UTC

How to configure and verify a certificate chain

Hi,

I use Tomcat version 9. I have configured server.xml as follows to
use a signed certificate.

<Connector
    port="8443"
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    maxThreads="150"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    SSLCertificateFile="/app/config/certs/wildcard.unifr.ch.crt"
    SSLCertificateKeyFile="/app/config/certs/wildcard.unifr.ch.key"
    SSLCACertificateFile="/app/config/certs/DigiCertCA.crt"
    SSLVerifyClient="none"
    sslProtocol="TLSv1+TLSv1.1+TLSv1.2"
    URIEncoding="UTF-8"
/>

But I get an error from the openssl command I use to check that it is
correctly configured.

Command and output:

echo | openssl s_client -showcerts -connect server.unifr.ch:8443 |head -1
depth=0 C = CH, ST = Fribourg, L = Fribourg, O = Universit\C3\A9 de
Fribourg - Universit\C3\A4t Freiburg, CN = *.unifr.ch
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = CH, ST = Fribourg, L = Fribourg, O = Universit\C3\A9 de
Fribourg - Universit\C3\A4t Freiburg, CN = *.unifr.ch
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = CH, ST = Fribourg, L = Fribourg, O = Universit\C3\A9 de
Fribourg - Universit\C3\A4t Freiburg, CN = *.unifr.ch
verify return:1
DONE
CONNECTED(00000003)

Can somebody help me?

Many thanks, regards
Olivier

Re: How to configure and verify a certificate chain

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Olivier,

On 3/14/23 10:07, Olivier Studer wrote:
> I use Tomcat version 9. I have configured server.xml as follows to
> use a signed certificate.
> 
> <Connector
>     port="8443"
>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>     maxThreads="150"
>     SSLEnabled="true"
>     scheme="https"
>     secure="true"
>     SSLCertificateFile="/app/config/certs/wildcard.unifr.ch.crt"
>     SSLCertificateKeyFile="/app/config/certs/wildcard.unifr.ch.key"
>     SSLCACertificateFile="/app/config/certs/DigiCertCA.crt"
>     SSLVerifyClient="none"
>     sslProtocol="TLSv1+TLSv1.1+TLSv1.2"
>     URIEncoding="UTF-8"
> />
> 
> But I get an error from the openssl command I use to check that it is
> correctly configured.
> 
> Command and output:
> 
> echo | openssl s_client -showcerts -connect server.unifr.ch:8443 |head -1
> depth=0 C = CH, ST = Fribourg, L = Fribourg, O = Universit\C3\A9 de
> Fribourg - Universit\C3\A4t Freiburg, CN = *.unifr.ch
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = CH, ST = Fribourg, L = Fribourg, O = Universit\C3\A9 de
> Fribourg - Universit\C3\A4t Freiburg, CN = *.unifr.ch
> verify error:num=21:unable to verify the first certificate
> verify return:1
> depth=0 C = CH, ST = Fribourg, L = Fribourg, O = Universit\C3\A9 de
> Fribourg - Universit\C3\A4t Freiburg, CN = *.unifr.ch
> verify return:1
> DONE
> CONNECTED(00000003)

This looks okay to me: your server is returning a certificate for *.unifr.ch.

The openssl client is telling you that openssl doesn't trust that 
certificate, probably because it's not in the client host's list of 
trusted certificates.

You probably need to supply a "chain" file which shows openssl that one 
of its trusted certificates (e.g. from a Certificate Authority) trusts 
an intermediate certificate which in turn trusts the *.unifr.ch certificate.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org