Posted to users@tomcat.apache.org by Brian Burch <br...@pingtoo.com> on 2012/11/03 11:11:19 UTC

Re: SSL BIO/NIO setup with openssl CA puzzle

On 31/10/12 16:39, Daniel Mikusa wrote:
> On Oct 31, 2012, at 10:23 AM, Brian Burch wrote:
>
>> On 26/10/12 13:24, Daniel Mikusa wrote:
>>> On Oct 26, 2012, at 5:11 AM, Brian Burch wrote:
<snip/>
>> 2.8. keytool -list -v -keystore jks-keystore shows the keystore contents as two entries:
>> 2.8.1. the first has an alias of tomcat, a private key entry and the two certificates which comprise the complete chain.
>> 2.8.2. the second has an alias of "Certificate Authority", with only the CA's certificate.
>>
>> Observation 2.8.2 indicates that I have put too much into this certificate store and that step 2.6 was redundant. Nevertheless, tomcat is perfectly happy to start its SSL Connector using this keystore.
>
>
> Have you tried deleting the second alias?  Does it continue to work without this alias?
>
> Also, it might be interesting to convert this working JKS keystore into a PKCS12 keystore and see if it continues to work with Tomcat.  I think you can do that with a command like this…
>
> keytool -importkeystore -srckeystore jks-keystore -srcstoretype jks -srcstorepass changeit -srcalias tomcat -destkeystore pkcs12-keystore -deststoretype pkcs12 -deststorepass changeit

I just copied the "fat" keystore to a new file and verified it was 
identical. Then I ran:

keytool -delete -keystore jks-keystore -alias "Certificate Authority"

I printed the contents of the keystore to confirm a) the tomcat collection 
of private key and certificate chain were still present, and b) the 
second alias had gone.

Tomcat started successfully using this new "minimal" keystore, so we can 
conclude that my step 2.6 was definitely not necessary. This is because 
the openssl certificate authority (by default) had bundled the entire 
authority chain into the new server certificate.

I'll try your other suggestions later, but I thought it would be helpful 
to clear up this particular issue quickly.

Regards,

Brian

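As an added illustration (not part of the thread), the inspection Brian does by eye on the `keytool -list -v` output can be automated. The script below parses a constructed listing modelled on his two-entry keystore, confirms that the key entry's chain ends at a self-signed root, and flags a trustedCertEntry alias whose certificate already appears in that chain; the DNs and fingerprints are made up.

```python
# Constructed sample of `keytool -list -v` output for the thread's two-entry keystore (DNs and fingerprints made up).
SAMPLE = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=localhost, O=example
Issuer: CN=Example CA, O=example
\t SHA1: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
Certificate[2]:
Owner: CN=Example CA, O=example
Issuer: CN=Example CA, O=example
\t SHA1: 22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22
Alias name: Certificate Authority
Entry type: trustedCertEntry
Owner: CN=Example CA, O=example
Issuer: CN=Example CA, O=example
\t SHA1: 22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22
"""

def parse_listing(text):
    """Map each alias to its entry type and its certificates (owner, issuer, sha1)."""
    entries, alias = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
            entries[alias] = {"type": None, "certs": []}
        elif alias is None:           # keystore header lines before the first alias
            continue
        elif line.startswith("Entry type:"):
            entries[alias]["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:"):  # first field of each certificate block
            entries[alias]["certs"].append({"owner": line[6:].strip()})
        elif line.startswith("Issuer:"):
            entries[alias]["certs"][-1]["issuer"] = line[7:].strip()
        elif line.startswith("SHA1:"):
            entries[alias]["certs"][-1]["sha1"] = line[5:].strip()
    return entries

def audit(entries):
    """Flag key entries whose chain lacks a self-signed root, and trusted aliases duplicating a chain cert."""
    in_chain, incomplete = set(), []
    for alias, e in entries.items():
        if e["type"] == "PrivateKeyEntry":
            in_chain.update(c["sha1"] for c in e["certs"])
            if not e["certs"] or e["certs"][-1]["owner"] != e["certs"][-1]["issuer"]:
                incomplete.append(alias)
    redundant = [a for a, e in entries.items() if e["type"] == "trustedCertEntry"
                 and any(c["sha1"] in in_chain for c in e["certs"])]
    return {"incomplete_chains": incomplete, "redundant_trusted": redundant}
```

Run against a real listing (`keytool -list -v -keystore jks-keystore | python3 -c '...'`), an empty `redundant_trusted` list after the delete confirms the server entry still carries its own chain.
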
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org