Posted to users@tomcat.apache.org by jairaj kamal <ja...@gmail.com> on 2015/05/04 01:48:15 UTC

Issue while Configuring SSL in tomcat6

Hello,

I created a keystore via keytool and a CSR file, and received the root and
intermediate certificates below.

I have imported both the TestRoot.cer & TestCA.cer certificates into the keystore
via keytool, but the browser still shows it in red, so it looks like the issue with
the certificate is not resolved yet.

Do I need to convert the above .cer certs to PKCS12 format? How do I resolve
this?

Jairaj Kamal

Re: Issue while Configuring SSL in tomcat6

Posted by Daniel Mikusa <dm...@pivotal.io>.
On Mon, May 4, 2015 at 8:35 PM, jairaj kamal <ja...@gmail.com> wrote:

First, please stop top posting.  Reply inline or at the bottom.  It's the
convention followed on this list.

> Hello, when I checked with the below command I found my keystore type is
> "JKS" and we are using the tool keytool. Initially we received 2 certificates,
> "TestRoot.cer" & "Test.cer"; when we found things not working, we started
> trying to import certs in PKCS#12 format (.pfx) via keytool.
>

The format of your keystore is *not* the problem.  If it were the problem,
you would see an exception in Tomcat.  The problem you're seeing is
different.


>
> #Testing Keystore type
>
> D:\Program Files (x86)\Java\jdk1.6.0_27\bin>keytool -list -v -keystore C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore
>
> Enter keystore password:
>
> Keystore type: JKS
>
> Keystore provider: SUN
>
>
> *#Earlier tried steps:*
>
> keytool -genkey -alias report2web -keyalg RSA -keystore
> C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore
>
>
> keytool -certreq -keyalg RSA -alias report2web -file
> C:\Users\svcr2wadmin\nedr2wqajob1\Test.csr -keystore
> C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore
>
>
> keytool -import -alias root -keystore
> C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore -trustcacerts -file
> C:\Users\svcr2wadmin\nedr2wqajob1\TestRoot.cer
>
>
> keytool -import -alias nedr2wqajob1 -keystore
> C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore -file
> C:\Users\svcr2wadmin\nedr2wqajob1\Test.cer
>
>
>              Then also did below
>
>
> keytool -import -alias nedr2wjob1_non_prod_p7b -keystore
> C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore -file
> C:\Users\svcr2wadmin\nedr2wqajob1\Test.pfx
>
>
> # But
> Below is the error coming while importing the latest .pfx certificate that was
> shared:
>
> D:\Program Files (x86)\Java\jdk1.6.0_27\bin>keytool -import -alias
> nedr2wjob1QAJob1 -keystore C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore
> -file C:\Users\svcr2wadmin\nedr2wqajob1\Test.pfx
>
> Enter keystore password:
>
> keytool error: java.lang.Exception: Input not an X.509 certificate
>
> #Certificate status as observed in the browser
>
> 1. nedr2wqajob1 is the alias name of certificate Test.cer. For the non-root
> certificate it shows: "Your connection to nedr2wqajob1 is encrypted with
> obsolete cryptography. The connection uses TLS 1.0. The connection uses
> AES_128_CBC with SHA1 for message authentication and DHE_RSA as the key
> exchange mechanism."
>
>
You might need to a.) check what crypto is supported by your version of the
JVM and b.) configure it to not use certain known insecure crypto.

More on this here:  http://wiki.apache.org/tomcat/HowTo/SSLCiphers


>
>
> 2. Error message showing in chrome browser as below
>
> “This CA Root certificate is not trusted because it is not in the
> Trusted Root Certification Authorities store.”
>

Who did you purchase your certificate from?

Dan



>
>
>
> Let me know what to do to resolve this?
>
> Jairaj Kamal
>
>
> On Mon, May 4, 2015 at 6:51 PM, Christopher Schultz <
> chris@christopherschultz.net> wrote:
>
> >
> > Jairaj,
> >
> > On 5/4/15 5:35 PM, jairaj kamal wrote:
> > > Attached find the error coming in the browser; it looks to be an issue with
> > > the Root certificate.
> >
> > This list strips attachments. Please copy/paste any messages into the
> > text of your post.
> >
> > > Also we tried PKCS#12 format certs but getting below Error
> >
> > The keystore format won't change what gets sent to the client.
> >
> > > D:\Program Files (x86)\Java\jdk1.6.0_27\bin>keytool -import -alias
> > > nedr2wjob1_non_prod_p7b -keystore
> > > C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore
> > > -file C:\Users\svcr2wadmin\nedr2wqajob1\nedr2wjob1_non_prod.p7b
> > > Enter keystore password:
> > > keytool error: java.lang.Exception: Input not an X.509 certificate
> >
> > If you really have a PKCS12 keystore, then you'll need to specify the
> > keystore type on the command-line.
> >
> > -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
>
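Dan's two pointers above (check what crypto the JVM supports, then tell Tomcat not to use the known-insecure parts of it) come down to connector attributes that the <Connector> posted earlier in this thread leaves unset. The script below is an added example, not code from the thread or from Tomcat: it parses a Tomcat 6 HTTPS Connector element and reports when sslEnabledProtocols or ciphers are left to the JVM default, when a legacy protocol is enabled explicitly, when a suite uses a broken primitive, and when keyAlias is not pinned. The posted connector text is reconstructed from the thread; the hardened variant and its cipher-suite names are my assumptions. One caveat no configuration can fix: the JDK in the thread is 1.6.0_27, and Java 6's JSSE implements nothing newer than TLS 1.0, so the browser's "TLS 1.0" remark only goes away with a newer JVM.

```python
"""Audit a Tomcat 6 JSSE HTTPS <Connector> for the attributes that decide which TLS
versions and cipher suites it offers.

Added example, not from the thread or from Tomcat. Attribute names are the real
Tomcat 6 HTTP connector attributes (sslEnabledProtocols, ciphers, keyAlias); the
posted connector is reconstructed from the thread, the hardened one is assumed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Reconstructed from the connector posted in the thread (only sslProtocol is set).
POSTED_CONNECTOR = r"""<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    keystoreFile="C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore"
    keystorePass="report2web" clientAuth="false" sslProtocol="TLS" />"""

# Assumed target: explicit protocols, explicit suites, explicit key alias. The suite
# names are JSSE names; Java 6 implements neither TLS 1.1/1.2 nor SHA-256/GCM suites,
# so this configuration presumes the JVM upgrade the audit points to.
HARDENED_CONNECTOR = r"""<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    keystoreFile="C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore"
    keystorePass="report2web" keyAlias="report2web" clientAuth="false"
    sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" />"""

WEAK_MARKERS = ("_RC4_", "_DES_", "_3DES_", "_NULL_", "_anon_", "_EXPORT", "_MD5")
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1"}   # what a Java 6 server enables by default


def split_list(value: str | None) -> list[str]:
    """Split a comma-separated Tomcat attribute, dropping blanks."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def weak_ciphers(ciphers: str | None) -> list[str]:
    """Suite names in a `ciphers` attribute that rely on broken primitives."""
    return [c for c in split_list(ciphers) if any(m in c for m in WEAK_MARKERS)]


def audit_connector(xml_text: str) -> list[tuple[str, str]]:
    """Return (code, message) findings for one Connector element."""
    c = ET.fromstring(xml_text)
    if c.tag != "Connector" or c.get("SSLEnabled", "false").lower() != "true":
        return [("not-https", "element is not an SSLEnabled Connector")]
    findings: list[tuple[str, str]] = []
    protos = split_list(c.get("sslEnabledProtocols"))
    if not protos:
        findings.append(("no-sslEnabledProtocols",
                         "protocols left to the JVM default (SSLv2Hello, SSLv3, TLSv1 on Java 6)"))
    findings += [("legacy-protocol", f"{p} enabled explicitly") for p in protos if p in LEGACY_PROTOCOLS]
    if c.get("ciphers") is None:
        findings.append(("no-ciphers",
                         "suites left to the JVM default, which on old JVMs includes RC4 and 3DES"))
    findings += [("weak-cipher", w) for w in weak_ciphers(c.get("ciphers"))]
    if c.get("keyAlias") is None:
        findings.append(("no-keyAlias",
                         "Tomcat serves the first key entry it finds in the keystore; pin the alias"))
    return findings


if __name__ == "__main__":
    for name, xml_text in (("posted", POSTED_CONNECTOR), ("hardened", HARDENED_CONNECTOR)):
        findings = audit_connector(xml_text)
        print(f"{name}: {'clean' if not findings else str(len(findings)) + ' finding(s)'}")
        for code, msg in findings:
            print(f"  [{code}] {msg}")
```

Run it as a script to see the findings for both connectors, or import it and feed audit_connector() each SSLEnabled Connector element cut out of conf/server.xml.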

Re: Issue while Configuring SSL in tomcat6

Posted by jairaj kamal <ja...@gmail.com>.
Hello, when I checked with the below command I found my keystore type is
"JKS" and we are using the tool keytool. Initially we received 2 certificates,
"TestRoot.cer" & "Test.cer"; when we found things not working, we started
trying to import certs in PKCS#12 format (.pfx) via keytool.


#Testing Keystore type

D:\Program Files (x86)\Java\jdk1.6.0_27\bin>keytool -list -v -keystore C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore

Enter keystore password:

Keystore type: JKS

Keystore provider: SUN


*#Earlier tried steps:*

keytool -genkey -alias report2web -keyalg RSA -keystore
C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore


keytool -certreq -keyalg RSA -alias report2web -file
C:\Users\svcr2wadmin\nedr2wqajob1\Test.csr -keystore
C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore


keytool -import -alias root -keystore
C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore -trustcacerts -file
C:\Users\svcr2wadmin\nedr2wqajob1\TestRoot.cer


keytool -import -alias nedr2wqajob1 -keystore
C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore -file
C:\Users\svcr2wadmin\nedr2wqajob1\Test.cer


             Then also did below


keytool -import -alias nedr2wjob1_non_prod_p7b -keystore
C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore -file
C:\Users\svcr2wadmin\nedr2wqajob1\Test.pfx


# But
Below is the error coming while importing the latest .pfx certificate that was shared:

D:\Program Files (x86)\Java\jdk1.6.0_27\bin>keytool -import -alias
nedr2wjob1QAJob1 -keystore C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore
-file C:\Users\svcr2wadmin\nedr2wqajob1\Test.pfx

Enter keystore password:

keytool error: java.lang.Exception: Input not an X.509 certificate

#Certificate status as observed in the browser

1. nedr2wqajob1 is the alias name of certificate Test.cer. For the non-root
certificate it shows: "Your connection to nedr2wqajob1 is encrypted with
obsolete cryptography. The connection uses TLS 1.0. The connection uses
AES_128_CBC with SHA1 for message authentication and DHE_RSA as the key
exchange mechanism."



2. Error message showing in chrome browser as below

“This CA Root certificate is not trusted because it is not in the
Trusted Root Certification Authorities store.”



Let me know what to do to resolve this?

Jairaj Kamal


On Mon, May 4, 2015 at 6:51 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Jairaj,
>
> On 5/4/15 5:35 PM, jairaj kamal wrote:
> > Attached find the error coming in the browser; it looks to be an issue with
> > the Root certificate.
>
> This list strips attachments. Please copy/paste any messages into the
> text of your post.
>
> > Also we tried PKCS#12 format certs but getting below Error
>
> The keystore format won't change what gets sent to the client.
>
> > D:\Program Files (x86)\Java\jdk1.6.0_27\bin>keytool -import -alias
> > nedr2wjob1_non_prod_p7b -keystore
> > C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore
> > -file C:\Users\svcr2wadmin\nedr2wqajob1\nedr2wjob1_non_prod.p7b
> > Enter keystore password:
> > keytool error: java.lang.Exception: Input not an X.509 certificate
>
> If you really have a PKCS12 keystore, then you'll need to specify the
> keystore type on the command-line.
>
> -chris
>
>
>

Re: Issue while Configuring SSL in tomcat6

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Jairaj,

On 5/4/15 5:35 PM, jairaj kamal wrote:
> Attached find the error coming in the browser; it looks to be an issue with
> the Root certificate.

This list strips attachments. Please copy/paste any messages into the
text of your post.

> Also we tried PKCS#12 format certs but getting below Error

The keystore format won't change what gets sent to the client.

> D:\Program Files (x86)\Java\jdk1.6.0_27\bin>keytool -import -alias
> nedr2wjob1_non_prod_p7b -keystore
> C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore
> -file C:\Users\svcr2wadmin\nedr2wqajob1\nedr2wjob1_non_prod.p7b
> Enter keystore password:
> keytool error: java.lang.Exception: Input not an X.509 certificate

If you really have a PKCS12 keystore, then you'll need to specify the
keystore type on the command-line.

-chris


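The error quoted in Chris's post above is what keytool prints when the file handed to -import under a new alias is not a single X.509 certificate, which is the case for both a .p7b (PKCS#7) and a .pfx (PKCS#12). The script below is an added example, not code from the thread or from the JDK: it inspects the leading bytes of a file, names the container, and prints the keytool invocation that fits it (a PKCS#12 store goes through -importkeystore with -srcstoretype PKCS12, as Chris says; a certificate or PKCS#7 reply goes into the alias that already owns the private key). The sample inputs are constructed DER skeletons with just enough structure to classify, not real certificates, and the alias and keystore names in the hints are assumptions taken from the thread.

```python
"""Name the container of a certificate file before handing it to keytool.

Added example, not from the thread or the JDK. `keytool -import` (alias -importcert)
under a new alias only accepts one X.509 certificate; a PKCS#7 reply has to be
imported into the existing key alias and a PKCS#12 (.pfx/.p12) has to go through
-importkeystore. Anything else produces "Input not an X.509 certificate".
"""
from __future__ import annotations

import sys

OID_PKCS7_DATA = bytes.fromhex("2A864886F70D010701")         # 1.2.840.113549.1.7.1
OID_PKCS7_SIGNED_DATA = bytes.fromhex("2A864886F70D010702")  # 1.2.840.113549.1.7.2
PEM_LABELS = {b"CERTIFICATE": "x509-pem", b"X509 CERTIFICATE": "x509-pem",
              b"TRUSTED CERTIFICATE": "x509-pem", b"PKCS7": "pkcs7-pem"}


def tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, value, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def sniff(data: bytes) -> str:
    """Classify as x509-pem / pkcs7-pem / pem-other / x509-der / pkcs7 / pkcs12 / unknown."""
    text = data.lstrip()
    if text.startswith(b"-----BEGIN "):
        label = text[len(b"-----BEGIN "):].split(b"-----", 1)[0]
        return PEM_LABELS.get(label, "pem-other")
    if not data or data[0] != 0x30:      # all three DER containers are an outer SEQUENCE
        return "unknown"
    try:
        _, outer, _ = tlv(data)
        first_tag, first, _ = tlv(outer)
    except IndexError:
        return "unknown"
    if first_tag == 0x02 and first == b"\x03":
        return "pkcs12"                  # PFX ::= SEQUENCE { version INTEGER (3), authSafe, ... }
    if first_tag == 0x06 and first in (OID_PKCS7_DATA, OID_PKCS7_SIGNED_DATA):
        return "pkcs7"                   # ContentInfo ::= SEQUENCE { contentType OID, content }
    if first_tag == 0x30 and first[:1] in (b"\xa0", b"\x02"):
        return "x509-der"                # tbsCertificate starts with [0] version or a v1 serial
    return "unknown"


def keytool_hint(fmt: str, key_alias: str, keystore: str) -> str:
    """Suggest the matching keytool command; alias and keystore names are the caller's."""
    if fmt in ("x509-der", "x509-pem", "pkcs7", "pkcs7-pem"):
        # A CA reply (one cert or a PKCS#7 chain) belongs in the alias that already holds
        # the private key. Under a fresh alias keytool parses it as a single trusted cert,
        # which for PKCS#7 is exactly the "Input not an X.509 certificate" failure.
        return (f"keytool -importcert -trustcacerts -alias {key_alias} "
                f"-keystore {keystore} -file <reply-file>")
    if fmt == "pkcs12":
        return (f"keytool -importkeystore -srckeystore <file.pfx> -srcstoretype PKCS12 "
                f"-destkeystore {keystore} -deststoretype JKS")
    return "keytool cannot read this file as a certificate, PKCS#7 reply or PKCS#12 store"


def der(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV; used only to build the constructed samples below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


# Constructed skeletons: the leading structure of each container, nothing more.
SAMPLE_X509 = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x10"))
                  + der(0x30, b"") + der(0x03, b"\x00"))
SAMPLE_P7B = der(0x30, der(0x06, OID_PKCS7_SIGNED_DATA) + der(0xA0, der(0x30, der(0x02, b"\x01"))))
SAMPLE_PFX = der(0x30, der(0x02, b"\x03") + der(0x30, der(0x06, OID_PKCS7_DATA) + der(0xA0, der(0x04, b""))))
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n<base64 omitted in this constructed sample>\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            fmt = sniff(fh.read())
        print(f"{path}: {fmt}\n  {keytool_hint(fmt, 'report2web', 'Test.keystore')}")
```

Point it at the files the CA sent (`python sniff.py TestRoot.cer Test.cer nedr2wjob1_non_prod.p7b Test.pfx`) and it tells you which of them keytool will accept as a trusted certificate, which one is a reply for the key entry, and which one needs -importkeystore instead.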

Re: Issue while Configuring SSL in tomcat6

Posted by jairaj kamal <ja...@gmail.com>.
Hi,

Attached, find the error coming in the browser; it looks to be an issue with the Root
certificate. Also we tried PKCS#12 format certs but are getting the below error:

D:\Program Files (x86)\Java\jdk1.6.0_27\bin>keytool -import -alias
nedr2wjob1_non_prod_p7b -keystore
C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore
-file C:\Users\svcr2wadmin\nedr2wqajob1\nedr2wjob1_non_prod.p7b
Enter keystore password:
keytool error: java.lang.Exception: Input not an X.509 certificate



Jairaj Kamal


On Mon, May 4, 2015 at 9:48 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Jairaj,
>
> On 5/4/15 10:38 AM, jairaj kamal wrote:
> > Hi, Please find my response inline as below. Also this is for
> > Tomcat version 6.
> >
> > 1.) Include the <Connector /> tag from `conf/server.xml` so we can
> > see how you've configured Tomcat - Below is what I added:
> >
> > <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> >            maxThreads="150" scheme="https" secure="true"
> >            keystoreFile="C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore"
> >            keystorePass="report2web" clientAuth="false" sslProtocol="TLS" />
> >
> > 2.) Include the exact version of Tomcat you're using - Tomcat
> > version 6
>
> There have been 43 versions of Tomcat 6 released. Which one?
>
> Are you using the APR-enabled connector or the JSSE one? Since you are
> using a Java Keystore, I'm assuming JSSE, but it's worth asking; the
> setup is completely different for the two.
>
> > 3.) Are you connecting directly to Tomcat or is there an HTTPD or
> > some other server acting as a reverse proxy in between? - *not by
> > HTTPD but Connecting via url https://hostname:8443/r2wpublisher/
> > <https://hostname:8443/r2wpublisher/>*
> >
> > 4.) Look at the certificate as displayed by your browser.  In
> > Chrome, click the lock in the tool bar, other browsers are similar.
> > Look at the details on the certificate and see what certificate
> > you're being presented.  Is it the one that you purchased?  or
> > perhaps an older self-signed one? - Yes, this is what I purchased,
> > but it displays the error "This CA Root certificate is not trusted
> > because it is not in the Trusted Root Certification Authorities
> > store."
>
> What is the certificate chain that Chrome shows you? Start with your
> own certificate and go up toward the root CA. Does it show every
> certificate that you put into your keystore? Perhaps you are missing
> one or more intermediate certificates.
>
> > Earlier I used below commands to configure SSL
> >
> > #Keystore creation
> > keytool -genkey -alias report2web -keyalg RSA -keystore
> > C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore
> > #CSR generation
> > keytool -certreq -keyalg RSA -alias report2web -file
> > C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.csr -keystore
> > C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore
> >
> > #Root Certificate Import
> > keytool -import -alias root -keystore
> > C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore
> > -trustcacerts -file C:\Users\svcr2wadmin\nedr2wqajob1\TestRoot.cer
> >
> > #SSL Certificate Import
> > keytool -import -alias nedr2wqajob1 -keystore
> > C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore
> > -file C:\Users\svcr2wadmin\nedr2wqajob1\TestCA.cer
>
> At some point, you need to re-import your own certificate. Which
> certificate is the one you got signed? TestCA.cer or TestRoot.cer?
> Also, nearly every certificate authority requires that you install an
> "intermediate" certificate between your cert and the CA's root cert.
>
> -chris
>
>
>

Re: Issue while Configuring SSL in tomcat6

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Jairaj,

On 5/4/15 10:38 AM, jairaj kamal wrote:
> Hi, Please find my response inline as below. Also this is for
> Tomcat version 6.
> 
> 1.) Include the <Connector /> tag from `conf/server.xml` so we can
> see how you've configured Tomcat - Below is what I added:
>
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>            maxThreads="150" scheme="https" secure="true"
>            keystoreFile="C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore"
>            keystorePass="report2web" clientAuth="false" sslProtocol="TLS" />
> 
> 2.) Include the exact version of Tomcat you're using - Tomcat
> version 6

There have been 43 versions of Tomcat 6 released. Which one?

Are you using the APR-enabled connector or the JSSE one? Since you are
using a Java Keystore, I'm assuming JSSE, but it's worth asking; the
setup is completely different for the two.

> 3.) Are you connecting directly to Tomcat or is there an HTTPD or
> some other server acting as a reverse proxy in between? - *not by
> HTTPD but Connecting via url https://hostname:8443/r2wpublisher/ 
> <https://hostname:8443/r2wpublisher/>*
> 
> 4.) Look at the certificate as displayed by your browser.  In
> Chrome, click the lock in the tool bar, other browsers are similar.
> Look at the details on the certificate and see what certificate
> you're being presented.  Is it the one that you purchased?  or
> perhaps an older self-signed one? - Yes, this is what I purchased,
> but it displays the error "This CA Root certificate is not trusted
> because it is not in the Trusted Root Certification Authorities
> store."

What is the certificate chain that Chrome shows you? Start with your
own certificate and go up toward the root CA. Does it show every
certificate that you put into your keystore? Perhaps you are missing
one or more intermediate certificates.

> Earlier I used below commands to configure SSL
> 
> #Keystore creation
> keytool -genkey -alias report2web -keyalg RSA -keystore
> C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore
> #CSR generation
> keytool -certreq -keyalg RSA -alias report2web -file
> C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.csr -keystore
> C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore
> 
> #Root Certificate Import
> keytool -import -alias root -keystore
> C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore
> -trustcacerts -file C:\Users\svcr2wadmin\nedr2wqajob1\TestRoot.cer
> 
> #SSL Certificate Import
> keytool -import -alias nedr2wqajob1 -keystore
> C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore
> -file C:\Users\svcr2wadmin\nedr2wqajob1\TestCA.cer

At some point, you need to re-import your own certificate. Which
certificate is the one you got signed? TestCA.cer or TestRoot.cer?
Also, nearly every certificate authority requires that you install an
"intermediate" certificate between your cert and the CA's root cert.

-chris


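Chris's two points above (the signed certificate has to go back into the alias that holds the private key, and the CA's intermediate has to be in the keystore as well) are easy to get wrong with keytool and easy to verify afterwards. Below is an added example, not code from the thread or from the JDK: it produces the keytool commands in the order that lets keytool build the chain, and it parses `keytool -list -v` output to check that the key entry's chain length is what the CA issued. Alias and file names follow the thread (report2web, Test.keystore, TestRoot.cer, Test.cer); treating TestCA.cer as the intermediate is an assumption, and both listings in the script are constructed, not captured output.

```python
"""Import a CA-issued chain into a JKS keystore in the order keytool needs, then check
that the key entry really carries the chain before pointing Tomcat at it.

Added example, not from the thread or the JDK. import_plan() builds keytool argument
lists (run for real when keytool is on PATH and the files exist); parse_listing()
reads `keytool -list -v` output. Names follow the thread; TestCA.cer as the
intermediate is an assumption and both listings below are constructed.
"""
from __future__ import annotations

import os
import shutil
import subprocess


def import_plan(keystore: str, key_alias: str, server_cert: str,
                intermediates: list[str], root: str | None) -> list[list[str]]:
    """Root first, then each intermediate as a trusted cert, then the server cert into
    the alias that owns the private key. keytool can only chain the reply when its
    issuers are already in the keystore (or in cacerts, via -trustcacerts)."""
    plan: list[list[str]] = []
    if root:
        plan.append(["keytool", "-importcert", "-noprompt", "-trustcacerts",
                     "-alias", "root", "-keystore", keystore, "-file", root])
    for i, path in enumerate(intermediates, 1):
        plan.append(["keytool", "-importcert", "-noprompt", "-trustcacerts",
                     "-alias", f"intermediate{i}", "-keystore", keystore, "-file", path])
    # Not a new alias: under any alias other than key_alias the signed cert becomes a
    # trusted-cert entry, the -genkey self-signed cert stays, and Tomcat keeps serving it.
    plan.append(["keytool", "-importcert", "-trustcacerts",
                 "-alias", key_alias, "-keystore", keystore, "-file", server_cert])
    return plan


def parse_listing(text: str) -> dict[str, tuple[str, int]]:
    """alias -> (entry type, chain length) from `keytool -list -v`. Trusted-cert
    entries print no chain length and are recorded as 1."""
    entries: dict[str, tuple[str, int]] = {}
    alias = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
            entries[alias] = ("?", 1)
        elif alias and line.startswith("Entry type:"):
            entries[alias] = (line.split(":", 1)[1].strip(), entries[alias][1])
        elif alias and line.startswith("Certificate chain length:"):
            entries[alias] = (entries[alias][0], int(line.split(":", 1)[1]))
    return entries


def chain_problems(entries: dict[str, tuple[str, int]], key_alias: str,
                   expected_len: int) -> list[str]:
    """Why a browser would still see a self-signed or untrusted certificate."""
    if key_alias not in entries:
        return [f"no entry named {key_alias}: Tomcat has no private key to serve"]
    kind, length = entries[key_alias]
    problems = []
    if kind != "PrivateKeyEntry":
        problems.append(f"{key_alias} is a {kind}, not a PrivateKeyEntry")
    if length == 1:
        problems.append(f"{key_alias} still holds only the self-signed cert from -genkey; "
                        "the CA reply was never imported into this alias")
    elif length < expected_len:
        problems.append(f"{key_alias} chain has {length} certs, expected {expected_len}; "
                        "an intermediate is missing")
    return problems


def run(plan: list[list[str]], keystore: str, key_alias: str, expected_len: int) -> list[str]:
    """Execute the plan (keytool prompts for the store password) and verify the result."""
    for argv in plan:
        subprocess.run(argv, check=True)
    listing = subprocess.run(["keytool", "-list", "-v", "-keystore", keystore],
                             check=True, stdout=subprocess.PIPE, text=True).stdout
    return chain_problems(parse_listing(listing), key_alias, expected_len)


# Constructed listing of the state the posted commands leave behind: the signed cert
# went in under a new alias, so the key entry still has a one-cert (self-signed) chain.
BEFORE_LISTING = """\
Alias name: report2web
Entry type: PrivateKeyEntry
Certificate chain length: 1

Alias name: nedr2wqajob1
Entry type: trustedCertEntry

Alias name: root
Entry type: trustedCertEntry
"""

# Constructed listing of the intended end state: server, intermediate and root on the
# key entry. Subject names are made up.
AFTER_LISTING = """\
Alias name: report2web
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=nedr2wqajob1, O=Example
Issuer: CN=Example Intermediate CA, O=Example

Alias name: root
Entry type: trustedCertEntry
"""

if __name__ == "__main__":
    files = {"server": "Test.cer", "intermediate": "TestCA.cer", "root": "TestRoot.cer"}
    plan = import_plan("Test.keystore", "report2web", files["server"], [files["intermediate"]], files["root"])
    for argv in plan:
        print(" ".join(argv))
    if shutil.which("keytool") and all(os.path.exists(p) for p in files.values()):
        print(run(plan, "Test.keystore", "report2web", 3) or ["chain OK"])
```

Without a JDK the script only prints the commands; with one, and with the three files present in the working directory, it runs them and then reports whether report2web ended up with a three-certificate chain. A chain length of 1 after the import is the exact condition in which Tomcat goes on serving the self-signed certificate created by -genkey, which is what a browser reports as an untrusted root.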

Re: Issue while Configuring SSL in tomcat6

Posted by jairaj kamal <ja...@gmail.com>.
Hi, Please find my response inline as below. Also this is for Tomcat
version 6.

1.) Include the <Connector /> tag from `conf/server.xml` so we can see
how you've configured Tomcat - Below is what I added:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore"
               keystorePass="report2web" clientAuth="false" sslProtocol="TLS" />

2.) Include the exact version of Tomcat you're using - Tomcat version 6

3.) Are you connecting directly to Tomcat or is there an HTTPD or some other
server acting as a reverse proxy in between? - Not by HTTPD, but connecting
via the URL https://hostname:8443/r2wpublisher/

4.) Look at the certificate as displayed by your browser.  In Chrome, click the
lock in the tool bar, other browsers are similar.  Look at the details on
the certificate and see what certificate you're being presented.  Is it the
one that you purchased?  or perhaps an older self-signed one? - Yes, this
is what I purchased, but it displays the error "This CA Root certificate is
not trusted because it is not in the Trusted Root Certification Authorities
store."

Earlier I used below commands to configure SSL

#Keystore creation
keytool -genkey -alias report2web -keyalg RSA -keystore
C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore
#CSR generation
keytool -certreq -keyalg RSA -alias report2web -file
C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.csr -keystore
C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore

#Root Certificate Import
keytool -import -alias root -keystore
C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore -trustcacerts
-file C:\Users\svcr2wadmin\nedr2wqajob1\TestRoot.cer

#SSL Certificate Import
keytool -import -alias nedr2wqajob1 -keystore
C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore -file
C:\Users\svcr2wadmin\nedr2wqajob1\TestCA.cer


Jairaj Kamal


On Mon, May 4, 2015 at 6:39 AM, Daniel Mikusa <dm...@pivotal.io> wrote:

> On Sun, May 3, 2015 at 7:48 PM, jairaj kamal <ja...@gmail.com>
> wrote:
>
> > Hello,
> >
> > I created a keystore via Keytool, CSR file and received below root and
> > intermediate certificates.
> >
> > I have got both TestRoot.cer & TestCA.cer certificates imported in
> keystore
> > via keytool but still in browser it shows in red and looks issue with
> > certificate is not resolved yet.
> >
> > Do i need to convert dot extension of above certs to PKCS12 format, how
> to
> > resolve it ?
> >
>
> There's a lot that could be going on here.  You need to try and narrow down
> the problem.
>
> 1.) Include the <Connector /> tag from `conf/server.xml` so we can see how
> you've configured Tomcat.
> 2.) Include the exact version of Tomcat you're using.
> 3.) Are you connecting directly to Tomcat or is there an HTTPD or some
> other server acting as a reverse proxy in between?
> 4.) Look at the certificate as displayed by your browser.  In Chrome, click
> the lock in the tool bar, other browsers are similar.  Look at the details
> > on the certificate and see what certificate you're being presented.  Is it
> > the one that you purchased?  or perhaps an older self-signed one?
>
> That should get you started.
>
> Dan
>
>
>
> >
> > Jairaj Kamal
> >
>

Re: Issue while Configuring SSL in tomcat6

Posted by Daniel Mikusa <dm...@pivotal.io>.
On Sun, May 3, 2015 at 7:48 PM, jairaj kamal <ja...@gmail.com> wrote:

> Hello,
>
> I created a keystore via Keytool, CSR file and received below root and
> intermediate certificates.
>
> I have got both TestRoot.cer & TestCA.cer certificates imported in keystore
> via keytool but still in browser it shows in red and looks issue with
> certificate is not resolved yet.
>
> Do i need to convert dot extension of above certs to PKCS12 format, how to
> resolve it ?
>

There's a lot that could be going on here.  You need to try and narrow down
the problem.

1.) Include the <Connector /> tag from `conf/server.xml` so we can see how
you've configured Tomcat.
2.) Include the exact version of Tomcat you're using.
3.) Are you connecting directly to Tomcat or is there an HTTPD or some
other server acting as a reverse proxy in between?
4.) Look at the certificate as displayed by your browser.  In Chrome, click
the lock in the tool bar, other browsers are similar.  Look at the details
on the certificate and see what certificate you're being presented.  Is it
the one that you purchased?  or perhaps an older self-signed one?

That should get you started.

Dan



>
> Jairaj Kamal
>