Posted to users@tomcat.apache.org by Piotr Pawlowski <pi...@goyello.com> on 2011/06/28 15:28:57 UTC

Problems with installing ssl certificate under tomcat

Hello all,

Since yesterday I have been trying to install a certificate under Tomcat
(7.0.16) without luck.
I received from my client three files: a wildcard certificate (cert.crt), a key
file (cert.key) and something that is not quite clear for me - cabundle.pem.
I've successfully used some java script
(http://www.startux.de/images/phocadownload/importkey.java) which imports the
key and cert into one keystore file, and configured server.xml to use it, but now I
receive the error "sec_error_bad_signature". I am not sure if I did it
correctly.
Does anybody know how to correctly use an existing wildcard cert, key file and
this cabundle.pem together with Tomcat 7.0.16?
Thank you in advance for your help.
Best Regards
--
Piotr Pawlowski

Re: Problems with installing ssl certificate under tomcat

Posted by Piotr Pawlowski <pi...@goyello.com>.
Christopher and All,

I am really sorry for not replying. I had dealt with my problem before I went
on holiday.
The solution which helped me to correctly install the delivered certificate, its
key and CA chain can be found at the following URL:
http://linuxadmin.com.pl/index.php/tomcat-and-ssl-certificates-small-how-to/
Christopher, thank you for your help. I hope that this conversation will
also help somebody else.

Best Regards
--
Piotr Pawlowski


On 29 June 2011 16:00, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Piotr,
>
> On 6/29/2011 3:11 AM, Piotr Pawlowski wrote:
> > My server.conf for ssl connector looks as follows:
> >
> >     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> >                maxThreads="150" scheme="https" secure="true"
> >                clientAuth="false" sslProtocol="TLS" keyAlias="someAlias"
> >                keystoreFile="/etc/tomcat/ssl/keystoreFile"
> >                keystorePass="SomeSecretPassword" />
>
> Okay. Are you using APR or not?
>
> > All files connected with SSL, including the key store file, are located in
> > the /etc/tomcat/ssl/ directory.
>
> What is the output of the following command:
>
> $ keytool -list -keystore /etc/tomcat/ssl/keystoreFile
>
> You will need to import not only your own certificate and key, but also
> the certs from your Certificate Authority (CA).
>
> > "sec_error_bad_signature" is visible when I enter the website from a web
> > browser (Firefox).
>
> Are there any messages in the log file during startup and/or when you
> try to make a request?
>
> -chris

Re: Problems with installing ssl certificate under tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Piotr,

On 6/29/2011 3:11 AM, Piotr Pawlowski wrote:
> My server.conf for ssl connector looks as follows:
> 
>     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS" keyAlias="someAlias"
>                keystoreFile="/etc/tomcat/ssl/keystoreFile"
>                keystorePass="SomeSecretPassword" />

Okay. Are you using APR or not?

> All files connected with SSL, including the key store file, are located in
> the /etc/tomcat/ssl/ directory.

What is the output of the following command:

$ keytool -list -keystore /etc/tomcat/ssl/keystoreFile

You will need to import not only your own certificate and key, but also
the certs from your Certificate Authority (CA).

> "sec_error_bad_signature" is visible when I enter the website from a web
> browser (Firefox).

Are there any messages in the log file during startup and/or when you
try to make a request?

-chris


Re: Problems with installing ssl certificate under tomcat

Posted by Piotr Pawlowski <pi...@goyello.com>.
Hello,

My server.conf for ssl connector looks as follows:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" keyAlias="someAlias"
               keystoreFile="/etc/tomcat/ssl/keystoreFile"
               keystorePass="SomeSecretPassword" />

All files connected with SSL, including the key store file, are located in the
/etc/tomcat/ssl/ directory.

"sec_error_bad_signature" is visible when I enter the website from a web
browser (Firefox).

Thank you in advance for your help.

Best Regards
--
Piotr Pawlowski


On 28 June 2011 17:14, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Piotr,
>
> On 6/28/2011 9:28 AM, Piotr Pawlowski wrote:
> > Since yesterday I have been trying to install a certificate under Tomcat
> > (7.0.16) without luck.
>
> Which <Connector>? SSL configuration is different when using APR's SSL
> engine.
>
> > I received from my client three files: a wildcard certificate (cert.crt),
> > a key file (cert.key) and something that is not quite clear for me -
> > cabundle.pem.
>
> That's the Certificate Authority's (CA) bundle file, including all
> public certs that the (web) client might need in order to build a chain
> of trust from the built-in root certs shipping with the browser to the
> certificate issued to your (business) client. It's in PEM format
> (http://www.openssl.org/docs/crypto/pem.html#PEM_ENCRYPTION_FORMAT).
>
> > I've successfully used some java script (
> > http://www.startux.de/images/phocadownload/importkey.java ) which
> > imports key and cert to one keystore file
>
> You could also use keytool, which comes with the JRE and which fits that
> exact purpose. The above is not java script (whatever that is), it's
> just Java.
>
> > [I] configured server.xml to use it
>
> How?
>
> > but now I receive the error "sec_error_bad_signature".
>
> Client side or server side?
>
> > I am not sure if I did it correctly.
>
> So, tell us what you did and maybe we can find the problem: what does
> your <Connector> definition look like in conf/server.xml? Remember to
> remove any passwords from it before you post. Also, give us the paths to
> all files you have on the disk to support the SSL configuration (key
> store, cert store, etc.).
>
> > Does anybody know how to correctly use an existing wildcard cert, key
> > file and this cabundle.pem together with Tomcat 7.0.16?
>
> I haven't used a wildcard cert before, but I suspect that the
> configuration is identical to that of a non-wildcard cert, since it's
> the (web) client that decides whether or not the cert is valid, not the
> server.
>
> -chris

Re: Problems with installing ssl certificate under tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Piotr,

On 6/28/2011 9:28 AM, Piotr Pawlowski wrote:
> Since yesterday I have been trying to install a certificate under Tomcat
> (7.0.16) without luck.

Which <Connector>? SSL configuration is different when using APR's SSL
engine.

> I received from my client three files: a wildcard certificate (cert.crt), a key
> file (cert.key) and something that is not quite clear for me - cabundle.pem.

That's the Certificate Authority's (CA) bundle file, including all
public certs that the (web) client might need in order to build a chain
of trust from the built-in root certs shipping with the browser to the
certificate issued to your (business) client. It's in PEM format
(http://www.openssl.org/docs/crypto/pem.html#PEM_ENCRYPTION_FORMAT).

> I've successfully used some java script ( 
> http://www.startux.de/images/phocadownload/importkey.java ) which
> imports key and cert to one keystore file

You could also use keytool, which comes with the JRE and which fits that
exact purpose. The above is not java script (whatever that is), it's
just Java.

> [I] configured server.xml to use it

How?

> but now I receive the error "sec_error_bad_signature".

Client side or server side?

> I am not sure if I did it correctly.

So, tell us what you did and maybe we can find the problem: what does
your <Connector> definition look like in conf/server.xml? Remember to
remove any passwords from it before you post. Also, give us the paths to
all files you have on the disk to support the SSL configuration (key
store, cert store, etc.).

> Does anybody know how to correctly use an existing wildcard cert, key
> file and this cabundle.pem together with Tomcat 7.0.16?

I haven't used a wildcard cert before, but I suspect that the
configuration is identical to that of a non-wildcard cert, since it's
the (web) client that decides whether or not the cert is valid, not the
server.

-chris
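Both of Chris's replies come down to the same check: the key entry behind keyAlias must carry the CA chain from cabundle.pem, not cert.crt alone, and keytool -list shows what the keystore really holds. The program below is an added example (not from the thread, Tomcat or keytool) that goes one step further: it opens the keystore with the Connector's keystoreFile, keystorePass and keyAlias values and verifies that every certificate in the key entry's chain is signed by the next one, flagging a chain that stops at the leaf. The class name KeyStoreChainCheck is made up here, and the keystore is assumed to be of the JDK's default type.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class KeyStoreChainCheck {
    /** True if cert is inside its validity period and carries a signature made by signer's key. */
    static boolean verify(X509Certificate cert, X509Certificate signer) {
        try {
            cert.checkValidity();
            cert.verify(signer.getPublicKey());
            return true;
        } catch (Exception e) {
            System.out.println("  FAILED " + cert.getSubjectX500Principal() + ": " + e);
            return false;
        }
    }

    /** Returns the number of problems found for the key entry under alias (0 = usable by Tomcat). */
    static int checkKeyEntry(KeyStore ks, String alias) throws Exception {
        Certificate[] chain = ks.getCertificateChain(alias);  // null unless alias holds a private key
        if (chain == null) { System.out.println(alias + ": no private key entry under this alias"); return 1; }
        System.out.println(alias + ": " + chain.length + " certificate(s) in chain");
        int problems = 0;
        if (chain.length < 2) {   // only cert.crt was imported; the intermediates in cabundle.pem are missing
            System.out.println("  no CA certificates behind the leaf; import the CA bundle as well");
            problems++;
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            System.out.println("  [" + i + "] " + cert.getSubjectX500Principal());
            boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
            if (i + 1 < chain.length) {            // chain[i] must have been issued by chain[i+1]
                if (!verify(cert, (X509Certificate) chain[i + 1])) problems++;
            } else if (selfSigned) {                // a self-signed root closes the chain
                if (!verify(cert, cert)) problems++;
            } else {                                // ends at an intermediate: the browser must ship its root
                System.out.println("  chain ends at intermediate issued by " + cert.getIssuerX500Principal());
            }
        }
        return problems;
    }

    /** Usage: java KeyStoreChainCheck <keystoreFile> <keystorePass> <keyAlias> (the Connector's values). */
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        System.exit(checkKeyEntry(ks, args[2]) == 0 ? 0 : 1);
    }
}
```

A non-zero exit status means the entry is either not a private key or its chain is incomplete or broken, which is what to fix before looking at browser-side errors.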