Posted to users@tomcat.apache.org by Sean Killeen <se...@gmail.com> on 2011/02/14 15:03:10 UTC

Issues with Tomcat 6.0 & Renewing SSL cert using keytool

Hi all,

I'm hoping someone has run into this problem before.

I'm using VeriSign certs and have imported a certificate correctly before
using keytool. However, the certificate we were using expired, and we
obtained a replacement.

Importing the replacement appears to be more difficult.

Verisign's intermediate CA appears to be different than before, and now uses
a primary and secondary. So initially I had one intermediate CA and one
tomcat certificate.

I then imported the two new CAs (alias "intermediatecaprimary" and
"intermediatecasecondary") -- this worked without error.

The next step seems to throw tomcat off. I believe I need to replace the
"tomcat" alias certificate. Barring a replace function in keytool (which I
don't think exists, though I could be wrong), I think this means I have to
delete the old "tomcat" certificate and replace it with the new one.

Doing this (using the command "keytool -delete -alias tomcat -keystore
.keystore" and then "keytool -import -alias tomcat -keyalg RSA -keystore
.keystore -file D:\keystore\Certificates\tomcat.cer") appears to complete
without error.

However, the next time I start Tomcat (running as a service), the CPU &
memory spin upward until the machine is barely accessible. Tomcat doesn't
start up.

In the Tomcat log file the following can be seen:

Feb 14, 2011 8:45:07 AM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:149)
        at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:309)
        at java.lang.Thread.run(Thread.java:619)

I'm sure this is just a mistake I'm making somewhere either in keytool or my
Tomcat setup, but it's worked fine until trying to use this replacement
cert.

One possibility: Do I need to specify a keylength when specifying the
keyalg, or is there a default?

My Tomcat connector is as follows (password redacted):

     <Connector
        port="8443"
        protocol="HTTP/1.1"
        SSLEnabled="true"
        enableLookups="false"
        acceptCount="100"
        maxThreads="200"
        scheme="https"
        keystoreFile="d:\keystore\.keystore"
        keystorePass="[Password]"
        secure="true"
        clientAuth="false"
        sslProtocol="TLSv1"
        cipher="RSA"
        allowUnsafeLegacyRenegotiation="false"
        />

Thanks in advance for any help you can give!
--
Sean

Re: Issues with Tomcat 6.0 & Renewing SSL cert using keytool

Posted by Mark Thomas <ma...@apache.org>.
On 14/02/2011 19:46, Sean Killeen wrote:
> It doesn't -- it tells me that a certificate already exists with that alias,
> and the import fails.

Hmm. Did you re-use the same private key for this updated certificate?
If that is the case then I think you can fix this with some java code
but it looks like keytool is insufficient. The Java API for keystore
manipulation lets you extract private keys.

As an aside, the usual process would be to generate a new private key
with a new alias and then the process should be relatively simple.

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
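Mark's suggestion above, done with the Java KeyStore API: an added example, not code from this thread or from Tomcat. It keeps the existing "tomcat" private key, checks that the renewed certificate was actually issued for that key, and rebinds the alias to the new chain in place. The keystore path and alias come from the thread; the certificate file names and the password are placeholders.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper: rebinds the private key stored under ALIAS to a renewed
// certificate chain without deleting the entry. Password and file names are placeholders.
public class RenewCertKeepKey {
    static final String KEYSTORE = "D:/keystore/.keystore";  // path from the thread
    static final String CERT_DIR = "D:/keystore/Certificates/";
    static final String ALIAS = "tomcat";
    // Tomcat uses keystorePass for the key as well unless keyPass is set separately.
    static final char[] PASS = "[Password]".toCharArray();

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(KEYSTORE)) {
            ks.load(in, PASS);
        }
        // A certificate imported under a fresh alias is a trusted-cert entry with no
        // private key; a connector pointed at such an alias has nothing to handshake with.
        if (!ks.isKeyEntry(ALIAS)) {
            throw new IllegalStateException("'" + ALIAS + "' holds no private key");
        }
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, PASS);

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain = new ArrayList<Certificate>();
        // Leaf first, then the intermediates (file names are assumptions).
        for (String f : new String[] {"tomcat.cer", "intermediate_primary.cer", "intermediate_secondary.cer"}) {
            try (FileInputStream in = new FileInputStream(CERT_DIR + f)) {
                chain.add(cf.generateCertificate(in));
            }
        }
        // The renewed leaf must have been issued for this key pair: for RSA the
        // modulus in the certificate's public key equals the private key's modulus.
        RSAPublicKey pub = (RSAPublicKey) chain.get(0).getPublicKey();
        if (!pub.getModulus().equals(((RSAPrivateKey) key).getModulus())) {
            throw new IllegalStateException("renewed certificate was not issued for the '"
                    + ALIAS + "' key; generate a new key and CSR instead");
        }
        // Overwrite the entry in place: same alias, same key, new chain.
        ks.setKeyEntry(ALIAS, key, PASS, chain.toArray(new Certificate[0]));
        try (FileOutputStream out = new FileOutputStream(KEYSTORE)) {
            ks.store(out, PASS);
        }
    }
}
```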


Re: Issues with Tomcat 6.0 & Renewing SSL cert using keytool

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Sean,

On 2/15/2011 7:37 AM, Sean Killeen wrote:
> leaving the old intermediate CA & old certificate, I added the new
> intermediate CAs and the new certificate with an alias of "tomcat2". I added
> 'keyAlias="tomcat2"' to my connector to specify the name.
> 
> The result at this point was good news / bad news -- Tomcat didn't spiral
> out of control, but the site was inaccessible.
> 
> When changing the specified alias back to tomcat, at least I could bring the
> site back up, even with the other certs in the keystore. Previously I'd been
> unable to get it to do that.

Which exact version of Tomcat 6.0 are you using?

When you use "tomcat2", do you still get the "no valid ciphers" error?
I'm pretty sure that "RSA" isn't a valid cipher. I think you need
something that looks like "TLS_RSA_WITH_AES_128_CBC_SHA".

-chris



Re: Issues with Tomcat 6.0 & Renewing SSL cert using keytool

Posted by Sean Killeen <se...@gmail.com>.
Hi Sal,

Thanks for the response. I believe there was a bug or issue which caused us
to use TLSv1 instead of just "TLS" for the setting. At any rate, this
setting has not been an issue in the past, and I can verify that it
strictly enforces TLS (which is our requirement -- we don't want it to be
able to fall back to SSL). I'll verify that it still works upon removing the
v1, and if it does I'll keep it like that. Thanks for the heads up!

An update:

leaving the old intermediate CA & old certificate, I added the new
intermediate CAs and the new certificate with an alias of "tomcat2". I added
'keyAlias="tomcat2"' to my connector to specify the name.

The result at this point was good news / bad news -- Tomcat didn't spiral
out of control, but the site was inaccessible.

When changing the specified alias back to tomcat, at least I could bring the
site back up, even with the other certs in the keystore. Previously I'd been
unable to get it to do that.


--
Sean


On Mon, Feb 14, 2011 at 11:20 PM, Crypto Sal <cr...@gmail.com> wrote:

> Hi Sean,
>
> Have you tried to specify just "TLS" or "SSL" for the sslProtocol? You
> presently have this set at "TLSv1", which I do not believe is valid.
>
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
>
> --Sal
>

Re: Issues with Tomcat 6.0 & Renewing SSL cert using keytool

Posted by Crypto Sal <cr...@gmail.com>.
Hi Sean,

Have you tried to specify just "TLS" or "SSL" for the sslProtocol? You 
presently have this set at "TLSv1", which I do not believe is valid.

http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

--Sal


On 02/14/2011 02:46 PM, Sean Killeen wrote:
> It doesn't -- it tells me that a certificate already exists with that alias,
> and the import fails.
>
> --
> Sean





Re: Issues with Tomcat 6.0 & Renewing SSL cert using keytool

Posted by Sean Killeen <se...@gmail.com>.
It doesn't -- it tells me that a certificate already exists with that alias,
and the import fails.

--
Sean


On Mon, Feb 14, 2011 at 12:54 PM, Mark Thomas <ma...@apache.org> wrote:

> On 14/02/2011 14:03, Sean Killeen wrote:
> > The next step seems to throw tomcat off. I believe I need to replace the
> > "tomcat" alias certificate. Barring a replace function in keytool (which I
> > don't think exists, though I could be wrong), I think this means I have to
> > delete the old "tomcat" certificate and replace it with the new one.
>
> That will delete the key. I'm fairly sure you can just import the new
> certificate and it will replace old one.
>
> Mark
>

Re: Issues with Tomcat 6.0 & Renewing SSL cert using keytool

Posted by Mark Thomas <ma...@apache.org>.
On 14/02/2011 14:03, Sean Killeen wrote:
> The next step seems to throw tomcat off. I believe I need to replace the
> "tomcat" alias certificate. Barring a replace function in keytool (which I
> don't think exists, though I could be wrong), I think this means I have to
> delete the old "tomcat" certificate and replace it with the new one.

That will delete the key. I'm fairly sure you can just import the new
certificate and it will replace old one.

Mark


