Posted to users@tomcat.apache.org by Kevin Pang <la...@hotmail.com> on 2001/05/14 19:41:52 UTC

Tomcat and SSL

Hi All,
I need to set up Tomcat standalone with SSL support. I did it according to
Tomcat's user guide in the following steps, using the tomcat account.
I modified java.security before doing these:

>keytool -genkey -alias tomcat -keyalg RSA
>openssl req -new -out REQ.pem -keyout KEY.pem
>openssl req -x509 -in REQ.pem -key KEY.pem -out CERT.pem
then verify
>openssl req -verify -in REQ.pem
>openssl req -verify -in REQ.pem -key KEY.pem
>openssl req -text -in REQ.pem
Everything looks fine, but
when I do:
>keytool -import -v -trustcacerts -alias tomcat -file CERT.pem
I get the error messages:
Enter keystore password:  changeit
keytool error: java.lang.Exception: Public keys in reply and keystore don't
match

So I tried to delete all files in /home/tomcat: .keystore and *.pem,
and then wanted to repeat the above steps:
>  keytool -genkey -alias tomcat -keyalg RSA
I get the error messages:
Enter keystore password:  changeit
keytool error: java.lang.Exception: Key pair not generated, alias <tomcat>
already exists

I have never used SSL before and am very confused now. Is there some documentation
for doing this step by step? Any help is highly appreciated!

Kevin
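The error Kevin hits has a specific cause: when `keytool -import` targets an alias that already holds a private key, keytool treats the file as a certificate reply for that key and first checks that the reply's public key equals the stored one. CERT.pem was made by `openssl req` from KEY.pem, a key that keytool never saw, so the check fails. The script below is an added example, not code from Kevin, Tim or the Tomcat project: it reproduces the mismatch with openssl alone, gives a `key_matches_cert` check you can run before touching the keystore, and shows the flow that works, where keytool generates the key and a CSR, openssl (as a throwaway CA) signs the CSR, and the CA certificate and the signed reply are imported. The work directory, the `testca` alias and the CN values are constructed for the example; the keytool part only runs where keytool is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread). Shows why keytool rejects CERT.pem
# with "Public keys in reply and keystore don't match", how to detect the
# mismatch with openssl alone, and the CSR-based flow that avoids it.
# All file names, the "testca" alias and the CN values are constructed here.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Reproduce the two unrelated key pairs Kevin ended up with: KEY.pem/CERT.pem
# made by "openssl req", and OTHER.pem standing in for the separate private
# key that "keytool -genkey" created inside .keystore.
make_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/KEY.pem" \
      -out "$WORK/CERT.pem" -days 365 -subj "/CN=tomcat-test" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$WORK/OTHER.pem" 2>/dev/null
}

# Return 0 when the private key's public half equals the certificate's
# public key, 1 otherwise. This is the same comparison keytool performs
# when you import a certificate under an alias that already holds a key.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
  [ "$key_pub" = "$cert_pub" ]
}

# The flow that works: keytool owns the private key, exports a CSR for it,
# openssl (acting as a throwaway CA) signs that CSR, and the CA cert plus
# the signed reply are imported. Runs only where keytool is on PATH
# (returns 2 otherwise); returns 1 if the mismatched import is accepted.
keytool_csr_flow() {
  command -v keytool >/dev/null 2>&1 || return 2
  KS="$WORK/.keystore"; PW=changeit
  rm -f "$KS"
  keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore "$KS" \
      -storepass "$PW" -keypass "$PW" -dname "CN=tomcat-test" >/dev/null 2>&1
  # Kevin's step: a cert for a different key, imported under the key's alias.
  if keytool -import -alias tomcat -file "$WORK/CERT.pem" -keystore "$KS" \
        -storepass "$PW" -noprompt >/dev/null 2>&1; then
    echo "unexpected: keytool accepted a reply for a different key" >&2
    return 1
  fi
  keytool -certreq -alias tomcat -keystore "$KS" -storepass "$PW" \
      -file "$WORK/tomcat.csr" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca-key.pem" \
      -out "$WORK/ca.pem" -days 365 -subj "/CN=test-ca" 2>/dev/null
  openssl x509 -req -in "$WORK/tomcat.csr" -CA "$WORK/ca.pem" \
      -CAkey "$WORK/ca-key.pem" -CAcreateserial -out "$WORK/tomcat.crt" \
      -days 365 2>/dev/null
  # CA cert under its own alias first, so the reply's chain can be verified;
  # then the reply under the alias that holds the matching private key.
  keytool -import -alias testca -file "$WORK/ca.pem" -keystore "$KS" \
      -storepass "$PW" -noprompt >/dev/null 2>&1
  keytool -import -alias tomcat -file "$WORK/tomcat.crt" -keystore "$KS" \
      -storepass "$PW" >/dev/null 2>&1
}

make_material
if key_matches_cert "$WORK/KEY.pem" "$WORK/CERT.pem"; then
  echo "KEY.pem matches CERT.pem: keytool would accept this pair"
fi
if ! key_matches_cert "$WORK/OTHER.pem" "$WORK/CERT.pem"; then
  echo "OTHER.pem does not match CERT.pem: this is the keystore/reply mismatch"
fi
if keytool_csr_flow; then
  echo "CSR flow done; keystore with aliases testca and tomcat at $WORK/.keystore"
else
  echo "keytool flow skipped (keytool not installed) or failed"
fi
```

The second error in the post ("alias <tomcat> already exists") follows from the same picture: deleting the PEM files does nothing to the keystore, and if the keystore itself is not removed (or the alias not deleted with `keytool -delete -alias tomcat`) a new `-genkey` under the same alias is refused. In the CSR flow above the private key never leaves the keystore, which is also the property a production server wants: the openssl-generated KEY.pem route leaves an unencrypted copy of the key on disk that is easy to forget about.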


Re: Tomcat and SSL - FOLLOW UP

Posted by Tim O'Neil <ti...@xythos.com>.
I should note also that I did this with
3.2.2 beta 5 and protocol 12.

-Tim

At 04:27 PM 5/14/2001 -0700, you wrote:
>Kevin;
>
>Get this; I got it to work by changing the steps
>around;
>
>1) Delete your old keyring (/root/.keystore) file completely
>    unless you can't for whatever reason.
>
>Now build a new keyring file;
>
>2) keytool -delete -alias tomcat -keyalg RSA
>
>Note your keyring password, you'll need it later. This
>step seems important for reasons I outline later.
>
>3) openssl req -x509 -in REQ.pem -key KEY.pem -out CERT.pem
>
>4) keytool -import -v -trustcacerts -alias tomcat -file CERT.pem
>
>5) keytool -delete -alias tomcat
>
>This leaves you with an empty, but valid keyring
>
>6) Now do a keytool -genkey -alias tomcat -keyalg RSA
>
>Use the keyring password you used in step 2
>
>7) Add the key to your keyring: keytool -import -v -trustcacerts
>    -alias tomcat -file CERT.pem
>
>I still need to do some testing, but I've found that Tomcat
>only seems to work if you have one key on your ring. I hope
>I'm wrong. But if I am wrong, why is there no alias field
>in the info for the ssl connector group in server.xml?
>Also:
>The deal seems to be, regardless of what the guide says,
>Tomcat must use RSA algo keys. OR I myself have only
>gotten RSA keys to work, whichever.
>
>This leaves you with a self-signed server of course. The next
>fun project for me is to get it to use a Thawte cert, hopefully
>the tool on http://www.comu.de/docs/tomcat_ssl.htm will allow
>this to happen.



Re: Tomcat and SSL

Posted by Tim O'Neil <ti...@xythos.com>.
Kevin;

Get this; I got it to work by changing the steps
around;

1) Delete your old keyring (/root/.keystore) file completely
    unless you can't for whatever reason.

Now build a new keyring file;

2) keytool -delete -alias tomcat -keyalg RSA

Note your keyring password, you'll need it later. This
step seems important for reasons I outline later.

3) openssl req -x509 -in REQ.pem -key KEY.pem -out CERT.pem

4) keytool -import -v -trustcacerts -alias tomcat -file CERT.pem

5) keytool -delete -alias tomcat

This leaves you with an empty, but valid keyring

6) Now do a keytool -genkey -alias tomcat -keyalg RSA

Use the keyring password you used in step 2

7) Add the key to your keyring: keytool -import -v -trustcacerts
    -alias tomcat -file CERT.pem

I still need to do some testing, but I've found that Tomcat
only seems to work if you have one key on your ring. I hope
I'm wrong. But if I am wrong, why is there no alias field
in the info for the ssl connector group in server.xml?
Also:
The deal seems to be, regardless of what the guide says,
Tomcat must use RSA algo keys. OR I myself have only
gotten RSA keys to work, whichever.

This leaves you with a self-signed server of course. The next
fun project for me is to get it to use a Thawte cert, hopefully
the tool on http://www.comu.de/docs/tomcat_ssl.htm will allow
this to happen.

At 07:41 PM 5/14/2001 +0200, you wrote:
>Hi All,
>I need to set up Tomcat standalone with SSL support. I did it according to
>Tomcat's user guide in the following steps, using the tomcat account.
>I modified java.security before doing these:
>
> >keytool -genkey -alias tomcat -keyalg RSA
> >openssl req -new -out REQ.pem -keyout KEY.pem
> >openssl req -x509 -in REQ.pem -key KEY.pem -out CERT.pem
>then verify
> >openssl req -verify -in REQ.pem
> >openssl req -verify -in REQ.pem -key KEY.pem
> >openssl req -text -in REQ.pem
>Everything looks fine, but
>when I do:
> >keytool -import -v -trustcacerts -alias tomcat -file CERT.pem
>I get the error messages:
>Enter keystore password:  changeit
>keytool error: java.lang.Exception: Public keys in reply and keystore don't
>match
>
>So I tried to delete all files in /home/tomcat: .keystore and *.pem,
>and then wanted to repeat the above steps:
> >  keytool -genkey -alias tomcat -keyalg RSA
>I get the error messages:
>Enter keystore password:  changeit
>keytool error: java.lang.Exception: Key pair not generated, alias <tomcat>
>already exists
>
>I have never used SSL before and am very confused now. Is there some documentation
>for doing this step by step? Any help is highly appreciated!
>
>Kevin