Posted to users@tomcat.apache.org by Andy Tipton <ar...@tiptonshome.com> on 2006/11/14 02:32:09 UTC

Need help w/ installing certificate continued...

I have read all through the documentation and can't find what I am doing
wrong. The only thing that I didn't do was the importing of the
valicert_class2_root.crt file because I wasn't given one when I downloaded
my certificate.  I imported the real one after I imported the intermediate
crt.
 
C:\Program Files\Java\jdk1.5.0_05\bin>keytool -list -keystore .keystore
Enter keystore password:  changeit
 
Keystore type: jks
Keystore provider: SUN
 
Your keystore contains 1 entry
 
intermed, Nov 13, 2006, trustedCertEntry,
Certificate fingerprint (MD5):
7A:A5:BA:4F:BC:0A:C5:3C:56:E9:50:A0:13:6A:88:A9
 
C:\Program Files\Java\jdk1.5.0_05\bin>keytool -import -alias tomcat5 -keystore .keystore -file www.anythingphotos.com.crt
Enter keystore password:  changeit
Owner: CN=www.anythingphotos.com, OU=Domain Control Validated, O=www.anythingphotos.com
Issuer: EMAILADDRESS=practices@starfieldtech.com, CN=Starfield Secure Certification Authority, OU=http://www.starfieldtech.com/repository, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 3ed340
Valid from: Sat Nov 11 10:38:24 EST 2006 until: Sun Nov 11 10:38:24 EST 2007
Certificate fingerprints:
         MD5:  73:EA:94:A1:38:C8:9A:5D:65:44:7C:C7:65:A7:01:5F
         SHA1: 5B:C3:AF:32:92:08:6A:C4:5A:37:81:B0:89:74:57:52:CD:5E:D1:B9
Trust this certificate? [no]: yes
 
So now I have this:
 
C:\Program Files\Java\jdk1.5.0_05\bin>keytool -list -keystore .keystore
Enter keystore password:  changeit
 
Keystore type: jks
Keystore provider: SUN
 
Your keystore contains 2 entries
 
tomcat5, Nov 13, 2006, trustedCertEntry,
Certificate fingerprint (MD5):
73:EA:94:A1:38:C8:9A:5D:65:44:7C:C7:65:A7:01:5F
intermed, Nov 13, 2006, trustedCertEntry,
Certificate fingerprint (MD5):
7A:A5:BA:4F:BC:0A:C5:3C:56:E9:50:A0:13:6A:88:A9
 
C:\Program Files\Java\jdk1.5.0_05\bin>
 
Could it have to do with the alias?  I can't figure out what it could be.
I just get a 'page cannot be displayed' when trying to access it.  I have
been reading, but can't find anywhere that really explains how the keystore
and certificate relate to each other, or if the alias matters.
 
I really need some help here.
 

RE: Need help w/ installing certificate continued...

Posted by Saravana Kumar <tu...@gmail.com>.
Andy Tipton wrote:

> I have done the following... (I am running Tomcat 5 on a Windows 2003
> Server)
> 
> - Recreated the .keystore many different times trying to get one to
>   work...
> - Tried different aliases with my domain crt (does the alias matter?)
> - Installed the crts in Windows and everything shows fine there
>   when viewing
> 
Does the .keystore file that you recreated have the same key you used to
generate the CSR? If not, you may have to start from the first step: generate
a fresh tomcat.key (tomcat alias) and a fresh CSR, and get a new cert.

>   the crt.
> - Set my config in the server.xml (I have tried SSL and TLS):
>       <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
>       <Connector port="443" maxHttpHeaderSize="8192"
>                address="192.168.1.190"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                keystoreFile="tomcat.keystore"
>                keystorePass="changeit"/>
You can try giving the full path to the keystoreFile="c:\..\tomcat.key" and
see if that works.

> - Imported the certificates into my keystore in the following order: root,
>   intermed, tomcat.
> 
> C:\Program Files\Java\jdk1.5.0_05\bin>keytool -list -keystore tomcat.keystore
> Enter keystore password:  changeit
> 
> 
> C:\Program Files\Java\jdk1.5.0_05\bin>
> 
> - When I installed the root crt it said that there was already a system wide
>   root crt installed, do I want to continue to import it into the keystore
>   and I said 'yes'.
> 
> - All I get is a 'Page cannot be displayed' when trying to access the
>   browser 'https:'
> 
> - If I create a keystore without importing the real crt, then it works, but
>   just says that the crt it to trusted.
> 
> What am I missing?  I can't get it to work...

Hope you have done all the steps as mentioned in my previous post.

Regds,
SK

> >  
> -----Original Message-----
> From: news [mailto:news@sea.gmane.org] On Behalf Of Saravana Kumar
> Sent: Wednesday, November 15, 2006 5:07 AM
> To: users@tomcat.apache.org
> Subject: Re: Need help w/ installing certificate continued...
> 
> Andy Tipton wrote:
> 
>> I have read all through the documentation and can't find what I am doing
>> wrong. The only thing that I didn't do was the importing of the
>> valicert_class2_root.crt file because I wasn't given one when I
>> downloaded
>> my certificate.  I imported the real one after I imported the
>> intermediate crt.
> 
> Did you get any error during this step, i.e., importing intermediate crt
> after root?
> 
>> So now I have this:
>>  
>> C:\Program Files\Java\jdk1.5.0_05\bin>keytool -list -keystore .keystore
>> Enter keystore password:  changeit
>>  
>> Keystore type: jks
>> Keystore provider: SUN
>>  
>> Your keystore contains 2 entries
>>  
>> tomcat5, Nov 13, 2006, trustedCertEntry,
>> Certificate fingerprint (MD5):
>> 73:EA:94:A1:38:C8:9A:5D:65:44:7C:C7:65:A7:01:5F
>> intermed, Nov 13, 2006, trustedCertEntry,
>> Certificate fingerprint (MD5):
>> 7A:A5:BA:4F:BC:0A:C5:3C:56:E9:50:A0:13:6A:88:A9
>>  
>> C:\Program Files\Java\jdk1.5.0_05\bin>
>>  
>> Could it have to do with the alias?  I can't figure out what it could
>> be.
> 
> I am not sure of whether this could be the problem with alias.
> 
>> I just get a 'page cannot be displayed' when trying to access it.  I have
>> been reading, but can't find anywhere that really explains how the
>> keystore and certificate relate to each other, or if the alias matters.
>>  
>> I really need some help here.
> 
> Below are the steps I did on one of my Linux boxes (must work in Windows
> too).
> 
> First I generated tomcat.key & CSR with:
> $ keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.key
> $ keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore tomcat.key
> 
> Got the certs from our CA (files sf_issuing.crt & _mydomain.crt). Copied
> the CA's intermediate cert to valicert_class2_root.crt
> 
> First import the CA's intermediate certificate to root, like this:
> $ keytool -import -alias root -keystore tomcat.key -trustcacerts -file valicert_class2_root.crt
> 
> Then import issuing cert to intermed:
> $ keytool -import -alias intermed -keystore tomcat.key -trustcacerts -file sf_issuing.crt
> 
> Last is to import your domain's cert to tomcat alias:
> $ keytool -import -alias tomcat -keystore tomcat.key -trustcacerts -file _mydomain.crt
> 
> The above steps worked perfectly for me. I just had to point to the correct
> key file in server.xml and https started working.
> 
> Let me know if that helped you out.
> 
> Regds,
> SK
> 
> 
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 


RE: Need help w/ installing certificate continued...

Posted by Andrew Friebel <an...@reynolds.com.au>.
Have you checked the logs to see what errors (if any) have been logged?

Since you are having so many hassles, I would try and do some internal
testing using self signed certificates.

o	Generate your keystore - keytool -genkey -alias tomcat -keystore tomcat.keystore -keyalg RSA
o	Self sign the certificate - keytool -selfcert -alias tomcat -keystore tomcat.keystore

Restart tomcat, then see if you can access your pages.

Once you get that going, then you should try using signed certificates:

o	Generate your keystore - keytool -genkey -alias tomcat -keystore tomcat.keystore -keyalg RSA  (algorithm as required)
o	Import root certificate(s) as required (may need to import more than one certificate here) - keytool -import -alias <alias> -keystore tomcat.keystore -file <file>
o	Import the signed certificate - keytool -import -alias tomcat -keystore tomcat.keystore -file <signed certificate>

That's my suggestion.

-----Original Message-----
From: Andy Tipton [mailto:artipton@tiptonshome.com] 
Sent: Thursday, 16 November 2006 11:23 AM
To: 'Tomcat Users List'; tuxkumar@gmail.com
Subject: RE: Need help w/ installing certificate continued...

I have done the following... (I am running Tomcat 5 on a Windows 2003
Server)

- Recreated the .keystore many different times trying to get one to work...
- Tried different aliases with my domain crt (does the alias matter?)
- Installed the crts in Windows and everything shows fine there when viewing
  the crt.
- Set my config in the server.xml (I have tried SSL and TLS):
      <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
      <Connector port="443" maxHttpHeaderSize="8192" address="192.168.1.190"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="tomcat.keystore"
               keystorePass="changeit"/>
- Imported the certificates into my keystore in the following order: root,
  intermed, tomcat.

	C:\Program Files\Java\jdk1.5.0_05\bin>keytool -list -keystore tomcat.keystore
	Enter keystore password:  changeit

	Keystore type: jks
	Keystore provider: SUN

	Your keystore contains 3 entries

	root, Nov 13, 2006, trustedCertEntry,
	Certificate fingerprint (MD5):
A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
	tomcat, Nov 13, 2006, trustedCertEntry,
	Certificate fingerprint (MD5):
73:EA:94:A1:38:C8:9A:5D:65:44:7C:C7:65:A7:01:5F
	intermed, Nov 13, 2006, trustedCertEntry,
	Certificate fingerprint (MD5):
7A:A5:BA:4F:BC:0A:C5:3C:56:E9:50:A0:13:6A:88:A9

	C:\Program Files\Java\jdk1.5.0_05\bin>

- When I installed the root crt it said that there was already a system wide
  root crt installed, do I want to continue to import it into the keystore
  and I said 'yes'.

- All I get is a 'Page cannot be displayed' when trying to access the
  browser 'https:'

- If I create a keystore without importing the real crt, then it works, but
  just says that the crt it to trusted.

What am I missing?  I can't get it to work...






RE: Need help w/ installing certificate continued...

Posted by Andy Tipton <ar...@tiptonshome.com>.
I have done the following... (I am running Tomcat 5 on a Windows 2003
Server)

- Recreated the .keystore many different times trying to get one to work...
- Tried different aliases with my domain crt (does the alias matter?)
- Installed the crts in Windows and everything shows fine there when viewing
  the crt.
- Set my config in the server.xml (I have tried SSL and TLS):
      <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
      <Connector port="443" maxHttpHeaderSize="8192" address="192.168.1.190"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="tomcat.keystore"
               keystorePass="changeit"/>
- Imported the certificates into my keystore in the following order: root,
  intermed, tomcat.

	C:\Program Files\Java\jdk1.5.0_05\bin>keytool -list -keystore tomcat.keystore
	Enter keystore password:  changeit

	Keystore type: jks
	Keystore provider: SUN

	Your keystore contains 3 entries

	root, Nov 13, 2006, trustedCertEntry,
	Certificate fingerprint (MD5):
A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
	tomcat, Nov 13, 2006, trustedCertEntry,
	Certificate fingerprint (MD5):
73:EA:94:A1:38:C8:9A:5D:65:44:7C:C7:65:A7:01:5F
	intermed, Nov 13, 2006, trustedCertEntry,
	Certificate fingerprint (MD5):
7A:A5:BA:4F:BC:0A:C5:3C:56:E9:50:A0:13:6A:88:A9

	C:\Program Files\Java\jdk1.5.0_05\bin>

- When I installed the root crt it said that there was already a system wide
  root crt installed, do I want to continue to import it into the keystore
  and I said 'yes'.

- All I get is a 'Page cannot be displayed' when trying to access the   
  browser 'https:'

- If I create a keystore without importing the real crt, then it works, but 
  just says that the crt it to trusted.

What am I missing?  I can't get it to work...






Re: Need help w/ installing certificate continued...

Posted by Saravana Kumar <tu...@gmail.com>.
Andy Tipton wrote:

> I have read all through the documentation and can't find what I am doing
> wrong. The only thing that I didn't do was the importing of the
> valicert_class2_root.crt file because I wasn't given one when I downloaded
> my certificate.  I imported the real one after I imported the intermediate
> crt.

Did you get any error during this step, i.e., importing intermediate crt after
root?

> So now I have this:
>  
> C:\Program Files\Java\jdk1.5.0_05\bin>keytool -list -keystore .keystore
> Enter keystore password:  changeit
>  
> Keystore type: jks
> Keystore provider: SUN
>  
> Your keystore contains 2 entries
>  
> tomcat5, Nov 13, 2006, trustedCertEntry,
> Certificate fingerprint (MD5):
> 73:EA:94:A1:38:C8:9A:5D:65:44:7C:C7:65:A7:01:5F
> intermed, Nov 13, 2006, trustedCertEntry,
> Certificate fingerprint (MD5):
> 7A:A5:BA:4F:BC:0A:C5:3C:56:E9:50:A0:13:6A:88:A9
>  
> C:\Program Files\Java\jdk1.5.0_05\bin>
>  
> Could it have to do with the alias?  I can't figure out what it could
> be.

I am not sure of whether this could be the problem with alias.

> I just get a 'page cannot be displayed' when trying to access it.  I have
> been reading, but can't find anywhere that really explains how the
> keystore and certificate relate to each other, or if the alias matters.
>  
> I really need some help here.

Below are the steps I did on one of my Linux boxes (must work in Windows too).

First I generated tomcat.key & CSR with:
$ keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.key
$ keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore tomcat.key

Got the certs from our CA (files sf_issuing.crt & _mydomain.crt). Copied the
CA's intermediate cert to valicert_class2_root.crt

First import the CA's intermediate certificate to root, like this:
$ keytool -import -alias root -keystore tomcat.key -trustcacerts -file valicert_class2_root.crt

Then import issuing cert to intermed:
$ keytool -import -alias intermed -keystore tomcat.key -trustcacerts -file sf_issuing.crt

Last is to import your domain's cert to tomcat alias:
$ keytool -import -alias tomcat -keystore tomcat.key -trustcacerts -file _mydomain.crt

The above steps worked perfectly for me. I just had to point to the correct key
file in server.xml and https started working.

Let me know if that helped you out.

Regds,
SK
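
Added example (not from any poster in this thread): a small shell check, with hypothetical helper names entry_types and check_alias, that reads `keytool -list` output and reports whether the alias Tomcat serves from is a private-key entry or only a trustedCertEntry. The first sample is the three-entry listing posted above; the second is constructed to show the same keystore when the tomcat alias was created with -genkey before the CA reply was imported.

```shell
#!/bin/sh
# Added example: entry_types and check_alias are hypothetical helper names.

# Read `keytool -list` output on stdin; print "alias<TAB>entryType" per entry.
entry_types() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # tolerate indentation and CRLF
        # Entry lines look like: alias, Nov 13, 2006, trustedCertEntry,
        /, (keyEntry|PrivateKeyEntry|trustedCertEntry),?$/ {
            n = split($0, f, ", ")
            etype = f[n]; sub(/,$/, "", etype)
            print f[1] "\t" etype
        }'
}

# Read `keytool -list` output on stdin and classify ALIAS ($1).
# Returns 0 = private-key entry, 1 = certificate only, 2 = alias not present.
check_alias() {
    want=$1
    etype=$(entry_types | awk -F'\t' -v a="$want" '$1 == a { print $2 }')
    case $etype in
        keyEntry|PrivateKeyEntry)
            echo "$want: $etype - private key present, usable as the server entry"
            return 0 ;;
        trustedCertEntry)
            echo "$want: trustedCertEntry - certificate only, no private key in this keystore"
            return 1 ;;
        *)
            echo "$want: no such alias in the listing"
            return 2 ;;
    esac
}

# Listing posted in the thread (fingerprint lines omitted; the parser skips them).
thread_listing() {
    cat <<'EOF'
Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

root, Nov 13, 2006, trustedCertEntry,
tomcat, Nov 13, 2006, trustedCertEntry,
intermed, Nov 13, 2006, trustedCertEntry,
EOF
}

# Constructed listing: the tomcat alias holds the key pair made by -genkey.
# JDK 5 prints keyEntry here; later JDKs print PrivateKeyEntry.
expected_listing() {
    cat <<'EOF'
Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

root, Nov 13, 2006, trustedCertEntry,
tomcat, Nov 13, 2006, keyEntry,
intermed, Nov 13, 2006, trustedCertEntry,
EOF
}

thread_listing   | check_alias tomcat || true
expected_listing | check_alias tomcat
# Against a real keystore (keytool prompts for the password):
#   keytool -list -keystore tomcat.keystore | check_alias tomcat
```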

