Posted to users@tomcat.apache.org by Vince Stewart <st...@gmail.com> on 2022/07/15 23:56:37 UTC

SSL configuration for Tomcat 9

My system uses embedded Tomcat to connect to an HttpServlet instance.
I have just upgraded from Tomcat 8.0.2 to 9.0.64.
I am implementing SSL for the first time.

I created a keystore with no alias. Keytool gave it the alias "mykey" (2nd
entry below).
I imported an issued PEM certificate (4 items in chain).
The final item in the chain has the alias "tomcat" as per
https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Importing_the_Certificate
(The same documentation recommends the keystore alias also be 'tomcat', but
if the keystore and the issued certificate are both given the same alias
(ie 'tomcat'), keytool will import the final entry as "self generated" and
throw an error.) Here is my abbreviated keystore list using alias 'mykey'
for the keystore.
____________________________________keystore listing_______________________
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 5 entries
intermediate, 16/07/2022, trustedCertEntry,
Certificate fingerprint (SHA-256):
68:B9:C7:61.................................
intermediate2, 16/07/2022, trustedCertEntry,
Certificate fingerprint (SHA-256):
7F:A4:FF:68................................
mykey, 16/07/2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256):
36:F8:64:73:.................................
root, 16/07/2022, trustedCertEntry,
Certificate fingerprint (SHA-256): D7:A7:A0:FB..............................
tomcat, 16/07/2022, trustedCertEntry,
Certificate fingerprint (SHA-256):
36:A9:B7:A9:..............................
________________________________________________________________________

Here is my startup code (no server.xml file)


    import java.io.File;
    import org.apache.catalina.Context;
    import org.apache.catalina.connector.Connector;
    import org.apache.catalina.startup.Tomcat;
    import org.apache.tomcat.util.net.SSLHostConfig;

    public class Main {
        public static void main(String[] args) throws Exception {
            Tomcat tomcat = new Tomcat();
            tomcat.setPort(PATHS.getPortNumber());
            Connector c = tomcat.getConnector();
            c.setSecure(true);
            c.setScheme("https");
            c.setProperty("SSLEnabled", "true");     // crucial bit of code
            SSLHostConfig ss = new SSLHostConfig();
            // ss.setHostName("localhost"); this breaks the init process - leave as "_default_"
            ss.setCertificateKeyAlias("mykey");      // if set to 'tomcat', init will throw
                                                     // "Alias name [tomcat] does not identify a key entry"
            ss.setCertificateKeystorePassword("changit");
            ss.setCertificateKeystoreFile(PATHS.getHomePath() + "/ks/mykeystor.jks");
            ss.setCertificateKeystoreType("PKCS12");
            ss.setCertificateKeystoreProvider("SUN");
            c.addSslHostConfig(ss);
            Context ctx = tomcat.addContext("", new File(".").getAbsolutePath());
            Tomcat.addServlet(ctx, "myApp", new MyApp());
            ctx.addServletMappingDecoded("/*", "myApp");
            Logr.s("connector scheme " + c.getScheme());
            Logr.s("connector SSLEnabled " + c.getProperty("SSLEnabled"));
            Logr.s("connector redirect " + c.getRedirectPort());   // defaults to 443
            Logr.s("connector protocol " + c.getProtocol());
            tomcat.start();
            tomcat.getServer().await();
        }
    }

When I use "tomcat" as the alias for the keystore I cannot load the final
issued certificate without an error. If I use "mykey" as the keystore alias
everything seems to be working, but the certificate returned to the browser
is not the domain-specific certified certificate but a certificate
generated with the certificate keystore fingerprint. In a properly
operating implementation, what certificate should be returned to the
browser?
I'm obviously doing something wrong. But what?
-- 
Vince Stewart

Re: SSL configuration for Tomcat 9

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Vince,

On 7/15/22 19:56, Vince Stewart wrote:
> My system uses embedded Tomcat to connect to an HttpServlet instance.
> I have just upgraded from Tomcat 8.0.2 to 9.0.64.
> I am implementing SSL for the first time.
> 
> I created a keystore with no alias. Keytool gave it the alias "mykey" (2nd
> entry below).
> I imported an issued PEM certificate (4 items in chain).
> The final item in the chain has the alias "tomcat" as per
> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Importing_the_Certificate
> (The same documentation recommends the keystore alias also be 'tomcat', but
> if the keystore and the issued certificate are both given the same alias
> (ie 'tomcat'), keytool will import the final entry as "self generated" and
> throw an error.) Here is my abbreviated keystore list using alias 'mykey'
> for the keystore.

You have to import the signed cert on top of the one that already 
exists. Because you used "mykey" as the alias for the key/cert 
initially, you must use the same alias when you import the signed cert. 
Your self-signed cert will be replaced with the signed one. Remove the 
"tomcat" one and tell Tomcat to use "mykey".

Remember to make a backup ;)

I hate keystores.

-chris

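An added pre-start check (my own example, not code from this thread or from Tomcat) that applies the two conditions Chris describes to the keystore before tomcat.start() is called: the alias given to setCertificateKeyAlias must be a key entry, and the certificate stored under that alias must be the CA-issued one rather than the self-signed one keytool generated with the key. The class name KeystoreCheck and its command-line arguments (keystore path, password, alias) are my assumptions; it opens the keystore as type PKCS12 without naming a provider, and the SHA-256 fingerprint it prints can be compared against the keytool -list output in the original post.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
/** Pre-start check (hypothetical helper): java KeystoreCheck ks/mykeystor.jks changit mykey */
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        String path = args[0], password = args[1], alias = args[2];
        KeyStore ks = KeyStore.getInstance("PKCS12");   // same type SSLHostConfig is given above
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        // Tomcat's precondition: certificateKeyAlias must name a PrivateKeyEntry, not a
        // trustedCertEntry such as the "tomcat" entry in the listing (hence the init error).
        if (!ks.isKeyEntry(alias)) {
            List<String> keyAliases = new ArrayList<>();
            for (String a : Collections.list(ks.aliases())) {
                if (ks.isKeyEntry(a)) keyAliases.add(a);
            }
            System.err.println("Alias [" + alias + "] is not a key entry; key entries: " + keyAliases);
            System.exit(1);
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate leaf = (X509Certificate) chain[0];
        System.out.println("chain length: " + chain.length);
        System.out.println("leaf subject: " + leaf.getSubjectX500Principal());
        System.out.println("leaf issuer:  " + leaf.getIssuerX500Principal());
        System.out.println("leaf SHA-256: " + fingerprint(leaf));   // compare with keytool -list
        // A self-signed leaf means the issued certificate was never imported under this alias:
        // Tomcat will serve the cert keytool generated with the key and browsers will reject it.
        if (leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            System.err.println("leaf is self-signed: import the issued cert under alias [" + alias + "]");
            System.exit(2);
        }
        System.out.println("OK: [" + alias + "] will serve a CA-issued certificate");
    }

    /** SHA-256 fingerprint in keytool's AA:BB:CC form. */
    static String fingerprint(Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }
}
```

After importing the signed certificate on top of "mykey", the fingerprint printed here should match the one keytool previously showed for the separately imported "tomcat" entry, and the chain length should equal the number of certificates in the issued chain.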