Posted to users@tomcat.apache.org by "Andrews, Wayne" <wa...@sap.com> on 2009/05/07 04:43:51 UTC

SSL Mysterious Self Signed Certificate

Hi

I have an issue whereby on a windows installation of Tomcat; I have a
mysterious self signed certificate displayed within the browser.
Despite the fact that I have created a new keystore and imported the
relevant root certs and SSL cert and then redirected server.xml to point
to the keystore

Any ideas?:
W.


RE: SSL Mysterious Self Signed Certificate

Posted by Ma...@McAfee.com.
Can you clarify on "mysterious self-signed certificate displayed within the browser"?  Also, into what did you import the "relevant root certs and SSL cert"?  The keystore?  

W is right.  If your certificate was not issued (signed) by a CA that the browser trusts, then the browser will not trust your certificate and will show a warning as a result.  If that is your issue, then in order to get that message to go away, you'll either need to use a certificate issued by a trusted CA, or import your certificate information into the browser.

~Mark 
 

-----Original Message-----
From: Jonathan Mast [mailto:jhmast.developer@gmail.com] 
Sent: Thursday, May 07, 2009 9:59 AM
To: Tomcat Users List
Subject: Re: SSL Mysterious Self Signed Certificate

It's my understanding that all Self-signed certs generate the creepy browser
messages.  Not sure though.  Were the imported root certs issued by a well
known CA?

On Wed, May 6, 2009 at 10:43 PM, Andrews, Wayne <wa...@sap.com> wrote:

>
> Hi
>
> I have an issue whereby on a windows installation of Tomcat; I have a
> mysterious self signed certificate displayed within the browser.
> Despite the fact that I have created a new keystore and imported the
> relevant root certs and SSL cert and then redirected server.xml to point
> to the keystore
>
> Any ideas?:
> W.
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: SSL Mysterious Self Signed Certificate - FIXED

Posted by Hassan Schroeder <ha...@gmail.com>.
On Fri, May 8, 2009 at 8:03 AM, Andrews, Wayne <wa...@sap.com> wrote:

> In summary Tomcat requires a .keystore file under c:\document and
> settings\default user and as such the one there was not the one detailed
> within server.xml.

That would be terribly awkward for all of us running Tomcat successfully
on non-Windows platforms, eh?  :-)

> Q: What's the point of referencing a specific keystore within server.xml
> if it does take notice of it?

Referencing a "specific keystore" most assuredly works just fine --
your configuration has an error somewhere.

-- 
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com



RE: SSL Mysterious Self Signed Certificate - FIXED

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Andrews, Wayne [mailto:wayne.andrews@sap.com]
> Subject: RE: SSL Mysterious Self Signed Certificate - FIXED
> 
> In summary Tomcat requires a .keystore file under c:\document and
> settings\default user and as such the one there was not the one detailed
> within server.xml.

That's simply not true; you can specify the location in the <Connector> element.  Post your server.xml so we can see what it looks like.  (Obfuscate any sensitive information, of course.)

 - Chuck
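
As an added example (not code from any poster in this thread or from the Tomcat project), the check below reads a server.xml and reports which keystore each SSL `<Connector>` will actually use, relying on Tomcat's documented default of a `.keystore` file in the home directory of the user running Tomcat when no `keystoreFile` attribute is present. The sample server.xml, its paths and the function name `audit_connectors` are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: the 8443 Connector misspells keystoreFile (wrong case),
# so an XML parser sees no keystoreFile attribute on it at all.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               keyStoreFile="C:/certs/site.jks" keystorePass="changeit"/>
    <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="C:/certs/site.jks" keystorePass="changeit"/>
  </Service>
</Server>"""

KNOWN = ("keystoreFile", "keystorePass", "keystoreType", "keyAlias")


def audit_connectors(server_xml, user_home=None):
    """Return one finding per SSL Connector: port, effective keystore, warnings."""
    home = user_home or os.path.expanduser("~")
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        attrs = conn.attrib
        if attrs.get("SSLEnabled", "").lower() != "true" and attrs.get("scheme") != "https":
            continue  # plain HTTP connector, no keystore involved
        warnings = []
        # XML attribute names are case-sensitive: flag near misses of known names.
        for name in attrs:
            for known in KNOWN:
                if name != known and name.lower() == known.lower():
                    warnings.append(f"'{name}' should be spelled '{known}'")
        if "keystoreFile" in attrs:
            keystore, source = attrs["keystoreFile"], "server.xml"
        else:
            # Documented Tomcat default when keystoreFile is not set.
            keystore, source = f"{home}/.keystore", "default"
            warnings.append("no keystoreFile attribute; default keystore in user home is used")
        findings.append({"port": attrs.get("port"), "keystore": keystore,
                         "source": source, "warnings": warnings})
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML, user_home="C:/Users/tomcat"):
        print(f["port"], f["source"], f["keystore"], *f["warnings"], sep=" | ")
```

A connector reported with source `default` serves whatever certificate sits in the home-directory keystore, which matches the symptom described in this thread.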




RE: SSL Mysterious Self Signed Certificate - FIXED

Posted by "Andrews, Wayne" <wa...@sap.com>.
Problem fixed!

In summary Tomcat requires a .keystore file under c:\document and
settings\default user and as such the one there was not the one detailed
within server.xml.

I changed the entries within this default keystore, restarted tomcat and
excellent problem resolved.

Q: What's the point of referencing a specific keystore within server.xml
if it does take notice of it?


-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Saturday, 9 May 2009 12:53 AM
To: Tomcat Users List
Subject: Re: SSL Mysterious Self Signed Certificate

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Wayne,

On 5/7/2009 5:23 PM, Andrews, Wayne wrote:
> I created a new keystore, imported the root certificate from Thawte, 
> then the signed cert.  The browser displays some self signed cert
> that has expired.

Wait, you signed the certificate? That's called a self-signed
certificate, when you .... sign the cert ... yourself.

If you are using a legitimate certificate /signed by Thawte/ and you're
still getting this error, there are two possibilities that I can think
of:

1. Thawte has a two-part cert, and you've only imported one of the
   parts. This can happen with the new-fangled EV certs (we had this
   problem ourselves... we had the VeriSign intermediate cert
   installed on our servers for years, but we required a /second/
   intermediate cert in order to get the new EV cert not to complain
   on certain browsers (but not all... strange).

2. You aren't sending the cert you think you're sending to the
   browser.

Use your browser to check the cert it's receiving, and check the
certificate "chain", too.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkoER2UACgkQ9CaO5/Lv0PAPXQCfeh1Ch8npN/x87WOwu5xO9CTJ
PxQAmgM7AueeiFMzInJ1ikGz+GwMUTW+
=6AJn
-----END PGP SIGNATURE-----



Re: SSL Mysterious Self Signed Certificate

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Wayne,

On 5/7/2009 5:23 PM, Andrews, Wayne wrote:
> I created a new keystore, imported the root certificate from Thawte, 
> then the signed cert.  The browser displays some self signed cert
> that has expired.

Wait, you signed the certificate? That's called a self-signed
certificate, when you .... sign the cert ... yourself.

If you are using a legitimate certificate /signed by Thawte/ and you're
still getting this error, there are two possibilities that I can think of:

1. Thawte has a two-part cert, and you've only imported one of the
   parts. This can happen with the new-fangled EV certs (we had this
   problem ourselves... we had the VeriSign intermediate cert
   installed on our servers for years, but we required a /second/
   intermediate cert in order to get the new EV cert not to complain
   on certain browsers (but not all... strange).

2. You aren't sending the cert you think you're sending to the
   browser.

Use your browser to check the cert it's receiving, and check the
certificate "chain", too.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkoER2UACgkQ9CaO5/Lv0PAPXQCfeh1Ch8npN/x87WOwu5xO9CTJ
PxQAmgM7AueeiFMzInJ1ikGz+GwMUTW+
=6AJn
-----END PGP SIGNATURE-----



RE: SSL Mysterious Self Signed Certificate

Posted by "Andrews, Wayne" <wa...@sap.com>.
Hi 

I created a new keystore, imported the root certificate from thawte,
then the signed cert.  The browser displays some self signed cert that
has expired.

Cheers
W


-----Original Message-----
From: Jonathan Mast [mailto:jhmast.developer@gmail.com] 
Sent: Friday, 8 May 2009 2:59 AM
To: Tomcat Users List
Subject: Re: SSL Mysterious Self Signed Certificate

It's my understanding that all Self-signed certs generate the creepy browser
messages.  Not sure though.  Were the imported root certs issued by a well
known CA?

On Wed, May 6, 2009 at 10:43 PM, Andrews, Wayne <wa...@sap.com> wrote:

>
> Hi
>
> I have an issue whereby on a windows installation of Tomcat; I have a
> mysterious self signed certificate displayed within the browser.
> Despite the fact that I have created a new keystore and imported the
> relevant root certs and SSL cert and then redirected server.xml to point
> to the keystore
>
> Any ideas?:
> W.
>
>



Re: SSL Mysterious Self Signed Certificate

Posted by Jonathan Mast <jh...@gmail.com>.
It's my understanding that all Self-signed certs generate the creepy browser
messages.  Not sure though.  Were the imported root certs issued by a well
known CA?

On Wed, May 6, 2009 at 10:43 PM, Andrews, Wayne <wa...@sap.com> wrote:

>
> Hi
>
> I have an issue whereby on a windows installation of Tomcat; I have a
> mysterious self signed certificate displayed within the browser.
> Despite the fact that I have created a new keystore and imported the
> relevant root certs and SSL cert and then redirected server.xml to point
> to the keystore
>
> Any ideas?:
> W.
>
>