Posted to users@tomcat.apache.org by Si...@contractor.amat.com on 2013/12/04 12:11:28 UTC

enable SSL for Tomcat

Hi,

I need to enable SSL for Tomcat on Windows Server 2008. I have generated a certificate using the CSR generated by this command: certreq -new request.inf request.req

request.inf:
[NewRequest]
Subject = ""
Exportable = TRUE
KeyLength = 2048
MachineKeySet = TRUE
FriendlyName = "DN of the server"
KeySpec = 1
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}"
continue = "Server DN&"

Now, with the generated CSR file, I have got the certificate from our organization, which is in .cer format.

I have imported this certificate into CACERTS using keytool and uncommented the connector configuration in servers.xml in the Apache conf folder.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" keystoreFile="C:\Program Files\Java\jre7\lib\security\CACERTS" keystorePass="changeit" maxThreads="300" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />

I didn't find any error on startup of Tomcat, but SSL is still not enabled.

Could anyone help me in fixing this?

Regards!!
Siva Kumar Balaguru
SME | Identity, Security Access and Messaging Services (ISAMS) | Applied Materials India Pvt. Ltd. | Chennai | India
Mobile : +91-8438569069|Extn : 7002 | Tie Line: #9575 7002

What is ISAMS?  Please see our site to learn more: isams.amat.com<http://isams.amat.com/>

The content of this message is Applied Materials Confidential. If you are not the intended recipient and have received this message in error, any use or distribution is prohibited. Please notify me immediately by reply e-mail and delete this message from your computer system. Thank you
** Save a tree. Please don't print this e-mail unless needed.


Re: enable SSL for Tomcat

Posted by Ognjen Blagojevic <og...@gmail.com>.
Sivakumar,

On 4.12.2013 14:27, Sivakumar_Balaguru@contractor.amat.com wrote:
> This csr has the DN formatted like CN=<server name>, OU=<OU Name>, O=<Organization Name>, L=<Location>, ST=<State>, C=<country>
> which is based on the information we give while generating the keystore.
>
> But the signing authority in our domain accepts the dn format with cn=<server name>,ou=Devices,o=<organization>,c=<country>

Please do not top post. Reply under the quote. That is standard on this 
list.

You may try to use keytool -genkeypair -dname "..."

-Ognjen


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: enable SSL for Tomcat

Posted by Si...@contractor.amat.com.
Hi Daniel,

I have generated the csr with the keytool:

keytool -certreq -sigalg RSA -alias <alias> -file certreq.csr -keystore <keystorename>

This csr has the DN formatted like CN=<server name>, OU=<OU Name>, O=<Organization Name>, L=<Location>, ST=<State>, C=<country>
which is based on the information we give while generating the keystore.

But the signing authority in our domain accepts the dn format with cn=<server name>,ou=Devices,o=<organization>,c=<country> 

When I request a certificate using the keytool-based CSR, I get an invalid request error as the format is different.

Is there a way I can generate the CSR in this format using keytool?

Keytool always asks for location information for generating the keystore.

Thanks,
Siva Kumar Balaguru.

-----Original Message-----
From: Daniel Mikusa [mailto:dmikusa@gopivotal.com] 
Sent: Wednesday, December 04, 2013 6:45 PM
To: Tomcat Users List
Subject: Re: enable SSL for Tomcat

On Dec 4, 2013, at 7:40 AM, Sivakumar_Balaguru@contractor.amat.com wrote:

> Hi Ognjen,
> 
> I have tried this as well.
> 
> I have generated a new keystore. By default, keytool generates a keystore with a private key.

Good.  You're half way there.

> 
> I have imported the trusted signed certificate to this keystore.

Huh?  Which signed certificate?  The one that you had generated using the MS tool?  If so, that's not going to work.  You need to generate a new CSR based on the keystore's private cert and get a new signed certificate from your CA.  Then import the new signed cert into your keystore.

Dan


> 
> But Tomcat is using the unsigned key/certificate which has been generated by default with keytool. 
> 
> The domain is not trusting this certificate as it is private self-signed certificate not the trusted one and SSL is not accomplished.
> 
> As an alternative, I have deleted the self-signed private key from the keystore so that the keystore contains only one certificate which is signed by the certified authority (Entrust).
> 
> This couldn't help me in enabling SSL.
> 
> 
> Regards!!
> Siva Kumar Balaguru
> 
> -----Original Message-----
> From: Ognjen Blagojevic [mailto:ognjen.d.blagojevic@gmail.com]
> Sent: Wednesday, December 04, 2013 5:25 PM
> To: Tomcat Users List
> Subject: Re: enable SSL for Tomcat
> 
> Sivakumar,
> 
> On 4.12.2013 12:11, Sivakumar_Balaguru@contractor.amat.com wrote:
>> I need to enable SSL for Tomcat on Windows Server 2008. I have 
>> generated a certificate using the CSR generated by this command:
>> certreq -new request.inf request.req
> (...)
>> I have imported this certificate to CACERTS using keytool and uncommented the connector configuration in servers.xml in APACHE conf folder.
> 
> You used the Microsoft tool (certreq) to generate the private key and CSR, and the Java tool (keytool) to import the certificate into the Java keystore. 
> That is your problem.
> 
> You need to, *either*:
> 
> 1. Start from the beginning: Use Java keytool to generate the private key in a Java keystore, to create the CSR, and to import the certificate into that SAME Java keystore. You should not use the "cacerts" file as your keystore, but another file for that purpose (e.g. c:\users\sivakumar\server.jks).
> 
> 2. Reuse what you have so far: Find where certreq stored the private key; export the private key; import the private key and certificate into a PKCS keystore; convert the PKCS keystore into a new keystore in JKS format.
> 
> You should consider which one is easier for you, and then we can help you along the way.
> 
> 
>> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" keystoreFile="C:\Program Files\Java\jre7\lib\security\CACERTS" keystorePass="changeit" maxThreads="300" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
> 
> Whatever you do, you will have to change the keystoreFile attribute from 
> "C:\Program Files\Java\jre7\lib\security\CACERTS" to e.g.
> "c:\users\sivakumar\server.jks".
> 
> 
>> I didn't find any error on startup of Tomcat but still ssl is not enabled.
> 
> That is strange. What you described would result in the cacerts file 
> containing the server certificate without the private key. Therefore I 
> would expect Tomcat to complain that it cannot find the private key.
> 
> Either way, the cacerts file is not the right place to store the server 
> private key and certificate. That file should contain only 
> certificates from trusted CAs.
> 
> -Ognjen
> 


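The DN problem in the post above comes from keytool's interactive prompts, which add L= and ST= that this CA rejects; Ognjen's suggestion is to pass -dname explicitly. The following is an added example, not code from the thread or from the JDK: it checks a subject DN against the attribute set the CA accepts and lays out the keytool sequence from Ognjen's option 1 (key pair, CSR, CA certificate, CA reply, all against the same keystore). Nothing is executed; the commands are returned as argv lists for review. The keystore path, alias, storepass, file names and DN values are placeholders.

```python
"""keytool workflow with an explicit -dname (added example, not from the thread).

The CA in the thread only accepts cn=<server>,ou=Devices,o=<organization>,c=<country>,
while keytool's interactive prompts also fill in L= and ST=. Passing -dname to
-genkeypair skips the prompts and fixes the subject exactly, so the CSR produced by
-certreq carries the DN the CA expects. Paths, alias, storepass and DN values below
are placeholders.
"""
from __future__ import annotations

import re

# Attribute types, in order, that the CA policy described in the thread accepts.
REQUIRED = ("CN", "OU", "O", "C")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 2253 style DN into (type, value) pairs, honouring backslash-escaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def check_dn(dn: str, required: tuple[str, ...] = REQUIRED) -> list[str]:
    """Return policy violations for a subject DN; an empty list means the CA should accept it."""
    attrs = [a for a, _ in parse_dn(dn)]
    problems = []
    for a in required:
        if attrs.count(a) != 1:
            problems.append(f"missing or duplicated {a}")
    extra = [a for a in attrs if a not in required]
    if extra:  # typically L and ST added by keytool's prompts
        problems.append("unexpected attribute(s): " + ", ".join(extra))
    if not problems and attrs != list(required):
        problems.append("attribute order differs from policy")
    return problems


def keytool_commands(keystore: str, alias: str, dn: str, storepass: str,
                     csr_file: str, ca_cert: str, ca_reply: str) -> list[list[str]]:
    """The sequence of Ognjen's option 1, every step against the SAME dedicated keystore."""
    common = ["-keystore", keystore, "-storepass", storepass]
    return [
        # 1. new RSA key pair; the subject is given explicitly, so keytool asks no questions
        ["keytool", "-genkeypair", "-alias", alias, "-keyalg", "RSA", "-keysize", "2048",
         "-dname", dn, *common],
        # 2. CSR for that key; its subject is the DN from step 1
        ["keytool", "-certreq", "-alias", alias, "-file", csr_file, *common],
        # 3. issuing CA certificate, so keytool can build the chain when the reply arrives
        ["keytool", "-importcert", "-alias", "issuing-ca", "-file", ca_cert, "-trustcacerts", *common],
        # 4. the CA reply, imported under the SAME alias so it attaches to the private key
        ["keytool", "-importcert", "-alias", alias, "-file", ca_reply, "-trustcacerts", *common],
    ]


if __name__ == "__main__":
    subject = "CN=app.example.test,OU=Devices,O=Example Corp,C=IN"  # placeholder values
    for problem in check_dn(subject):
        raise SystemExit(f"DN rejected: {problem}")
    for argv in keytool_commands(r"c:\users\sivakumar\server.jks", "tomcat", subject,
                                 "changeit", "tomcat.csr", "issuing-ca.cer", "tomcat-signed.cer"):
        print(" ".join(f'"{a}"' if " " in a else a for a in argv))
```

Run it to print the four commands for copy-and-paste; the DN check runs first so a subject with L= or ST= is rejected before any key is generated. Step 4 must use the alias from step 1: importing the CA reply under a different alias creates a trustedCertEntry, which is exactly the state the original post ended up in.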


Re: enable SSL for Tomcat

Posted by Daniel Mikusa <dm...@gopivotal.com>.
On Dec 4, 2013, at 7:40 AM, Sivakumar_Balaguru@contractor.amat.com wrote:

> Hi Ognjen,
> 
> I have tried this as well.
> 
> I have generated a new keystore. By default, keytool generates a keystore with a private key.

Good.  You're half way there.

> 
> I have imported the trusted signed certificate to this keystore.

Huh?  Which signed certificate?  The one that you had generated using the MS tool?  If so, that's not going to work.  You need to generate a new CSR based on the keystore's private cert and get a new signed certificate from your CA.  Then import the new signed cert into your keystore.

Dan


> 
> But Tomcat is using the unsigned key/certificate which has been generated by default with keytool. 
> 
> The domain is not trusting this certificate as it is private self-signed certificate not the trusted one and SSL is not accomplished.
> 
> As an alternative, I have deleted the self-signed private key from the keystore so that the keystore contains only one certificate which is signed by the certified authority (Entrust).
> 
> This couldn't help me in enabling SSL.
> 
> 
> Regards!!
> Siva Kumar Balaguru
> 
> -----Original Message-----
> From: Ognjen Blagojevic [mailto:ognjen.d.blagojevic@gmail.com] 
> Sent: Wednesday, December 04, 2013 5:25 PM
> To: Tomcat Users List
> Subject: Re: enable SSL for Tomcat
> 
> Sivakumar,
> 
> On 4.12.2013 12:11, Sivakumar_Balaguru@contractor.amat.com wrote:
>> I need to enable SSL for Tomcat on Windows Server 2008. I have 
>> generated a certificate using the CSR generated by this command: 
>> certreq -new request.inf request.req
> (...)
>> I have imported this certificate to CACERTS using keytool and uncommented the connector configuration in servers.xml in APACHE conf folder.
> 
> You used the Microsoft tool (certreq) to generate the private key and CSR, and the Java tool (keytool) to import the certificate into the Java keystore. 
> That is your problem.
> 
> You need to, *either*:
> 
> 1. Start from the beginning: Use Java keytool to generate the private key in a Java keystore, to create the CSR, and to import the certificate into that SAME Java keystore. You should not use the "cacerts" file as your keystore, but another file for that purpose (e.g. c:\users\sivakumar\server.jks).
> 
> 2. Reuse what you have so far: Find where certreq stored the private key; export the private key; import the private key and certificate into a PKCS keystore; convert the PKCS keystore into a new keystore in JKS format.
> 
> You should consider which one is easier for you, and then we can help you along the way.
> 
> 
>> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" keystoreFile="C:\Program Files\Java\jre7\lib\security\CACERTS" keystorePass="changeit" maxThreads="300" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
> 
> Whatever you do, you will have to change the keystoreFile attribute from 
> "C:\Program Files\Java\jre7\lib\security\CACERTS" to e.g. 
> "c:\users\sivakumar\server.jks".
> 
> 
>> I didn't find any error on startup of Tomcat but still ssl is not enabled.
> 
> That is strange. What you described would result in the cacerts file 
> containing the server certificate without the private key. Therefore I would 
> expect Tomcat to complain that it cannot find the private key.
> 
> Either way, the cacerts file is not the right place to store the server private 
> key and certificate. That file should contain only certificates from 
> trusted CAs.
> 
> -Ognjen
> 




RE: enable SSL for Tomcat

Posted by Si...@contractor.amat.com.
Hi Ognjen,

I have tried this as well.

I have generated a new keystore. By default, keytool generates a keystore with a private key.

I have imported the trusted signed certificate to this keystore.

But Tomcat is using the unsigned key/certificate which has been generated by default with keytool. 

The domain is not trusting this certificate as it is private self-signed certificate not the trusted one and SSL is not accomplished.

As an alternative, I have deleted the self-signed private key from the keystore so that the keystore contains only one certificate which is signed by the certified authority (Entrust).

This couldn't help me in enabling SSL.


Regards!!
Siva Kumar Balaguru

-----Original Message-----
From: Ognjen Blagojevic [mailto:ognjen.d.blagojevic@gmail.com] 
Sent: Wednesday, December 04, 2013 5:25 PM
To: Tomcat Users List
Subject: Re: enable SSL for Tomcat

Sivakumar,

On 4.12.2013 12:11, Sivakumar_Balaguru@contractor.amat.com wrote:
> I need to enable SSL for Tomcat on Windows Server 2008. I have 
> generated a certificate using the CSR generated by this command: 
> certreq -new request.inf request.req
(...)
> I have imported this certificate to CACERTS using keytool and uncommented the connector configuration in servers.xml in APACHE conf folder.

You used the Microsoft tool (certreq) to generate the private key and CSR, and the Java tool (keytool) to import the certificate into the Java keystore. 
That is your problem.

You need to, *either*:

1. Start from the beginning: Use Java keytool to generate the private key in a Java keystore, to create the CSR, and to import the certificate into that SAME Java keystore. You should not use the "cacerts" file as your keystore, but another file for that purpose (e.g. c:\users\sivakumar\server.jks).

2. Reuse what you have so far: Find where certreq stored the private key; export the private key; import the private key and certificate into a PKCS keystore; convert the PKCS keystore into a new keystore in JKS format.

You should consider which one is easier for you, and then we can help you along the way.


> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" keystoreFile="C:\Program Files\Java\jre7\lib\security\CACERTS" keystorePass="changeit" maxThreads="300" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />

Whatever you do, you will have to change the keystoreFile attribute from 
"C:\Program Files\Java\jre7\lib\security\CACERTS" to e.g. 
"c:\users\sivakumar\server.jks".


> I didn't find any error on startup of Tomcat but still ssl is not enabled.

That is strange. What you described would result in the cacerts file 
containing the server certificate without the private key. Therefore I would 
expect Tomcat to complain that it cannot find the private key.

Either way, the cacerts file is not the right place to store the server private 
key and certificate. That file should contain only certificates from 
trusted CAs.

-Ognjen



Re: enable SSL for Tomcat

Posted by Ognjen Blagojevic <og...@gmail.com>.
Sivakumar,

On 4.12.2013 12:11, Sivakumar_Balaguru@contractor.amat.com wrote:
> I need to enable SSL for Tomcat on Windows Server 2008. I have generated a certificate using the CSR generated by this command: certreq -new request.inf request.req
(...)
> I have imported this certificate to CACERTS using keytool and uncommented the connector configuration in servers.xml in APACHE conf folder.

You used the Microsoft tool (certreq) to generate the private key and CSR, 
and the Java tool (keytool) to import the certificate into the Java keystore. 
That is your problem.

You need to, *either*:

1. Start from the beginning: Use Java keytool to generate the private key in 
a Java keystore, to create the CSR, and to import the certificate into that SAME 
Java keystore. You should not use the "cacerts" file as your keystore, but 
another file for that purpose (e.g. c:\users\sivakumar\server.jks).

2. Reuse what you have so far: Find where certreq stored the private key; 
export the private key; import the private key and certificate into a PKCS 
keystore; convert the PKCS keystore into a new keystore in JKS format.

You should consider which one is easier for you, and then we can help 
you along the way.


> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" keystoreFile="C:\Program Files\Java\jre7\lib\security\CACERTS" keystorePass="changeit" maxThreads="300" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />

Whatever you do, you will have to change the keystoreFile attribute from 
"C:\Program Files\Java\jre7\lib\security\CACERTS" to e.g. 
"c:\users\sivakumar\server.jks".


> I didn't find any error on startup of Tomcat but still ssl is not enabled.

That is strange. What you described would result in the cacerts file 
containing the server certificate without the private key. Therefore I would 
expect Tomcat to complain that it cannot find the private key.

Either way, the cacerts file is not the right place to store the server private 
key and certificate. That file should contain only certificates from 
trusted CAs.

-Ognjen

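Ognjen's diagnosis above, and Dan's follow-up, reduce to three checks a practitioner can run against `keytool -list -v` output before touching server.xml: the connector must not point at the JRE's cacerts trust store, the keystore must contain a PrivateKeyEntry (a trustedCertEntry alone has no private key for Tomcat to serve TLS with), and that entry's leaf certificate must be CA-issued rather than the self-signed certificate keytool creates by default. The following is an added example, not code from the thread or from Tomcat: it parses the listing format keytool prints and reports those findings. The three listings are constructed and trimmed; aliases and DNs are placeholders.

```python
"""Audit a Tomcat keystore from `keytool -list -v` output and the connector's keystoreFile.

Added example, not part of the thread. Listings below are constructed; aliases and
DNs are placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Entry:
    alias: str
    entry_type: str = ""   # "PrivateKeyEntry" or "trustedCertEntry"
    chain_length: int = 0  # keytool prints this only for PrivateKeyEntry
    owner: str = ""        # subject of Certificate[1], the leaf
    issuer: str = ""


def parse_keytool_list(text: str) -> list[Entry]:
    """Parse `keytool -list -v` output; only the leaf certificate's Owner/Issuer is kept."""
    entries: list[Entry] = []
    cur: Entry | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Alias name:\s*(.+)", line):
            cur = Entry(alias=m.group(1).strip())
            entries.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"Entry type:\s*(\w+)", line):
            cur.entry_type = m.group(1)
        elif m := re.match(r"Certificate chain length:\s*(\d+)", line):
            cur.chain_length = int(m.group(1))
        elif (m := re.match(r"Owner:\s*(.+)", line)) and not cur.owner:
            cur.owner = m.group(1).strip()
        elif (m := re.match(r"Issuer:\s*(.+)", line)) and not cur.issuer:
            cur.issuer = m.group(1).strip()
    return entries


def audit(keystore_file: str, listing: str) -> list[str]:
    """Return findings; an empty list means the keystore is usable by a Tomcat SSL connector."""
    findings: list[str] = []
    path = keystore_file.replace("\\", "/").lower()
    if path.endswith("/lib/security/cacerts"):
        findings.append("keystoreFile is the JRE cacerts trust store; use a dedicated keystore such as server.jks")
    keys = [e for e in parse_keytool_list(listing) if e.entry_type == "PrivateKeyEntry"]
    if not keys:
        findings.append("no PrivateKeyEntry: the keystore holds certificates only, so Tomcat has no private key to serve TLS")
        return findings
    for e in keys:
        if e.owner == e.issuer:
            findings.append(f"alias '{e.alias}' is self-signed (Owner == Issuer): the CA reply was never imported onto this key")
        elif e.chain_length < 2:
            findings.append(f"alias '{e.alias}' has only the leaf in its chain; import the issuing CA certificate so clients get the full chain")
    return findings


# Constructed listing: the state the original post describes (CA cert imported into cacerts).
CACERTS_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: app.example.test
Creation date: Dec 4, 2013
Entry type: trustedCertEntry

Owner: CN=app.example.test, OU=Devices, O=Example Corp, C=IN
Issuer: CN=Example Issuing CA, O=Example Corp, C=IN
"""

# Constructed listing: fresh keytool -genkeypair, CA reply not yet imported.
SELF_SIGNED_LISTING = """\
Alias name: tomcat
Creation date: Dec 4, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=app.example.test, OU=Devices, O=Example Corp, C=IN
Issuer: CN=app.example.test, OU=Devices, O=Example Corp, C=IN
"""

# Constructed listing: CA reply imported under the key's alias, issuing CA present.
SERVER_JKS_LISTING = """\
Alias name: tomcat
Creation date: Dec 4, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=app.example.test, OU=Devices, O=Example Corp, C=IN
Issuer: CN=Example Issuing CA, O=Example Corp, C=IN
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp, C=IN
Issuer: CN=Example Root CA, O=Example Corp, C=IN

Alias name: issuing-ca
Creation date: Dec 4, 2013
Entry type: trustedCertEntry

Owner: CN=Example Issuing CA, O=Example Corp, C=IN
Issuer: CN=Example Root CA, O=Example Corp, C=IN
"""

if __name__ == "__main__":
    for path, listing in ((r"C:\Program Files\Java\jre7\lib\security\CACERTS", CACERTS_LISTING),
                          (r"c:\users\sivakumar\server.jks", SELF_SIGNED_LISTING),
                          (r"c:\users\sivakumar\server.jks", SERVER_JKS_LISTING)):
        print(path, "->", audit(path, listing) or ["OK"])
```

On a real server, feed it the output of `keytool -list -v -keystore <file> -storepass <pass>` together with the keystoreFile value from the connector. The first constructed listing reproduces the original post (cacerts plus a trusted certificate only), the second the state from the follow-up where Tomcat served the default self-signed certificate, and the third the end state Ognjen's option 1 produces.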