If you are testing locally (i.e. on localhost), you might want to check
whether the root and intermediate CAs exist. Or just import them:
1. Find out where your JDK is - say JDK_PATH
2. Keep a backup copy somewhere of JDK_PATH\jre\lib\security\cacerts
3. Run the following command for each root/intermediate CA cert:
   keytool -import -trustcacerts -keystore JDK_PATH\jre\lib\security\cacerts -storepass changeit -noprompt -file CA_FILE_LOCATION

Restart your Tomcat and check.

On 4 August 2017 at 17:23, Hameed, Amir <amir.ham...@xerox.com> wrote:

> Thank you for your reply. Please see my answers below:
>
> Have you imported the signed server certificate into the server keystore
> with all the root+intermediate certificates? In other words, does the
> "chain-of-trust" exist in the server keystore?
> >> Yes, I have imported all trusted certificates (COMODORSAAddTrustCA.crt
> + AddTrustExternalCARoot.crt + 
> COMODORSAOrganizationValidationSecureServerCA.crt)
> into the server key store along with the signed server certificate.
>
> You just need to add the root and intermediate CA certs to the trust store -
> any server certs signed by them are, by default, trusted.
> >> I am new to Tomcat. Where can I find the trust store and is it separate
> from the server key store?
>
> Thanks
> -----Original Message-----
> From: M. Manna [mailto:manme...@gmail.com]
> Sent: Friday, August 4, 2017 12:16 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: SSL is not working
>
> Have you imported the signed server certificate into the server keystore
> with all the root+intermediate certificates? In other words, does the
> "chain-of-trust" exist in the server keystore?
>
> You just need to add the root and intermediate CA certs to the trust store -
> any server certs signed by them are, by default, trusted.
>
>
> On 4 August 2017 at 17:09, Hameed, Amir <amir.ham...@xerox.com> wrote:
>
> > Hi,
> > I am trying to configure Tomcat 8.0.36 with SSL and running into some
> > issues. The JDK version I am using is 1.8.0_64. I used the following
> > process to implement SSL:
> >
> > 1. Generated a Java key store using the following command:
> > ${JAVA_HOME}/bin/keytool -genkey -alias [alias-name] -keyalg RSA -keysize 2048 \
> >   -keystore [key-store-path]/keystore.jks \
> >   -dname "CN=[common-name],OU=[org-unit], O=[company-name], L=[city], ST=[state], C=US"
> >
> > 2. Generated a CSR using the following command:
> > ${JAVA_HOME}/bin/keytool -certreq -alias [alias-name] -file [key-store-path]/[csr-file-name] \
> >   -keystore [key-store-path]/keystore.jks
> >
> > 3. Requested a certificate from COMODO.
> >
> > 4. Imported all trusted certificates from COMODO into the key store
> > using the following command. There were a total of three trusted certificates
> > that we received from COMODO:
> > ${JAVA_HOME}/bin/keytool -import -trustcacerts -alias [alias-name] \
> >   -file [ssl-cert-file] -keystore [key-store-path]/keystore.jks -v
> >
> > 5. Modified Tomcat's server.xml file as shown below:
> >
> >     <Connector port="[ssl-port]" protocol="org.apache.coyote.http11.Http11NioProtocol"
> >                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> >                clientAuth="false" sslProtocol="TLS"
> >                keystoreFile="[key-store-path]/keystore.jks"
> >                keystoreType="JKS" keystorePass="[key-store-password]" />
> >
> > 6. Restarted Tomcat.
> >
> > 7. Accessed the Tomcat homepage from the browser using https and the
> > browser complained about the page being insecure. When I looked at the
> > certificate from the browser, I see that the Certificate Path tab of
> > the certificate shows that the trusted chain is incomplete and does
> > not show the trusted certificates that I had imported into the key store.
> >
> > What am I missing here? Any help will be appreciated.
> >
> >
> > Thank you,
> > Amir
> >
> >
>
>
>
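For the symptom in the original post (the browser shows an incomplete certificate path even though the CA certificates were imported into the keystore), the useful check is what is stored with the key entry itself: Tomcat sends clients the chain held by the PrivateKeyEntry, and CA certificates that sit in the keystore only as separate trusted entries are not sent. The script below is an added example, not code from this thread; it parses `keytool -list -v` output, the listing and the aliases `tomcat`/`root-ca` are constructed placeholders, and live use assumes `keytool` is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): report the certificate chain length
# stored with a keystore entry, from `keytool -list -v` output read on stdin.
# A PrivateKeyEntry whose chain length is 1 holds only the leaf certificate,
# so Tomcat would serve no intermediate/root and browsers see a broken path.

# Print the chain length recorded for ALIAS ($1); 0 if the alias is absent or
# has no chain (trustedCertEntry entries print no "Certificate chain length").
chain_length_of() {
  awk -v alias="$1" '
    /^Alias name:/               { cur = substr($0, index($0, ":") + 2) }
    /^Certificate chain length:/ { len[cur] = $4 }
    END { print (alias in len) ? len[alias] : 0 }'
}

# Exit 0 when the entry holds more than the leaf certificate, 1 otherwise.
chain_is_complete() {
  n=$(chain_length_of "$1")
  [ "$n" -gt 1 ]
}

# Constructed keytool -list -v listing with placeholder names: the leaf was
# stored alone under "tomcat", the CA certificate as a separate trusted entry.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: tomcat
Creation date: Aug 4, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.com, O=Example
Issuer: CN=EXAMPLE Intermediate CA

*******************************************

Alias name: root-ca
Creation date: Aug 4, 2017
Entry type: trustedCertEntry

Owner: CN=EXAMPLE Root CA
Issuer: CN=EXAMPLE Root CA'

# Live use (keytool on PATH, keystore and password from the thread's setup):
#   keytool -list -v -keystore keystore.jks -storepass "$PASS" | chain_is_complete tomcat
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LISTING" | chain_is_complete tomcat \
    && echo "chain OK" || echo "only the leaf certificate is stored with the key entry"
fi
```

Run with `--demo` to see the constructed case; pipe a real `keytool -list -v` listing in to check your own keystore.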
