Re: SSL Certificate Help
On 07/11/12 21:13, Alissa Schneider wrote:

> Hi - I'm a novice Tomcat user. I've only used the tool to support BusinessObjects. I recently was asked to set up SSL for the first time. Initially I created my own self-signed certificate and was able to get everything working fine, although I would get the 'certificate warning' error message when going to https://localhost:8443, but this was expected. Then my IT admin gave me a CA-signed certificate to use instead so we wouldn't get that warning. The problem I am having, is that Tomcat still seems to be reading my old self-signed certificate instead of being pointed to the CA-signed certificate.
>
> Here are my environment specifics:
> * Windows 2008 R2 64-bit
> * Tomcat 6.0.24
> * IE 8
>
> Here are the steps I have taken thus far:
> * I deleted my original keystore that held my self-signed certificate.
> * I deleted the self-signed certificate.
> * I recreated the keystore.

Which will have generated a NEW public/private key pair.

> * I imported the CA-signed certificate.

But when did you generate the certificate request for this certificate? Does it contain the SAME public key as in your new keystore?

> * I have an index.txt file that I deleted all the contents from so it is empty.
> * The server.xml file reflects the current keystore/pw information and the SSL lines have been uncommented.
>
> Still, when I visit https://localhost:8443, the browser throws a certificate warning. When I click on the certificate warning and view certificate, it displays information on my self-signed certificate (that I've deleted). I think if I could figure out how to make Tomcat point to the CA certificate instead of the old one, this would work for me. However, I'm not sure how to clear the Tomcat cache so to speak.
>
> I appreciate any help!

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL Certificate Help
Alissa,

On 7.11.2012 22:13, Alissa Schneider wrote:

> Here are the steps I have taken thus far:
> * I deleted my original keystore that held my self-signed certificate.
> * I deleted the self-signed certificate.
> * I recreated the keystore.
> * I imported the CA-signed certificate.
> * I have an index.txt file that I deleted all the contents from so it is empty.
> * The server.xml file reflects the current keystore/pw information and the SSL lines have been uncommented.
>
> Still, when I visit https://localhost:8443, the browser throws a certificate warning. When I click on the certificate warning and view certificate, it displays information on my self-signed certificate (that I've deleted). I think if I could figure out how to make Tomcat point to the CA certificate instead of the old one, this would work for me. However, I'm not sure how to clear the Tomcat cache so to speak.

Are you sure that the warning is the same? Perhaps the first warning was about certificate not being signed by CA, and second warning is about something else?

Every (CA-signed or self-signed) certificate is issued for the specific hostname. If certificate hostname does not match hostname from browser URL, browser will issue a warning.

Maybe that is the case here. If your CA-signed certificate is bound to hostname other than localhost and you access your Tomcat server using browser URL https://localhost:8443, then the browser will issue a warning.

I believe not a single CA would sign certificate for loopback interface hostname localhost, only for FQDN like server.example.com. Therefore, you should access your server using FQDN which your certificate is issued for.

-Ognjen
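Added example, not part of the original thread: the hostname comparison described in the message above, run against a certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns. The certificate contents, the name server.example.com and all function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: a CA-signed certificate issued for an FQDN, not for localhost.
SAMPLE_CERT = {
    "subject": ((("commonName", "server.example.com"),),),
    "subjectAltName": (("DNS", "server.example.com"),),
}

def _as_ip(text):
    """Return an ip_address object, or None when text is a DNS name."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def dns_name_matches(pattern, host):
    """Compare one certificate DNS name with the URL host, case-insensitively.
    A '*' is honoured only as the entire left-most label (*.example.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[2:]
    first_label, _, rest = host.partition(".")
    # Conservative: refuse wildcards directly under a single label (*.com).
    return bool(first_label) and rest == suffix and "." in suffix

def names_in_cert(cert):
    """Names compared against the URL: SAN entries, else the legacy CN."""
    san = cert.get("subjectAltName", ())
    dns = [v for kind, v in san if kind == "DNS"]
    ips = [v for kind, v in san if kind == "IP Address"]
    if not dns:
        # Legacy fallback (RFC 2818); current browsers require a SAN entry.
        dns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return dns, ips

def url_matches_cert(url, cert):
    """True when the host in the URL is one of the names the certificate covers."""
    host = urlsplit(url).hostname or ""
    dns, ips = names_in_cert(cert)
    host_ip = _as_ip(host)
    if host_ip is not None:
        return any(_as_ip(v) == host_ip for v in ips)
    return any(dns_name_matches(p, host) for p in dns)

if __name__ == "__main__":
    for url in ("https://localhost:8443", "https://server.example.com:8443"):
        print(url, "->", "ok" if url_matches_cert(url, SAMPLE_CERT) else "name mismatch warning")
```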
Re: SSL Certificate Help
Brian,

On 11/8/12 4:39 AM, Brian Burch wrote:

> On 07/11/12 21:13, Alissa Schneider wrote:
>> * I recreated the keystore.
>
> Which will have generated a NEW public/private key pair.

+1

>> * I imported the CA-signed certificate.
>
> But when did you generate the certificate request for this certificate? Does it contain the SAME public key as in your new keystore?

Probably not. My guess is that the keystore in question isn't the one being used by Tomcat.

Allison: please post your Connector configuration plus the path of the keystore file you have been re-working.

-chris
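Added example, not from the thread or the Tomcat project: one way to list which keystore file each SSL-enabled Connector in server.xml points at, so it can be compared with the file being re-worked. It assumes Tomcat's documented rules that a missing keystoreFile means `.keystore` in the home directory of the user running Tomcat and that a relative keystoreFile is resolved against CATALINA_BASE; the server.xml content, install path and home directory are constructed.

```python
import ntpath  # Windows path rules, matching the Windows 2008 R2 host in the thread
import xml.etree.ElementTree as ET

# Constructed sample: one SSL connector with no keystoreFile, one with a relative path.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" clientAuth="false" sslProtocol="TLS"
               keystorePass="changeit"/>
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" keystoreFile="conf/tomcat.jks" keyAlias="tomcat"/>
  </Service>
</Server>"""

def ssl_keystores(server_xml, catalina_base, user_home):
    """Return, per SSL connector, the keystore path Tomcat will actually open."""
    found = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connector, no keystore involved
        configured = conn.get("keystoreFile")
        if configured is None:
            # No attribute: Tomcat falls back to <home of the Tomcat user>\.keystore
            path, source = ntpath.join(user_home, ".keystore"), "default"
        elif ntpath.isabs(configured):
            path, source = configured, "absolute"
        else:
            path, source = ntpath.join(catalina_base, configured), "relative"
        found.append({
            "port": conn.get("port"),
            "keystore": ntpath.normpath(path),
            "source": source,
            # With no keyAlias, the first key entry read from the keystore is served.
            "alias": conn.get("keyAlias"),
        })
    return found

if __name__ == "__main__":
    for entry in ssl_keystores(SAMPLE_SERVER_XML, r"C:\Tomcat6", r"C:\Users\tomcat"):
        print(entry)
```

Running `keytool -list -v -keystore` on each reported path shows which certificate that connector will serve.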
Re: SSL Certificate Help
Alissa Schneider wrote:

> Still, when I visit https://localhost:8443, the browser throws a certificate warning. When I click on the certificate warning and view certificate, it displays information on my self-signed certificate (that I've deleted). I think if I could figure out how to make Tomcat point to the CA certificate instead of the old one, this would work for me. However, I'm not sure how to clear the Tomcat cache so to speak.

Did you restart Tomcat?

-- JHHL
RE: SSL Certificate Help
Yes, I have...many, many times. But good question!

-----Original Message-----
From: James Lampert [mailto:jam...@touchtonecorp.com]
Sent: Wednesday, November 07, 2012 3:28 PM
To: Tomcat Users List
Subject: Re: SSL Certificate Help

Alissa Schneider wrote:

> Still, when I visit https://localhost:8443, the browser throws a certificate warning. When I click on the certificate warning and view certificate, it displays information on my self-signed certificate (that I've deleted). I think if I could figure out how to make Tomcat point to the CA certificate instead of the old one, this would work for me. However, I'm not sure how to clear the Tomcat cache so to speak.

Did you restart Tomcat?

-- JHHL
Re: SSL Certificate Help
On Thu, Nov 8, 2012 at 8:32 AM, Alissa Schneider aschnei...@sensecorp.com wrote:

> Yes, I have...many, many times. But good question!
>
> -----Original Message-----
> From: James Lampert [mailto:jam...@touchtonecorp.com]
> Sent: Wednesday, November 07, 2012 3:28 PM
> To: Tomcat Users List
> Subject: Re: SSL Certificate Help
>
> Alissa Schneider wrote:
>> Still, when I visit https://localhost:8443, the browser throws a certificate warning. When I click on the certificate warning and view certificate, it displays information on my self-signed certificate (that I've deleted). I think if I could figure out how to make Tomcat point to the CA certificate instead of the old one, this would work for me. However, I'm not sure how to clear the Tomcat cache so to speak.
>
> Did you restart Tomcat?
>
> -- JHHL

Sounds like your browser is still caching your old one. If Firefox then go to Tools->Options->Advanced->View Certificates button and delete the certificate(s) for the localhost.
RE: SSL Certificate Help
I'm using IE 8. I went into Tools > Options > Content and there is a Certificates section. I clicked on Certificates and in the Trusted Root Certification Authorities tab, I saw my deleted certificate. So, I went ahead and clicked 'Remove' and 'Close'. Then on the Content tab again, I clicked 'Clear SSL state'. I then restarted Tomcat. When I navigated to http://localhost:8443, I again receive the Certificate Error warning and when I click 'View Certificate', my deleted certificate is still being used. Where is it coming from?!

I've also looked at the certificates in the Microsoft Management Console (MMC) and have added the snap-in for all certificates (My user account, Service account, Computer account). In none of the directories do I see my deleted certificate.

I appreciate any ideas anyone has - thank you!

-----Original Message-----
From: Igor Cicimov [mailto:icici...@gmail.com]
Sent: Wednesday, November 07, 2012 4:37 PM
To: Tomcat Users List
Subject: Re: SSL Certificate Help

Sounds like your browser is still caching your old one. If Firefox then go to Tools->Options->Advanced->View Certificates button and delete the certificate(s) for the localhost.

On Thu, Nov 8, 2012 at 8:32 AM, Alissa Schneider aschnei...@sensecorp.com wrote:

> Yes, I have...many, many times. But good question!
>
> -----Original Message-----
> From: James Lampert [mailto:jam...@touchtonecorp.com]
> Sent: Wednesday, November 07, 2012 3:28 PM
> To: Tomcat Users List
> Subject: Re: SSL Certificate Help
>
> Alissa Schneider wrote:
>> Still, when I visit https://localhost:8443, the browser throws a certificate warning. When I click on the certificate warning and view certificate, it displays information on my self-signed certificate (that I've deleted). I think if I could figure out how to make Tomcat point to the CA certificate instead of the old one, this would work for me. However, I'm not sure how to clear the Tomcat cache so to speak.
>
> Did you restart Tomcat?
>
> -- JHHL