Hi,
We have a working tomcat 6 installation with a self-signed cert. We have
received a certificate from Symantec (x509) and are trying to get it working in
our tomcat 6 installation. So far, I’ve had no luck.
What I have done so far:
1) Followed instructions from
https://knowledge.verisign.com/support/mpki-for-ssl-support/index?page=content&actp=CROSSLINK&id=AR124
- downloaded primary & secondary intermediate CA from Symantec
- imported into a brand new keystore using
keytool -import -trustcacerts -alias primaryIntermediate -keystore geneKeystore -file priimary_inter.cer
keytool -import -trustcacerts -alias secondaryIntermediate -keystore geneKeystore -file secondary_inter.cer
The keystore didn’t exist prior to the first import above but it seemed to
create it ok and prompt for passwords.
- install the SSL cert from Symantec
keytool -import -trustcacerts -alias myalias -keystore geneKeystore -file ssl_cert.cer
- verify contents of keystore
keytool -list -v -keystore geneKeystore
The Symantec instructions say to ensure the alias for the SSL cert has
an Entry Type of PrivateKeyEntry. Mine DOES NOT. Instructions say if it does
not, to please import the certificate in the “Private Key” alias. I’m not sure
what that means. I’m assuming it does not mean to import the cert using the
alias of ‘PrivateKey’ as I believe the alias has to match what was in the CSR??
It also says to ensure the Certificate chain length is 4. The Symantec
example shows sample output of the above command with “Certificate chain
length: 4” in the output but I don’t get that in mine. My keystore type is JKS
and provider is SUN as in their example though. I do see four extensions
listed under the ‘myalias’ alias; not sure if that would imply a chain length
of four. As you can already guess, I’m no SSL expert (or even tomcat expert
for that matter). Since I wasn’t sure what to do here I left this alone and
moved on.
2) edit server.xml
3) restart tomcat
- verified tomcat is running
- verified something listening on port 8443 (netstat -an |grep 8443)
- catalina.out contents below:
Jan 03, 2014 8:43:43 AM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal
performance in production environments was not found on the java.library.path:
:/usr/share/tomcat6/lib:/usr/share/tomcat6/lib:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jan 03, 2014 8:43:43 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'minSpareThreads' to '25' did not find a matching property.
Jan 03, 2014 8:43:43 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'maxSpareThreads' to '75' did not find a matching property.
Jan 03, 2014 8:43:43 AM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Jan 03, 2014 8:43:44 AM org.apache.tomcat.util.net.NioSelectorPool
getSharedSelector
INFO: Using a shared selector for servlet write/read
Jan 03, 2014 8:43:44 AM org.apache.coyote.http11.Http11NioProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Jan 03, 2014 8:43:44 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1217 ms
Jan 03, 2014 8:43:44 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Jan 03, 2014 8:43:44 AM org.apache.catalina.core.StandardEngine start
...
Jan 03, 2014 8:43:53 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Jan 03, 2014 8:43:53 AM org.apache.coyote.http11.Http11NioProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8443
Jan 03, 2014 8:43:53 AM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Jan 03, 2014 8:43:53 AM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/49 config=null
Jan 03, 2014 8:43:53 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 9583 ms
I’m not doing something correctly but I’m not sure what that is. If anyone can
point me in the right direction I would appreciate it.
Thanks,
Gene
PS: How does one search the archives of this list? When I browse the archive
site I don’t see a search field anywhere. So I’ve been googling without coming
up with a solution. It is probably out there but I don’t know enough to
recognize it :-(
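An added check, not from the post or from the Symantec instructions, that parses the `keytool -list -v` output from step 1 and reports the two conditions those instructions call out for the connector's alias: Entry type must be PrivateKeyEntry and the chain length must be 4. Both listings are constructed (alias names appear lowercase because keytool stores them that way), and the "broken" one mirrors what happens when a cert is imported with -trustcacerts into a fresh keystore that never held the matching private key.

```python
import re

# Constructed `keytool -list -v` output mirroring the post: the server cert was
# imported with -import -trustcacerts into a fresh keystore that never held the
# private key, so it lands as trustedCertEntry with no chain length line.
BROKEN_LISTING = """\
Alias name: primaryintermediate
Entry type: trustedCertEntry
Owner: CN=Example Intermediate CA, O=Example
*******************************************
Alias name: myalias
Entry type: trustedCertEntry
Owner: CN=www.example.com, O=Example Corp
"""

# Constructed listing of what a correctly assembled keystore shows instead.
GOOD_LISTING = """\
Alias name: myalias
Entry type: PrivateKeyEntry
Certificate chain length: 4
Owner: CN=www.example.com, O=Example Corp
"""

def parse_keytool_listing(text):
    """Map each alias to its entry type and chain length (None if absent)."""
    entries, alias = {}, None
    for line in text.splitlines():
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
            entries[alias] = {"type": None, "chain_length": None}
        elif alias and line.startswith("Entry type:"):
            entries[alias]["type"] = line.split(":", 1)[1].strip()
        elif alias and line.startswith("Certificate chain length:"):
            entries[alias]["chain_length"] = int(line.split(":", 1)[1])
    return entries

def check_server_alias(entries, alias, expected_chain=4):
    """Report the conditions the instructions call out for the connector alias."""
    e = entries.get(alias)
    if e is None:
        return ["alias %r not found in keystore" % alias]
    problems = []
    if e["type"] != "PrivateKeyEntry":
        problems.append("entry type is %s, not PrivateKeyEntry: this keystore "
                        "holds no private key for the cert" % e["type"])
    if e["chain_length"] != expected_chain:
        problems.append("certificate chain length is %s, expected %d"
                        % (e["chain_length"], expected_chain))
    return problems
```

Pipe the real output of `keytool -list -v -keystore geneKeystore` into `parse_keytool_listing` and call `check_server_alias(entries, "myalias")`; an empty list means the keystore holds the key and the full chain for that alias.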