Hi, I have finally found a solution to the problem of using commercial certificates and running tomcat in https mode. As this seems to be a common issue for people using tomcat and 3rd party certs, I have provided the information below - might save someone else some time! (I have translated the solution found at http://listes.cru.fr/www/arc/pki-fr/2003-04/msg00004.html)
***********************

Prior to starting: ensure that there is a hostcert.pem and hostkey.pem, and that the hostcert.pem starts and ends with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. If it contains any other information, then create a copy of the .pem file, delete any other lines and use this copy to carry out the steps below.

The following steps should be followed to configure Tomcat for HTTPS communication using 3rd party CA certificates.

1. Follow ONLY the 'Edit the Tomcat Configuration File' section in the Jakarta Project Tomcat SSL Configuration HOW-TO located at http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html.

2. Import the CA root certificate into the Tomcat cacerts store:

    keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file caRoot.pem

   This is the system-wide CA certificates store and contains entries for other CAs such as Verisign and Equifax.

3. Create the java keystore used by Tomcat. This is located at $HOME/.keystore - if the file doesn't already exist it will be created in the process.

   The first step is to generate a certificate in pkcs12 format by combining the host's key and certificate:

    openssl pkcs12 -export -inkey hostkey.pem -in hostcert.pem -out <host_name>.pkcs12

   The next step is to read the pkcs12 file into the keystore. To do this a java class taken from Jetty is used. Download Jetty (if required) and locate the PKCS12Import.java file. This needs to be compiled and then run using:

    java -classpath org.mortbay.jetty-jdk1.2.jar PKCS12Import <host_name>.pkcs12 $HOME/.keystore
    ( java <classpath> <class file> <pkcs12 cert> <keystore location> )

   When asked for the input keystore password - this is the certificate password used in the step above. The output keystore password is the password of the .keystore, 'changeit'. This puts the host certificate and key into the keystore with an alias of 1.

   To rename the alias the following steps are required (these steps are not obligatory):

    keytool -keyclone -keystore .keystore -alias 1 -dest <host_name>

   Delete the alias 1 from the keystore using:

    keytool -delete -keystore .keystore -alias 1

   Create the chain of certificates. Concatenate the host certificate file with the CA root file:

    cat hostcert.pem caRoot.pem > certchain-<host_name>.pem

   Generate a pkcs7 file which contains this chain:

    openssl crl2pkcs7 -nocrl -certfile certchain-<host_name>.pem -outform DER -out certchain-<host_name>.pkcs7

   Import this chain to the keystore:

    keytool -import -alias <host_name> -trustcacerts -file certchain-<host_name>.pkcs7 -keystore .keystore

   Check the content of your keystore:

    keytool -list -v -keystore .keystore

   This should contain the entry of type keyEntry, which is a chain of certificates.

If using jakarta-tomcat-4.1.27, a known bug exists which results in tomcat throwing a fatal error after two hits with https. This bug is documented and discussed with the necessary information to fix this issue at http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22701.

Restart tomcat and open https://<host_name>:8443/ in your browser.

Hope this helps!

Christina

--- Christina Cunningham <[EMAIL PROTECTED]> wrote:
> Hi
>
> I am trying to deploy tomcat securely using https and X509 certificates issued by a CA. I have followed the documentation on the tomcat webpage to insert my CA certificate into the cacerts store in Java as well as the server.ks and changed the server.xml file.
>
> When I try and run tomcat securely using my issued certificates (which are valid and have nothing before the BEGIN CERTIFICATE line) I get an error message from the browser that "Mozilla and localhost cannot communicate securely because they have no common encryption algorithms".
>
> However, if I put a self generated and signed certificate into the java .keystore located in my $HOME directory, tomcat will run securely.
> If I replace this certificate with an issued certificate then I get the same error message detailed above.
>
> Can anyone shed some light on this problem?
>
> I am using tomcat 4.1.27, Red Hat Linux 9.0 and mozilla-1.6.1.
>
> Thanks,
>
> Christina
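Added example (not from Christina's post, nor Tomcat's or Jetty's code): a POSIX sh version of the "prior to starting" PEM cleanup and the certchain concatenation, using only awk/grep/cat so it runs without openssl or keytool. The host name and PEM bodies in it are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the pre-flight cleanup of
# hostcert.pem and the certchain-<host_name>.pem step with plain text tools only;
# the openssl pkcs12 / crl2pkcs7 and keytool steps then follow exactly as posted.

# Write only the certificate block(s) of $1 to $2, dropping anything outside
# -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- (Bag Attributes,
# subject/issuer text, a private key). Returns 1 if no certificate block was found,
# which is what happens when someone hands Tomcat the key file instead of the cert.
strip_pem_cert() {
    awk '/^-----BEGIN CERTIFICATE-----/ {keep=1}
         keep {print}
         /^-----END CERTIFICATE-----/  {keep=0}' "$1" > "$2"
    grep -q '^-----BEGIN CERTIFICATE-----' "$2"
}

# certchain = cleaned host cert followed by the CA root, the order the post uses
# before "openssl crl2pkcs7". Returns 1 unless exactly two certificate blocks
# ended up in the chain (a stray key or a missing root would break the import).
build_chain() {
    cat "$1" "$2" > "$3"
    [ "$(grep -c '^-----BEGIN CERTIFICATE-----' "$3")" -eq 2 ]
}

# Number of certificate blocks in a PEM file (0 for a key-only file).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

demo() {
    d=$(mktemp -d)
    # Constructed hostcert.pem as a CA portal or "openssl pkcs12" might deliver it:
    # text before the block, which is exactly what the post says to strip.
    cat > "$d/hostcert.pem" <<'EOF'
Bag Attributes
    friendlyName: www.example.org
subject=/CN=www.example.org
-----BEGIN CERTIFICATE-----
MIIBexampleHostCertBodyNotARealCertificate
-----END CERTIFICATE-----
EOF
    printf -- '-----BEGIN CERTIFICATE-----\nMIIBexampleCaRootBodyNotARealCertificate\n-----END CERTIFICATE-----\n' > "$d/caRoot.pem"
    strip_pem_cert "$d/hostcert.pem" "$d/hostcert-clean.pem" &&
    build_chain "$d/hostcert-clean.pem" "$d/caRoot.pem" "$d/certchain-www.example.org.pem" &&
    head -n 1 "$d/hostcert-clean.pem"
}
```

The cleaned file is what goes into `openssl pkcs12 -export -in ...`, and the chain file into `openssl crl2pkcs7 -certfile ...`, as in the post above.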
