On Thursday 11 November 2004 11:04, Robert Cole wrote:
> Hi,
>
> I'm having some fun and games getting Tomcat 5.0.19 to use a non-self
> signed certificate. I've done the following:
>
> 1) Using Keytool, generated a new key pair using the genkey switch, into a
>    new keystore
> 2) Generated a CSR using the new keystore created above
> 3) Using OpenSSL, where I've created a certificate authority to sign my
>    CSRs, I've then generated a signed certificate valid for 365 days, signed
>    by my root authority
> 4) I've then imported the Root CA into the keystore created in 1
> 5) Then I've imported the new, signed certificate into the keystore from 1
> 6) I've then enabled my HTTPS connector in server.xml, with the keystore
>    entry pointing to the keystore from 1. I bounced Tomcat afterwards
>
> I can then connect to Tomcat on port 8443 but when I examine the
> certificate it is a self signed certificate that expired after 3 months.
> There is no evidence of the signed certificate.
>
> So far I have:
>
> 1) Removed the keystore file to check that Tomcat is picking up the correct
>    file. It is, as I get loads of errors in the std.out file
> 2) Listed the contents of the keystore. I can see, in the following order,
>    the root CA certificate, the generated keypair and then the signed
>    certificate.
> 3) I made a copy of the keystore, changed the configuration to use the copy
>    and then fired Tomcat up again. I finally managed to shut Tomcat down
>    again after a large number of errors flooded the log file.
> 4) I've used the Keytool export and printcert switches to check that the
>    signed certificate in the keystore is the right one, and it is.
>
> So, my question is, how is Tomcat using a self signed SSL certificate, and
> where could it be getting it from? Is there a way to force Tomcat to use a
> certain certificate from a keystore?
>
> I'm now very, very stuck and would appreciate some help. Are there any
> switches I can use to get more information from Tomcat on what it is using,
> certificate wise?
>
> For reference, the connector config looks like this:
>
> <Connector port="8443"
>            maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>            enableLookups="false" disableUploadTimeout="true"
>            acceptCount="100" debug="0" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="TLS"
>            keystoreFile="D:\db\certificates\keystore"
>            keystorePass="" />
>
> My keystore:
>
> D:\db\certificates>keytool -keystore keystore -list

Should that not be ".keystore", not "keystore"?

David

> Enter keystore password:
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 3 entries
>
> rootca, Nov 9, 2004, trustedCertEntry,
> Certificate fingerprint (MD5): 7B:CD:2C:5D:AE:79:8A:86:D5:70:25:56:3D:0D:D1:AC
> mis1_key, Nov 9, 2004, keyEntry,
> Certificate fingerprint (MD5): BB:6A:10:C7:1C:DC:A2:AE:BD:77:C3:6F:50:B6:50:C1
> mis1_cert, Nov 9, 2004, trustedCertEntry,
> Certificate fingerprint (MD5): 63:A4:57:A1:3E:B9:72:67:14:21:88:F3:3A:90:C5:5A
>
> The certificate that should be used is the mis1_cert certificate. From the
> printcert:
>
> D:\db\certificates>keytool -keystore keystore -printcert -file test.crt -v
> Owner: CN=mis1, OU=gmPrice, O=Deutsche Bank, L=London, ST=England, C=UK
> Issuer: [EMAIL PROTECTED], CN=gmPrice, OU=Shared Technology,
>         O=Deutsche Bank, L=London, ST=England, C=UK
> Serial number: 8
> Valid from: Tue Nov 09 09:26:01 GMT 2004 until: Wed Nov 09 09:26:01 GMT 2005
> Certificate fingerprints:
>   MD5:  63:A4:57:A1:3E:B9:72:67:14:21:88:F3:3A:90:C5:5A
>   SHA1: C7:AA:85:F7:7E:92:AC:E6:77:8B:44:F4:B2:7F:33:11:A7:DC:57:A3
>
> Rob Cole
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
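The keystore listing quoted above already shows where the self-signed certificate comes from. `mis1_key` is the only keyEntry, i.e. the only entry that holds a private key, and its certificate (MD5 BB:6A:...) is the one `keytool -genkey` created: self-signed and, by keytool's default validity, good for 90 days, which is the three-month expiry seen in the browser. The CA-signed certificate (MD5 63:A4:...) was imported under a new alias, `mis1_cert`, so it landed as a trustedCertEntry. A JSSE server only ever presents the certificate chain of a key entry, taking the first key entry it finds unless told otherwise (later Tomcat releases expose a `keyAlias` connector attribute for that); trusted entries are used to validate peers, never as the server's own identity. The keytool fix is to import the signed certificate under the key entry's own alias, `keytool -import -alias mis1_key -file test.crt -keystore keystore`, after the root CA has been imported as a trusted entry, which makes keytool treat it as a certificate reply and replace the self-signed certificate with the two-certificate chain. The program below is an added example, not code from this thread or from Tomcat: it inspects a JKS keystore the way the connector will and, given the aliases, re-attaches a stray signed certificate to its key entry after checking that it certifies the same public key and verifies under the CA. The class name, the argument order and the assumption that the key password equals the store password (keytool's default when none is given separately) are illustrative choices; it needs Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Added example (not from the original thread): reports what a JKS keystore
 * contains from the server's point of view and optionally repairs a signed
 * certificate that was imported under its own alias instead of the key alias.
 *
 * Usage (argument names and order are assumptions for illustration):
 *   java KeystoreDoctor <keystore> <password> <keyAlias> [<signedAlias> <caAlias>]
 */
public class KeystoreDoctor {

    // One line per certificate; flags the self-signed case the original poster hit.
    static String describe(String alias, X509Certificate c) {
        boolean selfSigned = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
        return alias + ": subject=" + c.getSubjectX500Principal()
             + " issuer=" + c.getIssuerX500Principal()
             + " notAfter=" + c.getNotAfter()
             + (selfSigned ? " [SELF-SIGNED]" : "");
    }

    public static void main(String[] args) throws Exception {
        String path = args[0];
        char[] pw = args[1].toCharArray();   // assumption: key password == store password
        String keyAlias = args[2];

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }

        // 1. Inventory. Only a key entry carries a private key, so only a key
        //    entry's chain can ever be presented on port 8443; a trustedCertEntry
        //    is used to validate peers and is never served as the server identity.
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                System.out.println("keyEntry " + alias + ", chain length " + chain.length);
                for (Certificate c : chain) {
                    System.out.println("  " + describe(alias, (X509Certificate) c));
                }
            } else {
                System.out.println("trustedCertEntry "
                        + describe(alias, (X509Certificate) ks.getCertificate(alias)));
            }
        }
        if (args.length < 5) {
            return;
        }
        String signedAlias = args[3];
        String caAlias = args[4];

        // 2. Repair. The signed certificate must wrap the same public key as the
        //    key entry and must verify under the CA; only then does it replace
        //    the self-signed chain that -genkey produced.
        X509Certificate signed = (X509Certificate) ks.getCertificate(signedAlias);
        X509Certificate ca = (X509Certificate) ks.getCertificate(caAlias);
        Certificate[] old = ks.getCertificateChain(keyAlias);
        if (!signed.getPublicKey().equals(old[0].getPublicKey())) {
            throw new IllegalStateException(signedAlias + " does not certify the key under " + keyAlias);
        }
        signed.verify(ca.getPublicKey());   // throws if not issued by this CA
        signed.checkValidity();             // throws if expired or not yet valid

        Key key = ks.getKey(keyAlias, pw);
        ks.setKeyEntry(keyAlias, key, pw, new Certificate[] { signed, ca });
        ks.deleteEntry(signedAlias);        // the loose trustedCertEntry is now redundant
        try (FileOutputStream out = new FileOutputStream(path)) {
            ks.store(out, pw);
        }
        System.out.println("Attached " + signedAlias + " (+ " + caAlias + ") as the chain for " + keyAlias);
    }
}
```

Run it once without the optional aliases to see the inventory; on the keystore quoted above it would list `mis1_key` with a chain length of 1 and a `[SELF-SIGNED]` flag, which is exactly what the browser reported. Running it again with `mis1_key mis1_cert rootca` rewrites the key entry's chain, after which `keytool -list -v` shows the key entry with a chain of two and Tomcat, once bounced, presents the CA-signed certificate. Keep a copy of the keystore before letting anything rewrite it.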