Sivakumar,
On 4.12.2013 12:11, sivakumar_balag...@contractor.amat.com wrote:
> I need to enable SSL for tomcat in a windows server 2008. I have generated a
> certificate using the csr generated by this command: certreq -new request.inf
> request.req
> (...)
> I have imported this certificate to CACERTS using keytool and uncommented the
> connector configuration in servers.xml in APACHE conf folder.

You used a Microsoft tool (certreq) to generate the private key and CSR,
and a Java tool (keytool) to import the certificate into a Java keystore.
That is your problem.

You need to, *either*:

1. Start from the beginning: Use Java keytool to generate the private key in
   a Java keystore, to create the CSR, and to import the certificate into that
   SAME Java keystore. You should not use the "cacerts" file as your keystore,
   but another file for that purpose (e.g. c:\users\sivakumar\server.jks).

2. Reuse what you have so far: Find where certreq stored the private key;
   export the private key; import the private key and certificate into a PKCS
   keystore; convert the PKCS keystore into a new keystore in JKS format.

You should consider which one is easier for you, and then we can help
you along the way.

> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>            SSLEnabled="true"
>            keystoreFile="C:\Program Files\Java\jre7\lib\security\CACERTS"
>            keystorePass="changeit" maxThreads="300" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="TLS" />

Whatever you do, you will have to change the keystoreFile attribute from
"C:\Program Files\Java\jre7\lib\security\CACERTS" to e.g.
"c:\users\sivakumar\server.jks".

> I didn't find any error on startup of Tomcat but still ssl is not enabled.

That is strange. What you described would result in the cacerts file
containing the server certificate without the private key. Therefore I would
expect Tomcat to complain about its inability to find the private key.

Either way, the cacerts file is not the right place to store the server private
key and certificate. That file should contain only certificates from
trusted CAs.

-Ognjen
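
The check implied by the reply above, as an added example that is not part of the original message: a keystore can back Tomcat's keystoreFile only if it holds a PrivateKeyEntry, whereas a certificate imported on its own shows up as trustedCertEntry. The script assumes the text output of `keytool -list -keystore <file>`; both sample listings, the `exampleca` alias and the fingerprints are constructed.

```python
import re

# Entry line printed by `keytool -list`: "<alias>, <date>, <entry type>,"
ENTRY_RE = re.compile(
    r"^(?P<alias>.+?), .+, "
    r"(?P<type>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),$"
)

def parse_entries(listing):
    """Map alias -> entry type from the text output of `keytool -list`."""
    entries = {}
    for line in listing.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias")] = m.group("type")
    return entries

def diagnose(listing):
    """Say whether the listed keystore can back an HTTPS connector."""
    entries = parse_entries(listing)
    keys = sorted(a for a, t in entries.items() if t == "PrivateKeyEntry")
    if keys:
        return "ok: private key entry under alias " + ", ".join(keys)
    if entries:
        return "unusable: only certificates, no private key (trust store contents)"
    return "unusable: no entries found"

# Constructed sample: server certificate imported into a trust store,
# the situation described in the thread (fingerprints are placeholders).
TRUST_STORE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

tomcat, Dec 4, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 00:00:00:00 (placeholder)
exampleca, Dec 4, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 11:11:11:11 (placeholder)
"""

# Constructed sample: key pair generated with keytool and the signed
# certificate imported under the same alias.
SERVER_KEYSTORE_LISTING = """\
Your keystore contains 1 entry

tomcat, Dec 4, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): 22:22:22:22 (placeholder)
"""

if __name__ == "__main__":
    for name, text in (("cacerts", TRUST_STORE_LISTING), ("server.jks", SERVER_KEYSTORE_LISTING)):
        print(name, "->", diagnose(text))
```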