Yes I have run into that. I'm using an xml editor to check my work.
John Ellis
405.285.2500 office
http://biz-e.io
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, September 26, 2017 3:32 PM
To: Tomcat Users List <[email protected]>
Subject: Re: tomcat ssl setup
Grrrr, I hate formatting in Mails...
Beware of “ when copying source code!
> Am 26.09.2017 um 22:25 schrieb [email protected]:
>
> John,
>
>
>
>> Am 26.09.2017 um 21:26 schrieb John Ellis <[email protected]>:
>>
>> Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is
>> what Jira and/or Confluence would use so I did that and it worked fine on
>> http port of 8080. I then edited the server.xml file again for the SSL port
>> and got the same result as before; never gets to a webpage login using the
>> secure port of 8443 but I can still get the webpage on port 8080. When I
>> look at the Tomcat 8 Catalina log file I see several lines where it says-
>> "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been
>> googling that error and found a couple of posts saying to change from JKS to
>> JCEKS but when I ran the commands I didn't have JKS in the command; only RSA
>> for the algorithm. Can someone provide me with the proper keytool commands
>> that I need to use to create an SSL certificate for Tomcat?
>>
>> John Ellis
>>
>> 405.285.2500 office
>>
>>
>
>
> We’re talking about Tomcat 8.5, 8.0 is EOLed so it may not make sense to ride
> a dead horse, also SSL setup has changed quite a bit in 8.5/9.0.
>
> So my setup is as follows:
>
> server.xml:
>
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>
> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
> allowTrace="false"
> maxThreads="150"
> SSLEnabled="true"
> compression="off"
> scheme="https"
> server="Apache Tomcat"
> secure="true"
defaultSSLHostConfigName=“localhost” > <!-- corrected -->
>
> <SSLHostConfig
> hostName="localhost"
> honorCipherOrder="true"
> certificateVerification="none"
> protocols="TLSv1.2"
>
> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
> <Certificate
> certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
> certificateKeystorePassword="changeit"
> certificateKeyAlias="tomcat"
> type="RSA" />
> </SSLHostConfig>
> </Connector>
>
> https://stackoverflow.com/questions/10175812/how-to-create-a-self-sign
> ed-certificate-with-openssl
> <https://stackoverflow.com/questions/10175812/how-to-create-a-self-sig
> ned-certificate-with-openssl>
>
> I use openssl to create the certs (as let’s encrypt for an official cert will
> generate the same structure) and then convert to JKS:
>
> openssl genrsa -aes256 -out server.key 4096 -subj
> "/C=XX/ST=XX/L=XX/O=XX/CN=localhost"
> openssl req -new -key server.key -out server.csr -sha512 -subj
> "/C=XX/ST=XX/L=XX/O=XX/CN=localhost/[email protected]"
> #there is more to it to get SAN extensions, but that’s not necessary
> to get it running
>
> openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key
> -out server.crt # you may need your own ca and a signing-process to
> make this work in all browsers
>
> #Verify Server Cert
> openssl x509 -in server.crt -text -noout
>
> openssl pkcs12 -export -in server.crt -inkey server.key -out
> jssecacerts -name tomcat keytool -list -v -keystore jssecacerts
> -storepass changeit
>
>
> Hope this helps for a start.
>
> Regards
>
> Peter
>
>
>
>
>
>
>
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
