John Ellis

405.285.2500 office


    

http://biz-e.io


-----Original Message-----
From: Peter Kreuser [mailto:l...@kreuser.name] 
Sent: Wednesday, September 27, 2017 3:43 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: tomcat ssl setup

John,


> Am 27.09.2017 um 18:08 schrieb John Ellis <john.el...@lsgsolutions.com>:
> 
> 
> 
> John Ellis
> 
> 405.285.2500 office
> 
> 
> 
> 
> http://biz-e.io
> 
> 
> -----Original Message-----
> From: l...@kreuser.name [mailto:l...@kreuser.name] 
> Sent: Tuesday, September 26, 2017 3:26 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: tomcat ssl setup
> 
> John,
> 
> 
> 
>> Am 26.09.2017 um 21:26 schrieb John Ellis <john.el...@lsgsolutions.com>:
>> 
>> Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is 
>> what Jira and/or Confluence would use so I did that and it worked fine on 
>> http port of 8080. I then edited the server.xml file again for the SSL port 
>> and got the same result as before; never gets to a webpage login using the 
>> secure port of 8443 but I can still get the webpage on port 8080. When I 
>> look at the Tomcat 8 Catalina log file I see several lines where it says- 
>> "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been 
>> googling that error and found a couple of posts saying to change from JKS to 
>> JCEKS but when I ran the commands I didn't have JKS in the command; only RSA 
>> for the algorithm. Can someone provide me with the proper keytool commands 
>> that I need to use to create an SSL certificate for Tomcat?   
>> 
>> John Ellis
>> 
>> 405.285.2500 office
>> 
>> 
> 
> 
> We’re talking about Tomcat 8.5, 8.0 is EOLed so it may not make sense to ride 
> a dead horse, also SSL setup has changed quite a bit in 8.5/9.0.
> 
> So my setup is as follows:
> 
> server.xml:
> 
> <Connector port="8443"
>            protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>            
> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>            allowTrace="false"
>            maxThreads="150"
>            SSLEnabled="true"
>            compression="off"
>            scheme="https"
>            server="Apache Tomcat"
>            secure="true"
>            defaultSSLHostConfigName=“ localhost” >
>    <SSLHostConfig
>            hostName="localhost"
>            honorCipherOrder="true"
>            certificateVerification="none"
>            protocols="TLSv1.2"
>            
> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
>     <Certificate 
> certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
>                  certificateKeystorePassword="changeit"
>                  certificateKeyAlias="tomcat"
>                  type="RSA" />
>    </SSLHostConfig>
>  </Connector>
> 
> https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
>  
> <https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl>
> 
> I use openssl to create the certs (as let’s encrypt for an official cert will 
> generate the same structure) and then convert to JKS:
> 
> openssl genrsa -aes256 -out server.key 4096 -subj 
> "/C=XX/ST=XX/L=XX/O=XX/CN=localhost"
> openssl req -new -key server.key -out server.csr -sha512  -subj 
> "/C=XX/ST=XX/L=XX/O=XX/CN=localhost/emailAddress=x...@xx.com"
> #there is more to it to get SAN extensions, but that’s not necessary to get 
> it running
> 
> openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out 
> server.crt # you may need your own ca and a signing-process to make this work 
> in all browsers
> 
> #Verify Server Cert
> openssl x509 -in server.crt -text -noout
> 
> openssl pkcs12 -export -in server.crt -inkey server.key -out jssecacerts 
> -name tomcat keytool -list -v -keystore jssecacerts -storepass changeit
> 
> 
> Hope this helps for a start.
> 
> Regards
> 
> Peter
> 
> Peter I have never seen entries in the "</SSLHostConfig>" part of the 
> server.xml file. Does that have to be in there for SSL to work in Tomcat?
> 
That's the way you define one Connector on one port with different certificates 
in TC 8.5 and 9.0.
I guess that's one of the important new features!
> 
> 
> Wow. I started posting in this forum back on the 19th; specifically about 
> version 9 of Tomcat and yours is the 1st reply where I have seen anything 
> about having to configure
the  "</SSLHostConfig>" part of the server.xml. I will give that a try. BTW, do 
you have the exact order and text of the openssl commands that you used. I have 
been using the keytool command but for some strange reason yesterday all of a 
sudden when I would try that command, after typing in the password, which 
should be a new password, I kept getting an error saying "keytool error: 
java.io.IOException: Keystore was tampered with, or password was incorrect".

> 
> 
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to