Hi Munzer,

I guess we‘re going a slightly awkward way here, but to fix your problem with 
the new cert in the first place, you could use this:

If your keystore is the old proprietary format, convert it to PKCS12:
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 
-deststoretype PKCS12 -srcalias tomcat -deststorepass <password> -destkeypass 
Then extract the key using openssl:
openssl pkcs12 -in keystore.p12 -nocerts -out key.pem
After that recombine it with the new cert.
I‘ve found this here: https://security.stackexchange.com/a/66865

There has to be an easier way, but as your keystore is causing troubles, I‘m 
not really able to troubleshoot that.

After all, you may have to reread on cert handling with keytool vs. openssl.
I prefer the openssl way ;-).


Peter Kreuser
> Am 06.08.2019 um 19:50 schrieb Munzer Khatib <smk_01_2...@yahoo.com.invalid>:
> Hi Peter
> I dont have the private key file. That is created when I create the keystore. 
> I dont know if it can be extracted.
> Munzer
>    On Tuesday, 6 August 2019, 4:35:51 PM UTC, Peter Kreuser 
> <l...@kreuser.name> wrote:  
> Hi,
>> Am 06.08.2019 um 02:42 schrieb Munzer Khatib <smk_01_2...@yahoo.com.invalid>:
>> Hi
>> Can you help me with this problem.
>> Problem: Installing SSL certificate on Apache Tomcat 8.0.36 fails
>> I am trying to install a new SSL certificate into Apache tomcat 8.0.36.I ran 
>> same steps ran successfully in 2013 and 2016 on tomcat 7. Nothing changed 
>> other than moving the virtual machine from old server to new hardware this 
>> year. Windows Server 2008 is still the same Operating system.
>> I created a keystore and extracted CSR, generated certificate using godaddy 
>> for Apache server and imported to server. I keep getting an SSL handshake 
>> errors and I think it is because the certificate entrytype is 
>> "trustedcertEntry" and not "privateKey Entry'
>> Here are the steps I used to create the keystore and import certificate to 
>> it.
>> 1) Generate a Keystorecd C:\Program Files\Java\jre7\bin
>> keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA  -sigalg 
>> SHA256withRSA -keypass secret19 -keystore tomcat10.keystore
>> 2) Create a CSRkeytool -certreq -alias tomcat -keyalg RSA -sigalg 
>> SHA256withRSA -keystore tomcat10.keystore -file file10.csr
>> 3) Generate certificates on godaddy site for "Apache" server (not tomcat)
>> 4) Install root, intermediate and user certificate
>> keytool -import -alias root -keystore tomcat14.keystore -trustcacerts -file 
>> c:\cert_2022\gd-class2-root.crt
>> keytool -import -alias intermediate -keystore tomcat14.keystore 
>> -trustcacerts -file c:\cert_2022\gd_bundle-g2-g1.crt
>> keytool -import -alias tomcat -keystore tomcat10.keystore  -file 
>> c:\cert_2019\508c844632c0145.crt
> I‘ve not found a keytool command for that. I use openssl to convert the PEM 
> to pkcs12/keystore format
> Care to try the following command?
> openssl pkcs12 -export -in cert.pem -inkey privkey.pem -name tomcat -certfile 
> fullchain.pem -passout pass:changeit -out jssekeystore
> Peter
>> I am not sure why but it seems the new one is not linking all certificates 
>> into the private key.
>> I tried many different imports and it would never import the server 
>> certificate as a "privateKeyentry" as the one running now.C:\Program 
>> Files\Java\jre7\bin>keytool -list -keystore tomcat10.keystoreEnter keystore 
>> password:
>> Keystore type: JKSKeystore provider: SUN
>> Your keystore contains 3 entries
>> root, Jul 22, 2019, trustedCertEntry,Certificate fingerprint (SHA1): 
>> 47:BE:AB:C9:22:EA:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8Bintermediate, Jul 
>> 22, 2019, trustedCertEntry,Certificate fingerprint (SHA1): 
>> 27:AC:93:69:FA:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8tomcat, Jul 22, 
>> 2019, trustedCertEntry,Certificate fingerprint (SHA1): 
>> B6:27:BE:DF:ED:EF:EF:4D:62:D2:F1:5C:CC:C1:A2:AB:98:60:8E
>> I also tried creating a PEM text file for all certificates and importing 
>> that into private key alias tomcat but it only imported the domain 
>> certificate as "trustedcertentry"
>> My server xml file connector config is like this        <Connector 
>> port="8080" protocol="HTTP/1.1" connectionTimeout="20000" 
>> redirectPort="8443" compression="on" URIEncoding="UTF-8" 
>> compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" 
>> compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"/><Connector
>>  port="443" protocol="HTTP/1.1" maxThreads="150" scheme="https" 
>> secure="true" clientAuth="false" sslProtocol="TLS" SSLEnabled="true" 
>> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" 
>> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 
>>  TLS_RSA_WITH_AES_256_CBC_SHA" keystorePass="password" 
>> keystoreFile="C:\Program Files\Java\jre7\bin\tomcat10.keystore"/>    
>> </Service></Server>
>> Tried many different options for keytool command.
>> Followed tomcat 8 documentation and godaddy list for installing certificate.
>> When I try to access using browser I get this error
>> This page can’t be displayed Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in 
>> Advanced settings and try connecting to https://psscr.xyz.c
>> When I use openssl I get handshake failure$openssl s_client -connect 
>> 10.60.xx.xx:443CONNECTED(00000003)140298896533392:error:14077410:SSL 
>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake 
>> failure:s23_clnt.c:769:---no peer certificate available---No client 
>> certificate CA names sent---SSL handshake has read 7 bytes and written 289 
>> bytes---New, (NONE), Cipher is (NONE)Secure Renegotiation IS NOT 
>> supportedCompression: NONEExpansion: NONENo ALPN negotiatedSSL-Session:    
>> Protocol  : TLSv1.2    Cipher    : 0000    Session-ID:    Session-ID-ctx:    
>> Master-Key:    Key-Arg  : None    Krb5 Principal: None    PSK identity: None 
>>    PSK identity hint: None    Start Time: 1564789174    Timeout  : 300 (sec) 
>>    Verify return code: 0 (ok)
>> Thanks,  

Reply via email to