arktech asked:
New SSL Certificate for existing Tomcat deployment

Help!  Our SSL certificate is expiring very soon.  We purchased a new certificate from VeriSign (not allowed to renew the existing one because company moved from Canada to US), but I'm not having any luck installing it into the existing site.  Here's what I have.  Running keytool -list against the existing keystore returns:

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Nov 5, 2005, keyEntry,
Certificate fingerprint (MD5): AF:A0:D4:07:DF:1B:AE:64:D1:14:53:5B:59:DB:FF:0D

I copied this keystore to a local machine and performed the following steps:

keytool -import -alias intermediateCA -keystore /cygwin/tmp/keystore -trustcacerts -file /cygwin/tmp/verisign_root.cer
keytool -import -alias MyApplication -keystore /cygwin/tmp/keystore -trustcacerts -file /cygwin/tmp/my_domain.cer
keytool -delete -alias tomcat -keystore /cygwin/tmp/keystore

Running keytool -list against the resulting keystore yields the following:

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

intermediateca, Nov 14, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 2A:C8:48:C0:85:F3:27:DE:32:29:44:BB:B0:2C:79:F8
myapplication, Nov 14, 2007, trustedCertEntry,
Certificate fingerprint (MD5): DD:B8:19:36:D6:B5:1E:6B:47:75:31:E8:BC:96:CF:49

In my Tomcat/conf/server.xml file, I have the following:

    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               keystoreFile="D:/Tomcat-5.5/conf/keystore"
               clientAuth="false" sslProtocol="TLS" />

With the old keystore in place, I'm having no problems at all.  When I replace it with the new keystore and bounce Tomcat, I can no longer find the server when I attempt to connect via https.  We have a redirect from https://mydomain.com to https://mydomain.com/myapplication, and it does show me "Redirecting", but then it drops to "Cannot find server".  If I look in the catalina.log, I see:

Nov 14, 2007 8:00:47 PM org.apache.coyote.http11.Http11BaseProtocol pause
INFO: Pausing Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:00:47 PM org.apache.coyote.http11.Http11BaseProtocol pause
INFO: Pausing Coyote HTTP/1.1 on http-443
Nov 14, 2007 8:00:48 PM org.apache.catalina.core.StandardService stop
INFO: Stopping service Catalina
Nov 14, 2007 8:00:48 PM org.apache.catalina.core.StandardWrapper unload
INFO: Waiting for 5 instance(s) to be deallocated
Nov 14, 2007 8:00:50 PM org.apache.catalina.core.StandardWrapper unload
INFO: Waiting for 5 instance(s) to be deallocated
Nov 14, 2007 8:00:51 PM org.apache.catalina.core.StandardWrapper unload
INFO: Waiting for 5 instance(s) to be deallocated
Nov 14, 2007 8:00:51 PM org.apache.coyote.http11.Http11BaseProtocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:00:51 PM org.apache.coyote.http11.Http11BaseProtocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-443
Nov 14, 2007 8:00:51 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: Failed shutdown of Apache Portable Runtime
Nov 14, 2007 8:00:53 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: d:\Tomcat-5.5\bin;.;C:\WINNT\system32;C:\WINNT;D:\oracle\ora81\bin;D:\oracle\ora81\Apache\Perl\5.00503\bin\mswin32-x86;C:\Program Files\Oracle\jre\1.1.7\bin;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;d:\MSSQL7\BINN;d:\scripts
Nov 14, 2007 8:00:53 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:00:54 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-443
Nov 14, 2007 8:00:54 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1594 ms
Nov 14, 2007 8:00:54 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Nov 14, 2007 8:00:54 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.16
Nov 14, 2007 8:00:54 PM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Nov 14, 2007 8:00:54 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive myapplication.war
Nov 14, 2007 8:00:56 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:00:56 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-443
Nov 14, 2007 8:00:56 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Nov 14, 2007 8:00:56 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/31  config=null
Nov 14, 2007 8:00:56 PM org.apache.catalina.storeconfig.StoreLoader load
INFO: Find registry server-registry.xml at classpath resource
Nov 14, 2007 8:00:56 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2235 ms

No errors, no problems.  But now I can't get to my application.  I've tried adding a keyAlias attribute to the Connector property, using intermediateca, intermediateCA, myapplication and MyApplication and none of them work.  In every case, if I specify a keyAlias, I get an error like:

Nov 14, 2007 8:10:01 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:10:01 PM org.apache.coyote.http11.Http11BaseProtocol start
SEVERE: Error starting endpoint
java.io.IOException: Alias name intermediateca does not identify a key entry
      at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
      at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
      at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
      at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
      at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
      at org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
      at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
      at org.apache.catalina.connector.Connector.start(Connector.java:1089)
      at org.apache.catalina.core.StandardService.start(StandardService.java:459)
      at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
      at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Nov 14, 2007 8:10:01 PM org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start:
LifecycleException:  service.getName(): "Catalina";  Protocol handler start failed: java.io.IOException: Alias name intermediateca does not identify a key entry
      at org.apache.catalina.connector.Connector.start(Connector.java:1096)
      at org.apache.catalina.core.StandardService.start(StandardService.java:459)
      at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
      at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Nov 14, 2007 8:10:01 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2313 ms

Help!  Thanks in advance!
arktech (asker) replied:
Never mind, I figured out the problem.  The certificate must be imported into the same keystore from which the CSR was generated.  I should have realized that, but was moving too fast for my own good.  It's working great now, with the new certificate properly deployed.
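A preflight check for exactly this failure, added here as an example and not part of the original thread: it parses `keytool -list` output and applies the same rule Tomcat's JSSE connector does at startup, namely that the configured keyAlias (or, with none configured, at least one alias) must be a key entry, which only the keystore holding the private key the CSR came from can satisfy. The two listings are constructed from the ones quoted in the question; the function names are this example's own.

```python
import re

# Listings constructed from the two `keytool -list` outputs quoted in the question.
OLD_LISTING = """Keystore type: jks

Your keystore contains 1 entry

tomcat, Nov 5, 2005, keyEntry,
Certificate fingerprint (MD5): AF:A0:D4:07:DF:1B:AE:64:D1:14:53:5B:59:DB:FF:0D
"""
NEW_LISTING = """Keystore type: jks

Your keystore contains 2 entries

intermediateca, Nov 14, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 2A:C8:48:C0:85:F3:27:DE:32:29:44:BB:B0:2C:79:F8
myapplication, Nov 14, 2007, trustedCertEntry,
Certificate fingerprint (MD5): DD:B8:19:36:D6:B5:1E:6B:47:75:31:E8:BC:96:CF:49
"""

# One header line per entry: "alias, date, entryType,". The date itself contains a
# comma ("Nov 14, 2007"); the greedy middle group absorbs it, the type is anchored at the end.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+), (?P<date>.+), "
    r"(?P<type>keyEntry|PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?$"
)

def parse_keytool_list(listing):
    """Return {alias: entry_type}. JKS stores aliases lowercased, so normalise."""
    entries = {}
    for line in listing.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias").lower()] = m.group("type")
    return entries

def check_tomcat_keystore(listing, key_alias=None):
    """Apply Tomcat's JSSE startup rule; returns (ok, reason).
    keyAlias set: that alias must be a key entry, else 'does not identify a key entry'.
    keyAlias unset: startup succeeds, but TLS needs at least one key entry (private key)."""
    entries = parse_keytool_list(listing)
    key_entries = {a for a, t in entries.items() if t in ("keyEntry", "PrivateKeyEntry")}
    if key_alias is not None:
        # JKS alias lookup is case-insensitive; a missing alias fails the same way
        if key_alias.lower() not in key_entries:
            return False, f"alias {key_alias!r} does not identify a key entry"
        return True, f"alias {key_alias!r} is a key entry"
    if not key_entries:
        return False, "no key entry: trusted certificates only, no private key to serve TLS"
    return True, "key entries available: " + ", ".join(sorted(key_entries))
```

Run it against `keytool -list -keystore <file>` output before restarting Tomcat: the new keystore on this page fails with no keyAlias (no private key, so the handshake can never complete, which the client sees as "Cannot find server") and fails with any keyAlias, reproducing the logged exception.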