
New SSL Certificate for existing Tomcat deployment

Posted on 2007-11-14
Last Modified: 2013-12-02
Help!  Our SSL certificate is expiring very soon.  We purchased a new certificate from VeriSign (not allowed to renew the existing one because company moved from Canada to US), but I'm not having any luck installing it into the existing site.  Here's what I have.  Running keytool -list against the existing keystore returns:

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Nov 5, 2005, keyEntry,
Certificate fingerprint (MD5): AF:A0:D4:07:DF:1B:AE:64:D1:14:53:5B:59:DB:FF:0D

I copied this keystore to a local machine and performed the following steps:

keytool -import -alias intermediateCA -keystore /cygwin/tmp/keystore -trustcacerts -file /cygwin/tmp/verisign_root.cer
keytool -import -alias MyApplication -keystore /cygwin/tmp/keystore -trustcacerts -file /cygwin/tmp/my_domain.cer
keytool -delete -alias tomcat -keystore /cygwin/tmp/keystore

Running keytool -list against the resulting keystore yields the following:

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

intermediateca, Nov 14, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 2A:C8:48:C0:85:F3:27:DE:32:29:44:BB:B0:2C:79:F8
myapplication, Nov 14, 2007, trustedCertEntry,
Certificate fingerprint (MD5): DD:B8:19:36:D6:B5:1E:6B:47:75:31:E8:BC:96:CF:49

In my Tomcat/conf/server.xml file, I have the following:

    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               keystoreFile="D:/Tomcat-5.5/conf/keystore"
               clientAuth="false" sslProtocol="TLS" />

With the old keystore in place, I'm having no problems at all.  When I replace it with the new keystore and bounce Tomcat, I can no longer find the server when I attempt to connect via https.  We have a redirect from https://mydomain.com to https://mydomain.com/myapplication, and it does show me Redirecting, but then it drops to the Cannot find server.  If I look in the catalina.log, I see:

Nov 14, 2007 8:00:47 PM org.apache.coyote.http11.Http11BaseProtocol pause
INFO: Pausing Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:00:47 PM org.apache.coyote.http11.Http11BaseProtocol pause
INFO: Pausing Coyote HTTP/1.1 on http-443
Nov 14, 2007 8:00:48 PM org.apache.catalina.core.StandardService stop
INFO: Stopping service Catalina
Nov 14, 2007 8:00:48 PM org.apache.catalina.core.StandardWrapper unload
INFO: Waiting for 5 instance(s) to be deallocated
Nov 14, 2007 8:00:50 PM org.apache.catalina.core.StandardWrapper unload
INFO: Waiting for 5 instance(s) to be deallocated
Nov 14, 2007 8:00:51 PM org.apache.catalina.core.StandardWrapper unload
INFO: Waiting for 5 instance(s) to be deallocated
Nov 14, 2007 8:00:51 PM org.apache.coyote.http11.Http11BaseProtocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:00:51 PM org.apache.coyote.http11.Http11BaseProtocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-443
Nov 14, 2007 8:00:51 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: Failed shutdown of Apache Portable Runtime
Nov 14, 2007 8:00:53 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: d:\Tomcat-5.5\bin;.;C:\WINNT\system32;C:\WINNT;D:\oracle\ora81\bin;D:\oracle\ora81\Apache\Perl\5.00503\bin\mswin32-x86;C:\Program Files\Oracle\jre\1.1.7\bin;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;d:\MSSQL7\BINN;d:\scripts
Nov 14, 2007 8:00:53 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:00:54 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-443
Nov 14, 2007 8:00:54 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1594 ms
Nov 14, 2007 8:00:54 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Nov 14, 2007 8:00:54 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.16
Nov 14, 2007 8:00:54 PM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Nov 14, 2007 8:00:54 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive myapplication.war
Nov 14, 2007 8:00:56 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:00:56 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-443
Nov 14, 2007 8:00:56 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Nov 14, 2007 8:00:56 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/31  config=null
Nov 14, 2007 8:00:56 PM org.apache.catalina.storeconfig.StoreLoader load
INFO: Find registry server-registry.xml at classpath resource
Nov 14, 2007 8:00:56 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2235 ms

No errors, no problems.  But now I can't get to my application.  I've tried adding a keyAlias attribute to the Connector property, using intermediateca, intermediateCA, myapplication and MyApplication and none of them work.  In every case, if I specify a keyAlias, I get an error like:

Nov 14, 2007 8:10:01 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:10:01 PM org.apache.coyote.http11.Http11BaseProtocol start
SEVERE: Error starting endpoint
java.io.IOException: Alias name intermediateca does not identify a key entry
      at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
      at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
      at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
      at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
      at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
      at org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
      at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
      at org.apache.catalina.connector.Connector.start(Connector.java:1089)
      at org.apache.catalina.core.StandardService.start(StandardService.java:459)
      at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
      at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Nov 14, 2007 8:10:01 PM org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start:
LifecycleException:  service.getName(): "Catalina";  Protocol handler start failed: java.io.IOException: Alias name intermediateca does not identify a key entry
      at org.apache.catalina.connector.Connector.start(Connector.java:1096)
      at org.apache.catalina.core.StandardService.start(StandardService.java:459)
      at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
      at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Nov 14, 2007 8:10:01 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2313 ms

Help!  Thanks in advance!
Question by:arktech
2 Comments
 

Author Comment

by:arktech
ID: 20286743
Never mind, I figured out the problem.  The certificate must be imported into the same keystore from which the CSR was generated.  I should have realized that, but was moving too fast for my own good.  It's working great now, with the new certificate properly deployed.
0
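The keytool sequence in the question and the fix in the author's own follow-up, as an added worked example that is not part of the original thread. It reproduces both paths offline: a stand-in CA (playing VeriSign's role) signs a CSR made from the `tomcat` key entry; the "right way" imports the signed certificate back into the same keystore under the same alias, so keytool treats it as a certificate reply and attaches the chain to the private key; the "wrong way" repeats the question's steps and ends with only trustedCertEntry aliases. A small `is_key_entry` function mirrors the precondition behind Tomcat's "does not identify a key entry" error. It assumes a JDK 7 or newer `keytool` on PATH; the password, host name, alias names and CA subject are illustrative.

```shell
#!/bin/sh
# Added example, not code from the original post: keep the signed certificate on
# the key entry that produced the CSR, next to the mistake the post describes.
# Assumes JDK 7+ keytool on PATH. Password, names and paths below are illustrative.
set -eu
command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH (install a JDK); skipping" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"      # scratch directory; everything lands here
PW='changeit'                      # assumed password (Tomcat's default when keystorePass is unset)
CA_KS="$WORK/ca.jks"               # stand-in CA; in the real flow this is the public CA
KS="$WORK/keystore"                # the keystore that Tomcat's keystoreFile points at

kt() {
    # Quiet wrapper so keytool chatter does not drown the demo; dumps the log on failure.
    keytool "$@" >"$WORK/kt.log" 2>&1 || { cat "$WORK/kt.log" >&2; return 1; }
}

# Tomcat's precondition for keyAlias (the check that raised "Alias name ... does not
# identify a key entry" in the post): the alias must hold the private key, not just a cert.
is_key_entry() {                   # is_key_entry <keystore> <alias>
    keytool -list -v -alias "$2" -keystore "$1" -storepass "$PW" 2>/dev/null |
        grep -Eq 'Entry type: (PrivateKeyEntry|keyEntry)'
}

chain_length() {                   # chain_length <keystore> <alias> -> prints the length
    keytool -list -v -alias "$2" -keystore "$1" -storepass "$PW" 2>/dev/null |
        sed -n 's/^Certificate chain length: //p'
}

setup() {
    rm -f "$CA_KS" "$KS" "$WORK"/*.cer "$WORK"/*.csr "$WORK"/*.jks
    # Stand-in CA (constructed for this offline demo).
    kt -genkeypair -alias ca -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
       -dname 'CN=Stand-in Root CA, O=Example' -ext bc:c -validity 3650 \
       -storetype JKS -keystore "$CA_KS" -storepass "$PW" -keypass "$PW"
    kt -exportcert -alias ca -rfc -keystore "$CA_KS" -storepass "$PW" -file "$WORK/ca.cer"
    # Server keystore: the 'tomcat' key entry is what the CSR comes from.
    kt -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
       -dname 'CN=mydomain.com, O=Example' -validity 365 \
       -storetype JKS -keystore "$KS" -storepass "$PW" -keypass "$PW"
    kt -certreq -alias tomcat -keystore "$KS" -storepass "$PW" -file "$WORK/tomcat.csr"
    # The CA signs the CSR and returns the server certificate (my_domain.cer in the post).
    kt -gencert -alias ca -keystore "$CA_KS" -storepass "$PW" -rfc -validity 365 \
       -ext san=dns:mydomain.com -infile "$WORK/tomcat.csr" -outfile "$WORK/tomcat.cer"
}

right_way() {
    # Same keystore, and the signed cert under the SAME alias as the private key:
    # keytool treats it as a certificate reply and attaches the chain to the key entry.
    cp "$KS" "$WORK/right.jks"
    kt -importcert -alias root   -trustcacerts -noprompt -keystore "$WORK/right.jks" \
       -storepass "$PW" -file "$WORK/ca.cer"
    kt -importcert -alias tomcat -trustcacerts -noprompt -keystore "$WORK/right.jks" \
       -storepass "$PW" -file "$WORK/tomcat.cer"
}

wrong_way() {
    # The post's steps: the signed cert under a NEW alias becomes a trustedCertEntry
    # with no private key behind it, and the only key entry is then deleted.
    cp "$KS" "$WORK/wrong.jks"
    kt -importcert -alias intermediateCA -trustcacerts -noprompt -keystore "$WORK/wrong.jks" \
       -storepass "$PW" -file "$WORK/ca.cer"
    kt -importcert -alias MyApplication  -trustcacerts -noprompt -keystore "$WORK/wrong.jks" \
       -storepass "$PW" -file "$WORK/tomcat.cer"
    kt -delete -alias tomcat -keystore "$WORK/wrong.jks" -storepass "$PW"
}

setup; right_way; wrong_way
for pair in "right.jks tomcat" "wrong.jks myapplication"; do
    set -- $pair
    if is_key_entry "$WORK/$1" "$2"; then
        echo "$1: alias '$2' is a key entry, chain length $(chain_length "$WORK/$1" "$2"); Tomcat can start"
    else
        echo "$1: alias '$2' is not a key entry; Tomcat fails with 'does not identify a key entry'"
    fi
done
```

The Connector in the question sets no keystorePass, so Tomcat falls back to its default of changeit, which is why the example uses that value. Before bouncing Tomcat, `keytool -list -v -alias tomcat` on the new keystore should report a key entry (keyEntry on old JDKs, PrivateKeyEntry on newer ones) with a chain length of two or more; a keystore whose only entries are trustedCertEntry will start the HTTP connector but never serve TLS, which matches the silent failure in the question's log.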
 

Accepted Solution

by:
EE_AutoDeleter earned 0 total points
ID: 20968398
kytjwrangler,
Because you have presented a solution to your own problem which may be helpful to future searches, this question is now PAQed and your points have been refunded.

EE_AutoDeleter
0
