Solved

New SSL Certificate for existing Tomcat deployment

Posted on 2007-11-14
4,708 Views
Last Modified: 2013-12-02
Help!  Our SSL certificate is expiring very soon.  We purchased a new certificate from VeriSign (not allowed to renew the existing one because company moved from Canada to US), but I'm not having any luck installing it into the existing site.  Here's what I have.  Running keytool -list against the existing keystore returns:

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Nov 5, 2005, keyEntry,
Certificate fingerprint (MD5): AF:A0:D4:07:DF:1B:AE:64:D1:14:53:5B:59:DB:FF:0D

I copied this keystore to a local machine and performed the following steps:

keytool -import -alias intermediateCA -keystore /cygwin/tmp/keystore -trustcacerts -file /cygwin/tmp/verisign_root.cer
keytool -import -alias MyApplication -keystore /cygwin/tmp/keystore -trustcacerts -file /cygwin/tmp/my_domain.cer
keytool -delete -alias tomcat -keystore /cygwin/tmp/keystore

Running keytool -list against the resulting keystore yields the following:

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

intermediateca, Nov 14, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 2A:C8:48:C0:85:F3:27:DE:32:29:44:BB:B0:2C:79:F8
myapplication, Nov 14, 2007, trustedCertEntry,
Certificate fingerprint (MD5): DD:B8:19:36:D6:B5:1E:6B:47:75:31:E8:BC:96:CF:49

In my Tomcat/conf/server.xml file, I have the following:

    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
             keystoreFile="D:/Tomcat-5.5/conf/keystore"
               clientAuth="false" sslProtocol="TLS" />

With the old keystore in place, I'm having no problems at all.  When I replace it with the new keystore and bounce Tomcat, I can no longer find the server when I attempt to connect via https.  We have a redirect from https://mydomain.com to https://mydomain.com/myapplication, and it does show me Redirecting, but then it drops to the Cannot find server.  If I look in the catalina.log, I see:

Nov 14, 2007 8:00:47 PM org.apache.coyote.http11.Http11BaseProtocol pause
INFO: Pausing Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:00:47 PM org.apache.coyote.http11.Http11BaseProtocol pause
INFO: Pausing Coyote HTTP/1.1 on http-443
Nov 14, 2007 8:00:48 PM org.apache.catalina.core.StandardService stop
INFO: Stopping service Catalina
Nov 14, 2007 8:00:48 PM org.apache.catalina.core.StandardWrapper unload
INFO: Waiting for 5 instance(s) to be deallocated
Nov 14, 2007 8:00:50 PM org.apache.catalina.core.StandardWrapper unload
INFO: Waiting for 5 instance(s) to be deallocated
Nov 14, 2007 8:00:51 PM org.apache.catalina.core.StandardWrapper unload
INFO: Waiting for 5 instance(s) to be deallocated
Nov 14, 2007 8:00:51 PM org.apache.coyote.http11.Http11BaseProtocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:00:51 PM org.apache.coyote.http11.Http11BaseProtocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-443
Nov 14, 2007 8:00:51 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: Failed shutdown of Apache Portable Runtime
Nov 14, 2007 8:00:53 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: d:\Tomcat-5.5\bin;.;C:\WINNT\system32;C:\WINNT;D:\oracle\ora81\bin;D:\oracle\ora81\Apache\Perl\5.00503\bin\mswin32-x86;C:\Program Files\Oracle\jre\1.1.7\bin;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;d:\MSSQL7\BINN;d:\scripts
Nov 14, 2007 8:00:53 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:00:54 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-443
Nov 14, 2007 8:00:54 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1594 ms
Nov 14, 2007 8:00:54 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Nov 14, 2007 8:00:54 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.16
Nov 14, 2007 8:00:54 PM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Nov 14, 2007 8:00:54 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive myapplication.war
Nov 14, 2007 8:00:56 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:00:56 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-443
Nov 14, 2007 8:00:56 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Nov 14, 2007 8:00:56 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/31  config=null
Nov 14, 2007 8:00:56 PM org.apache.catalina.storeconfig.StoreLoader load
INFO: Find registry server-registry.xml at classpath resource
Nov 14, 2007 8:00:56 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2235 ms

No errors, no problems.  But now I can't get to my application.  I've tried adding a keyAlias attribute to the Connector property, using intermediateca, intermediateCA, myapplication and MyApplication and none of them work.  In every case, if I specify a keyAlias, I get an error like:

Nov 14, 2007 8:10:01 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:10:01 PM org.apache.coyote.http11.Http11BaseProtocol start
SEVERE: Error starting endpoint
java.io.IOException: Alias name intermediateca does not identify a key entry
      at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
      at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
      at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
      at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
      at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
      at org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
      at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
      at org.apache.catalina.connector.Connector.start(Connector.java:1089)
      at org.apache.catalina.core.StandardService.start(StandardService.java:459)
      at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
      at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Nov 14, 2007 8:10:01 PM org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start:
LifecycleException:  service.getName(): "Catalina";  Protocol handler start failed: java.io.IOException: Alias name intermediateca does not identify a key entry
      at org.apache.catalina.connector.Connector.start(Connector.java:1096)
      at org.apache.catalina.core.StandardService.start(StandardService.java:459)
      at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
      at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Nov 14, 2007 8:10:01 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2313 ms

Help!  Thanks in advance!
Question by: arktech
2 Comments
 

Author Comment

by: arktech
ID: 20286743
Never mind, I figured out the problem.  The certificate must be imported into the same keystore from which the CSR was generated.  I should have realized that, but was moving too fast for my own good.  It's working great now, with the new certificate properly deployed.
 
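As an added example (not code from the original post, from Tomcat or from keytool): a small pure-Python reader and writer for the JKS keystore format that rebuilds both keystores from this thread and reproduces the check Tomcat performs when the HTTPS connector starts. The certificate and private-key bytes are constructed placeholders, and the password "changeit" is an assumption, Tomcat's default when the Connector sets no keystorePass, as the one above does; the parser itself follows the real on-disk layout, including the SHA-1 integrity digest keytool verifies whenever a password is supplied.

```python
"""Added example: a minimal pure-Python reader/writer for the JKS keystore format
("Keystore type: jks, provider: SUN"), used to show why the keystore built in the
post cannot serve TLS and why naming one of its aliases in keyAlias then fails."""
import hashlib
import struct

MAGIC, VERSION, PRIVATE_KEY_TAG, TRUSTED_CERT_TAG = 0xFEEDFEED, 2, 1, 2
# Fixed string the JDK mixes into the trailing integrity digest:
# SHA-1(password as UTF-16BE || "Mighty Aphrodite" || file body).
INTEGRITY_SALT = b"Mighty Aphrodite"
# Constructed placeholders for DER certificates and the encrypted private key;
# they are not real X.509 or PKCS#8 data.
FAKE_ROOT_CER, FAKE_DOMAIN_CER = b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"
FAKE_ENCRYPTED_KEY = b"\x30\x03\x02\x01\x03"
PASSWORD = "changeit"  # assumed: Tomcat's default when keystorePass is omitted


def _utf(s):  # Java writeUTF: 2-byte big-endian length, then UTF-8 bytes
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _digest(password, body):
    return hashlib.sha1(password.encode("utf-16-be") + INTEGRITY_SALT + body).digest()


def write_jks(entries, password):
    """entries: (alias, 'key', chain, encrypted_key) or (alias, 'trusted', [cert]);
    aliases are stored lower-cased, as keytool does."""
    body = struct.pack(">III", MAGIC, VERSION, len(entries))
    for alias, kind, chain, *rest in entries:
        tag = PRIVATE_KEY_TAG if kind == "key" else TRUSTED_CERT_TAG
        body += struct.pack(">I", tag) + _utf(alias.lower()) + struct.pack(">Q", 0)
        if kind == "key":
            body += struct.pack(">I", len(rest[0])) + rest[0]  # encrypted private key blob
            body += struct.pack(">I", len(chain))               # chain length, then each cert
            certs = chain
        else:
            certs = chain[:1]                                   # a trusted entry holds one cert
        for cert in certs:
            body += _utf("X.509") + struct.pack(">I", len(cert)) + cert
    return body + _digest(password, body)


def integrity_ok(data, password):  # trailing digest matches: file intact, password right
    return _digest(password, data[:-20]) == data[-20:]


def read_jks(data, password):
    """Return {alias: (entry_type, [certs])}, as keytool -list would report them."""
    if not integrity_ok(data, password):
        raise ValueError("Keystore was tampered with, or password was incorrect")
    body, pos = data[:-20], 0

    def field(fmt):  # one big-endian fixed-size field, then advance
        nonlocal pos
        (v,) = struct.unpack_from(fmt, body, pos)
        pos += struct.calcsize(fmt)
        return v

    def raw(n):  # n raw bytes, then advance
        nonlocal pos
        pos += n
        return body[pos - n:pos]

    if (field(">I"), field(">I")) != (MAGIC, VERSION):
        raise ValueError("Not a version-2 JKS keystore")
    entries = {}
    for _ in range(field(">I")):
        tag, alias = field(">I"), raw(field(">H")).decode("utf-8")
        field(">Q")  # creation timestamp in ms, not needed here
        if tag == PRIVATE_KEY_TAG:
            raw(field(">I"))  # encrypted private key, left opaque
            chain = []
            for _ in range(field(">I")):
                raw(field(">H"))  # certificate type, "X.509"
                chain.append(raw(field(">I")))
            entries[alias] = ("keyEntry", chain)  # newer keytool prints PrivateKeyEntry
        elif tag == TRUSTED_CERT_TAG:
            raw(field(">H"))
            entries[alias] = ("trustedCertEntry", [raw(field(">I"))])
        else:
            raise ValueError("Unknown entry tag %d" % tag)
    if pos != len(body):
        raise ValueError("Trailing bytes after the last entry")
    return entries


def connector_start_check(entries, key_alias=None):
    """Mirror Tomcat's JSSE socket factory at connector start: an explicit keyAlias must
    name a key entry; without one the key manager takes the first key entry it finds."""
    if key_alias is not None:
        entry = entries.get(key_alias.lower())
        if entry is None or entry[0] != "keyEntry":
            return "Alias name %s does not identify a key entry" % key_alias
        return "serving key entry '%s'" % key_alias.lower()
    key_aliases = [a for a, (kind, _) in entries.items() if kind == "keyEntry"]
    if not key_aliases:
        return "no key entry: connector starts, but there is no server key for the handshake"
    return "serving key entry '%s'" % key_aliases[0]


def broken_keystore(password=PASSWORD):  # the post: new aliases for both certs, 'tomcat' deleted
    return write_jks([("intermediateCA", "trusted", [FAKE_ROOT_CER]),
                      ("MyApplication", "trusted", [FAKE_DOMAIN_CER])], password)


def fixed_keystore(password=PASSWORD):  # the fix: signed cert under the alias that owns the key
    return write_jks([("intermediateCA", "trusted", [FAKE_ROOT_CER]),
                      ("tomcat", "key", [FAKE_DOMAIN_CER, FAKE_ROOT_CER], FAKE_ENCRYPTED_KEY)],
                     password)
```

Running read_jks over broken_keystore() gives exactly the listing in the question, two trustedCertEntry items and no key entry, and connector_start_check reproduces both symptoms: with keyAlias set, the "does not identify a key entry" IOException; without it, a connector that starts cleanly but has no private key to complete a handshake with, which is why the browser sees the connection dropped rather than a Tomcat error. In keytool terms the author's fix is: keep the original keystore, the one whose tomcat key pair produced the CSR; import the CA certificate under its own alias (keytool -import -trustcacerts -alias intermediateCA -file verisign_root.cer -keystore keystore); then import the signed certificate under the alias that owns the private key (keytool -import -trustcacerts -alias tomcat -file my_domain.cer -keystore keystore). Because that alias is a key entry, keytool checks the certificate's public key against the stored private key and replaces the entry's chain instead of creating a trustedCertEntry, and keytool -list still reports tomcat as keyEntry (PrivateKeyEntry in newer JDKs). A keystore that lists nothing but trustedCertEntry items will never serve TLS whatever keyAlias says, because it holds no private key; and opening it with the wrong password fails the integrity digest with the same "Keystore was tampered with, or password was incorrect" message keytool prints.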

Accepted Solution

by: EE_AutoDeleter
ID: 20968398
kytjwrangler,
Because you have presented a solution to your own problem which may be helpful to future searches, this question is now PAQed and your points have been refunded.

EE_AutoDeleter
