Solved

New SSL Certificate for existing Tomcat deployment

Posted on 2007-11-14
Last Modified: 2013-12-02
Help!  Our SSL certificate is expiring very soon.  We purchased a new certificate from VeriSign (not allowed to renew the existing one because company moved from Canada to US), but I'm not having any luck installing it into the existing site.  Here's what I have.  Running keytool -list against the existing keystore returns:

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Nov 5, 2005, keyEntry,
Certificate fingerprint (MD5): AF:A0:D4:07:DF:1B:AE:64:D1:14:53:5B:59:DB:FF:0D

I copied this keystore to a local machine and performed the following steps:

keytool -import -alias intermediateCA -keystore /cygwin/tmp/keystore -trustcacerts -file /cygwin/tmp/verisign_root.cer
keytool -import -alias MyApplication -keystore /cygwin/tmp/keystore -trustcacerts -file /cygwin/tmp/my_domain.cer
keytool -delete -alias tomcat -keystore /cygwin/tmp/keystore

Running keytool -list against the resulting keystore yields the following:

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

intermediateca, Nov 14, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 2A:C8:48:C0:85:F3:27:DE:32:29:44:BB:B0:2C:79:F8
myapplication, Nov 14, 2007, trustedCertEntry,
Certificate fingerprint (MD5): DD:B8:19:36:D6:B5:1E:6B:47:75:31:E8:BC:96:CF:49

In my Tomcat/conf/server.xml file, I have the following:

    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               keystoreFile="D:/Tomcat-5.5/conf/keystore"
               clientAuth="false" sslProtocol="TLS" />

With the old keystore in place, I'm having no problems at all.  When I replace it with the new keystore and bounce Tomcat, I can no longer find the server when I attempt to connect via https.  We have a redirect from https://mydomain.com to https://mydomain.com/myapplication, and it does show me "Redirecting", but then it drops to "Cannot find server".  If I look in the catalina.log, I see:

Nov 14, 2007 8:00:47 PM org.apache.coyote.http11.Http11BaseProtocol pause
INFO: Pausing Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:00:47 PM org.apache.coyote.http11.Http11BaseProtocol pause
INFO: Pausing Coyote HTTP/1.1 on http-443
Nov 14, 2007 8:00:48 PM org.apache.catalina.core.StandardService stop
INFO: Stopping service Catalina
Nov 14, 2007 8:00:48 PM org.apache.catalina.core.StandardWrapper unload
INFO: Waiting for 5 instance(s) to be deallocated
Nov 14, 2007 8:00:50 PM org.apache.catalina.core.StandardWrapper unload
INFO: Waiting for 5 instance(s) to be deallocated
Nov 14, 2007 8:00:51 PM org.apache.catalina.core.StandardWrapper unload
INFO: Waiting for 5 instance(s) to be deallocated
Nov 14, 2007 8:00:51 PM org.apache.coyote.http11.Http11BaseProtocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:00:51 PM org.apache.coyote.http11.Http11BaseProtocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-443
Nov 14, 2007 8:00:51 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: Failed shutdown of Apache Portable Runtime
Nov 14, 2007 8:00:53 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: d:\Tomcat-5.5\bin;.;C:\WINNT\system32;C:\WINNT;D:\oracle\ora81\bin;D:\oracle\ora81\Apache\Perl\5.00503\bin\mswin32-x86;C:\Program Files\Oracle\jre\1.1.7\bin;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;d:\MSSQL7\BINN;d:\scripts
Nov 14, 2007 8:00:53 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:00:54 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-443
Nov 14, 2007 8:00:54 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1594 ms
Nov 14, 2007 8:00:54 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Nov 14, 2007 8:00:54 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.16
Nov 14, 2007 8:00:54 PM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Nov 14, 2007 8:00:54 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive myapplication.war
Nov 14, 2007 8:00:56 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:00:56 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-443
Nov 14, 2007 8:00:56 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Nov 14, 2007 8:00:56 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/31  config=null
Nov 14, 2007 8:00:56 PM org.apache.catalina.storeconfig.StoreLoader load
INFO: Find registry server-registry.xml at classpath resource
Nov 14, 2007 8:00:56 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2235 ms

No errors, no problems.  But now I can't get to my application.  I've tried adding a keyAlias attribute to the Connector property, using intermediateca, intermediateCA, myapplication and MyApplication and none of them work.  In every case, if I specify a keyAlias, I get an error like:

Nov 14, 2007 8:10:01 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Nov 14, 2007 8:10:01 PM org.apache.coyote.http11.Http11BaseProtocol start
SEVERE: Error starting endpoint
java.io.IOException: Alias name intermediateca does not identify a key entry
      at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
      at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
      at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
      at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
      at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
      at org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
      at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
      at org.apache.catalina.connector.Connector.start(Connector.java:1089)
      at org.apache.catalina.core.StandardService.start(StandardService.java:459)
      at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
      at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Nov 14, 2007 8:10:01 PM org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start:
LifecycleException:  service.getName(): "Catalina";  Protocol handler start failed: java.io.IOException: Alias name intermediateca does not identify a key entry
      at org.apache.catalina.connector.Connector.start(Connector.java:1096)
      at org.apache.catalina.core.StandardService.start(StandardService.java:459)
      at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
      at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Nov 14, 2007 8:10:01 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2313 ms

Help!  Thanks in advance!
Question by:arktech
2 Comments
Author Comment

by:arktech
ID: 20286743
Never mind, I figured out the problem.  The certificate must be imported into the same keystore from which the CSR was generated.  I should have realized that, but was moving too fast for my own good.  It's working great now, with the new certificate properly deployed.
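The self-answer above comes down to one condition: the keystore Tomcat loads must contain a private-key entry (the one the CSR was generated from) for the alias the connector uses, and the CA reply must be imported under that same alias. The following pre-flight check is an added example, not part of the question or the answer; it parses the `keytool -list` output shown in the question and the `<Connector>` element from server.xml, and reports both failure modes seen above: no `keyAlias` and no key entry at all (Tomcat starts cleanly but cannot serve TLS), and a `keyAlias` that names a `trustedCertEntry` (the "does not identify a key entry" error). It assumes the documented Tomcat 5.5 behaviour that, without `keyAlias`, the first key entry read from the keystore is used.

```python
import xml.etree.ElementTree as ET

# Constructed sample (copied from the listing in the question): the rebuilt
# keystore, which holds only trusted certificates and no private key.
LIST_AFTER_IMPORT = """\
Your keystore contains 2 entries

intermediateca, Nov 14, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 2A:C8:48:C0:85:F3:27:DE:32:29:44:BB:B0:2C:79:F8
myapplication, Nov 14, 2007, trustedCertEntry,
Certificate fingerprint (MD5): DD:B8:19:36:D6:B5:1E:6B:47:75:31:E8:BC:96:CF:49
"""
# Constructed sample: the original keystore, which still has the key entry.
LIST_ORIGINAL = """\
Your keystore contains 1 entry

tomcat, Nov 5, 2005, keyEntry,
Certificate fingerprint (MD5): AF:A0:D4:07:DF:1B:AE:64:D1:14:53:5B:59:DB:FF:0D
"""
# The connector from the question, without a keyAlias attribute.
CONNECTOR = ('<Connector port="443" scheme="https" secure="true" '
             'keystoreFile="D:/Tomcat-5.5/conf/keystore" sslProtocol="TLS" />')

KEY_KINDS = {"keyEntry", "PrivateKeyEntry"}          # names keytool uses by version
ENTRY_KINDS = KEY_KINDS | {"trustedCertEntry", "SecretKeyEntry"}

def parse_keytool_list(text):
    """Map alias -> entry type from `keytool -list` output. Entry lines look
    like 'alias, Nov 5, 2005, keyEntry,': the date itself contains a comma,
    so the entry type is the last non-empty comma-separated field."""
    entries = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) >= 4 and parts[-1] == "" and parts[-2] in ENTRY_KINDS:
            entries[parts[0].lower()] = parts[-2]  # JKS stores aliases lower-cased
    return entries

def check_connector(connector_xml, keytool_output):
    """Return (ok, reason): will this connector find a private key to serve?"""
    alias = ET.fromstring(connector_xml).get("keyAlias")
    entries = parse_keytool_list(keytool_output)
    keys = sorted(a for a, k in entries.items() if k in KEY_KINDS)
    if alias is None:  # assumption: Tomcat takes the first key entry it reads
        if keys:
            return True, f"no keyAlias set; Tomcat will use key entry {keys[0]!r}"
        return False, "keystore has no key entry, only trusted certificates"
    kind = entries.get(alias.lower())
    if kind in KEY_KINDS:
        return True, f"alias {alias!r} is a {kind}"
    return False, (f"alias {alias!r} is {kind or 'absent'}, not a key entry; "
                   "import the CA reply under the alias holding the CSR's private key")
```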

Accepted Solution

by:
EE_AutoDeleter earned 0 total points
ID: 20968398
kytjwrangler,
Because you have presented a solution to your own problem which may be helpful to future searches, this question is now PAQed and your points have been refunded.

EE_AutoDeleter