Solved

tomcat 6 (not 7) ssl problem (certificate issues)

Posted on 2014-10-10
11
391 Views
Last Modified: 2014-10-22
Hi;

I have created a keystore and CSR for SSL with the following command:
      
%JAVA_HOME%\bin\keytool -genkey -alias server -keyalg RSA \
  -keystore \path\to\my\keystore

Then I received 2 files from the certificate authority, abc.com.cer and abc.com.p7b

From this point, no matter what I have done, I couldn't make SSL work on my Tomcat 6.
I followed the steps under http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
but I failed to import the p7b, so I converted it to a crt file and successfully imported it.
My application, for http, is using 55012 and I want to use port 443 for https.
Following is my server.xml

<Connector port="443"
maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
maxSpareThreads="75" enableLookups="false"
disableUploadTimeout="true" acceptCount="100"
scheme="https" secure="true" SSLEnabled="true"
clientAuth="false" sslProtocol="TLS"
keyAlias="server" keystoreFile="/path/to/JKSfile/your_site_name.jks"
keystorePass="your_keystore_password" />

Now my questions are

1) My keystore alias is server and I sent my CSR after this.
To clean things up, I want to delete my keystore, but is it fine if I generate the key with another alias, e.g. tomcat as in the Tomcat documentation?
2) I have the files, cer and crt (p7b), so is that fine or do I need something extra?
3) Is the order of import important? First crt then cer?
4) What are the correct import commands? Should I trust the Tomcat documentation or the authority's documentation?

My tomcat version is as follows:

Server version: Apache Tomcat/6.0.36
Server built:   Oct 16 2012 09:59:09
Server number:  6.0.36.0
OS Name:        Windows 7
OS Version:     6.1
Architecture:   amd64
JVM Version:    1.7.0_21-b11
JVM Vendor:     Oracle Corporation

Regards.
0
Comment
Question by:jazzIIIlove
11 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 40374545
Java security baseline is 7u65
There is no problem with tomcat.

They sent you the certificate in 2 formats. Remember that keytool needs to know that your private key has alias 'server'
0
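The alias point in the comment above can be checked from `keytool -list -v` output. This added example (not part of the original thread) classifies an alias as missing, certificate-only, still self-signed, or carrying the CA reply; the sample listings, subject names and the `entry_state` helper are constructed for illustration.

```shell
# Added example: classify one alias from `keytool -list -v` text on stdin.
# Real use (keystore path is a placeholder):
#   keytool -list -v -keystore /path/to/my/keystore | entry_state server
entry_state() {  # $1 = alias to inspect
  awk -v want="$1" '
    { sub(/\r$/, "") }                       # tolerate Windows line endings
    /^Alias name: /               { cur = substr($0, 13); next }
    cur != want                   { next }   # skip other entries
    /^Entry type: /               { type = $3 }
    /^Certificate chain length: / { chain = $4 }
    /^Owner: /  && owner == ""    { owner = substr($0, 8) }   # leaf cert only
    /^Issuer: / && issuer == ""   { issuer = substr($0, 9) }
    END {
      if (type == "")                     print "missing"
      else if (type != "PrivateKeyEntry") print "no-private-key"
      else if (owner == issuer)           print "self-signed"
      else                                print "ca-signed chain=" chain
    }'
}
sample_wrong_alias() {  # constructed: reply imported under a new alias
cat <<'EOF'
Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.test, O=Example
Issuer: CN=www.example.test, O=Example

Alias name: tomcat
Entry type: trustedCertEntry
Owner: CN=www.example.test, O=Example
Issuer: CN=Constructed Issuing CA
EOF
}
sample_same_alias() {  # constructed: reply imported under alias "server"
cat <<'EOF'
Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.example.test, O=Example
Issuer: CN=Constructed Issuing CA
Certificate[2]:
Owner: CN=Constructed Issuing CA
Issuer: CN=Constructed Root CA
EOF
}
sample_wrong_alias | entry_state server
sample_wrong_alias | entry_state tomcat
sample_same_alias  | entry_state server
```

A connector with `keyAlias="server"` needs that alias to report `ca-signed`; `self-signed` means the key entry still holds only the certificate generated with the key pair, and `no-private-key` means the alias holds a certificate without a key.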
 
LVL 12

Author Comment

by:jazzIIIlove
ID: 40374695
So while importing crt and cer, I need to use the alias server. Correct?
0
 
LVL 62

Accepted Solution

by:
gheist earned 500 total points
ID: 40375010
You need to import just one. It is the same cryptographic signature in 2 different formats.
0
 
LVL 12

Author Comment

by:jazzIIIlove
ID: 40375131
Hi,

Is it abc.com.cer (which is the intermediate) or abc.com.p7b to import?

Can you write down the exact command? I am a little desperate..
0
 
LVL 62

Expert Comment

by:gheist
ID: 40375134
Consult your CA documentation. p7b is for IIS
0
 
LVL 12

Author Comment

by:jazzIIIlove
ID: 40375168
Yes. I couldn't import the p7b, so I converted it to crt to import into the Java keystore. So what you say is that I need to import only the crt (cer is the intermediate certificate and there is no need to import it?). And I need to use the same alias that I used to generate the CSR. Correct?

I strongly appreciate your interest in the question, btw. As you see, no one else is commenting currently. I would personally request a 5000 pts award instead of 500 pts, as no one got interested in some areas in EE
0
 
LVL 62

Expert Comment

by:gheist
ID: 40375181
Would be nice if you manage to tell which CA you used and your domain name. Domain abc.com uses Apache, that's not yours I assume.
0
 
LVL 12

Author Comment

by:jazzIIIlove
ID: 40375670
java version "1.8.0"
Java(TM) SE Runtime Environment (build 1.8.0-b132)
Java HotSpot(TM) 64-Bit Server VM (build 25.0-b70, mixed mode)

It's the geotrust, https://www.geocerts.com/install/tomcat

it says,

keytool -import -trustcacerts -alias tomcat -file your_site_name.p7b -keystore mykeystore.jks
You MUST use the same alias used when the keystore was created, in this case the alias used was tomcat

The thing is that I made the CSR with alias "server", and was also unable to install the p7b, so my customer sent me a converted version, crt.

Now, to be on the safe side, should I delete the keystore and regenerate the CSR with alias "tomcat"?
Or should "I" convert p7b to crt file? (Note that I have the other certificate which is a cer file)

And do you think above Connector is fine?

I really wish to give the domain name but the certificate is not in place currently.

Thanks a thousand times!
0
 
LVL 12

Author Comment

by:jazzIIIlove
ID: 40375800
0
 
LVL 62

Expert Comment

by:gheist
ID: 40375899
Tomcat 6 is not compatible with java 1.8
0
 
LVL 12

Author Comment

by:jazzIIIlove
ID: 40375955
Which Java should I use for Tomcat 6?
0


Question has a verified solution.
