Solved

Issues installing SSL certificate into Apache Tomcat

Posted on 2016-09-07
Last Modified: 2016-09-13
Hi,

I'm trying to install a certificate into Tomcat 8 and am having trouble.

I've been given a Trustwave certificate in the form of:

chain.cer
domainname.co.uk.cer
domainname.co.uk.der
domainname.co.uk.p7b
domainname.co.uk.pem

I create a keystore with:

keytool -genkey -keystore c:\livecontent03.jks -alias livecontent03 -keyalg RSA -keysize 2048 -validity 3650

and fill out the answers with the details given to me, although I leave the "First name last name" field blank as I wasn't supplied these details.

I then import the CA certificate file "root certificate" with:

keytool -import -keystore c:\livecontent03.jks -trustcacerts -alias CACert -file c:\chain.cer -storepass ******

and then import the signed certificate:

keytool -import -keystore c:\livecontent03.jks -trustcacerts -alias livecontent03 -file c:\domainname.co.uk.cer -storepass ******

But at this point I get:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

I've spoken to Trustwave and they say that I should use "root certificate for Apache is STCA either from TEXT or PEM format"

So I tried again from scratch with stca.tx first before installing the domain.co.uk.cer but get the same error.

I'm now scratching my head and looking for advice.

Thanks.
Question by:Letterpart
3 Comments
 
LVL 36

Accepted Solution

by:
mccarl earned 2000 total points
ID: 41788940
It's not clear from that list of files if one of them is the PRIVATE KEY for the certificate that you are trying to install. If you don't have the private key, nothing is going to work anyway. You need the private key before you can do anything further.

Now, just to clarify the reason for the error that you are seeing... In the first keytool command, you are creating a new keystore, BUT you are also creating a new private key and public key with the alias "livecontent03". This private/public key pair will have NOTHING in common with the details in the certificate that you are importing. So then, when you execute the third keytool command, that is why you are getting the error saying that the public key in the certificate doesn't match with the public key generated in the first command.

So, if you deleted the keystore that you created, and then just ran the 2nd and 3rd commands above, you would be able to import those certificates into the keystore without error, but this would still be useless to Tomcat as it wouldn't have the associated private key that is required for SSL/TLS to work.

The usual process of getting SSL up and going is this...
 - Using something like the first command, create a private/public key pair. At this point you have a self-signed certificate.
 - Using that key pair, get keytool to generate a "Certificate Signing Request" and send that to your CA
 - The CA will verify all your details and generate a new certificate, signed using their own private key, asserting that you are who you say you are. They send you this new certificate (and often their root certificate that verifies your new certificate)
 - You then import the certificate that they send back into the same keystore overwriting the self-signed certificate that was created in the first step.
 - This entry in the keystore now has the private key that Tomcat can use to encrypt information, plus the CA signed certificate (including the public key) that it can send to the remote client, so that the client can decrypt information.
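The CSR round-trip the accepted answer lays out, as an added example that is not part of the thread: it is done with openssl rather than keytool so the "public keys don't match" condition keytool reported can be checked on the command line before anything is imported. It assumes openssl is on PATH; the CA is a constructed self-signed stand-in, not Trustwave's.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the CSR round-trip the
# accepted answer describes with openssl, then check whether a returned
# certificate's public key matches the private key it is paired with.
# That is the check keytool performs when it reports
# "Public keys in reply and keystore don't match".
# Assumes: openssl on PATH; everything is written to a scratch directory.
set -e
WORK=$(mktemp -d)

# Step 1: the server's own key pair (what "keytool -genkey" also produces).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/server.key" 2>/dev/null

# Step 2: a CSR from that key pair (what "keytool -certreq" produces).
openssl req -new -key "$WORK/server.key" -subj "/CN=domainname.example" \
    -out "$WORK/server.csr" 2>/dev/null

# A constructed stand-in for the CA: a self-signed root that signs the CSR.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -subj "/CN=Constructed Test CA" -days 365 -out "$WORK/ca.cer" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.cer" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/server.cer" 2>/dev/null

# Step 3: a *different* fresh key pair, like the one the poster's first
# keytool command created in a brand-new keystore.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/unrelated.key" 2>/dev/null

# Compare the public key inside a certificate with the one derived from a
# private key. Prints "match" or "mismatch"; returns 0 or 1.
pubkey_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; return 0; fi
    echo mismatch; return 1
}

# The CA's reply pairs with the key that made the CSR ...
pubkey_matches "$WORK/server.cer" "$WORK/server.key"
# ... but not with a key generated independently: the poster's situation.
pubkey_matches "$WORK/server.cer" "$WORK/unrelated.key" || true
```

Run the same comparison against the Trustwave reply and the key in the keystore before importing; a "mismatch" means a CSR from the keystore's own key still has to be generated and re-signed.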
 
LVL 1

Author Closing Comment

by:Letterpart
ID: 41795716
Thanks for that.

Created the CSR on the server, sent it off and the cert installed fine first time.
 
LVL 36

Expert Comment

by:mccarl
ID: 41795756
You're welcome!!