Solved

Issues installing SSL certificate into Apache Tomcat

Posted on 2016-09-07
3
130 Views
Last Modified: 2016-09-13
Hi,

I'm trying to install a certificate into Tomcat 8 and am having trouble.

I've been given a Trustwave certificate in the form of:

chain.cer
domainname.co.uk.cer
domainname.co.uk.der
domainname.co.uk.p7b
domainname.co.uk.pem

I create a keystore with:

keytool -genkey -keystore c:\livecontent03.jks -alias livecontent03 -keyalg RSA -keysize 2048 -validity 3650



and fill out the answers with the details given to me, although I leave the First name/Last name field blank as I wasn't supplied these details.

I then import the CA certificate file "root certificate" with:

keytool -import -keystore c:\livecontent03.jks -trustcacerts -alias CACert -file c:\chain.cer -storepass ******



and then import the signed certificate:

keytool -import -keystore c:\livecontent03.jks -trustcacerts -alias livecontent03 -file c:\domainname.co.uk.cer -storepass ******




But at this point I get:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

I've spoken to Trustwave and they say that I should use "root certificate for Apache is STCA either from TEXT or PEM format"

So I tried again from scratch with stca.tx first before installing the domain.co.uk.cer but get the same error.

I'm now scratching my head and looking for advice.

Thanks.
0
Question by:Letterpart
3 Comments
 
LVL 36

Accepted Solution

by:
mccarl earned 500 total points
ID: 41788940
It's not clear from that list of files if one of them is the PRIVATE KEY for the certificate that you are trying to install. If you don't have the private key, nothing is going to work anyway. You need that before you can do anything further.

Now, just to clarify the reason for the error that you are seeing... In the first keytool command, you are creating a new keystore, BUT you are also creating a new private key and public key with the alias "livecontent03". This private/public key pair will have NOTHING in common with the details in the certificate that you are importing. So then, when you execute the third keytool command, that is why you are getting the error saying that the public key in the certificate doesn't match with the public key generated in the first command.

So, if you deleted the keystore that you created, and then just ran the 2nd and 3rd commands above, you would be able to import those certificates into the keystore without error, but this would still be useless to Tomcat as it wouldn't have the associated private key that is required for SSL/TLS to work.

The usual process of getting SSL up and going is this...
 - Using something like the first command, create a private/public key pair. At this point you have a self-signed certificate.
 - Using that key pair, get keytool to generate a "Certificate Signing Request" and send that to your CA
 - The CA will verify all your details and generate a new certificate, signed using their own private key, asserting that you are who you say you are. They send you this new certificate (and often their root certificate that verifies your new certificate)
 - You then import the certificate that they send back into the same keystore overwriting the self-signed certificate that was created in the first step.
 - This entry in the keystore now has the private key that Tomcat can use to encrypt information, plus the CA signed certificate (including the public key) that it can send to the remote client, so that the client can decrypt information.
1
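The CSR workflow mccarl lays out, written up as a runnable added example (not code from the thread, Tomcat or Trustwave): a throwaway local CA stands in for the real CA so it runs offline, and pubkey_check surfaces the condition behind "Public keys in reply and keystore don't match" before any import is attempted. The alias, password, working directory and distinguished names are assumptions; the real chain.cer and domainname.co.uk.cer files are not used.

```shell
# Throwaway working directory and a constructed password (assumptions, not the poster's values).
WORK="${WORK:-$(mktemp -d)}"
PASS='changeit'
SRV="$WORK/livecontent03.jks"      # server keystore (alias name taken from the thread)
CA="$WORK/testca.jks"              # local stand-in for the CA (Trustwave in the thread)
ALIAS=livecontent03
# Step 1: generate the server key pair. The CA-signed cert must come back to THIS entry.
gen_server_keypair() {
  keytool -genkeypair -keystore "$SRV" -storepass "$PASS" -keypass "$PASS" -alias "$ALIAS" \
    -keyalg RSA -keysize 2048 -validity 3650 \
    -dname "CN=domainname.co.uk, O=Example Ltd, C=GB" >/dev/null 2>&1
}
# Step 2: a CSR from that same key pair; this, not a fresh keystore, goes to the CA.
make_csr() {
  keytool -certreq -keystore "$SRV" -storepass "$PASS" -alias "$ALIAS" \
    -file "$WORK/$ALIAS.csr" >/dev/null 2>&1
}
# Stand-in for the CA: create a root, publish it as chain.cer, sign the CSR.
sign_with_local_ca() {
  keytool -genkeypair -keystore "$CA" -storepass "$PASS" -keypass "$PASS" -alias testca \
    -keyalg RSA -keysize 2048 -validity 3650 -ext bc:c \
    -dname "CN=Test CA, O=Example Ltd, C=GB" >/dev/null 2>&1
  keytool -exportcert -rfc -keystore "$CA" -storepass "$PASS" -alias testca \
    -file "$WORK/chain.cer" >/dev/null 2>&1
  keytool -gencert -rfc -keystore "$CA" -storepass "$PASS" -alias testca -validity 825 \
    -infile "$WORK/$ALIAS.csr" -outfile "$WORK/domainname.co.uk.cer" >/dev/null 2>&1
}
# SHA-256 of a certificate's SubjectPublicKeyInfo, read from PEM on stdin.
spki_hash() {
  openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
# The thread's failure mode, checked before importing: same public key in reply and keystore entry?
pubkey_check() {
  ks=$(keytool -exportcert -rfc -keystore "$SRV" -storepass "$PASS" -alias "$ALIAS" 2>/dev/null | spki_hash)
  reply=$(spki_hash < "$1")
  [ -n "$ks" ] && [ "$ks" = "$reply" ] && echo match || echo MISMATCH
}
# Steps 3 and 4: trust the CA root first, then import the reply onto the SAME alias.
import_reply() {
  keytool -importcert -noprompt -trustcacerts -keystore "$SRV" -storepass "$PASS" \
    -alias CACert -file "$WORK/chain.cer" >/dev/null 2>&1
  keytool -importcert -noprompt -trustcacerts -keystore "$SRV" -storepass "$PASS" \
    -alias "$ALIAS" -file "$WORK/domainname.co.uk.cer" >/dev/null 2>&1
}
# What Tomcat needs: a PrivateKeyEntry (key plus CA-issued chain) under the alias.
entry_type() {
  keytool -list -v -keystore "$SRV" -storepass "$PASS" -alias "$ALIAS" 2>/dev/null \
    | awk '/Entry type:/ {print $3; exit}'
}
```

Running pubkey_check against a cert issued for a different key pair (the situation in the question, or chain.cer here) prints MISMATCH, which is exactly what keytool refuses at import time.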
 
LVL 1

Author Closing Comment

by:Letterpart
ID: 41795716
Thanks for that.

Created the CSR on the server, sent it off and the cert installed fine first time.
0
 
LVL 36

Expert Comment

by:mccarl
ID: 41795756
You're welcome!!
1
