?
Solved

Issues installing SSL certificate into Apache Tomcat

Posted on 2016-09-07
3
Medium Priority
?
146 Views
Last Modified: 2016-09-13
Hi,

I'm trying to install a certificate into Tomcat 8 and am having trouble.

I've been given a Trustwave certificate in the form of:

chain.cer
domainname.co.uk.cer
domainname.co.uk.der
domainname.co.uk.p7b
domainname.co.uk.pem

I create a keystore with:

keytool -genkey -keystore c:\livecontent03.jks -alias livecontent03 -keyalg RSA -keysize 2048 -validity 3650

Open in new window


and fill out the answers with the details given to me although I leave the First name last name field blank as I was n't supplied these details.

I then import the CA certificate file "root certificate" with:

keytool -import -keystore c:\livecontent03.jks -trustcacerts -alias CACert -file c:\chain.cer -storepass ******

Open in new window


and then import the signed certificate:

keytool -import -keystore c:\livecontent03.jks -trustcacerts -alias livecontent03 -file c:\domainname.co.uk.cer -storepass ******

Open in new window



But at this point I get:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

I've spoken to Trustwave and they say that I should use "root certificate for Apache is STCA either from TEXT or PEM format"

So I tried again from scratch with stca.tx first before installing the domain.co.uk.cer but get the same error.

I'm now scratching my head and looking for advice.

Thanks.
0
Comment
Question by:Letterpart
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 36

Accepted Solution

by:
mccarl earned 2000 total points
ID: 41788940
It's not clear from that list of files if one of them is the PRIVATE KEY for the certificate that you are trying to install. If you don't have the private key, nothing is going to work anyway. You need the before you can do anything further.

Now, just to clarify the reason for the error that you are seeing... In the first keytool command, you are creating a new keystore, BUT you are also creating a new private key and public key with the alias "livecontent03". This private/public key pair will have NOTHING in common with the details in the certificate that you are importing. So then, when you execute the third keytool command, that is why you are getting the error saying that the public key in the certificate doesn't match with the public key generated in the first command.

So, if you deleted the keystore that you created, and then just ran the 2nd and 3rd commands above, you would be able to import those certificates into the keystore without error, but this would still be useless to Tomcat as it wouldn't have the associated private key that is required for SSL/TLS to work.

The usual process of getting SSL up and going is this...
 - Using something like the first command, create a private/public key pair. At this point you have a self-signed certificate.
 - Using that key pair, get keytool to generate a "Certificate Signing Request" and send that to your CA
 - The CA will verify all your details and generate a new certificate, signed using their own private key, asserting that you are how you say you are. They send you this new certificate (and often their root certificate that verifies your new certificate)
 - You then import the certificate that they send back into the same keystore overwriting the self-signed certificate that was created in the first step.
 - This entry in the keystore now has the private key that Tomcat can use to encrypt information, plus the CA signed certificate (including the public key) that it can send to the remote client, so that the client can decrypt information.
1
 
LVL 1

Author Closing Comment

by:Letterpart
ID: 41795716
Thanks for that.

Created the CSR on the server, sent it off and the cert installed fine first time.
0
 
LVL 36

Expert Comment

by:mccarl
ID: 41795756
You're welcome!!
1

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Java Flight Recorder and Java Mission Control together create a complete tool chain to continuously collect low level and detailed runtime information enabling after-the-fact incident analysis. Java Flight Recorder is a profiling and event collectio…
#SSL #TLS #Citrix #HTTPS #PKI #Compliance #Certificate #Encryption #StoreFront #Web Interface #Citrix XenApp
This video teaches viewers about errors in exception handling.
This tutorial explains how to use the VisualVM tool for the Java platform application. This video goes into detail on the Threads, Sampler, and Profiler tabs.
Suggested Courses
Course of the Month14 days, 20 hours left to enroll

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question