Solved

Issues installing SSL certificate into Apache Tomcat

Posted on 2016-09-07
3
94 Views
Last Modified: 2016-09-13
Hi,

I'm trying to install a certificate into Tomcat 8 and am having trouble.

I've been given a Trustwave certificate in the form of:

chain.cer
domainname.co.uk.cer
domainname.co.uk.der
domainname.co.uk.p7b
domainname.co.uk.pem

I create a keystore with:

keytool -genkey -keystore c:\livecontent03.jks -alias livecontent03 -keyalg RSA -keysize 2048 -validity 3650

Open in new window


and fill out the answers with the details given to me although I leave the First name last name field blank as I was n't supplied these details.

I then import the CA certificate file "root certificate" with:

keytool -import -keystore c:\livecontent03.jks -trustcacerts -alias CACert -file c:\chain.cer -storepass ******

Open in new window


and then import the signed certificate:

keytool -import -keystore c:\livecontent03.jks -trustcacerts -alias livecontent03 -file c:\domainname.co.uk.cer -storepass ******

Open in new window



But at this point I get:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

I've spoken to Trustwave and they say that I should use "root certificate for Apache is STCA either from TEXT or PEM format"

So I tried again from scratch with stca.tx first before installing the domain.co.uk.cer but get the same error.

I'm now scratching my head and looking for advice.

Thanks.
0
Comment
Question by:Letterpart
  • 2
3 Comments
 
LVL 35

Accepted Solution

by:
mccarl earned 500 total points
ID: 41788940
It's not clear from that list of files if one of them is the PRIVATE KEY for the certificate that you are trying to install. If you don't have the private key, nothing is going to work anyway. You need the before you can do anything further.

Now, just to clarify the reason for the error that you are seeing... In the first keytool command, you are creating a new keystore, BUT you are also creating a new private key and public key with the alias "livecontent03". This private/public key pair will have NOTHING in common with the details in the certificate that you are importing. So then, when you execute the third keytool command, that is why you are getting the error saying that the public key in the certificate doesn't match with the public key generated in the first command.

So, if you deleted the keystore that you created, and then just ran the 2nd and 3rd commands above, you would be able to import those certificates into the keystore without error, but this would still be useless to Tomcat as it wouldn't have the associated private key that is required for SSL/TLS to work.

The usual process of getting SSL up and going is this...
 - Using something like the first command, create a private/public key pair. At this point you have a self-signed certificate.
 - Using that key pair, get keytool to generate a "Certificate Signing Request" and send that to your CA
 - The CA will verify all your details and generate a new certificate, signed using their own private key, asserting that you are how you say you are. They send you this new certificate (and often their root certificate that verifies your new certificate)
 - You then import the certificate that they send back into the same keystore overwriting the self-signed certificate that was created in the first step.
 - This entry in the keystore now has the private key that Tomcat can use to encrypt information, plus the CA signed certificate (including the public key) that it can send to the remote client, so that the client can decrypt information.
1
 
LVL 1

Author Closing Comment

by:Letterpart
ID: 41795716
Thanks for that.

Created the CSR on the server, sent it off and the cert installed fine first time.
0
 
LVL 35

Expert Comment

by:mccarl
ID: 41795756
You're welcome!!
1

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
tomcat not starting 6 45
by zero exception 10 39
How do I remove an object from a 3 23
Facing this issue for maven proxy setting 2 9
Go is an acronym of golang, is a programming language developed Google in 2007. Go is a new language that is mostly in the C family, with significant input from Pascal/Modula/Oberon family. Hence Go arisen as low-level language with fast compilation…
Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
Viewers learn about the scanner class in this video and are introduced to receiving user input for their programs. Additionally, objects, conditional statements, and loops are used to help reinforce the concepts. Introduce Scanner class: Importing…
This tutorial covers a step-by-step guide to install VisualVM launcher in eclipse.

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question