Monday, March 30, 2015

Windows Tomcat7 SSL CA cert says is self signed

Hi, I'm trying to configure tomcat7 (7.0.50) on Windows 7 using a cert from a CA (Entrust, if it matters). I downloaded the CA root, chain root and chain cert files, and my new certificate. Per the tomcat guide, I used the keystore I generated the CSR from and followed these steps:



  1. keytool -import -alias entrust -trustcacerts -keystore crush.jks -file entrust.crt.txt

     [prompts me the cert exists in the system wide CA keystore, I still add it]

  2. keytool -import -alias chain-root -trustcacerts -keystore crush.jks -file L1Kchainroot.txt

  3. keytool -import -alias chain-root -trustcacerts -keystore crush.jks -file L1Kchain.txt

  4. keytool -import -alias tomcat -trustcacerts -keystore crush.jks -file entrustcert.crt.txt




Now when I list the contents of my keystore I see:



C:\Users\crush\My Documents\cert>keytool -list -keystore crush.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 5 entries

entrust, Mar 30, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): B3:1E:B1:B7:40:E3:6C:84:02:DA:DC:3

chain, Mar 30, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): CC:A2:7D:33:C7:35:A7:D0:6D:1F:EC:A

chain-root, Mar 30, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 9E:1A:0C:35:E7:14:B6:97:92:D0:90:B

tomcat, Mar 30, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 6A:77:EC:32:1E:F9:AC:4F:BE:C7:CB:5

crush-windows7, Mar 26, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 04:72:8A:36:56:7E:D5:0F:7E:E9:E0:1


Now I edited my server.xml file to be like so:



<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1"
keystoreFile="C:\Users\crush\apache-tomcat-7.0.50\conf\crush.jks"
keystorePass="storepassword"
keyPass="keypassword"
/>


When this boots up and I navigate to the page, I'll see an untrusted connection warning:



crush-windows7.crush.com:8443 uses an invalid security certificate. The certificate is not trusted because it is self-signed. (Error code: sec_error_ca_cert_invalid)


If I use -v with keytool and inspect the returned certificate, I'll see the Issuer as Entrust:



Owner: CN=crush-windows7.crush.com, ....
Issuer: CN=Entrust Certification Authority - L1K, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See http://ift.tt/1qsuZUk, O="Entrust, Inc.", C=US


But my private key entry has the issuer as myself:



Owner: CN=crush-windows7.crush.com, ....
Issuer: CN=crush-windows7.crush.com, ....


I've been messing with this for a couple of hours and bashing my head against the wall. I've done this on Linux before using openssl instead of keytool without issues. Could this be my issue? No matter what connector config I try, it will not boot without the private key entry as the alias and the keyPass option set. If I remove the private key entry it will boot but never complete the SSL handshake. If I use the 'tomcat' alias for the keyAlias, it will say:



java.io.IOException: Alias name tomcat does not identify a key entry


Can I salvage my current certificate, or do I need to generate a new private key and CSR, submit a new request, and then move them to my Windows machine? I really feel this is my issue; am I even close to being on point? Using Windows for this has been less than comfortable. Thanks for helping.
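The listing above is the symptom to check for: keytool -import stores a certificate as a trustedCertEntry whenever the alias does not already name a key entry, so a CA-issued certificate only replaces the self-signed one when it is imported under the PrivateKeyEntry's alias (here crush-windows7, not tomcat), and Tomcat's keyAlias must point at a key entry. The Java program below is an added diagnostic, not code from the original post: it loads the JKS and reports, per alias, whether the entry is a key entry and whether the key entry's leaf certificate is self-signed or signed by a trusted entry in the same keystore. The keystore path and password are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added diagnostic (not part of the original post): classifies each JKS entry and
// checks whether the key entry's leaf is self-signed or signed by a CA in the keystore.
public class KeystoreChainCheck {
    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "crush.jks";            // assumed path
        char[] pass = (args.length > 1 ? args[1] : "storepassword").toCharArray(); // assumed
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.printf("%-16s trustedCertEntry  subject=%s%n", alias, c.getSubjectX500Principal());
                continue;   // a trustedCertEntry cannot serve as Tomcat's keyAlias
            }
            int chainLen = ks.getCertificateChain(alias).length;
            X509Certificate leaf = (X509Certificate) ks.getCertificateChain(alias)[0];
            System.out.printf("%-16s PrivateKeyEntry   chain length=%d%n", alias, chainLen);
            System.out.println("  subject: " + leaf.getSubjectX500Principal());
            System.out.println("  issuer : " + leaf.getIssuerX500Principal());
            if (selfSigned(leaf)) {
                System.out.println("  -> leaf is SELF-SIGNED: the CA reply was never imported under this alias");
            } else {
                String signer = findSigner(ks, leaf);
                System.out.println(signer == null
                    ? "  -> issuer not among the trustedCertEntries; served chain will be incomplete"
                    : "  -> signed by trusted entry '" + signer + "'");
            }
        }
    }
    // A certificate is self-signed when its own public key verifies its signature.
    static boolean selfSigned(X509Certificate c) {
        try { c.verify(c.getPublicKey()); return true; } catch (Exception e) { return false; }
    }
    // Find a trusted entry whose public key verifies the leaf's signature.
    static String findSigner(KeyStore ks, X509Certificate leaf) throws Exception {
        for (String a : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(a)) continue;
            try { leaf.verify(ks.getCertificate(a).getPublicKey()); return a; } catch (Exception e) { }
        }
        return null;
    }
}
```

Run it as `java KeystoreChainCheck crush.jks storepassword`; a key entry whose leaf is reported self-signed is exactly the state that produces the browser's sec_error_ca_cert_invalid warning.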

