
After installing JIRA (Tomcat server) we noticed we had a security issue (clear-text password). So we decided to implement SSL.

We decided to follow steps based on these two tutorials:

We are using:

  • A certificate generated by a Certificate Authority.
  • Tomcat 7
  • Windows server 2008 R2

Our steps:

  • Import the certificate (with the keytool command, the whole chain)
  • Add Java arguments (`-Djavax.net.ssl.trustStore=` and `-Djavax.net.ssl.trustStorePassword=`)
  • Change server.xml file (remove the comments and edit the SSL part)
  • Restart Tomcat service (and the server)

Results:

  • SSL is not working
  • We can see trustedCertEntry and PrivateKeyEntry in the Personal store of Windows

After investigation we think the issue is that the entries in our keystore are of type trustedCertEntry and there is no PrivateKeyEntry.

Do we need to import a PrivateKeyEntry into the Tomcat keystore? If yes, how can we import a PrivateKeyEntry into a keystore?

  • How did you import your certificate, and where did you store your private key in the first place? – Bruno Mar 05 '13 at 14:11
  • Without specific config entries to show, the only thing that springs out is that an entry in the `trustStore` only allows you to trust other (e.g. self-cert) certificates, but doesn't actually add the key into the `keystore`. – beny23 Mar 05 '13 at 14:12
  • @Bruno: to import the certificate we used `keytool -import -alias tomcatCACert -file JIRA.CNPPD.LAB.cer -keystore "c:\users\test\cacerts.keystore"`. With the command line `keytool -list -v -keystore "c:\users\test\cacerts.keystore"` we can see our 3 certificates. – Grabault Mar 05 '13 at 14:22
  • OK, so that's just the cert. Where did you generate your private key (before or during the cert application process)? – Bruno Mar 05 '13 at 14:24
  • @Bruno: It seems we didn't generate the private keys yet. I suppose we have to use the command `%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA`, right? What do we have to do after? Import it into the keystore? – Grabault Mar 05 '13 at 14:33
  • You *must* have generated the private key (and the public key) before getting this certificate. Generating a new key pair now would mean that you would need to get your certificate re-issued. – Bruno Mar 05 '13 at 14:37
  • Hi @bruno: When we generated the corporate certificate it generated a private key which we see in the Windows key store (using the certificates MMC). Now that we added the trusted certificate chain into the Tomcat keystore, is there a process to insert the private key into that keystore as well? If not, how does the keystore know about the private key? – Grabault Mar 05 '13 at 18:09
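The private key never reaches a JKS through `keytool -import` of a `.cer`: that command only creates trustedCertEntry entries, which is exactly what the listing above shows. Since the comments establish that the key pair was generated on Windows and lives in the certificates MMC, the working path is to export certificate plus private key as a PKCS#12 (PFX) file and convert that into the keystore the Tomcat Connector points at. The PowerShell below is an added example written for this page, not part of the original question or any answer; the paths, the certificate name `JIRA.CNPPD.LAB`, the alias `tomcat`, the service account and the passwords are placeholders, and it assumes `JAVA_HOME` points at the JDK JIRA runs on. One caveat on the question's own steps: the `-Djavax.net.ssl.trustStore` arguments only tell the JVM which CAs to trust for connections it initiates; the HTTPS listener takes its identity from the Connector's `keystoreFile`, so those arguments do nothing for the server side.

```powershell
# Added example (not from the question). Placeholders: paths, certificate
# name, alias, service account and passwords. Assumes JAVA_HOME points at
# the JDK that JIRA's Tomcat 7 runs on.
$Pfx        = 'C:\tomcat\jira.pfx'          # exported key + chain (PKCS#12)
$Jks        = 'C:\tomcat\conf\jira.jks'     # keystore the Connector will use
$PfxPass    = 'PfxExportPassw0rd'           # placeholder
$JksPass    = 'JksStorePassw0rd'            # placeholder
$SvcAccount = 'DOMAIN\svc_jira'             # placeholder: account the JIRA service runs as
$KeyTool    = Join-Path $env:JAVA_HOME 'bin\keytool.exe'

# 1. Export the server certificate together with its private key (and the CA
#    chain) from the machine's Personal ("My") store. The CertId is the CN or
#    serial number shown by "certutil -store My". Exporting from the
#    certificates MMC (Export with private key, PKCS #12) produces the same file.
certutil -p $PfxPass -exportPFX My 'JIRA.CNPPD.LAB' $Pfx

# 2. Convert the PFX into a JKS keystore. This step is what creates a
#    PrivateKeyEntry; "keytool -import" of a .cer can only ever produce
#    trustedCertEntry entries, which is why the listener never came up.
& $KeyTool -importkeystore `
    -srckeystore  $Pfx -srcstoretype PKCS12 -srcstorepass  $PfxPass `
    -destkeystore $Jks -deststoretype JKS   -deststorepass $JksPass

# 3. The alias inside a PFX is usually a GUID or "1"; rename it so keyAlias
#    in server.xml is predictable. "keytool -list" prints "alias, date, type,"
#    so the alias is the text before the first comma.
$line  = (& $KeyTool -list -keystore $Jks -storepass $JksPass |
          Select-String 'PrivateKeyEntry').Line
$alias = $line.Split(',')[0].Trim()
& $KeyTool -changealias -keystore $Jks -storepass $JksPass `
    -alias $alias -destalias tomcat

# 4. Check: exactly one PrivateKeyEntry under alias "tomcat", with a chain
#    length covering the server cert plus the intermediates/root (3 here).
& $KeyTool -list -v -keystore $Jks -storepass $JksPass |
    Select-String 'Alias name|Entry type|Certificate chain length'

# 5. Connector for conf/server.xml (Tomcat 7, JSSE connector). keystoreFile
#    carries the server's own key; truststore attributes are only needed if
#    clientAuth is switched on. Restart the JIRA/Tomcat service afterwards.
$connector = @"
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150" clientAuth="false" sslProtocol="TLS"
           keystoreFile="$Jks" keystorePass="$JksPass" keyAlias="tomcat" />
"@
Write-Output $connector

# 6. Both files contain the private key and the password sits in server.xml
#    in clear text: restrict the JKS to Administrators and the service
#    account, then remove the PFX once the JKS is in place.
icacls $Jks /inheritance:r /grant 'Administrators:R' "${SvcAccount}:R"
Remove-Item $Pfx
```

If the PFX should be used as-is instead of converting, the same Connector works with `keystoreFile="C:\tomcat\jira.pfx" keystoreType="PKCS12"` and the export password as `keystorePass`; the `keytool -list -v` check in step 4 applies to either store type (add `-storetype PKCS12` for the PFX) and should show `Entry type: PrivateKeyEntry` before Tomcat is restarted.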
