I have a problem configuring SSL on Tomcat 7 (7.0.10). Here I am using a Thawte SGC certificate; please read the description below carefully and help me out. I have followed the steps below:

1) Generated a key using the command below

keytool -genkey -keysize 2048 -alias test_self_certificate -keyalg RSA -keystore test_self_certificate.jks -validity 730

This command generated the “test_self_certificate.jks” file in the current folder.

2) Then I generated a CSR using the command below

keytool -certreq -alias test_self_certificate -file my_application.csr -keystore test_self_certificate.jks

This command generated the “my_application.csr” file in the current folder.

3) Then I submitted this CSR to Thawte and got a certificate from them in PKCS#7 format. I copied that certificate text into Notepad and saved the file as “signed_certificate.p7b”.

4) Then I created a new JKS keystore and imported the certificate received from Thawte using the command below

keytool -import -alias signed_cert -trustcacerts -file signed_certificate.p7b -keystore tomcat_application.jks

This command generated the “tomcat_application.jks” file in the current folder.

5) I updated the Tomcat server.xml as below (I have provided the correct .jks file path and keystore password)

<Connector port="8001" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/export/home/parsupport/Tomcat_certs/ tomcat_application.jks " keystorePass="parlive" clientAuth="false" sslProtocol="TLS" />

6) After this change, when I start Tomcat I get the exception below and Tomcat does not start with SSL

Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
    at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:310)
    at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:255)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:774)

Important note: but if I import the certificate received from Thawte into the keystore (test_self_certificate.jks, mentioned in the first step above) that I created to generate the key pair and CSR, and use that keystore to configure Tomcat (as described in step 6 above), then Tomcat starts in SSL mode, but when I try to launch the HTTPS URL I get an untrusted certificate warning.

  • Is there any good reason to use an SGC certificate in 2014? – Bruno May 29 '14 at 11:29
  • `...rt/Tomcat_certs/ tomcat_application.jks `: are those spaces intentional, or just a copy/paste typo? – Bruno May 29 '14 at 11:31
  • Hi Bruno, thanks for the response. Using an SGC certificate is corporate policy, and that space is just a copy/paste error; the actual path in the server.xml file is correct. – user3687318 May 29 '14 at 11:59

1 Answer

keytool -genkey -keysize 2048 -alias test_self_certificate [...]

Here, -genkey generates a public/private key pair and stores it into the "test_self_certificate" alias entry, thereby making this a private key entry. (If you use keytool -list, you'll see some private key entries and some certificate entries.) -genkey also generates a self-signed certificate to associate with this private key automatically (this is also how the public key is effectively stored by default).

keytool -import -alias signed_cert [...]

If you get a certificate issued for a private key that is stored in a keystore, you need to store this certificate against the right private key entry, not just any entry. Here, you should have used -alias test_self_certificate instead (which may also mean that it wasn't the best choice of alias name, but that's just a detail). (In some cases, you may also need to make sure you import the full chain.)

Bruno
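To make the answer's point concrete, here is an added shell demo (not the question's or answer's own code) that reproduces the asker's import mistake next to the fix, with a throw-away local CA standing in for Thawte; the keystore names, the alias `app` and the password `changeit` are assumptions, and it needs a JDK's keytool on PATH.

```shell
#!/bin/sh
# Added demo (not the question's or answer's code): the asker's import mistake
# beside the fix. A local throw-away CA stands in for Thawte; names/password are assumptions.
set -eu
PASS=changeit
# Build app.jks (fixed) and wrong.jks (asker's way) in a scratch dir; prints the dir.
make_keystores() (
  dir=$(mktemp -d); cd "$dir"
  # Question steps 1-2: key pair under alias "app", then a CSR from it
  keytool -genkeypair -keyalg RSA -keysize 2048 -alias app -keystore app.jks \
    -storetype JKS -storepass "$PASS" -keypass "$PASS" -validity 730 \
    -dname "CN=app.example.test, O=Demo" >/dev/null 2>&1
  keytool -certreq -alias app -keystore app.jks -storepass "$PASS" \
    -file app.csr >/dev/null 2>&1
  # Stand-in CA: own key pair, exported cert, and it signs the CSR
  keytool -genkeypair -keyalg RSA -keysize 2048 -alias ca -keystore ca.jks \
    -storetype JKS -storepass "$PASS" -keypass "$PASS" -validity 730 \
    -dname "CN=Demo CA, O=Demo" -ext bc:c >/dev/null 2>&1
  keytool -exportcert -rfc -alias ca -keystore ca.jks -storepass "$PASS" \
    -file ca.cer >/dev/null 2>&1
  keytool -gencert -rfc -alias ca -keystore ca.jks -storepass "$PASS" \
    -infile app.csr -outfile app.cer -validity 365 >/dev/null 2>&1
  # Question step 4: reply into a NEW keystore under a NEW alias. No private
  # key lives there, so keytool can only file it as a trusted certificate.
  keytool -importcert -noprompt -alias signed_cert -file app.cer \
    -keystore wrong.jks -storetype JKS -storepass "$PASS" >/dev/null 2>&1
  # The fix: trust the issuer in app.jks, then install the reply against the
  # SAME alias that holds the private key (keytool checks the key matches).
  keytool -importcert -noprompt -alias democa -file ca.cer \
    -keystore app.jks -storepass "$PASS" >/dev/null 2>&1
  keytool -importcert -noprompt -alias app -file app.cer \
    -keystore app.jks -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
  echo "$dir"
)
# Entry type keytool reports for an alias: Tomcat needs PrivateKeyEntry; a
# trustedCertEntry is what produces "No available certificate or key".
entry_type() {   # $1 keystore, $2 alias
  keytool -list -keystore "$1" -storepass "$PASS" -alias "$2" 2>/dev/null |
    grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}
chain_length() { # $1 keystore, $2 alias; 2 here = server cert + demo CA
  keytool -list -v -keystore "$1" -storepass "$PASS" -alias "$2" 2>/dev/null |
    sed -n 's/^Certificate chain length: //p'
}
if command -v keytool >/dev/null 2>&1; then   # demo run, skipped without a JDK
  d=$(make_keystores)
  echo "wrong.jks/signed_cert: $(entry_type "$d/wrong.jks" signed_cert)"
  echo "app.jks/app: $(entry_type "$d/app.jks" app), chain $(chain_length "$d/app.jks" app)"
fi
```

Run the same `keytool -list` check against your real keystore: the alias named in `keystoreFile` must show `PrivateKeyEntry`, and with `-v` a chain length greater than 1 once the CA reply is installed.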