Configuring SSL on tomcat

Question

I am trying to configure tomcat7 on server with SSL because I need to send a request via https://

I am following steps -:

               1.Create a keystore file using Java
               2.Configure Tomcat to use the keystore

I tried to create a keystore directly with

          keytool -genkey -alias tomcat -keyalg RSA

and then tried to access https://[host]:8443 it worked

But when I tried to create keystore with the .cer file

        keytool -import -trustcacerts -alias server -file your_site_name.p7b -keystore your_site_name.jks

Also used

         keytool -import -alias simple -file Example.cer -keystore exampleraystore

and tried to access https://[host]:8443 it is not working .. showing "WEB PAGE CAN"T BE DISPLAYED"

why

whenever I use .p7b file it gives an error that its not a X509 certificate . — Mudit, Jun 17 '16 at 04:08
so I used .cer file to create the certificate in second step — Mudit, Jun 17 '16 at 04:08

score 0 · Answer 1 · edited May 23 '17 at 11:58

0

Do you use self signed certificate, or signed by external CA ?
Did you modify server.xml as said in tomcat doc ?
Does simple self signed cert work, and only imported from your_site_name.p7b doesn't work ?

If simple self signed certificate doesn't work try

https://stackoverflow.com/a/30192138/1423685

it helped me.

edited May 23 '17 at 11:58

Community

1
1

answered Jun 16 '16 at 15:25

bastiat

1,799
2
19
38

Its a self assigned Certificate in first try and in second try I used .cer file to create the key store , yeah I did modify server.xml that's why its working when I tried to create keystore directly ,yeah self signed is working – Mudit Jun 17 '16 at 04:11

score 0 · Answer 2 · answered Jun 17 '16 at 04:59

0

But when I tried to create keystore with the .cer file

    keytool -import -trustcacerts -alias server

... you were doing something invalid. This creates a truststore, not a keystore. There is no private key there. If you were attempting to import a signed certificate, you should have omitted the -trustcacerts flag, and used the same alias you used when generating the keypair and CSR.

This is all stated clearly by example in the Tomcat SSL documentation.

answered Jun 17 '16 at 04:59

user207421

305,947
44
307
483

Followed you and created keystore using – Mudit Jun 17 '16 at 06:53
keytool -import -alias simple -file Example.cer -keystore mykeystore – Mudit Jun 17 '16 at 06:54

score -1 · Answer 3 · answered Jun 16 '16 at 15:37

-1

Did you change your server.xml to redirect to port 8443?

<Connector protocol="org.apache.coyote.http11.Http11Protocol"
               port="8080" redirectPort="8443"

<Connector protocol="org.apache.coyote.http11.Http11Protocol"
               port="8443"
               SSLEnabled="true"
               scheme="https" 
               secure="true"
               sslProtocol="TLS" 
               keystorePass="<pass>" keystoreFile="<path to keystore>"
               ciphers="TLS_RSA_WITH_AES_256_CBC_SHA, <add more ciphers>"/>

answered Jun 16 '16 at 15:37

bluedevil2k

9,366
8
43
57

He puts https and 8443 port explicitly into url, so it shouldnt be the case. Adding ciphers do may help. – bastiat Jun 16 '16 at 15:43
As he already had it working the answer to this is clearly 'yes'. – user207421 Jun 17 '16 at 05:01

Configuring SSL on tomcat

3 Answers3