
I used openssl to generate a CSR and key file, and I bought an SSL certificate from COMODO. I have installed the SSL service in my Apache server on port 443 and it works! On this same server I have Apache Tomcat 7 running on port 8080. I want to install the same certificate in Tomcat 7 on port 8443. COMODO provided me two files: the certificate (.crt) and the intermediate .ca-bundle file. With these files I generated a keystore, importing the files with these instructions:

keytool -import -alias root -keystore <your_keystore_filename>
-trustcacerts -file <filename_of_the_chain_certificate - .ca-bundle>

keytool -import -alias tomcat -keystore <your_keystore_filename>
-file <your_certificate_filename .crt>

After that I configured the server.xml file like so:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
    maxHttpHeaderSize="8192" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" clientAuth="false"
    sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
    keystoreFile="/etc/apache2/ssl/keystore" keystorePass="password"
    sslProtocols="TLSv1, TLSv1.1, TLSv1.2"
    ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
    TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />

But it does not work; I get this message in Chrome:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH 

There is nothing in the Tomcat log files. What is wrong here? Thanks!!!

Jose Luis
You need the private key AND certs. Duplicate http://stackoverflow.com/questions/906402/importing-an-existing-x509-certificate-and-private-key-in-java-keystore-to-use-i and related to several more in the first part of my answer http://stackoverflow.com/a/37423399/2868801 PS: you misspelled the name of the ERI SCSV, but even when correct this setting is ignored for server. – dave_thompson_085 Jan 11 '17 at 19:09

1 Answer


This is the answer: importing an existing x509 certificate and private key in Java keystore to use in ssl.

But additionally, the .ca-bundle provided by COMODO has two certificates, root and intermediate. You need to open the file, extract the certificates and create two other files, root.crt and intermediate.crt. With these you can import them and create the new key as shown in the post above.

Jose Luis
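An added example, not part of the question or the answer above: a POSIX shell script that splits the .ca-bundle into one file per certificate, shows how to tell the root from the intermediate, and builds a keystore that carries the private key together with the chain, which is what the comment points out was missing. The file names example.key, example.crt, example.ca-bundle and keystore.p12 are assumed placeholders, and the sample bundle it writes is constructed, not a real certificate.

```shell
#!/bin/sh
# Added example (not from the question or answer): split a COMODO-style
# .ca-bundle into one PEM file per certificate, tell root from intermediate,
# and build a keystore that holds the PRIVATE KEY together with the chain.
# File names are placeholders; the real key is the one generated with openssl.

# Write each CERTIFICATE block of $1 to ${2}N.crt (N = 1, 2, ...); prints N.
split_bundle() {
  awk -v prefix="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = prefix n ".crt" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }
  ' "$1"
}

# Show subject and issuer of one PEM certificate: the one whose subject equals
# its issuer is self-signed (the root); the other one is the intermediate.
describe_cert() {
  openssl x509 -in "$1" -noout -subject -issuer
}

# Pack key + leaf certificate + chain into a PKCS12 store that Tomcat can use
# directly (keystoreFile="keystore.p12" keystoreType="PKCS12"), then convert it
# to JKS. A keystore holding only certificates and no key cannot complete a
# TLS handshake, which is what the question's keystore was missing.
build_keystore() {
  key=$1; leaf=$2; bundle=$3; out=$4; pass=$5
  openssl pkcs12 -export -inkey "$key" -in "$leaf" -certfile "$bundle" \
      -name tomcat -out "$out" -passout "pass:$pass"
  keytool -importkeystore -srckeystore "$out" -srcstoretype PKCS12 \
      -srcstorepass "$pass" -destkeystore "${out%.p12}.jks" \
      -deststorepass "$pass"
}

# Constructed two-block bundle (placeholder bodies, not real certificates) so
# split_bundle can be exercised without CA-issued files.
write_sample_bundle() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBintermediatePLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBrootPLACEHOLDER
-----END CERTIFICATE-----
EOF
}

# Usage: build_keystore example.key example.crt example.ca-bundle keystore.p12 changeit
```

Run describe_cert on each split file before choosing which to name root.crt and intermediate.crt, since the order inside the bundle is not guaranteed.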