First of all, I know that similar questions have already been asked and I tried to follow the suggestions to troubleshoot but haven't had any luck. So I'm at the point where I think I'd be better off just posting for help. Thank you, in advance, for your help.

Question: What am I doing wrong? What/where should I check?

Objective: I'm trying to set up a certificate on Tomcat. I have Tomcat 8.5, %JAVA_HOME%="C:\Program Files\Java\jdk1.8.0_121" and a certificate I generated with the following command:

keytool -genkeypair -alias cert -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keypass 123456 -storepass 123456 -keystore d:\cert.jks

And filled out my name and other information, etc. to generate the key pair.

I saw many YouTube videos and other instructions mention "genkey" instead of "genkeypair", but this option isn't available on this computer. Anyway, I modified the server.xml file by adding the following:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="D:\cert.jks" type="RSA" keystorePass="123456" />
  </SSLHostConfig>
</Connector>

Executing catalina configtest gave me this:

04-Apr-2017 19:28:16.271 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-443"]
 java.lang.IllegalArgumentException: java.io.IOException: Keystore was tampered with, or password was incorrect
nh39

2 Answers

<Certificate certificateKeystoreFile="D:\cert.jks" type="RSA" keystorePass="123456" />

The problem is here. The keystore type is JKS, not RSA [1]. The keypair type is RSA.

You may also have to rename your keypair/certificate entry to "tomcat" or whatever the default is in Tomcat 8, or else tell Tomcat to use the alias "cert" (poor choice).

  [1] Because you didn't specify any other type to the keytool.
user207421
  • Thanks @EJP. Please be patient with me here - first time using Tomcat. Did you mean, since the file name is cert.jks, the value for type should be JKS? Below is the sample from the server.xml template: – nh39 Apr 05 '17 at 00:19
  • The filename has nothing to do with it. As you didn't specify an alternate keystore type when using the keytool, the default that it produces is JKS. I don't know why you're re-posting the same extract with the same error in it that I have already pointed out. – user207421 Apr 05 '17 at 00:35
  • Thanks for the clarification. What I posted the second was just the original template from the server.xml. Just trying to make sure I understood it correctly. Sorry if it annoyed you. – nh39 Apr 05 '17 at 01:13
  • You should have posted that in the first place, or when you re-posted it you should have stated why. Otherwise it's completely pointless. You've already posted it and I've already quoted it. – user207421 Apr 05 '17 at 01:14
  • Thanks, again, for your help. And sorry, again, that you're annoyed by what I did. – nh39 Apr 05 '17 at 01:21
  • Don't make personal remarks here. You have no evidence of annoyance. What I have expressed here is 'don't know why'. – user207421 Apr 05 '17 at 01:39
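An added check, not part of the question or of either answer: the script below classifies a keystore file by its leading bytes (the JKS and JCEKS magic numbers, or the DER header of a PKCS#12 file) so that the type configured in Tomcat matches the format keytool actually produced, which is JKS unless -storetype was given. The sample headers are constructed byte strings, not real keystores, and the file names in the demo are made up.

```python
"""Identify a Java keystore's format from its leading bytes.

Added example (not from the question or answers). keytool writes JKS by
default unless -storetype says otherwise, and Tomcat has to be told the
format of the file, which is neither the key algorithm nor anything
implied by the filename. The sample byte strings are constructed.
"""
import struct

JKS_MAGIC = 0xFEEDFEED      # magic of sun.security.provider.JavaKeyStore
JCEKS_MAGIC = 0xCECECECE    # magic of com.sun.crypto.provider.JceKeyStore


def _der_sequence_body(data: bytes):
    """Return the bytes after the outer DER SEQUENCE header, or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                  # short-form length: one byte
        return data[2:]
    n = first & 0x7F                  # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:
        return None
    return data[2 + n:]


def detect_keystore_type(data: bytes) -> str:
    """Return 'JKS', 'JCEKS', 'PKCS12' or 'UNKNOWN' for the given bytes."""
    if len(data) >= 8:
        magic, version = struct.unpack(">II", data[:8])
        if magic == JKS_MAGIC and version in (1, 2):
            return "JKS"
        if magic == JCEKS_MAGIC and version in (1, 2):
            return "JCEKS"
    # PKCS#12 is DER: PFX ::= SEQUENCE { version INTEGER (3), ... }
    body = _der_sequence_body(data)
    if body is not None and body[:3] == b"\x02\x01\x03":
        return "PKCS12"
    return "UNKNOWN"


def detect_keystore_file(path: str) -> str:
    """Read only the header of a keystore file and classify it."""
    with open(path, "rb") as fh:
        return detect_keystore_type(fh.read(64))


# Constructed headers (not real keystores): magic, version 2, entry count 1.
SAMPLE_JKS = struct.pack(">III", JKS_MAGIC, 2, 1)
SAMPLE_JCEKS = struct.pack(">III", JCEKS_MAGIC, 2, 1)
# Constructed PKCS#12 prefix: SEQUENCE with long-form length, then INTEGER 3.
SAMPLE_PKCS12 = b"\x30\x82\x0a\x1f" + b"\x02\x01\x03" + b"\x30\x82"
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n"   # a PEM file is not a keystore


if __name__ == "__main__":
    # "mislabeled.jks" shows that the extension says nothing about the format.
    demo = [("cert.jks", SAMPLE_JKS), ("cert.jceks", SAMPLE_JCEKS),
            ("cert.p12", SAMPLE_PKCS12), ("mislabeled.jks", SAMPLE_PKCS12),
            ("cert.pem", SAMPLE_PEM)]
    for name, blob in demo:
        print(f"{name}: {detect_keystore_type(blob)}")
```

Once the format is known, the password can be confirmed outside Tomcat with `keytool -list -keystore d:\cert.jks -storetype JKS -storepass <password>`; if that listing fails with the same "tampered with, or password was incorrect" message, the problem is the store password rather than the Connector configuration.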
FWIW, I can get it to work with the HTTP/1.1 protocol - simpler.

Basically, I replaced

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="D:\cert.jks" type="RSA" keystorePass="123456" />
  </SSLHostConfig>
</Connector>

with this:

<Connector port="443" protocol="HTTP/1.1"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keystoreFile="/conf/.keystore" keystorePass="123456" />

I'm moving on and reading more about Tomcat and store types. There's an interesting thread here: How to create a BKS (BouncyCastle) format Java Keystore that contains a client certificate chain

nh39