
I created a certificate request for Tomcat by (as described here)

openssl req -new -newkey rsa:2048 -sha256 -nodes -out req.csr -keyout keypair.key -config req.cfg

had the request signed by the authority, downloaded it from the authority (MS Windows Server CA) as Base64 encoded, and renamed it from .cer to .crt. Then I configured the server.xml HTTPS connector as:

<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="443"
           SSLEnabled="true"
           secure="true"
           scheme="https"
           SSLProtocol="TLSv1.0+TLSv1.1+TLSv1.2"
           SSLCipherSuite="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS"
           SSLHonorCipherOrder="true"
           SSLDisableCompression="true"
           SSLCertificateFile="${catalina.home}/cert.crt"
           SSLCertificateKeyFile="${catalina.home}/keypair.key"
           SSLCertificateChainFile="${catalina.home}/ca.crt"
           SSLPassword="password"
           disableUploadTimeout="true"
           maxThreads="200"
           acceptCount="100"
           maxHttpHeaderSize="49152"/>

When I access the site using HTTPS, Firefox complains:

Secure Connection Failed

An error occurred during a connection to dochazka.dt.local. Peer’s certificate has an invalid signature.

Error code: SEC_ERROR_BAD_SIGNATURE

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

I found here that this is due to:

This error will occur if DSA was used as signature algorithm when generating private key and CSR.

And since I have no idea what DSA is supposed to be, what should I do to make it work as it should? (Note: I prefer not to use keytool to generate the request.)

atapaka

Your openssl command created an RSA key, not a DSA key, so you are looking for the incorrect problem. Your problem can't have anything to do with DSA keys. – Shane Powell Mar 12 '20 at 19:31

1 Answer


"Renamed from cer to crt" might be your problem. The .cer file may be a PKCS#7 file.
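The answer's PKCS#7 suspicion and Shane Powell's comment about the key type come down to the same question: what is actually inside the file Tomcat is loading? The Python script below is an added example, not code from the question, the answer, or the Tomcat project. It decodes just enough DER to tell a PKCS#7 SignedData blob (what a Windows CA hands out when you download a chain as .p7b) from a bare X.509 certificate, and reads the certificate's signatureAlgorithm OID, the field that would reveal a DSA-signed certificate. The sample inputs are constructed, schematic DER stubs, not real certificates; the OID table and the `advice()` wording are this example's own.

```python
import base64
import re

# Signature / content-type OIDs relevant here. The numeric values are the
# standard assignments; the lookup table itself is this example's own.
OID_NAMES = {
    "1.2.840.113549.1.7.2": "pkcs7-signedData",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "2.16.840.1.101.3.4.3.2": "dsa-with-sha256",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Convert OBJECT IDENTIFIER content bytes to dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                       # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(data):
    """Return (pem_label, der_bytes); label is None when the file is raw DER."""
    m = re.search(rb"-----BEGIN ([A-Z0-9 #]+)-----(.*?)-----END \1-----", data, re.S)
    if not m:
        return None, data
    return m.group(1).decode(), base64.b64decode(b"".join(m.group(2).split()))


def classify(data):
    """Identify what a downloaded 'certificate' file actually contains."""
    label, der = pem_to_der(data)
    tag, outer, _ = read_tlv(der, 0)
    if tag != 0x30:
        return {"label": label, "kind": "not a DER SEQUENCE"}
    first_tag, first_val, pos = read_tlv(outer, 0)
    # A PKCS#7 ContentInfo starts with the contentType OID; a Certificate
    # (and also a CSR) starts with a nested SEQUENCE.
    if first_tag == 0x06:
        oid = decode_oid(first_val)
        return {"label": label, "kind": "PKCS#7 " + OID_NAMES.get(oid, oid)}
    if first_tag == 0x30:
        # tbsCertificate v2/v3 begins with the [0] EXPLICIT version tag (0xA0);
        # a CertificationRequestInfo begins with an INTEGER version instead.
        if first_val and first_val[0] == 0xA0:
            kind = "X.509 certificate"
        else:
            kind = "CSR" if label and "REQUEST" in label else "certificate or CSR"
        _, alg_val, _ = read_tlv(outer, pos)          # AlgorithmIdentifier
        _, oid_val, _ = read_tlv(alg_val, 0)          # its algorithm OID
        oid = decode_oid(oid_val)
        return {"label": label, "kind": kind, "sigalg": OID_NAMES.get(oid, oid)}
    return {"label": label, "kind": "unknown"}


def advice(info):
    """Map the classification to the operator's next step (example wording)."""
    if info["kind"].startswith("PKCS#7"):
        return ("SSLCertificateFile needs a bare X.509 certificate; extract it with "
                "'openssl pkcs7 -print_certs -in cert.crt -out cert.pem'")
    if "dsa" in info.get("sigalg", "").lower():
        return "certificate is DSA-signed; request an RSA/ECDSA-signed one from the CA"
    return "file is a plain certificate; check that it matches keypair.key next"


def pem(label, der):
    """Wrap DER in a PEM envelope (used to build constructed samples)."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n".encode()


# --- constructed sample inputs: schematic DER stubs, not real certificates ---
RSA_CERT_DER = bytes.fromhex(
    "301a" "3005a003020102"                    # tbsCertificate stub: version v3
    "300d06092a864886f70d01010b0500"           # sha256WithRSAEncryption, NULL
    "030200ff")                                 # signatureValue stub
DSA_CERT_DER = bytes.fromhex(
    "301a" "3005a003020102"
    "300d0609608648016503040302" "0500"        # dsa-with-sha256, NULL
    "030200ff")
P7_DER = bytes.fromhex("300d" "06092a864886f70d010702" "a000")  # ContentInfo: signedData

if __name__ == "__main__":
    for name, blob in [("cert.crt (RSA)", RSA_CERT_DER),
                       ("cert.crt (DSA, PEM)", pem("CERTIFICATE", DSA_CERT_DER)),
                       ("cert.crt (.p7b renamed)", pem("PKCS7", P7_DER))]:
        info = classify(blob)
        print(name, "->", info, "|", advice(info))
```

Point it at the real download with `classify(open("cert.crt", "rb").read())`. If it reports PKCS#7, `openssl pkcs7 -print_certs -in cert.crt -out cert.pem` writes the bare certificate(s) that `SSLCertificateFile` expects. If it reports a plain certificate, the next thing to compare is the key: `openssl x509 -noout -modulus -in cert.pem` and `openssl rsa -noout -modulus -in keypair.key` must print the same value, otherwise the certificate was issued for a different CSR than the key Tomcat is loading.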