Installing pfx SSL certificate in tomcat 8.5 on windows - java

I have a wildcard pfx certificate with its intermediate certificate in p7b/crt format. Those certificates are installed on IIS 8.0. How do I install those certificates in Tomcat 8.0? Tomcat is installed on Windows.

I managed to do it successfully. As I mentioned, my certificate was installed on an IIS web server on Windows together with the intermediate certificate, so I followed the steps below.
Step 1: Create a Microsoft Management Console (MMC) Snap-in for managing certificates
Access the Search menu. In the search box, type mmc
From the Microsoft Management Console (MMC), click File > Add/Remove Snap-in
From the list of snap-ins, select Certificates
Click Add
Select Computer Account
Click Next
Select Local Computer (the computer this console is running on)
Click Finish
In the Add/Remove Snap-in window, click OK
Save these console settings for future use
Step 2: Export/back up the certificate
Open the Certificates (Local Computer) snap-in you added > select Personal > Certificates
Right-click certificate name > select All Tasks > Export.
The Certificate Export Wizard opens > click Next
Select Yes, export the private key > click Next
Select Personal Information Exchange
Make sure to check only Include all certificates in the certification path if possible > click Next
Enter and confirm a password > click Next
Choose a file name and location for the export file > click Next
Click Finish
Step 3: Configure PKCS12 (.pfx) file on Tomcat server
Open %TOMCAT_HOME%/conf/server.xml in an XML or text editor
Find the following lines (in my case I could not find the lines below, so I jumped directly to point 4, added the whole tag to my server.xml and changed keystoreFile and keystorePass):
<!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" /> -->
Delete the comment markers at the beginning of the code (<!--) and at the end of the code (-->)
Immediately after sslProtocol="TLS" and before />, add the following attributes:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/path/to/mycert.pfx" keystoreType="PKCS12" keystorePass="your_PKCS12_password" />
Save server.xml
Restart Tomcat
Hope it will help somebody :)

Please convert the PFX file into a Tomcat-compatible format. The command is given below:
keytool -importkeystore -srckeystore server.pfx -srcstoretype pkcs12 -destkeystore tomcat.jks -deststoretype jks
The tomcat.jks keystore directives can then be provided in Tomcat's server.xml file.

Related

Has anything crucial changed regarding SSL in Tomcat between Tomcat 8 and Tomcat 9?

This is the situation summed up.
The configuration below is identical in server.xml in Tomcat 8.5.8 and Tomcat 9.0.64.
The JKS-file used is created by keytool in Java 8.
Expected behaviour is that when using HTTPS in the URL (mysite.org), NetID starts by giving me a choice of client certificates from my card, I choose the correct certificate and enter my PIN code, and then the web page is shown.
This works with Tomcat 8.5.8 on Java 8.
But when starting with Tomcat 9.0.64 on Java 8 or Java 17 it throws the error:
ERR_SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS
Any idea why Tomcat 9 doesn't like this configuration?
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
maxThreads="150" scheme="https" secure="true" clientAuth="true" sslProtocol="TLSv1.2"
keystoreFile="/srv/archive/Cert/archivelux.jks" keystorePass="xxxx"
truststoreFile="/srv/archive/Cert/archivelux.jks" truststorePass="xxxx" truststoreType="JKS"/>
Yes, something appears to have changed between Tomcat 8 and Tomcat 9.
The parameter sslProtocol="TLSv1.2" is accepted by Tomcat 8, but not by Tomcat 9.
There, the parameter must be SSLProtocol="TLSv1.2".
Restart, and it will work.
/Paul

Apache Tomcat SSL Http11AprProtocol Connector

I am working on a Link-OS web service with a self-signed CA.
I followed this to create a self-signed CA.
I deployed the printer server by following these instructions:
https://github.com/ZebraDevs/LinkOS-Webservices-Samples
Whenever I add this part to server.xml, no page works, including localhost:8080, although the server is running without showing or throwing any errors or exceptions.
<Connector
protocol="org.apache.coyote.http11.Http11AprProtocol"
SSLEnabled="true" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
maxThreads="200" port="8443" SSLVerifyClient="optional"
scheme="https" secure="true"
SSLCertificateFile="C:\cert\SERVER.crt"
SSLCertificateKeyFile="C:\cert\SERVER.key"
/>
What could go wrong with these steps? I have followed them step by step.
I am using:
Java 8
Tomcat 7
APR 1.7
Following this solution makes the server work fine, but it won't work with the printers, so it is not what I am looking for.
You used an APR Connector here. (protocol="org.apache.coyote.http11.Http11AprProtocol")
The APR implementation needs the Apache Portable Runtime (APR) and the Tomcat Native library.
You can install them with these commands:
apt install libtcnative-1
apt install libapr1-dev libssl-dev
or if either package is not found, try this answer.
I think you should implement the certificate signing without APR, because an APR connector needs extra libraries. If you want, try these instructions.

Enabling HTTPS in Eclipse Tomcat server not allowing calls to port 8080

I set up an SSL certificate in Eclipse Tomcat. After setting it up, port 8443 works fine, but now when I try to access
http://localhost:8080/myapp/page.html
it does not work.
Without SSL my app was working fine. I need to run the code in an HTTPS-enabled environment, but the code should also work on port 8080.
These two URLs should work in parallel:
https://localhost:8443/readapp/multiHostDeviceInfo.html?host=xyz&param=device&intl=1
The key was created using this command:
keytool -genkey -alias localhost -keyalg RSA -keystore /Users/name/Documents/keystore.keystore
I put this in my server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLSv1"
keystoreFile="/Users/myName/Documents/keystore.keystore"
keystorePass="password" />
This is the error I am getting while opening the project:
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:422)
I added it to the Java certificates using this command:
keytool -import -noprompt -trustcacerts -alias <AliasName> -file <certificate> -keystore <KeystoreFile> -storepass <Password>
After restarting Tomcat I got the following exception:
java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot store non-PrivateKeys
This is my keystore file:
beat, 7 Mar, 2018, trustedCertEntry, Certificate fingerprint (SHA1): xyz
localhost, 7 Mar, 2018, PrivateKeyEntry, Certificate fingerprint (SHA1): xyz
I removed the entry beat, 7 Mar, 2018, trustedCertEntry from it.
Then I came back to the handshake issue.
Thanks
I followed the Tomcat instructions here and it is all working well for me (using alias localhost and password = password).
I can see you are using Windows, so make sure that the path to the keystore file is prefixed with the drive, e.g. C:/Users/myName/Documents/keystore.keystore
If that doesn't work, I suggest recreating the .keystore file. You should be prompted with a series of questions, such as your password, your first and last name, org unit, city, etc. The .keystore file, if created successfully, should not be in clear text.
Also, for a self-signed certificate (I assume this is for your local desktop and not production), you don't need to run the keytool -import command. Just point your server.xml file to the generated .keystore file like you are already doing.

Can't connect to web service in war file on server using Java and CXF

I'm using Tomcat 6 (embedded server) in MyEclipse 10.0 along with Apache CXF for a web services app. My problem is that I'm trying to connect to a server that has a war file with some service code in it. However, when I try to hit it through the code, I'm getting this error from CXF:
WARNING: Interceptor has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Could not send Message.
and then this error which seems to be the root problem:
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I used InstallCert.java to hit the server and it gave me this:
Loading KeyStore jssecacerts... Opening connection to :443...
Starting SSL handshake...
No errors, certificate is already trusted
I used Portecle to view the cacerts file and sure enough the server's SHA1 and MD5 information matched exactly what was on the server. The cacerts file is located under the java/jre6/lib/security folder, which I thought was automatically picked up by Tomcat when it loads.
I also created a .bin folder as another idea, put it under the webapps directory for Tomcat and modified the server.xml like so:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="<path on my machine>/webapps/tomcat.bin" keystorePass="changeit" />
I found some articles that showed how to get the certificate loaded into your keystore, but that doesn't seem to be the issue, even though that is the common solution for this error. Is there something I'm missing, or could there be another reason why I'm getting this error?
It turned out that MyEclipse has its own JRE running its own default cacerts file. On my machine it was here: C:\MyEclipse\Common\binary\com.sun.java.jdk.win32.x86_1.6.0.013\jre\lib\security.
I used Process Explorer to view the javaw.exe process and then did a Find (Ctrl+F), and it showed the additional JRE that had loaded. I copied the correct cacerts over to that directory, restarted everything and it worked!

Tomcat intermediate certificate 'sec_error_unknown_issuer'

I have a test scenario, where a root certificate authority called Root signs a certificate signing request created by an intermediate certificate authority called Intermediate, which in turn signs a certificate signing request created by a subject called Subject.
I use Tomcat as my web server and I've configured it to use the Subject key store (which contains the Root certificate, the Intermediate certificate, the Subject certificate chain and the Subject private key), and I start it listening on ports 80 (HTTP) and 443 (HTTPS).
I install the Root certificate (as a trusted certificate) in Firefox and I hit up my domain and this is what I get:
subject.usip.me uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)
Obviously, Firefox couldn't verify the chain of trust, or something similar. Now, before I go into details about my configuration and the steps that I took: I've changed my Tomcat configuration so that it uses the Intermediate key store instead of the Subject key store (the Intermediate key store contains the Root certificate, the Intermediate certificate chain and the Intermediate private key). Using this configuration everything works fine.
I use the following tools:
Java: 1.7.0_05
Tomcat: 7.0.29
Firefox: 14.0.1
I create the key stores in question with the following script pasted over here (it's quite lengthy). Anyone with a Java keytool can run it (it probably won't be a very speedy operation because of the 4096-bit RSA key size).
After the script runs I can verify that my Subject key store contains the complete chain of trust (as I see it):
c:\>keytool -list -keystore c:\subject.jks -storepass changeit -rfc
It prints out the following (again, quite lengthy) output, which is pasted over here. It seems OK to me (at least, after hours of struggling I can't seem to see anything wrong with it).
I set up Tomcat (following this how-to) via its server.xml like this (I change nothing aside from this single tag, which is by default commented-out).
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="c:/subject.jks"
keystorePass="changeit"
keystoreType="jks"
keyAlias="subject"
keyPass="changeit" />
(After I start up Tomcat, connect to it - while it's using the Subject or the Intermediate key store - there are no errors logged.)
While looking for solutions I found that I can verify my service with openssl; as a novice user of the tool I ran the following command against my domain (using Cygwin):
$ openssl s_client -connect subject.usip.me:443 -CAfile /cygdrive/c/root.pem -showcerts &> /cygdrive/c/openssl.log
Yet again, I've pasted the lengthy output over here.
It says Verify return code: 24 (invalid CA certificate), which is strange as it refers (as I see it) to the Root certificate. Now, as I said, when I previously reconfigured Tomcat to use the Intermediate key store I also ran this same command, and then it checked out with Verify return code: 0 (ok). So I guess the Root certificate is OK.
The domain and sub-domain names I've mentioned throughout the post and pastes are free domains registered at http://freedns.afraid.org/ and each of them points to my current address (I thought I'd mention it, maybe it matters).
Any ideas what I'm doing wrong?
OK, I've managed to figure it out. I didn't specify some important X.509 certificate extensions when I generated the replies to my certificate signing requests.
There is some info on this in Java's keytool documentation. (Search for -ext.)
The key points are the proper generation and signing of the Intermediate certificate:
keytool -gencert^
-alias root^
-ext BasicConstraints:critical=ca:true,pathlen:0^
-ext KeyUsage:critical=keyCertSign,cRLSign^
-infile intermediate.csr^
-keypass changeit^
-keystore root.jks^
-outfile intermediate.pem^
-rfc^
-sigalg sha512withrsa^
-storepass changeit^
-storetype jks^
-v
and the Subject certificate:
keytool -gencert^
-alias intermediate^
-ext BasicConstraints:critical=ca:false^
-ext ExtendedkeyUsage:critical=serverAuth,clientAuth^
-ext KeyUsage:critical=digitalSignature,keyEncipherment^
-infile subject.csr^
-keypass changeit^
-keystore intermediate.jks^
-outfile subject.pem^
-rfc^
-sigalg sha512withrsa^
-storepass changeit^
-storetype jks^
-v
I'll update my answer when I have the time and post my complete solution.
Update
I've set up a little example repository at GitHub, which contains the scripts I wrote for generating the necessary key store files, certificates, etc. I rewrote my scripts in Bash and added a lot of configuration parameters. It can be run without any configuration at all; in this case it creates certificates for the root.lvh.me, intermediate.lvh.me and subject.lvh.me domains (the second-level domain lvh.me points to 127.0.0.1 by default). Using the Subject key store with Tomcat and installing the Root certificate into Firefox will result in a verified, secure connection to https://subject.lvh.me (and nowhere else, so https://intermediate.lvh.me won't verify).
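A worked example added by the editor; it is not code from any of the posts above or from the GitHub repository. It covers two things at once: the MMC export in the first answer on this page (the "Include all certificates in the certification path" checkbox decides whether the intermediate ends up in the .pfx at all) and the -ext flags in this answer. The names Root, Intermediate and subject.lvh.me and the password changeit are taken from the posts; everything else is assumed. The certificate material is generated in memory with the Python `cryptography` package (assumed installed), so no real keys are involved. inspect_pfx walks the chain a Tomcat connector with keystoreType="PKCS12" would load and verifies each signature, and check_ca_extensions reports the missing BasicConstraints/KeyUsage that surfaced as sec_error_unknown_issuer in Firefox and as verify code 24 in openssl.

```python
# Editor's added example (not from the posts): build a constructed Root -> Intermediate
# -> subject.lvh.me chain in memory, export it to PKCS12 like the MMC wizard does, and
# check what Tomcat will see. Requires the `cryptography` package (assumption).
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

PASSWORD = b"changeit"  # keystore password used in the keytool commands above

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _key_usage(**on):
    """x509.KeyUsage wants all nine bits: set the named ones, clear the rest."""
    bits = ("digital_signature", "content_commitment", "key_encipherment", "data_encipherment",
            "key_agreement", "key_cert_sign", "crl_sign", "encipher_only", "decipher_only")
    return x509.KeyUsage(**{bit: on.get(bit, False) for bit in bits})

def make_cert(cn, key, issuer=None, issuer_key=None, role="leaf", with_ext=True):
    """Issue a cert for `key`; role is 'root', 'intermediate' or 'leaf'. with_ext=False
    reproduces the question's mistake: signing without the extensions that -ext adds."""
    issuer_name = _name(cn) if issuer is None else issuer.subject
    issuer_key = key if issuer is None else issuer_key  # issuer=None means self-signed root
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(issuer_name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(days=1))
         .not_valid_after(now + datetime.timedelta(days=365)))
    if with_ext and role == "leaf":  # -ext BasicConstraints:critical=ca:false
        b = b.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        b = b.add_extension(x509.ExtendedKeyUsage(  # -ext ExtendedKeyUsage:critical=serverAuth,clientAuth
            [ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH]), critical=True)
        b = b.add_extension(_key_usage(digital_signature=True, key_encipherment=True),
                            critical=True)  # -ext KeyUsage:critical=digitalSignature,keyEncipherment
    elif with_ext:  # -ext BasicConstraints:critical=ca:true,pathlen:0 (pathlen 1 for the root)
        b = b.add_extension(x509.BasicConstraints(
            ca=True, path_length=0 if role == "intermediate" else 1), critical=True)
        b = b.add_extension(_key_usage(key_cert_sign=True, crl_sign=True),
                            critical=True)  # -ext KeyUsage:critical=keyCertSign,cRLSign
    return b.sign(issuer_key, hashes.SHA256())

def build_chain(with_ext=True):
    """Return (leaf_key, [leaf, intermediate, root]); leaf first, as JSSE expects."""
    rk, ik, sk = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    root = make_cert("Root", rk, role="root", with_ext=with_ext)
    inter = make_cert("Intermediate", ik, root, rk, role="intermediate", with_ext=with_ext)
    leaf = make_cert("subject.lvh.me", sk, inter, ik, role="leaf", with_ext=with_ext)
    return sk, [leaf, inter, root]

def to_pfx(key, chain, include_chain=True):
    """include_chain mirrors the wizard checkbox 'Include all certificates in the path'."""
    extra = chain[1:] if include_chain else None
    return pkcs12.serialize_key_and_certificates(
        b"tomcat", key, chain[0], extra, serialization.BestAvailableEncryption(PASSWORD))

def _signed_by(cert, issuer):
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False

def _ext(cert, cls):
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def inspect_pfx(pfx_bytes, password):
    """Report what a connector with keystoreType="PKCS12" gets from this file."""
    key, leaf, extra = pkcs12.load_key_and_certificates(pfx_bytes, password)
    # PKCS12 keeps no order, so walk issuer -> subject by name, verifying each signature,
    # until a self-signed root is reached or the issuer is simply not in the file.
    by_subject = {c.subject: c for c in extra}
    cur = leaf
    while (cur.issuer != cur.subject and cur.issuer in by_subject
           and _signed_by(cur, by_subject[cur.issuer])):
        cur = by_subject[cur.issuer]
    return {"has_private_key": key is not None,
            "key_matches_cert": key is not None
            and key.public_key().public_numbers() == leaf.public_key().public_numbers(),
            "chain_length": 1 + len(extra),
            "chain_complete": cur.issuer == cur.subject,
            "chain_ends_at": cur.subject.rfc4514_string()}

def check_ca_extensions(chain):
    """Problems with the extensions the -ext flags above add (empty list = OK). A CA cert
    without BasicConstraints ca:TRUE is openssl's 'return code 24 (invalid CA certificate)'."""
    problems = []
    for i, cert in enumerate(chain):
        cn = cert.subject.rfc4514_string()
        bc, ku = _ext(cert, x509.BasicConstraints), _ext(cert, x509.KeyUsage)
        eku = _ext(cert, x509.ExtendedKeyUsage)
        if bc is None or ku is None:
            problems.append(f"{cn}: missing BasicConstraints or KeyUsage")
        elif i == 0:  # end-entity certificate
            if bc.ca or not ku.digital_signature:
                problems.append(f"{cn}: leaf must be ca:false with digitalSignature")
            if eku is None or ExtendedKeyUsageOID.SERVER_AUTH not in eku:
                problems.append(f"{cn}: leaf lacks EKU serverAuth")
        elif not (bc.ca and ku.key_cert_sign):  # intermediate or root
            problems.append(f"{cn}: CA needs ca:TRUE and keyCertSign")
    return problems

if __name__ == "__main__":
    key, chain = build_chain()
    print("full export     :", inspect_pfx(to_pfx(key, chain), PASSWORD))
    print("leaf-only export:", inspect_pfx(to_pfx(key, chain, include_chain=False), PASSWORD))
    print("with -ext       :", check_ca_extensions(chain))
    print("without -ext    :", check_ca_extensions(build_chain(with_ext=False)[1]))
```

Both exports are valid keystores as far as Tomcat is concerned; the difference is only visible in chain_ends_at, which stops at CN=subject.lvh.me for the leaf-only file. That is the case where a browser that does not already have the intermediate cached reports an unknown issuer, even though the server log shows nothing wrong. To run the same checks against a real export, pass the bytes of the .pfx file (open("mycert.pfx", "rb").read()) and its password to inspect_pfx.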
