KD_stack

Reputation: 161

Tomcat application with self-signed certificate results in ERR_CERT_AUTHORITY_INVALID in the Chrome browser

I've set up HTTPS and created a self-signed certificate. However, when I connect to the URL, I get an ERR_CERT_AUTHORITY_INVALID message.

https://{remote_host_name}:8443/

I've followed the instructions on the Tomcat website for SSL and self-signed certificates ( https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File ). One difference is that I'm connecting to a remote host, not a localhost, although I don't think that should matter.

This is a test environment, but unfortunately I cannot add an exception for the certificate in the browsers of the test hosts, as they create new FF profiles each test run.

Here is the command I have used to create the self-signed cert:

./keytool -genkey -keyalg RSA -alias tomcat -keystore /var/tomcat/.keystore -storepass changeit -validity 360 -keysize 2048

Here is my Tomcat server.xml connector information:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/var/tomcat/.keystore"
           keystorePass="changeit" />

Upvotes: 3

Views: 6048

Answers (1)

Steffen Ullrich

Reputation: 123320

Of course it does. Your Tomcat server is presenting the browser a certificate which is not issued by a certificate agency trusted by the browser (i.e. shipped with the browser or with the OS). Thus the browser has no reason to trust the certificate and complains.

If the browser did not check whether it trusts the issuer of the certificate, this would mean that it would trust any certificate issued by some arbitrary person, which would include certificates issued by an attacker. Do you really want this?

To work with self-signed certificates you have to explicitly accept the certificate as trusted in each browser, but of course only after you've validated the fingerprint of the certificate manually to make sure that nobody has tampered with the connection. No server-side reconfiguration can make the browser automatically trust such self-signed certificates. The only way to skip this step is to use certificates issued by a certificate agency already trusted by the browser.

Upvotes: 5
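The answer's two points, the browser's chain check that a self-signed certificate can never pass and the client-side fingerprint check that has to precede any explicit trust, as an added Go example that is not code from the question, the answer or Tomcat. The host name is constructed, and the certificate is built in memory in place of the keytool keystore.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned builds in memory what the question's keytool command puts in the keystore:
// an RSA-2048 self-signed server cert valid 360 days (constructed here; the discarded
// errors can only come from the system RNG).
func newSelfSigned(host string) *x509.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // browsers match the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(360 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// fingerprint is SHA-256 over the DER bytes, the value the operator reports out of band.
func fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

// browserVerify is what Chrome does with the roots it ships: chain c to one of them, then
// match the host. A self-signed c cannot chain to a store it is not in, so the result is
// x509.UnknownAuthorityError (ERR_CERT_AUTHORITY_INVALID) whatever server.xml says.
func browserVerify(c *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := c.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// trustAfterFingerprintCheck is the answer's manual step, done on the client: compare
// the fingerprint with the out-of-band value, and only then add c to the trust store.
func trustAfterFingerprintCheck(c *x509.Certificate, host, pinned string) error {
	if got := fingerprint(c); got != pinned {
		return fmt.Errorf("fingerprint mismatch (%s): do not trust this certificate", got)
	}
	roots := x509.NewCertPool()
	roots.AddCert(c)
	return browserVerify(c, host, roots) // same check as before, now with c trusted
}
```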
