Reputation: 5478
I created a certificate using keytool:
keytool -genkey -alias tomcat -keyalg RSA
Exported and imported it into my keystore:
keytool -export -alias tomcat -file name.crt
keytool -import -file name.crt
When I do keytool -list I have 2 entries:
tomcat, Sept 15, 2010, keyEntry,
Certificate fingerprint (MD5): ...
mykey, Sept 17, 2010, trustedCertEntry
Certificate fingerprint (MD5):...
Note that the fingerprints for both entries are the same.
I configured my server.xml to point to my .keystore file
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
But in my tomcat logs I see when I perform an action in my Java app:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
...
sun.security.validator.ValidatorException: No trusted certificate found
Is there any other configuration that needs to be done?
Upvotes: 3
Views: 10587
Reputation: 81907
You need the client (i.e. the browser) to trust your server's certificates.
For this you either import the certificate of the server in the browser as a trusted certificate, which only works when you have the browser under your control, or you get your certificate signed by a trusted authority, which costs money.
Exporting and reimporting under a different name doesn't make any sense.
Update:
I think I'm starting to understand what you are trying to do. You want a Java client to access a webapp via HTTPS, yes?
In this case you need to provide a 'truststore', i.e. a keystore containing the trusted certificates. You'll want to set the system property javax.net.ssl.trustStore to the name of the truststore to use.
You can probably use a handcrafted TrustManager as well. This site seems to give information about that: http://download.oracle.com/javase/1.4.2/docs/guide/security/jsse/JSSERefGuide.html
This simple example might help as well: http://stilius.net/java/java_ssl.php
Upvotes: 1