nh39

Reputation: 1

Certificate configuration on Tomcat

First of all, I know that there are similar questions already asked, and I tried to follow the suggestions to troubleshoot, but haven't had any luck. So I'm at the point where I think I'd be better off just posting for help. Thank you, in advance, for your help.

Question: What am I doing wrong? What/where should I check?

Objective: I'm trying to set up a certificate on Tomcat. I have Tomcat 8.5, %JAVA_HOME%="C:\Program Files\Java\jdk1.8.0_121" and a certificate I generated with the following command:

keytool -genkeypair -alias cert -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keypass 123456 -storepass 123456 -keystore d:\cert.jks

And filled out my name and other information, etc. to generate the key pair.

I saw many YouTube videos and other instructions mention "genkey" instead of "genkeypair", but this option isn't available on this computer. Anyway, I modified the server.xml file by adding the following:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="D:\cert.jks" type="RSA" keystorePass="123456" />
  </SSLHostConfig>
</Connector>

Executing catalina configtest gave me this:

04-Apr-2017 19:28:16.271 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-443"]
 java.lang.IllegalArgumentException: java.io.IOException: Keystore was tampered with, or password was incorrect

Upvotes: 0

Views: 13016

Answers (2)

nh39

Reputation: 1

FWIW, I can get it to work with the HTTP/1.1 protocol - simpler.

Basically, I replaced

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="D:\cert.jks" type="RSA" keystorePass="123456" />
  </SSLHostConfig>
</Connector>

With this

<Connector port="443" protocol="HTTP/1.1"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keystoreFile="/conf/.keystore" keystorePass="123456" />

Moving on and reading more about Tomcat and store type. There's an interesting thread here: How to create a BKS (BouncyCastle) format Java Keystore that contains a client certificate chain

Upvotes: -2

user207421

Reputation: 310840

<Certificate certificateKeystoreFile="D:\cert.jks" type="RSA" keystorePass="123456" />

The problem is here. The keystore type is JKS, not RSA[1]. The keypair type is RSA.

You may also have to rename your keypair/certificate entry to "tomcat" or whatever the default is in Tomcat 8, or else tell Tomcat to use the alias "cert" (poor choice).

[1] Because you didn't specify any other type to the keytool.

Upvotes: 0
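As an added example that is not part of the question or either answer: the three things this thread turns on (store type, entry alias, and the store password behind the "Keystore was tampered with, or password was incorrect" message) can be checked offline by reading the JKS file directly, reproducing the integrity hash Java computes when it loads the store. It assumes a version-2 JKS file, which is what JDK 8 keytool writes by default, and the password given to -storepass; the sample store it builds is constructed for the demonstration, not a real keystore.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # fixed string Java mixes into the JKS integrity hash

def jks_digest(body: bytes, password: str) -> bytes:
    # Java hashes the password as UTF-16BE chars, then the salt, then the store body.
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(JKS_SALT)
    h.update(body)
    return h.digest()

def check_store_password(blob: bytes, password: str) -> bool:
    # A mismatch here is what Java reports as "Keystore was tampered with, or password was incorrect".
    return jks_digest(blob[:-20], password) == blob[-20:]

def _u32(blob: bytes, pos: int) -> int:
    return struct.unpack_from(">I", blob, pos)[0]

def _read_utf(blob: bytes, pos: int):
    (n,) = struct.unpack_from(">H", blob, pos)          # Java writeUTF: 2-byte length prefix
    return blob[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def list_aliases(blob: bytes) -> list:
    """Return (alias, kind) for every entry in a version-2 JKS file (what JDK 8 keytool writes)."""
    if struct.unpack_from(">II", blob, 0) != (JKS_MAGIC, 2):
        raise ValueError("not a version-2 JKS store (check certificateKeystoreType)")
    pos, entries = 12, []
    for _ in range(_u32(blob, 8)):                      # entry count sits after magic + version
        tag = _u32(blob, pos)                           # 1 = private key, 2 = trusted cert
        alias, pos = _read_utf(blob, pos + 4)
        pos += 8                                        # creation timestamp (long)
        chain = 1                                       # trusted-cert entry holds one cert
        if tag == 1:
            pos += 4 + _u32(blob, pos)                  # skip the encrypted private key
            chain, pos = _u32(blob, pos), pos + 4       # certificate chain length
        for _ in range(chain):
            _, pos = _read_utf(blob, pos)               # certificate type, e.g. "X.509"
            pos += 4 + _u32(blob, pos)                  # skip the DER bytes
        entries.append((alias, "PrivateKeyEntry" if tag == 1 else "trustedCertEntry"))
    return entries

def build_sample_store(password: str) -> bytes:
    # Constructed sample, not a real keystore: one trusted-cert entry "cert" with placeholder DER.
    body = struct.pack(">III", JKS_MAGIC, 2, 1)
    body += struct.pack(">IH", 2, 4) + b"cert" + b"\x00" * 8
    body += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", 3) + b"\x30\x01\x00"
    return body + jks_digest(body, password)
```

On the real file, pass open(r"d:\cert.jks", "rb").read() to list_aliases and check_store_password; keytool -list -keystore d:\cert.jks -storepass 123456 reports the same store type, aliases and password verdict from the JDK side.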
