Reputation: 11
Firstly, I'm trying to configure my Java web project for school as HTTPS, so I'm trying to make a self-signed certificate and import it into Tomcat. My Tomcat version is 9.0.591 and I'm using Java 17.
I basically followed the documents on the official Tomcat website.
I first created a keystore by running this exact command: "%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA
And then I simply added it to the Tomcat server.xml file as such:
<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="${user.home}/.keystore" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS"/>
And I added this to the web.xml file:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>DigitalLibrary</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Now I'm not gonna lie, I don't really know what the code in the web.xml file means, so if you could explain that as well I'd appreciate it. All I know is that it makes the server automatically forward to HTTPS instead of HTTP.
Lastly I ran the server; Windows, of course, did not recognize the certificate, so I downloaded the CER file straight from Chrome and added it to the Trusted Root Certification Authorities through mmc.
When I tried running the server again the certificate still was not recognized. What did I do wrong that made Windows not recognize it? It does obviously show up when I run the server, but Windows won't recognize it... I have tried just putting the keystore file in the Trusted Root Certification Authorities and it still didn't work.
Thanks in advance.
Upvotes: 1
Views: 744
Reputation: 11
The problem was really dumb... I can't believe it took me so long to realize this...
Basically it only recognized the certificate when I used the IP in the URL; I originally had "localhost" in there. That was the cause of the error in this case.
I also changed at some point to a certificate I made with OpenSSL, so it probably has to do with that.
Thank you to everyone that answered, and I'm sorry for posting on the wrong site; I didn't even know there were other ones...
Upvotes: 0
Reputation: 38771
Meta: this is not programming or development, and will probably get closed or moved. This doesn't fit as a comment but I consent to it being deleted or moved.
HTTPS certificates must contain the domain name you use to connect to the server, or the IP address if you use that instead (which is rare on the internet but not uncommon in test environments), or optionally a wildcard matching the domain name.
For Chrome or Edge, you must add the SubjectAlternativeName extension to the cert with the domain name(s) or IP address(es) of the server. See the keytool documentation. For other browsers you may do that or (at least for now) put one name or address of the server as 'Common Name' in Subject, which is what keytool describes inaccurately as "First and Last Name" (but note the confirmation shows it as CN, which is the correct abbreviation for Common Name).
Upvotes: 1
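The keytool invocation the answer above calls for, as an added example that is not part of any post on this page: it generates the key pair with a SubjectAlternativeName covering both "localhost" and an IP address, confirms the extension is really in the certificate, and then exports only the public certificate and imports it into the Windows Trusted Root store (which is what the mmc step in the question does by hand). The keystore path and password match the server.xml Connector from the question; 192.168.1.10 is a placeholder for the machine's actual LAN address, and JAVA_HOME is assumed to point at a JDK 17.

```powershell
# Added example (not from the original posts): self-signed certificate with SAN for Tomcat.
# Assumptions: $env:JAVA_HOME is a JDK 17, keystore path/password match server.xml,
# and 192.168.1.10 is a placeholder for the address you actually browse to.

$keystore  = "$env:USERPROFILE\.keystore"   # same file as keystoreFile="${user.home}/.keystore"
$storepass = "changeit"                      # same value as keystorePass="changeit"
$lanIp     = "192.168.1.10"                  # replace with your real LAN address

# Chrome/Edge only look at the SAN extension; CN alone is ignored. Listing both
# dns:localhost and the IPs means the same cert works for http://localhost:8443
# and for https://192.168.1.10:8443.
& "$env:JAVA_HOME\bin\keytool" -genkeypair -alias tomcat -keyalg RSA -keysize 2048 `
    -validity 365 -keystore $keystore -storepass $storepass -keypass $storepass `
    -dname "CN=localhost" `
    -ext "SAN=dns:localhost,ip:127.0.0.1,ip:$lanIp"

# Check the extension actually landed before touching the browser or the cert store.
& "$env:JAVA_HOME\bin\keytool" -list -v -keystore $keystore -storepass $storepass -alias tomcat |
    Select-String -Pattern "SubjectAlternativeName" -Context 0,4

# Export the public certificate only (never the keystore, which holds the private key).
$cer = "$env:TEMP\tomcat-localhost.cer"
& "$env:JAVA_HOME\bin\keytool" -exportcert -alias tomcat -keystore $keystore `
    -storepass $storepass -rfc -file $cer

# Trust it machine-wide; this needs an elevated PowerShell.
Import-Certificate -FilePath $cer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Sanity check: the thumbprint Tomcat serves must be the one now in the Root store.
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq "CN=localhost" } |
    Select-Object Subject, NotAfter, Thumbprint
```

Restart Tomcat after regenerating the keystore so it picks up the new certificate, and restart the browser (or open a fresh profile) so a cached rejection of the old certificate is not reused. If the keystore already holds an entry named tomcat, delete it first with `keytool -delete -alias tomcat -keystore $keystore -storepass $storepass`, since `-genkeypair` will refuse to overwrite it.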