I've acquired a signed certificate for use in a secure connection in Tomcat 7(.0.42). Here is what I'm given:
An x.509 certificate, primary-intermediate and secondary-intermediate x.509 certificates, a PKCS#7 chained certificate, and a private key.
I imported the certificates as specified in this guide using the x.509 certificates, then configured my SSL Connector to use the keystore, but got this error:
java.io.IOException: Alias name the_alias does not identify a key entry
I was advised to use the (also) provided PKCS#7 chained certificate, but when attempting to import it using keytool, it failed saying that it wasn't an x.509 certificate.
I understand from online lit that in the first step I was missing the "1" alias for the private key, but I have no idea how to import it. Also, I understand the PKCS#7 certificate is supposed to work fine on Tomcat, but I don't know how to import it to a keystore. I'm rather new to this, please advise!
Many thanks,
Victor.
I cannot check how you implemented the guide, but I do recommend starting from the self-signed certificate according to the instructions here:
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
Ensure that keyAlias points to the alias of the server certificate in keystoreFile.
The default alias for the self signed certificate is tomcat.
<Connector port="8443"
…
keyAlias="tomcat"
…
keystoreFile="server.keystore" keystorePass="changeit"
truststoreFile="trust.keystore" truststorePass="changeit"/>
When that works, replace the keyAlias with the alias of the signed certificate.
Related
I have a Java application running on two different servers. On the 1st server, while the application is trying to insert an X.509 certificate into the NSS keystore, it is getting the following error:
Failed to store public key certificate in keystore. Cause: Could not create trust object
java.security.ProviderException: Could not create trust object
at sun.security.pkcs11.Secmod$TrustAttributes.<init>(Secmod.java:658)
at sun.security.pkcs11.Secmod$Module.setTrust(Secmod.java:529)
at sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1045)
at sun.security.pkcs11.P11KeyStore.engineSetCertificateEntry(P11KeyStore.java:516)
at java.security.KeyStore.setCertificateEntry(Unknown Source)
Using certutil to list the NSS DB entry I can see the certificate entry, but the trust flag says "CTu,Cu,Cu".
On the 2nd server, inserting an X.509 certificate into the NSS keystore doesn't throw the same exception. It is working fine, and using certutil I can see the certificate entry, and the trust flag says: "CT,C,C".
My questions:
Why did inserting an X.509 certificate throw an exception on the 1st server?
What causes the trust flags to differ between the two certificates? The X.509 certificate is imported through the same API.
Both servers are running Java 8u121. Thank you.
I am trying to automate the certificate renewal process. I am able to generate the certificate and then import the certificate to the server, and now I just need to update the SSL certificate to the new certificate imported for a particular application (e.g. ABC). No changes in other properties like port number or anything else. I just need to point the SSL certificate to the new one added for a particular application. I tried doing a lot of research but no luck. Please help.
Could you please help me setup the SSL on the Nifi Application.
To explain about the steps taken so far.
I have used the following link's instructions to use the CA-signed certs provided to us (this includes root, intermediate and server certs). I have successfully configured NiFi to run on SSL on the server end, but I am not getting the steps to create a client cert so that we can log in to NiFi using the client cert.
Help in this regard will be highly appreciated.
You'll need to generate a Certificate Signing Request (CSR) or request from your security/IT team who provided the CA-signed server certs that they provide a client certificate (and private key) signed by the same intermediate or root CA. You could also generate your own client certificate signed by a self-signed CA and put the public certificate of that CA in the NiFi truststore. More documentation around this process can be found in the NiFi Toolkit Guide.
I'm trying to use the tomcat[7]-maven-plugin to deploy my war to my tomcat instance. However, it's running over https with a self-signed cert. So, I'd like to import the cert into a truststore in order to deploy it. I thought the truststoreFile parameter might let me specify the custom truststore I'd like to use for the action, but it doesn't seem to. Can anyone tell me what it does?
Truststore in this context is used to validate certificates provided by the clients to the server (lookup SSL client certificate). I'm not too familiar with tomcat, but I would imagine that the parameter is used to point to a custom truststore (which could contain custom trusted certificates or CAs). Server's own certificates, self-signed or not, go to a keystore.
I have the following issue: I have a domain that hosts a) a website on port 443 (Apache) and b) a web app with Spring Boot (Tomcat) on port 8443. Both are using the same certificates. For Tomcat I generated a keystore that consists of the private key/certificate, intermediate and root certificate. Visiting the website is not an issue at all.
Now, when I visit the webapp from e.g. Chromium or from my smartphone I can access it and https works just fine (the certificate is trusted and I can view the certificate chain). If I instead try opening it in Firefox or use openssl s_client -connect domain.com:8443, the connection is not secured and only my certificate is provided, but neither the intermediate nor the root certificate.
Now I don't understand how that happens, whether maybe Chrome recognizes the certificate chain from the issuer field of the certificate or asks the app server to provide further parts of the chain, and Firefox/openssl do not.
Any hint about how to make this work would be greatly appreciated!
BR Johannes
BTW about the keystore creation: I created an empty keystore, added the root, then the intermediate and then my certificate + key.
Seems I made a mistake in how to create the keystore; just importing the certificate chain and the key pair wasn't enough. I had to append the certificates of the chain to my certificate (using KeyStore Explorer or as described in this answer).
How it came that Chromium accepted the certificate anyway is still a mystery to me, though.