I'm not sure about the curl part but I think there are a couple of things you would want to change.

1) When you use genkey with -keystore .jks, you should expect a file named ".jks" (without quotes) to be generated in the /conf directory if you have cd'd in as in step 1. So, the keystoreFile in step 3 should be keystoreFile=".jks" instead. If you have configured this correctly, then you should be able to use a browser and access https://localhost:8443/. Make sure this is working first before proceeding. If this is working, then any other problem should be with curl instead.

2) When you hit the "Keystore was tampered ..." error, it is because the password is wrong. Since you are trying to import the cert into the JVM default cacerts, the password should be "changeit" (without quotes). However, I would think this is unlikely to be of any use because if you are testing with curl, you need to specify to curl where the trusted cert is found. If you are using a Java client, then you can define the location of the trusted keystore by specifying the property -Djavax.net.ssl.trustStore=/path/to/jre/lib/security/cacerts

I believe the error you hit shows that your tomcat is correct but the parameter defined for curl is not.

Hope this helps.

On Tue, Dec 18, 2012 at 10:03 AM, James Dekker <james.dek...@gmail.com> wrote:
> Am using JDK 1.6, tomcat 7.0.32, and Red Hat Linux.
>
> I need help setting up SSL on my local tomcat instance.
>
> After looking at the instructions on the official tomcat 7 website:
>
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
>
> I followed the directions like this:
>
> (1) cd $CATALINA_HOME/conf
>
> (2) Create a certificate and store it in a new key store.
>
> keytool -genkey -alias tomcat -keyalg RSA -keystore .jks
>
> (3) Uncomment the SSL connector configuration in Tomcat's conf/server.xml,
> specifying your key store file and password.
>
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>            maxThreads="150" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="TLS"
>            keystoreFile="./conf/keystore.jks"
>            keystorePass="mypassword"
>            />
>
> (4) Export the certificate from the key store.
>
> keytool -exportcert -alias tomcat -file tomcat.crt -keystore keystore.jks
>
> When I tried to (which would have been Step # 5) import the certificate
> into the trust store.
>
> keytool -importcert -alias tomcat -file tomcat.crt -trustcacerts -keystore
> $JAVA_HOME/jre/lib/security/cacerts
>
> I get the following prompt for my password (after which I entered in
> "mypassword"):
>
> Enter keystore password:
>
> keytool error: java.io.IOException: Keystore was tampered with, or password
> was incorrect
>
> (I disregarded this step by the way because I found it on Google but not on
> the official Tomcat7-SSL-Howto documentation - please let me know if it's
> necessary).
>
> Tomcat's server output:
>
> INFO: Initializing ProtocolHandler ["http-bio-8080"]
> Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-bio-8443"]
> Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
> Dec 17, 2012 5:43:08 PM org.apache.catalina.startup.Catalina start
> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["http-bio-8080"]
> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["http-bio-8443"]
> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractP
> INFO: Server startup in 9611 ms
>
> When I go to my bash shell and type this in:
>
> curl -X GET https://localhost:8443
>
> I get the following error output:
>
> curl: (60) Peer certificate cannot be authenticated with known CA certificates
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
>  of Certificate Authority (CA) public keys (CA certs). If the default
>  bundle file isn't adequate, you can specify an alternate file
>  using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
>  the bundle, the certificate verification probably failed due to a
>  problem with the certificate (it might be expired, or the name might
>  not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
>  the -k (or --insecure) option.
>
> Am I missing a step here?
>
> I just want to enable SSL on Tomcat 7 and test it using curl.
>
> Would appreciate it if someone could point me in the right direction.
>
> If you wish to see this posting with better syntax coloring or my full
> server.xml, please check out these identical (but with more detail) forum
> posts:
>
> http://stackoverflow.com/questions/13925146/how-to-enable-ssl-on-tomcat-7-on-linux-test-using-curl
> http://www.coderanch.com/t/600556/Tomcat/Enable-SSL-Tomcat-Linux
>
> Happy programming,
>
> James
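The steps in this thread, carried through end to end as an added example (this is not code from either poster or from the Tomcat SSL how-to): the keystore is created non-interactively with a CN of localhost so that curl's hostname check can match the URL, the certificate is exported straight to PEM with keytool's -rfc flag so curl can read it with --cacert, and the cert is imported into a separate truststore for Java clients instead of the JVM-wide cacerts. It assumes keytool and curl are on PATH, that server.xml's keystoreFile points at keystore.jks with the same keystorePass, and that Tomcat is listening on 8443; WORKDIR, STOREPASS and the -dname values are constructed for the example.

```shell
#!/bin/sh
# Added example: Tomcat self-signed keystore + trusted curl check.
# Assumptions: keytool (JDK) and curl on PATH; paths and password below are
# constructed for this example, not taken from the thread.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"           # stand-in for $CATALINA_HOME/conf
KEYSTORE="$WORKDIR/keystore.jks"             # must match keystoreFile= in server.xml
TRUSTSTORE="$WORKDIR/truststore.jks"         # private truststore for Java clients
PEM="$WORKDIR/tomcat.pem"                    # what curl --cacert will read
STOREPASS="${STOREPASS:-example-pass}"       # must match keystorePass= in server.xml

# Steps 1-2: generate the key pair without the interactive prompts.
# CN must equal the host name used in the URL (localhost here); a trusted
# cert whose name does not match still fails verification.
# On JDK 7 or later add: -ext SAN=dns:localhost (JDK 6 keytool has no -ext).
make_keystore() {
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=localhost, OU=example, O=example" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 4: export the cert as PEM (-rfc) so no DER-to-PEM conversion is needed.
export_pem() {
    keytool -exportcert -rfc -alias tomcat \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -file "$PEM"
}

# Step 5: trust the cert in a dedicated truststore rather than editing the
# JVM's cacerts; -noprompt answers the "Trust this certificate?" question.
make_truststore() {
    keytool -importcert -noprompt -alias tomcat -file "$PEM" \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# The curl test: --cacert tells curl which cert to trust while keeping
# verification on (unlike -k/--insecure, which skips it). Prints the HTTP
# status code; a curl exit code of 60 here means the trust file is wrong.
check_with_curl() {
    curl --silent --show-error --max-time 5 --output /dev/null \
        --write-out '%{http_code}\n' \
        --cacert "$PEM" https://localhost:8443/
}

# Equivalent of --cacert for a Java client: the JVM flags that select the
# private truststore instead of the default cacerts.
java_client_opts() {
    printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s\n' \
        "$TRUSTSTORE" "$STOREPASS"
}

if command -v keytool >/dev/null 2>&1; then
    make_keystore
    export_pem
    make_truststore
    echo "keystore: $KEYSTORE  truststore: $TRUSTSTORE  pem: $PEM"
    echo "Java client options: $(java_client_opts)"
    # Only meaningful once Tomcat's 8443 connector is up with this keystore.
    check_with_curl || echo "connector not reachable yet (is Tomcat running on 8443?)" >&2
else
    echo "keytool not found; install a JDK to run the keystore steps" >&2
fi
```

Point server.xml's keystoreFile at the generated keystore.jks (or copy it into conf/), restart Tomcat, and check_with_curl should print 200 (or whatever status the root context returns) with no error 60. Keeping a private truststore also avoids the "Keystore was tampered with" failure from the thread, which comes from typing the keystore's own password at cacerts, whose default password is changeit.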