Thanks Mr. Han Ming Low, but that 2nd line number was a typo; it's supposed to state:

"(2) Create a certificate and store it in a new key store.

keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks"

Thanks for responding to my inquiry,

James

On Dec 17, 2012, at 6:51 PM, Han Ming Low <hanmin...@gmail.com> wrote:

> I'm not sure about the curl part, but I think there are a couple of things
> you would want to change.
>
> 1) When you use genkey with -keystore .jks, you should expect a file
> named ".jks" (without quotes) to be generated in the /conf directory if you
> have cd'd in as in step 1. So the keystoreFile in step 3 should be
> keystoreFile=".jks" instead.
>
> If you have configured this correctly, then you should be able to use a
> browser and access https://localhost:8443/
> Make sure this is working first before proceeding.
> If this is working, then any other problem should be with curl instead.
>
> 2) When you hit the "Keystore was tampered ..." error, it is because the
> password is wrong.
> Since you are trying to import the cert into the JVM default cacerts,
> the password should be "changeit" (without quotes).
> However, I would think this is unlikely to be of any use, because if you are
> testing with curl, you need to specify to curl where the trusted cert is
> found.
> If you are using a Java client, then you can define the location of the trusted
> keystore by specifying the property
> -Djavax.net.ssl.trustStore=/path/to/jre/lib/security/cacerts
>
> I believe the error you hit shows that your Tomcat is correct but the
> parameter defined for curl is not.
>
> Hope this helps.
>
> On Tue, Dec 18, 2012 at 10:03 AM, James Dekker <james.dek...@gmail.com> wrote:
>
>> I am using JDK 1.6, Tomcat 7.0.32, and Red Hat Linux.
>>
>> I need help setting up SSL on my local Tomcat instance.
>>
>> After looking at the instructions on the official Tomcat 7 website:
>>
>> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
>>
>> I followed the directions like this:
>>
>> (1) cd $CATALINA_HOME/conf
>>
>> (2) Create a certificate and store it in a new key store.
>>
>> keytool -genkey -alias tomcat -keyalg RSA -keystore .jks
>>
>> (3) Uncomment the SSL connector configuration in Tomcat's conf/server.xml,
>> specifying your key store file and password.
>>
>> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>            maxThreads="150" scheme="https" secure="true"
>>            clientAuth="false" sslProtocol="TLS"
>>            keystoreFile="./conf/keystore.jks"
>>            keystorePass="mypassword"
>> />
>>
>> (4) Export the certificate from the key store.
>>
>> keytool -exportcert -alias tomcat -file tomcat.crt -keystore keystore.jks
>>
>> When I tried to (which would have been Step #5) import the certificate
>> into the trust store:
>>
>> keytool -importcert -alias tomcat -file tomcat.crt -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts
>>
>> I get the following prompt for my password (after which I entered
>> "mypassword"):
>>
>> Enter keystore password:
>>
>> keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
>>
>> (I disregarded this step, by the way, because I found it on Google but not in
>> the official Tomcat7-SSL-Howto documentation; please let me know if it's
>> necessary.)
>>
>> Tomcat's server output:
>>
>> INFO: Initializing ProtocolHandler ["http-bio-8080"]
>> Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
>> INFO: Initializing ProtocolHandler ["http-bio-8443"]
>> Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
>> INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
>> Dec 17, 2012 5:43:08 PM org.apache.catalina.startup.Catalina start
>> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
>> INFO: Starting ProtocolHandler ["http-bio-8080"]
>> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
>> INFO: Starting ProtocolHandler ["http-bio-8443"]
>> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractP
>> INFO: Server startup in 9611 ms
>>
>> When I go to my bash shell and type this in:
>>
>> curl -X GET https://localhost:8443
>>
>> I get the following error output:
>>
>> curl: (60) Peer certificate cannot be authenticated with known CA certificates
>> More details here: http://curl.haxx.se/docs/sslcerts.html
>>
>> curl performs SSL certificate verification by default, using a "bundle"
>>  of Certificate Authority (CA) public keys (CA certs). If the default
>>  bundle file isn't adequate, you can specify an alternate file
>>  using the --cacert option.
>> If this HTTPS server uses a certificate signed by a CA represented in
>>  the bundle, the certificate verification probably failed due to a
>>  problem with the certificate (it might be expired, or the name might
>>  not match the domain name in the URL).
>> If you'd like to turn off curl's verification of the certificate, use
>>  the -k (or --insecure) option.
>>
>> Am I missing a step here?
>>
>> I just want to enable SSL on Tomcat 7 and test it using curl.
>>
>> Would appreciate it if someone could point me in the right direction.
>>
>> If you wish to see this posting with better syntax coloring or my full
>> server.xml, please check out these identical (but with more detail) forum
>> posts:
>>
>> http://stackoverflow.com/questions/13925146/how-to-enable-ssl-on-tomcat-7-on-linux-test-using-curl
>>
>> http://www.coderanch.com/t/600556/Tomcat/Enable-SSL-Tomcat-Linux
>>
>> Happy programming,
>>
>> James

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
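Added example, not code from this thread or from the Tomcat project: a small Python audit of the SSL Connector in server.xml. It resolves keystoreFile the way Tomcat does (a relative path is taken against $CATALINA_BASE; with no keystoreFile Tomcat looks for ~/.keystore, and with no keystorePass it tries the default "changeit"), reports the mismatches that make the setup above fail, and builds the curl invocation that verifies the exported tomcat.crt instead of switching verification off with -k. The sample server.xml is constructed to mirror the connector posted in the thread; the function names and the set of checks are my own, not Tomcat's.

```python
"""Audit the SSL <Connector> entries of a Tomcat 7 server.xml.

Added example (not from the mailing-list thread or the Tomcat project).
It checks the things that produced the errors in the thread: a keystoreFile
that does not resolve to the file keytool actually wrote, a missing
keystorePass (Tomcat then tries the default "changeit"), and a connector
that is SSLEnabled but not declared scheme="https" secure="true".
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample mirroring the connector posted in the thread.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="./conf/keystore.jks"
               keystorePass="mypassword" />
  </Service>
</Server>
"""


def ssl_connectors(server_xml_text):
    """Return the attribute dict of every Connector with SSLEnabled="true"."""
    root = ET.fromstring(server_xml_text)
    return [dict(c.attrib) for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]


def resolve_keystore(attrs, catalina_base):
    """Resolve keystoreFile as Tomcat does: absolute as given, relative
    against $CATALINA_BASE, and ~/.keystore when the attribute is absent."""
    path = attrs.get("keystoreFile")
    if not path:
        return os.path.expanduser("~/.keystore")
    if os.path.isabs(path):
        return path
    return os.path.normpath(os.path.join(catalina_base, path))


def audit_connector(attrs, catalina_base):
    """Return a list of human-readable findings for one SSL connector."""
    findings = []
    keystore = resolve_keystore(attrs, catalina_base)
    if not os.path.isfile(keystore):
        findings.append("keystore not found at %s (must match the -keystore "
                        "name given to keytool -genkey)" % keystore)
    if attrs.get("scheme") != "https" or attrs.get("secure", "false").lower() != "true":
        findings.append('SSL connector should declare scheme="https" secure="true"')
    if "keystorePass" not in attrs:
        findings.append('no keystorePass: Tomcat will try the default "changeit"')
    proto = attrs.get("sslProtocol", "TLS")
    if proto.upper().startswith("SSL"):
        findings.append("sslProtocol=%s selects an SSL rather than TLS handshake" % proto)
    return findings


def audit_server_xml(server_xml_text, catalina_base):
    """Map each SSL connector port to its findings (empty list = clean)."""
    return {int(c["port"]): audit_connector(c, catalina_base)
            for c in ssl_connectors(server_xml_text)}


def curl_verify_command(attrs, exported_cert="tomcat.crt", host="localhost"):
    """The curl call that verifies the server with the exported certificate.
    `host` must match the CN/SAN entered at the keytool -genkey prompt."""
    return "curl --cacert %s https://%s:%s/" % (exported_cert, host, attrs.get("port", "8443"))


def run_demo():
    """Audit the sample twice: before and after conf/keystore.jks exists."""
    with tempfile.TemporaryDirectory() as base:
        missing = audit_server_xml(SAMPLE_SERVER_XML, base)
        os.makedirs(os.path.join(base, "conf"))
        # Constructed stand-in for the keystore keytool would have written.
        open(os.path.join(base, "conf", "keystore.jks"), "wb").close()
        present = audit_server_xml(SAMPLE_SERVER_XML, base)
    return missing, present


if __name__ == "__main__":
    before, after = run_demo()
    print("before keystore exists:", before)
    print("after keystore exists: ", after)
    print(curl_verify_command(ssl_connectors(SAMPLE_SERVER_XML)[0]))
```

The keystore check is what catches the thread's mistake: keytool was run with `-keystore .jks` while server.xml pointed at `./conf/keystore.jks`, so the connector could never open the file. The curl line it prints is the verifying alternative to `-k`; it only succeeds when the name in the URL matches the name the certificate was issued for.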