Thanks Ognjen, you gave me the hint I needed to fix the issue! What I did was delete my keystore and start back from scratch. I had to run these extra steps though:

    keytool -genkey -alias <aliasname> -keyalg RSA

then enter in the exact matching info that was specified in the assigned certificate itself (name, organizational unit, organization, etc.). Then I ran:

    keytool -certreq -alias <aliasname> -keyalg RSA -file <pathToANewCSRFile>

This creates a new .csr file. Then I point my connector in server.xml to the new keystore. Restarted Tomcat services and app services. Loaded the website and let the error popup happen once, then I installed the certificate it prompts about (to my truststore). Closed out Internet Explorer. Reopened it, and re-accessed my site. And voila, no more certificate error. Thanks again!

Ray Diaz
Application Consultant
U.S. Bancorp Technology and Operations Services

From: Ognjen Blagojevic <ognjen.d.blagoje...@gmail.com>
To: Tomcat Users List <users@tomcat.apache.org>
Date: 09/30/2014 03:33 PM
Subject: Re: question on certificate use - resending with attachment descriptions in case they get stripped out again. If this doesn't work I will resend the email when I get home

Ray,

On 30.9.2014 20:54, ray.d...@usbank.com wrote:
> <Connector
>     port="443" maxThreads="200"
>     scheme="https" secure="true" SSLEnabled="true"
>     keystoreFile="C:\Bonaire\REVPORT\.keystore" keystorePass="changeit"
>     keyAlias="tomcat2"
>     proxyName="revport-it.us.bank-dns.com" proxyPort="443"
> />
>
> And then on the browser, when I try to load the site, I get a blank
> screen again, says "Internet Explorer cannot display the webpage".
>
> If I use "tomcat" as the alias in my connector, the site loads but then
> I get the "Certificate Error" popup again, which is what I need to get
> rid of (on the top right of Internet Explorer).

It seems that you created the key pair under alias "tomcat" and imported the certificate reply from your CA under alias "tomcat2". That is wrong. You should be importing the certificate reply under the same alias as you generated the key pair.

Here is an excerpt from the Oracle keytool docs:

"You import a certificate for two reasons: to add it to the list of trusted certificates, or to import a certificate reply received from a CA as the result of submitting a Certificate Signing Request (see the -certreq command) to that CA. Which type of import is intended is indicated by the value of the -alias option: If the alias does not point to a key entry, then keytool assumes you are adding a trusted certificate entry. In this case, the alias should not already exist in the keystore. If the alias does already exist, then keytool outputs an error, since there is already a trusted certificate for that alias, and does not import the certificate. If the alias points to a key entry, then keytool assumes you are importing a certificate reply."

-Ognjen
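The alias rule Ognjen quotes, as an added example that is not part of the thread: a shell function with the keytool sequence that keeps the key pair, the CSR and the CA reply under one alias, and a check that parses `keytool -list` output so the `keyAlias` named in server.xml is really a PrivateKeyEntry (a trustedCertEntry under that alias is exactly the "tomcat2" mistake above). The keystore path, the alias "tomcat", the file names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: alias "tomcat",
# files tomcat.csr / tomcat.cer / ca-root.cer, keystore passed as $1.

# Correct keytool sequence. Defined as a function so nothing runs unless
# a real JDK keystore is passed in; every flag used is a real keytool option.
issue_and_import() {
    ks=$1 alias=$2 pass=$3
    # 1. Key pair under the alias the connector will reference.
    keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 \
        -keystore "$ks" -storepass "$pass"
    # 2. CSR for that same alias; send it to the CA.
    keytool -certreq -alias "$alias" -file "$alias.csr" \
        -keystore "$ks" -storepass "$pass"
    # 3. CA root/intermediate go in under their OWN aliases (trusted certs).
    keytool -importcert -alias ca-root -file ca-root.cer -trustcacerts \
        -keystore "$ks" -storepass "$pass" -noprompt
    # 4. The reply for the server cert goes in under the SAME alias as the
    #    key pair, so keytool treats it as a certificate reply, not a new
    #    trusted certificate (the "tomcat2" mistake).
    keytool -importcert -alias "$alias" -file "$alias.cer" -trustcacerts \
        -keystore "$ks" -storepass "$pass"
}

# Reads `keytool -list` output on stdin; returns 0 if ALIAS is listed as a
# PrivateKeyEntry, 1 if it is a trustedCertEntry or absent. Only a
# PrivateKeyEntry can serve as the connector's keyAlias. The alias is used
# as a plain regex prefix, which is fine for ordinary alias names.
alias_has_private_key() {
    grep -i "^$1, .*PrivateKeyEntry" >/dev/null
}

# Constructed sample of `keytool -list -keystore .keystore` output that
# reproduces the thread's situation: key pair under "tomcat", CA reply
# imported (wrongly) as a trusted cert under "tomcat2". Fingerprints are
# placeholders.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

tomcat, Sep 30, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
tomcat2, Sep 30, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB
'

# Check one keyAlias value against the listing (default: the sample above).
check_alias() {
    listing=${2:-$SAMPLE_LISTING}
    if printf '%s' "$listing" | alias_has_private_key "$1"; then
        echo "keyAlias=\"$1\": PrivateKeyEntry, usable by the connector"
        return 0
    fi
    echo "keyAlias=\"$1\": not a PrivateKeyEntry; re-import the CA reply under the key pair's alias"
    return 1
}

check_alias tomcat
check_alias tomcat2
```

Against a live keystore, pipe the real listing in: `keytool -list -keystore .keystore -storepass changeit | alias_has_private_key tomcat`. A PrivateKeyEntry whose chain still lacks the CA reply shows up with a single certificate in `keytool -list -v`, so checking the entry type is the first step, and checking the chain length (`Certificate chain length:`) the second.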