Ori,

On 5/22/15 8:18 AM, Ori Raz wrote:
> We got an application based on tomcat 7.0.23 and all working fine.
>
> We are trying to apply our self-signed certificate and encountering
> some problems.
>
> I hope that the procedure I did is correct :)
>
> This is the procedure we followed:
>
> 1. copy the certificate file under this location:
> /opt/primecentral/install/utils/sslgen/vlg-cipr-pcpil1.megafon.ru.cer
>
> 2. remove existing entries: keytool -delete -alias tomcat
> -keystore /opt/primecentral/install/utils/sslgen/prime.keystore
> keytool -delete -alias tomcat -keystore
> /opt/primecentral/XMP_Platform/jre/lib/security/cacerts

It's not necessary to remove the existing certs. If you load the
CA-signed certificate into your keystore (making sure to use the
original alias, if any), it should update the certificate.

Also, you need to first import the CA's root and intermediate
certificates, like this:

$ keytool -import -alias [Authority.CA] -trustcacerts -file [authority's CA cert] -keystore ${HOSTNAME}.jks
$ keytool -import -alias [Authority.intermediate] -trustcacerts -file [authority's intermediate cert] -keystore ${HOSTNAME}.jks
$ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt -keystore ${HOSTNAME}.jks

(That last one is your signed certificate, returned from the CA).

If, as you did your "delete", you managed to delete your server's key,
then your keystore is worthless. I hope you had a backup, because
without the server key, the certificate is worthless and you have to
re-start the entire process.

> After the restart of tomcat, I get the message that server started
> and catalina is empty (normal as there is no error...) hence all
> looks good.
>
> I can also see that tomcat process is up and port is listening: tcp
> 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN
> 18724/java
>
> But, when trying to open browser to the server, then I get "This
> page cannot be displayed".
>
> I cannot locate any errors/exception in the server side.
>
> Can anyone please assist? we are in a dead end :)

If there is a problem loading the certificate, Tomcat should emit an
error message. Please check all log files, not just catalina.out
(although it should have the error in there).

Can you connect to the server using openssl?

$ openssl s_client -connect 10.56.57.65:8443

-chris
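
The point above about losing the server key can be checked before restarting Tomcat. The following is an added example, not part of the original message: it reads `keytool -list -v` output and reports whether an alias is still a PrivateKeyEntry or has become a certificate-only trustedCertEntry, which is what keytool creates when a certificate is imported under an alias that has no key. The function names and the trimmed sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Reads `keytool -list -v`
# output on stdin; the real invocation would be (path/alias are yours):
#   keytool -list -v -keystore prime.keystore | check_keystore tomcat

# Print the entry type keytool reports for alias $1.
entry_type() {
    awk -v want="$1" '
        /^Alias name: / { alias = tolower(substr($0, 13)) }
        /^Entry type: / && alias == tolower(want) { print substr($0, 13); exit }
    '
}

# Exit 0 only when alias $1 still holds the server's private key.
check_keystore() {
    kind=$(entry_type "$1")
    case "$kind" in
        PrivateKeyEntry)  echo "OK: $1 has a private key"; return 0 ;;
        trustedCertEntry) echo "FAIL: $1 is certificate-only, no private key"; return 1 ;;
        "")               echo "FAIL: alias $1 not in keystore"; return 2 ;;
        *)                echo "FAIL: $1 has unexpected entry type $kind"; return 3 ;;
    esac
}

# Constructed sample: key pair intact, CA certificate imported alongside it.
sample_intact() {
    cat <<'EOF'
Alias name: tomcat
Creation date: May 20, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1

Alias name: authority.ca
Creation date: May 22, 2015
Entry type: trustedCertEntry
EOF
}

# Constructed sample: alias deleted, then only the certificate re-imported.
sample_key_lost() {
    cat <<'EOF'
Alias name: tomcat
Creation date: May 22, 2015
Entry type: trustedCertEntry
EOF
}

sample_intact   | check_keystore tomcat
sample_key_lost | check_keystore tomcat || true
```

Running the same check on a backup copy of the keystore shows whether the key pair can be recovered from it.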