I've been using Tomcat for about four years. I've developed websites and services that used certificates based upon SHA1. Today I purchased a new certificate from GoDaddy based upon using "-sigalg SHA256withRSA".

So for this new service I executed the following commands in the directory of the keystore:

    keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore tomcat.keystore
    keytool -certreq -keyalg RSA -alias tomcat -file csr.txt -keystore tomcat.keystore

Sent the csr.txt to GoDaddy and received the certificate files.

    keytool -delete -alias tomcat -keystore tomcat.keystore
    keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt
    keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gdig2.crt
    keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file xxxxxxxxxxxxxx.crt

If I copy over the new tomcat.keystore with a backup of the original, everything works.

My Tomcat 8.0.23 on CentOS 6.5 is configured with three virtual hosts in server.xml; the following is for the one with the GoDaddy certificate. I'm doing them one at a time.

    <Server port="8005" shutdown="SHUTDOWN">
      <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
      <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
      <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
      <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
      <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
      <Service name="System">
        <Connector port="8080" address="xxx.xxx.xxx.xxx" protocol="HTTP/1.1"
                   connectionTimeout="20000" redirectPort="8443" />
        <Connector port="8443" address="xxx.xxx.xxx.xxx" protocol="HTTP/1.1" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true" keyAlias="tomcat"
                   keystoreFile="/opt/tomcat/system/tomcat.keystore" keystorePass="xxxxxxxxxxxxxxxxxxx"
                   clientAuth="false" sslProtocol="TLS" />
        <Engine name="System" defaultHost="xxxxxxxx.com">
          <Host name="xxxxxxxx.com" appBase="webapps/xxxxxxxx.com" unpackWARs="true" autoDeploy="true" >
            <Alias>www.xxxxxxxx.com</Alias>
            <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
                   prefix="xxxxxxxx.com" suffix=".log" pattern="common" />
          </Host>
        </Engine>
      </Service>
      ….
    </Server>

Each service is on a different IP address and I've been redirecting 80 to 8080 and 443 to 8443. This has been working fine until I replaced the key.

This is from the catalina.out file:

    07-Aug-2015 12:43:02.493 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["http-nio-xxx.xxx.xxx.xxx-8443"]
     java.io.IOException: Alias name tomcat does not identify a key entry
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:599)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:537)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:358)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:737)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:457)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:567)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:576)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:599)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)

    07-Aug-2015 12:43:02.496 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
     org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:567)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:576)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:599)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

Then I used keytool to verify that the alias is in the tomcat.keystore. The following is a list from the keystore:

    # keytool -list -v -keystore tomcat.keystore -alias tomcat
    Enter keystore password:
    Alias name: tomcat
    Creation date: Aug 7, 2015
    Entry type: trustedCertEntry

    Owner: CN=xxxxxxxx.com, OU=Domain Control Validated
    Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
    Serial number: xxxxxxxxxxxxxxxxxx
    Valid from: Fri Aug 07 12:29:38 CDT 2015 until: Sun Aug 07 12:29:38 CDT 2016
    Certificate fingerprints:
         MD5:  A2:70:1D:06:68:FF:C1:4B:2C:1B:B8:4D:9B:25:25:59
         SHA1: 26:32:29:71:37:59:DB:0D:D4:30:B4:5F:8B:1F:3E:44:57:DD:69:1C
         SHA256: E4:10:1E:40:7D:84:32:A5:23:EE:83:47:95:D0:30:49:7C:9B:0E:5E:E4:6E:67:80:1E:6E:01:7F:D5:25:45:33
         Signature algorithm name: SHA256withRSA
         Version: 3

    Extensions:

    #1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthorityInfoAccess [
      [
       accessMethod: ocsp
       accessLocation: URIName: http://ocsp.godaddy.com/
    ,
       accessMethod: caIssuers
       accessLocation: URIName: http://certificates.godaddy.com/repository/gdig2.crt
      ]
    ]

    #2: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0  @..'..4.0.3..l..
    0010: B4 2C 80 CE                                        .,..
    ]
    ]

    #3: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
      CA:false
      PathLen: undefined
    ]

    #4: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
      [DistributionPoint:
         [URIName: http://crl.godaddy.com/gdig2s1-105.crl]
    ]]

    #5: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
      [CertificatePolicyId: [x.xx.xxx.x.xxxxxx.x.x.xx.x]
    [PolicyQualifierInfo: [
      qualifierID: 1.3.6.1.5.5.7.2.1
      qualifier: 0000: 16 2B 68 74 74 70 3A 2F   2F 63 65 72 74 69 66 69  .+http://certifi
    0010: 63 61 74 65 73 2E 67 6F   64 61 64 64 79 2E 63 6F  cates.godaddy.co
    0020: 6D 2F 72 65 70 6F 73 69   74 6F 72 79 2F           m/repository/

    ]]  ]
    ]

    #6: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      serverAuth
      clientAuth
    ]

    #7: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
      DigitalSignature
      Key_Encipherment
    ]

    #8: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
      DNSName: xxxxxxxx.com
      DNSName: www.xxxxxxxx.com
    ]

    #9: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 3B 7C A9 5C 32 FE F5 92   DB D1 C4 A6 F1 70 09 57  ;..\2........p.W
    0010: C7 5A 97 88                                        .Z..
    ]
    ]

I would be grateful for any assistance.

Jeff Crump

Sent from Windows Mail
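The stack trace in the post ("Alias name tomcat does not identify a key entry") and the keytool listing ("Entry type: trustedCertEntry") describe the same condition: Tomcat's SSL connector needs the keyAlias to point at a private key entry, and a trustedCertEntry holds a certificate only. The script below is an added example, not part of the original post and not Tomcat's or keytool's own tooling. It parses the output of the standard keytool -list -v invocation and refuses an alias that is not a PrivateKeyEntry (older JDKs print keyEntry), so a keystore rebuilt without its key is caught before Tomcat is restarted. The function names and the two sample listings are my own; the samples are constructed, modelled on the output quoted above.

```shell
#!/bin/sh
# Added example (not from the original post). Pre-flight check for a Tomcat
# keystore: confirm that the alias named in the connector's keyAlias is a
# private key entry, not a certificate-only (trustedCertEntry) entry.

# entry_type LISTING ALIAS
#   Prints the "Entry type:" value that keytool -list -v reports for ALIAS,
#   or "missing" if ALIAS does not appear in LISTING.
entry_type() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Alias name:/ { cur = $3 }
        /^Entry type:/ { if (cur == want) { print $3; found = 1; exit } }
        END            { if (!found) print "missing" }'
}

# check_key_entry LISTING ALIAS
#   Returns 0 if ALIAS is a private key entry, 1 if it is a certificate-only
#   entry, 2 if it is absent. Tomcat fails to bind its HTTPS connector in
#   both non-zero cases.
check_key_entry() {
    t=$(entry_type "$1" "$2")
    case "$t" in
        PrivateKeyEntry|keyEntry)
            echo "OK: alias '$2' is a private key entry ($t)"
            return 0 ;;
        missing)
            echo "ERROR: alias '$2' is not in the keystore" >&2
            return 2 ;;
        *)
            echo "ERROR: alias '$2' is '$t', not a private key entry;" \
                 "Tomcat will report 'does not identify a key entry'" >&2
            return 1 ;;
    esac
}

# check_live_keystore KEYSTORE ALIAS
#   Same check against a real keystore (keytool prompts for the store password).
check_live_keystore() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 3; }
    listing=$(keytool -list -v -keystore "$1" -alias "$2") || return 3
    check_key_entry "$listing" "$2"
}

# Constructed sample: the key pair under "tomcat" was deleted and the signed
# certificate imported under the same alias, as in the post.
SAMPLE_BROKEN='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: tomcat
Creation date: Aug 7, 2015
Entry type: trustedCertEntry
Owner: CN=example.com, OU=Domain Control Validated

Alias name: intermed
Creation date: Aug 7, 2015
Entry type: trustedCertEntry
'

# Constructed sample: key pair kept, signed certificate chained onto it.
SAMPLE_OK='Alias name: tomcat
Creation date: Aug 7, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 3
'

# Run both samples through the check when executed directly.
check_key_entry "$SAMPLE_BROKEN" tomcat || true
check_key_entry "$SAMPLE_OK" tomcat
```

To run it against the keystore from the post, call check_live_keystore /opt/tomcat/system/tomcat.keystore tomcat and gate the Tomcat restart on its exit status. The check reads only keytool's text output, so it works on any JDK whose keytool prints "Alias name:" and "Entry type:" lines.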