My system uses embedded Tomcat to connect to an HttpServlet instance. I have just upgraded from Tomcat 8.0.2 to 9.0.64. I am implementing SSL for the first time.
I created a keystore with no alias. Keytool gave it the alias "mykey" (2nd entry below). I imported an issued PEM certificate (4 items in chain). The final item in the chain has the alias "tomcat" as per https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Importing_the_Certificate (The same documentation recommends the keystore alias also be 'tomcat', but if the keystore and the issued certificate are both given the same alias (i.e. 'tomcat'), keytool will import the final entry as "self generated" and throw an error.) Here is my abbreviated keystore list using alias 'mykey' for the keystore.

____________________________________keystore listing_______________________
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 5 entries

intermediate, 16/07/2022, trustedCertEntry,
Certificate fingerprint (SHA-256): 68:B9:C7:61.................................
intermediate2, 16/07/2022, trustedCertEntry,
Certificate fingerprint (SHA-256): 7F:A4:FF:68................................
mykey, 16/07/2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 36:F8:64:73:.................................
root, 16/07/2022, trustedCertEntry,
Certificate fingerprint (SHA-256): D7:A7:A0:FB..............................
tomcat, 16/07/2022, trustedCertEntry,
Certificate fingerprint (SHA-256): 36:A9:B7:A9:..............................
________________________________________________________________________

Here is my startup code (no server.xml file):

import java.io.File;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.net.SSLHostConfig;

// PATHS, Logr and MyApp are the application's own classes (not shown)
Tomcat tomcat = new Tomcat();
tomcat.setPort(PATHS.getPortNumber());
Connector c = tomcat.getConnector();
c.setSecure(true);
c.setScheme("https");
c.setProperty("SSLEnabled", "true"); // crucial bit of code

SSLHostConfig ss = new SSLHostConfig();
// ss.setHostName("localhost"); // this breaks the init process - leave as "_default_"
ss.setCertificateKeyAlias("mykey"); // if set to 'tomcat' init will throw "Alias name [tomcat] does not identify a key entry"
ss.setCertificateKeystorePassword("changit");
ss.setCertificateKeystoreFile(PATHS.getHomePath() + "/ks/mykeystor.jks");
ss.setCertificateKeystoreType("PKCS12");
ss.setCertificateKeystoreProvider("SUN");
c.addSslHostConfig(ss);

org.apache.catalina.Context ctx = tomcat.addContext("", new File(".").getAbsolutePath());
Tomcat.addServlet(ctx, "myApp", new MyApp());
ctx.addServletMappingDecoded("/*", "myApp");

Logr.s("connector scheme " + c.getScheme());
Logr.s("connector SSLEnabled " + c.getProperty("SSLEnabled"));
Logr.s("connector redirect " + c.getRedirectPort()); // defaults to 443
Logr.s("connector protocol " + c.getProtocol());

tomcat.start();
tomcat.getServer().await();

When I use "tomcat" as the alias for the keystore I cannot load the final issued certificate without an error. If I use "mykey" as the keystore alias everything seems to be working, but the certificate returned to the browser is not the domain-specific certified certificate but a certificate generated with the certificate keystore fingerprint. In a properly operating implementation, what certificate should be returned to the browser? I'm obviously doing something wrong. But what?

-- Vince Stewart