So far, I've had complete success using self-signed certificates, both here and on the customer box, once I found out that the CN needs to match the domain name.

But now, we're trying to get the customer box up on a CA-signed certificate, and Tomcat doesn't like it. (Given that we haven't done it on our own box, it's kind of a case of the blind leading the blind.) We had our contact with the customer follow the procedure given on

http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Importing_the_Certificate

and I put the resulting keystore into service, started Tomcat, and got this in logs/catalina.out:

SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-443"]
Throwable occurred: java.io.IOException: Alias name tomcat does not identify a key entry
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:567)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
        at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:937)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:598)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
        at java.lang.reflect.Method.invoke(Method.java:611)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
Jan 18, 2012 12:15:16 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-443]]
Throwable occurred: org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:598)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
        at java.lang.reflect.Method.invoke(Method.java:611)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:939)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        ... 12 more
Caused by: java.io.IOException: Alias name tomcat does not identify a key entry
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:567)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
        at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:937)
        ... 13 more

If I list the keystore, I get:
Keystore type: jks
Keystore provider: IBMJCE

Your keystore contains 2 entries

root, Jan 18, 2012, trustedCertEntry,
Certificate fingerprint (MD5): D6:6A:92:1C:83:BF:A2:AE:6F:99:5B:44:E7:C2:AB:2A
tomcat, Jan 18, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 55:D7:4D:D4:83:01:D6:E0:EB:A4:F3:9A:06:BD:87:38

The above failure was with

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" keystoreFile="/wintouch/tomcat/cptomcat.ks" keyAlias="tomcat" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />

in server.xml; it also failed without the keyAlias parameter. It does work properly with

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" keystoreFile="/wintouch/tomcat/cptomcat.ks" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />

and the self-signed certificate as the first (or only) entry in cptomcat.ks.

Anybody know what could be going wrong here?

--
JHHL
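Added example (not from the original post, and not Tomcat's or keytool's code): the keytool listing above shows both aliases as trustedCertEntry, and the check the stack trace comes from, JSSESocketFactory.getKeyManagers() in Tomcat 7, refuses any configured keyAlias that is not a key entry. The Python below reads and writes the JKS container format directly so the difference can be shown offline: it builds one keystore shaped like the listing (root and tomcat both trustedCertEntry) and one shaped like what the howto's import step is meant to produce (the CA reply attached to the existing tomcat key pair, so the alias stays a PrivateKeyEntry), lists each the way keytool -list does, and applies a model of Tomcat's keyAlias check. The certificate and key bytes are constructed placeholders, the password "changeit" is an assumption, and the format and integrity-digest details follow sun.security.provider.JavaKeyStore.

```python
import hashlib
import struct

# Format constants from sun.security.provider.JavaKeyStore (the code behind keytool's JKS).
JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
TAG_PRIVATE_KEY, TAG_TRUSTED_CERT = 1, 2   # keytool: "PrivateKeyEntry" / "trustedCertEntry"
INTEGRITY_SALT = b"Mighty Aphrodite"       # fixed string JavaKeyStore mixes into the digest


def _utf(s):
    """DataOutputStream.writeUTF: 2-byte length prefix, then UTF-8 (ASCII aliases here)."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _digest(password, body):
    """JKS integrity digest: SHA-1(password as UTF-16BE || salt || store body)."""
    return hashlib.sha1(password.encode("utf-16-be") + INTEGRITY_SALT + body).digest()


def build_jks(entries, password):
    """Serialise [(alias, tag, payload)] into JKS bytes.
    trustedCertEntry payload: DER cert bytes. PrivateKeyEntry payload: (protected_key, [cert, ...]).
    Aliases are lower-cased, as JavaKeyStore does on store."""
    out = bytearray(struct.pack(">IIi", JKS_MAGIC, JKS_VERSION, len(entries)))
    for alias, tag, payload in entries:
        out += struct.pack(">i", tag) + _utf(alias.lower()) + struct.pack(">q", 0)  # timestamp 0
        if tag == TAG_PRIVATE_KEY:
            key, chain = payload
            out += struct.pack(">i", len(key)) + key + struct.pack(">i", len(chain))
            for der in chain:
                out += _utf("X.509") + struct.pack(">i", len(der)) + der
        else:
            out += _utf("X.509") + struct.pack(">i", len(payload)) + payload
    return bytes(out) + _digest(password, bytes(out))


def list_jks(blob, password):
    """Parse JKS bytes and return {alias: entry type}, like 'keytool -list'.
    Raises ValueError when the integrity digest does not match the password."""
    body, digest = blob[:-20], blob[-20:]
    if _digest(password, body) != digest:
        raise ValueError("keystore was tampered with, or password was incorrect")
    pos = 0

    def take(fmt):                      # read one big-endian field and advance
        nonlocal pos
        val = struct.unpack_from(fmt, body, pos)
        pos += struct.calcsize(fmt)
        return val if len(val) > 1 else val[0]

    def take_bytes(n):
        nonlocal pos
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    def skip_cert():                    # version-2 layout: type string, then DER blob
        take_bytes(take(">H"))
        take_bytes(take(">i"))

    magic, version, count = take(">IIi")
    if (magic, version) != (JKS_MAGIC, JKS_VERSION):
        raise ValueError("not a version-2 JKS keystore")
    entries = {}
    for _ in range(count):
        tag = take(">i")
        alias = take_bytes(take(">H")).decode("utf-8")
        take(">q")                                  # creation time, unused here
        if tag == TAG_PRIVATE_KEY:
            take_bytes(take(">i"))                  # protected private key
            for _ in range(take(">i")):             # certificate chain
                skip_cert()
            entries[alias] = "PrivateKeyEntry"
        elif tag == TAG_TRUSTED_CERT:
            skip_cert()
            entries[alias] = "trustedCertEntry"
        else:
            raise ValueError("unknown entry tag %d" % tag)
    return entries


def tomcat_key_alias_check(entries, key_alias):
    """Model of Tomcat 7 JSSESocketFactory.getKeyManagers(): a configured keyAlias
    must name a key entry or the connector fails to initialise. JKS aliases are
    case-insensitive. Returns the error text Tomcat logs, or None when it passes."""
    if key_alias is not None and entries.get(key_alias.lower()) != "PrivateKeyEntry":
        return "Alias name %s does not identify a key entry" % key_alias
    return None


# Constructed placeholder bytes: nothing above decodes them, so any bytes exercise
# the container format. They are NOT real certificates or keys.
FAKE_ROOT, FAKE_SERVER, FAKE_KEY = b"\x30\x03\x02\x01\x00", b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"
PASSWORD = "changeit"   # assumed password

# Same shape as the listing in the post: root and tomcat are both trustedCertEntry.
BROKEN_STORE = build_jks([("root", TAG_TRUSTED_CERT, FAKE_ROOT),
                          ("tomcat", TAG_TRUSTED_CERT, FAKE_SERVER)], PASSWORD)
# Shape the howto's import step should produce: the CA reply attached to the
# existing tomcat key pair, so the alias stays a PrivateKeyEntry.
WORKING_STORE = build_jks([("root", TAG_TRUSTED_CERT, FAKE_ROOT),
                           ("tomcat", TAG_PRIVATE_KEY, (FAKE_KEY, [FAKE_SERVER, FAKE_ROOT]))], PASSWORD)


def diagnose(blob, password, key_alias="tomcat"):
    """Return (entry types as keytool would list them, Tomcat error text or None)."""
    entries = list_jks(blob, password)
    return entries, tomcat_key_alias_check(entries, key_alias)


if __name__ == "__main__":
    for name, blob in (("broken", BROKEN_STORE), ("working", WORKING_STORE)):
        print(name, diagnose(blob, PASSWORD))
```

diagnose(BROKEN_STORE, PASSWORD) returns the same "Alias name tomcat does not identify a key entry" text as catalina.out, while diagnose(WORKING_STORE, PASSWORD) returns None. Pointing list_jks at the real cptomcat.ks (read the file, pass its password) tells you whether the tomcat alias ever held a private key. keytool -import only updates an existing PrivateKeyEntry when the CA reply is imported into the same keystore, under the same alias, that produced the CSR; if that alias does not point at a key entry, keytool stores the reply as a trustedCertEntry, which is the shape the listing shows.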
