Tomcat Server/Client Self-Signed SSL Certificate

by

Finally got the solution to my problem, so I’ll post the results here if anyone else gets stuck.

Thanks to Michael Martin of Michael’s Software Thoughts & Ramblings I discovered that:

keytool by default uses the DSA
algorithm when generating the
self-signed cert. Earlier versions of
Firefox accepted these keys without
problem. With Firefox 3 beta 5, using
DSA doesn’t work, but using RSA does.
Passing “-keyalg RSA” when generating
the self-signed certificate creates a
cert the Firefox 3 beta 5 fully
accepts.

I simply set that flag, cleared all caches in FireFox and it worked like a charm! I am using this as a test-setup for my project and I need to share this with other people, so I wrote a little batch script that creates two SSL certificates. One can be dropped into the Tomcat setup and the other is a .p12 file that can be imported into FireFox/IE. Thanks!

Usage: first command-line argument is the username of the client. All passwords are “password” (with no quotations). Change any of the hard-coded bits to meet your needs.

@echo off
if "%1" == "" goto usage

keytool -genkeypair -alias servercert -keyalg RSA -dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=US" -keypass password -keystore server.jks -storepass password
keytool -genkeypair -alias %1 -keystore %1.p12 -storetype pkcs12 -keyalg RSA -dname "CN=%1,OU=Unit,O=Organization,L=City,S=State,C=US" -keypass password -storepass password
keytool -exportcert -alias %1 -file %1.cer -keystore %1.p12 -storetype pkcs12 -storepass password
keytool -importcert -keystore server.jks -alias %1 -file %1.cer -v -trustcacerts -noprompt -storepass password
keytool -list -v -keystore server.jks -storepass password
del %1.cer
goto end

:usage
echo Need user id as first argument: generate_keystore [username]
goto end

:end
pause

The results are two files. One called server.jks that you drop into Tomcat and another file called {username}.p12 that you import into your browser. The server.jks file has the client certificate added as a trusted cert.

I hope someone else finds this useful.

And here is the the XML that needs to be added to your Tomcat conf/sever.xml file (only tested on on Tomcat 6.x)

<Connector
   clientAuth="true" port="8443" minSpareThreads="5" maxSpareThreads="75"
   enableLookups="true" disableUploadTimeout="true"
   acceptCount="100" maxThreads="200"
   scheme="https" secure="true" SSLEnabled="true"
   keystoreFile="${catalina.home}/conf/server.jks"
   keystoreType="JKS" keystorePass="password"
   truststoreFile="${catalina.home}/conf/server.jks"
   truststoreType="JKS" truststorePass="password"
   SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2" sslProtocol="TLS"
/>

For Tomcat 7:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" SSLEnabled="true"
           maxThreads="200" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/server.jks" keystorePass="password"
           clientAuth="false" sslProtocol="TLS" />

More Related Contents:

  1. Self-signed SSL acceptance on Android
  2. How to create a self-signed certificate for a domain name for development on Windows 10 and below?
  3. How to add subject alernative name to ssl certs?
  4. SSL, Tomcat and Grails
  5. Enabling SSL on tomcat using pem file
  6. Java Keytool error after importing certificate , “keytool error: java.io.FileNotFoundException & Access Denied”
  7. How to set the context path of a web application in Tomcat 7.0
  8. Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  9. Trust Anchor not found for Android SSL Connection
  10. How should I connect to JDBC database / datasource in a servlet based application?
  11. curl: (60) SSL certificate problem: unable to get local issuer certificate
  12. Unable to find valid certification path to requested target – error even after cert imported
  13. How to change the ROOT application?
  14. SSL certificate rejected trying to access GitHub over HTTPS behind firewall
  15. bypass invalid SSL certificate in .net core
  16. Adding an external directory to Tomcat classpath
  17. How can I specify system properties in Tomcat configuration on startup?
  18. Absolute path & Relative Path
  19. Java SSL: how to disable hostname verification
  20. Get ServletContext in JAX-RS resource
  21. Can you use a service worker with a self-signed certificate?
  22. Increase Tomcat memory settings [duplicate]
  23. Tomcat manager remote deploy script
  24. NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813) iOS
  25. How do I update a Tomcat webapp without restarting the entire service?
  26. Retrieve current Windows user in Java EE web application for Single Sign On purposes
  27. Environment/system variables in server.xml
  28. Tomcat logging confusion
  29. Spring Boot SSL Client
  30. how to build server level custom error page in tomcat?

Leave a Comment