Where to put certificates in Tomcat, when app acts as client?


Solution 1

In the end, I created one keystore (with KeyStore Explorer on Windows) with all the necessary certificates (keys) and aliases. Then I filled in keystore and truststore as Java VM launch parameters:

  -Djavax.net.ssl.keyStore=%KEYSTORE% 
  -Djavax.net.ssl.keyStorePassword=changeme
  -Djavax.net.ssl.trustStore=%TRUSTSTORE% 
  -Djavax.net.ssl.trustStorePassword=changeme

The same keystore is used in the Tomcat connector, with the appropriate keyAlias for HTTPS.

Enabling -Djava.net.debug=ssl is also very helpful when debugging.

Solution 2

In our environment (tomcat7), if we use a Java keystore, then our connector looks like:

<Connector SSLEnabled="true"
    acceptCount="100"
    connectionTimeout="20000"
    executor="tomcatThreadPool"
    keyAlias="tomcat"
    keystoreFile="${catalina.base}/conf/tomcat.keystore"
    keystorePass="changeme"
    maxKeepAliveRequests="15"
    port="443"
    protocol="org.apache.coyote.http11.Http11Protocol"
    redirectPort="8443"
    scheme="https"
    secure="true"/>  

Differences are ${catalina.base} (in our case /opt/tomcat/) instead of ${user.home}/, and as you mentioned keyAlias.

If you want to import a key into the keystore, you could do it like this (we use that when Tomcat is a client to authenticate at ADFS):

keytool -importcert -file cert.cer -keystore tomcat.keystore -alias myalias

I think with the keystore at ${catalina.base} and keyAlias you should be able to solve your question.

Author by johnymachine

Not much to say. I like to ask!

Updated on September 18, 2022

Comments

  • johnymachine
    johnymachine over 1 year

    For starters, I have my Tomcat8 configured for https with a valid certificate linked in the connector xml file.

    Something like this:

        <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" enableLookups="false" keyAlias="https"
               keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\keystore.jks"
               keystorePass="changeit"/>
    

    But I need my web application to connect as a client to a third party data provider with a valid certificate. Where do I put this extra certificate? When I put it in the keystore for the connector, the "https" certificate is not the first certificate and it breaks stuff. I can probably fix that with the keyAlias attribute in the connector...

    But... Are the connector keystores application wide? What is the best option for this kind of setup?

    This article pretty much sums up my options, which one to pick? Best option seems to be pass keystore with both certificates to JVM, but how to tell connector which certificate to use?

    EDIT:

    After suggestion I edited my connector and keystore like this: keystore

    Now I am getting:

    Wrapped javax.net.ssl.SSLHandshakeException:
    sun.security.validator.ValidatorException:
    PKIX path building failed:
    sun.security.provider.certpath.SunCertPathBuilderException:
    unable to find valid certification path to requested target
    Cause: sun.security.validator.ValidatorException: PKIX path building 
    failed: sun.security.provider.certpath.SunCertPathBuilderException:
    unable to find valid certification path to requested target]
    
  • johnymachine
    johnymachine about 7 years
    So the https certificate and the adfs certificate are both added to one keystore linked in the connector. The https certificate is then selected by keyAlias?
  • chloesoe
    chloesoe about 7 years
    Yes, that is what we do. Further, you could also check the keys with keytool --list -keystore tomcat.keystore to see what keys are in your keystore
  • johnymachine
    johnymachine about 7 years
    Thanks, I will try with this tool tomorrow. keystore-explorer.org