Where to put certificates in Tomcat, when app acts as client?
Solution 1
At the end, I created one keystore (with KeyStore Explorer on Windows) with all the necessary certificates (keys) and aliases. Then I filled out the keystore and truststore as Java VM launch parameters:
-Djavax.net.ssl.keyStore=%KEYSTORE%
-Djavax.net.ssl.keyStorePassword=changeme
-Djavax.net.ssl.trustStore=%TRUSTSTORE%
-Djavax.net.ssl.trustStorePassword=changeme
Same keystore is used in tomcat connector, with appropriate keyAlias for HTTPS.
Enabling -Djavax.net.debug=ssl is also very helpful when debugging.
Solution 2
In our environment (Tomcat 7), if we use a Java keystore, then our connector looks like:
<Connector SSLEnabled="true"
acceptCount="100"
connectionTimeout="20000"
executor="tomcatThreadPool"
keyAlias="tomcat"
keystoreFile="${catalina.base}/conf/tomcat.keystore"
keystorePass="changeme"
maxKeepAliveRequests="15"
port="443"
protocol="org.apache.coyote.http11.Http11Protocol"
redirectPort="8443"
scheme="https"
secure="true"/>
Differences are ${catalina.base} (in our case /opt/tomcat/) instead of ${user.home}/, and, as you mentioned, keyAlias.
If you want to import a key into the keystore, you can do it like this (we use that when Tomcat is a client authenticating at ADFS):
keytool -importcert -file cert.cer -keystore tomcat.keystore -alias myalias
I think with the keystore at ${catalina.base} and keyAlias you should be able to solve your question.
Comments
-
johnymachine over 1 year
For starters, I have my Tomcat 8 configured for HTTPS with a valid certificate linked in the connector XML file.
Something like this:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" enableLookups="false" keyAlias="https" keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\keystore.jks" keystorePass="changeit"/>
But I need my web application to connect as a client to a third-party data provider with a valid certificate. Where do I put this extra certificate? When I put it in the keystore for the connector, the "https" certificate is not the first certificate and it breaks stuff. I can probably fix that with the keyAlias attribute in the connector... But... Are the connector keystores application-wide? What is the best option for this kind of setup?
This article pretty much sums up my options; which one to pick? The best option seems to be to pass a keystore with both certificates to the JVM, but how do I tell the connector which certificate to use?
EDIT:
After the suggestion I edited my connector and keystore like this:
Now I am getting:
Wrapped javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
-
johnymachine about 7 years
So the HTTPS certificate and the ADFS certificate are both added to one keystore linked in the connector. The HTTPS certificate is then selected by keyAlias?
-
chloesoe about 7 years
Yes, that is how we do it. Further, you can also check the keys with
keytool -list -keystore tomcat.keystore
to see what keys are in your keystore
-
johnymachine about 7 years
Thanks, I will try with this tool tomorrow. keystore-explorer.org
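The "PKIX path building failed ... unable to find valid certification path to requested target" error quoted in the thread means the trust store in use (the one from -Djavax.net.ssl.trustStore, or cacerts when none is set) contains no anchor for the chain the provider's server presented. Adding entries to the connector's keystore cannot fix that; the provider's CA certificate has to go into the truststore, e.g. keytool -importcert -trustcacerts -file provider-ca.cer -keystore truststore.jks -alias provider-ca. The hard part is usually knowing which certificate that is. The following is an added example, not code from the thread, that performs a handshake against the real truststore but records the chain the server sent, so the failure can be read off directly. Host, port and the truststore path and password are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Explains a PKIX failure by showing which chain the server sent versus what the truststore holds. */
public final class ChainProbe {

    /** Validates with the real trust manager (nothing is bypassed) but keeps the server chain for reporting. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] lastChain;

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            lastChain = chain;                      // record first, then let the real validator decide
            delegate.checkServerTrusted(chain, authType);
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    /** Returns the chain the server presented; prints whether the given truststore accepts it. */
    public static X509Certificate[] probe(String host, int port, String trustStorePath, char[] pw) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath, pw));
        X509TrustManager real = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { real = (X509TrustManager) tm; break; }
        }
        RecordingTrustManager recorder = new RecordingTrustManager(real);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();                     // SNI is sent because the socket was created with a hostname
            System.out.println("Chain from " + host + " is trusted by " + trustStorePath);
        } catch (SSLHandshakeException e) {
            System.out.println("Chain from " + host + " is NOT trusted by " + trustStorePath + ": " + e.getMessage());
        }
        return recorder.lastChain;
    }

    public static void main(String[] args) throws Exception {
        // Assumed host, port, truststore path and password for illustration only.
        X509Certificate[] chain = probe("provider.example.com", 443, "/opt/tomcat/conf/truststore.jks", "changeme".toCharArray());
        if (chain == null) { System.out.println("handshake failed before a certificate was received"); return; }
        for (int i = 0; i < chain.length; i++) {
            System.out.println("[" + i + "] subject=" + chain[i].getSubjectX500Principal()
                    + " issuer=" + chain[i].getIssuerX500Principal());
        }
        // The last element is the highest certificate the server sent. If it is self-signed it is the root
        // to import; otherwise its issuer is the CA certificate that must be added to the truststore.
        System.out.println("Import the issuer of [" + (chain.length - 1) + "] with keytool -importcert -trustcacerts");
    }
}
```

Run it against the provider once, import the reported CA certificate (and only that, never the provider's leaf certificate, which would break at its next renewal), re-run to confirm "is trusted", and then the production code path needs no trust-manager tricks at all.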