SSL and Tomcat 6

original and far too long article I followed


Standard Certificate Stuff

Go to your apache ssl folder

# cd /etc/apache2/ssl

Just like you would do with apache or any other server

Generate a server key

# openssl genrsa -des3 -out server.key 1024

this will create → /etc/apache2/ssl/server.key

Generate a CSR

# openssl req -new -key server.key -out server.csr

this will create → /etc/apache2/ssl/server.csr

Send the csr to your certificate provider example

name the file you receive → /etc/apache2/ssl/server.crt


Tomcat stuff

Source your root providers certificate example

name the file you receive → /etc/apache2/ssl/root.crt

Create a new file containing the contents of the following files (just copy and paste)

root.crt
server.crt
server.key

name the file → /etc/apache2/ssl/server.pem

Generate a p12 file based on the pem

# openssl pkcs12 -export -in server.pem \
    -out server.p12 -name tomcat

you will be asked for an export password; this is the value that goes into keystorePass in the connector below

this will create → /etc/apache2/ssl/server.p12

Enable SSL within the Tomcat environment.

edit the file /etc/tomcat6/server.xml

<Connector 
  port="8443" protocol="HTTP/1.1" maxThreads="150"
  keystoreFile="/etc/apache2/ssl/server.p12" 
  keystorePass="password" keystoreType="PKCS12" 
  SSLEnabled="true" scheme="https" secure="true"
  clientAuth="false" sslProtocol="TLS" />

restart your tomcat installation

/etc/init.d/tomcat6 restart

check it’s working; when it isn’t, analyse your logs

cat /var/log/tomcat6/catalina.year-month-day.log

Errors I know of

Invalid keystore format

The connector is configured for a keystore type other than the PKCS12 you created; ensure keystoreType="PKCS12" is set on the connector in your server.xml

Still invalid format

This is a great command for checking whether a keystore is valid

keytool -v -list -keystore server.p12 -storetype pkcs12

you’re looking for the following

  • Keystore type: PKCS12
  • Your keystore contains 1 entry
  • Certificate chain length: 2
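The pem → p12 steps above and the keystore check, as an added example that is not part of the original post: it builds the same bundle against a throwaway root CA constructed here (standing in for the provider's root.crt), runs non-interactively, and verifies the result with openssl only, since keytool needs a JDK. WORK, KEYPASS and P12PASS are constructed placeholders.

```shell
#!/bin/sh
# Constructed example: server.pem -> server.p12 as in the post, against a
# throwaway root CA generated here so everything runs offline.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch dir standing in for /etc/apache2/ssl
KEYPASS='keypass'              # the pass phrase "genrsa -des3" would prompt for
P12PASS='changeit'             # the export password; what keystorePass must hold

make_bundle() (
  cd "$WORK"
  # stand-in for the provider's root certificate (root.crt)
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Constructed Root" \
    -days 1 -keyout root.key -out root.crt 2>/dev/null
  # the post's key and CSR steps, made non-interactive
  openssl genrsa -des3 -passout "pass:$KEYPASS" -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -passin "pass:$KEYPASS" \
    -subj "/CN=localhost" -out server.csr
  # stand-in for the provider signing the CSR and returning server.crt
  openssl x509 -req -in server.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -days 1 -out server.crt 2>/dev/null
  # the copy-and-paste file, then the PKCS12 export with alias "tomcat"
  cat root.crt server.crt server.key > server.pem
  openssl pkcs12 -export -in server.pem -passin "pass:$KEYPASS" \
    -passout "pass:$P12PASS" -name tomcat -out server.p12
)

# Number of certificates inside the p12; 2 means chain length 2 (server + root)
p12_cert_count() {
  openssl pkcs12 -in "$WORK/server.p12" -passin "pass:$P12PASS" -nokeys \
    2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Succeeds only when server.crt actually chains to root.crt
chain_ok() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Succeeds only when the p12 MAC verifies under the given password, i.e. the
# value a Tomcat connector would need in keystorePass
p12_opens_with() {
  openssl pkcs12 -in "$WORK/server.p12" -passin "pass:$1" -noout >/dev/null 2>&1
}
```

Run make_bundle, then p12_cert_count, chain_ok and p12_opens_with "$P12PASS" give the same three facts the keytool listing is checked for.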

Page hangs accessing anything secure

At one point the server was starting up, with absolutely no errors. However it would just sit there requesting the secure pages.

We ended up rebuilding Tomcat from scratch and it worked fine.

There was absolutely zero surprise regarding this

Server dies in the ass

There was a non-secure link on one of the pages; this would literally destroy the server every time the page rendered. Primarily that was the fault of bad coding, but really the server shouldn’t be failing as a result.


Don’t Use Tomcat

I hate you past Dirk
