
SSL on tomcat 7 (7.0.10) here I am using Thawte SGC Certificate

I have a problem configuring SSL on Tomcat 7 (7.0.10); here I am using a Thawte SGC Certificate. Please read the description below carefully and help me out. I have followed the steps below:

1) Generated the key using the command below:

keytool -genkey -keysize 2048 -alias test_self_certificate -keyalg RSA -keystore test_self_certificate.jks -validity 730

This command generated the “test_self_certificate.jks” file in the current folder.

2) Generated the CSR using the command below:

keytool -certreq -alias test_self_certificate -file my_application.csr -keystore test_self_certificate.jks

This command generated the “my_application.csr” file in the current folder.

3) Then I submitted this CSR to Thawte and got the certificate from them in PKCS#7 format. I copied that certificate text into Notepad and saved the file as “signed_certificate.p7b”.

4) Then I created a new JKS keystore and imported the certificate received from Thawte using the command below:

keytool -import -alias signed_cert -trustcacerts -file signed_certificate.p7b -keystore tomcat_application.jks

This command generated the “tomcat_application.jks” file in the current folder.

5) I updated the Tomcat server.xml as below (I have provided the correct .jks file path and keystore password):

<Connector port="8001" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/export/home/parsupport/Tomcat_certs/tomcat_application.jks" keystorePass="parlive"
           clientAuth="false" sslProtocol="TLS" />

6) After this change, when I start Tomcat I get the exception below and Tomcat does not start with SSL:

Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
    at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:310)
    at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:255)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:774)

Important Note: but if I import the certificate received from Thawte into the keystore (test_self_certificate.jks, mentioned in the first step above) that I created to generate the KeyPair and CSR, and use that keystore to configure Tomcat (as described in step 6 above), then Tomcat starts in SSL mode, but when I try to launch the HTTPS URL I get an untrusted certificate warning.

 keytool -genkey -keysize 2048 -alias test_self_certificate [...] 

Here, -genkey generates a public/private key pair and stores it in the "test_self_certificate" alias entry, thereby making this a private key entry. (If you use keytool -list, you'll see some private key entries and some certificate entries.) -genkey also generates a self-signed certificate to associate with this private key automatically (this is also how the public key is effectively stored by default).

 keytool -import -alias signed_cert [...] 

If you get a certificate issued for a private key that is stored in a keystore, you need to store this certificate against the right private key entry, not just any entry. Here, you should have used -alias test_self_certificate instead (which may also mean that it wasn't the best choice of alias name, but that's just a detail). (In some cases, you may also need to make sure you import the full chain.)
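As an added example (not code from the question or the answer above), a small Java checker that opens a JKS keystore and reports, per alias, which of the three situations on this page it is in: a private key entry with a CA-issued chain that Tomcat's JSSE connector can serve, a private key entry whose leaf is still the self-signed certificate (the browser-warning case), or a trusted-certificate entry with no private key at all (the "No available certificate or key" case). The class name KeystoreCheck and the command-line arguments are assumptions of this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Hypothetical diagnostic (not part of keytool or Tomcat): run as
//   java KeystoreCheck tomcat_application.jks <keystore-password>
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java KeystoreCheck <keystore.jks> <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        boolean servable = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                // keytool -import under a fresh alias creates this kind of entry:
                // a certificate without its private key, so Tomcat has nothing to serve.
                System.out.printf("%s: trustedCertEntry only (no private key) - Tomcat cannot use it%n", alias);
                continue;
            }
            servable = true;
            Certificate[] chain = ks.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];
            boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
            String status;
            try {
                leaf.checkValidity();
                status = selfSigned ? "SELF-SIGNED leaf (browsers will warn; import the CA reply into this alias)"
                                    : "issued by " + leaf.getIssuerX500Principal().getName();
            } catch (CertificateExpiredException | CertificateNotYetValidException ex) {
                status = "leaf certificate outside its validity period: " + ex.getMessage();
            }
            System.out.printf("%s: PrivateKeyEntry, chain length %d, %s%n", alias, chain.length, status);
        }
        if (!servable) {
            System.out.println("No private key entry found: expect \"No available certificate or key\" from Tomcat");
        }
    }
}
```

A chain length of 1 on a CA-issued leaf means the intermediate was not imported, which is the "import the full chain" case the answer mentions.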
