
Windows Tomcat7 SSL CA cert says is self signed

Hi, I'm trying to configure tomcat7 (7.0.50) on Windows 7 using a cert from a CA (Entrust, if it matters). I downloaded the CA root, chain root and chain cert files, and my new certificate. Per the tomcat guide, I used the keystore I generated the CSR from and followed these steps:

  1. keytool -import -alias entrust -trustcacerts -keystore crush.jks -file entrust.crt.txt

     [prompts me that the cert exists in the system-wide CA keystore; I still add it]

  2. keytool -import -alias chain-root -trustcacerts -keystore crush.jks -file L1Kchainroot.txt

  3. keytool -import -alias chain-root -trustcacerts -keystore crush.jks -file L1Kchain.txt

  4. keytool -import -alias tomcat -trustcacerts -keystore crush.jks -file entrustcert.crt.txt

Now when I list the contents of my keystore I see:

C:\Users\crush\My Documents\cert>keytool -list -keystore crush.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 5 entries

entrust, Mar 30, 2015, trustedCertEntry,   
Certificate fingerprint (SHA1): B3:1E:B1:B7:40:E3:6C:84:02:DA:DC:3

chain, Mar 30, 2015, trustedCertEntry,   
Certificate fingerprint (SHA1): CC:A2:7D:33:C7:35:A7:D0:6D:1F:EC:A

chain-root, Mar 30, 2015, trustedCertEntry,   
Certificate fingerprint (SHA1): 9E:1A:0C:35:E7:14:B6:97:92:D0:90:B

tomcat, Mar 30, 2015, trustedCertEntry,   
Certificate fingerprint (SHA1): 6A:77:EC:32:1E:F9:AC:4F:BE:C7:CB:5

crush-windows7, Mar 26, 2015, PrivateKeyEntry,   
Certificate fingerprint (SHA1): 04:72:8A:36:56:7E:D5:0F:7E:E9:E0:1

Now I edited my server.xml file to look like this:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" 
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1" 
    keystoreFile="C:\Users\crush\apache-tomcat-7.0.50\conf\crush.jks"  
    keystorePass="storepassword" 
    keyPass="keypassword"
/>

When this boots up and I navigate to the page I see an untrusted connection warning:

crush-windows7.crush.com:8443 uses an invalid security certificate. The certificate is not trusted because it is self-signed. (Error code: sec_error_ca_cert_invalid)

If I use -v with keytool and inspect the returned certificate I see the Issuer as Entrust:

Owner: CN=crush-windows7.crush.com, ....
Issuer: CN=Entrust Certification Authority - L1K, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US

But my private key entry has the issuer as myself:

Owner: CN=crush-windows7.crush.com, ....
Issuer: CN=crush-windows7.crush.com, ....

I've been messing with this for a couple of hours and bashing my head against the wall. I've done this on Linux before, using openssl instead of keytool, without issues. Could this be my issue? No matter what connector config I try, it will not boot without the private key entry as the alias and the keyPass option set. If I remove the private key entry it will boot but never complete the SSL handshake. If I use the 'tomcat' alias for the keyAlias it will say:

java.io.IOException: Alias name tomcat does not identify a key entry

Can I salvage my current certificate, or do I need to generate a new private key and CSR, submit a new request, and then move them to my Windows machine? I really feel this is my issue; am I even close to being on point? Using Windows for this has been less than comfortable. Thanks for helping.

You have made a small mistake in step 4: instead of updating your PrivateKeyEntry with the certificate issued by Entrust, you have imported it as a trusted certificate.

The right command would have been:

keytool -import -alias crush-windows7 -trustcacerts -keystore crush.jks -file entrustcert.crt.txt
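A way to confirm the fix took, as an added example that is not part of the original answer: it parses the output of `keytool -list -v` for the key alias and reports whether that entry is still self-signed or has no chain attached. The `keytool_list_verbose` helper and both sample outputs are constructed for this example; the keystore path and password are assumptions.

```python
import re
import subprocess

def keytool_list_verbose(keystore, alias, storepass):
    """Run `keytool -list -v` for one alias and return its text (needs a JDK on PATH)."""
    cmd = ["keytool", "-list", "-v", "-keystore", keystore, "-alias", alias, "-storepass", storepass]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def parse_key_entry(text):
    """Extract entry type, chain length and (Owner, Issuer) pairs from keytool -list -v output."""
    entry_type = re.search(r"^Entry type:\s*(\S+)", text, re.M)
    chain_len = re.search(r"^Certificate chain length:\s*(\d+)", text, re.M)
    owners = re.findall(r"^Owner:\s*(.+?)\s*$", text, re.M)
    issuers = re.findall(r"^Issuer:\s*(.+?)\s*$", text, re.M)
    return {
        "entry_type": entry_type.group(1) if entry_type else None,
        "chain_length": int(chain_len.group(1)) if chain_len else len(owners),
        "certs": list(zip(owners, issuers)),  # chain order: leaf first, then issuing CAs
    }

def diagnose(entry):
    """Return the problems that make Tomcat reject, or browsers distrust, this keyAlias."""
    if entry["entry_type"] != "PrivateKeyEntry":
        return ["entry type is %s; Tomcat's keyAlias must name a PrivateKeyEntry" % entry["entry_type"]]
    if not entry["certs"]:
        return ["no certificate stored under this alias"]
    problems = []
    owner, issuer = entry["certs"][0]
    if owner == issuer:  # the CSR placeholder cert is still in place
        problems.append("leaf certificate is self-signed (Owner == Issuer); the CA-issued certificate was never imported under this alias")
    if entry["chain_length"] < 2:  # Tomcat only sends what is stored in the key entry
        problems.append("chain length is 1: only the leaf will be sent, clients lacking the intermediate CA cannot build a path")
    return problems

# Constructed sample: the asker's key entry before the fix (self-signed CSR cert still in place).
BROKEN = """\
Alias name: crush-windows7
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=crush-windows7.crush.com, O=Crush, C=US
Issuer: CN=crush-windows7.crush.com, O=Crush, C=US
"""
# Constructed sample: after importing the CA reply under the same alias with -trustcacerts.
FIXED = """\
Alias name: crush-windows7
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=crush-windows7.crush.com, O=Crush, C=US
Issuer: CN=Entrust Certification Authority - L1K, O="Entrust, Inc.", C=US
Certificate[2]:
Owner: CN=Entrust Certification Authority - L1K, O="Entrust, Inc.", C=US
Issuer: CN=Example Root CA (constructed), C=US
"""

if __name__ == "__main__":
    for label, sample in (("before", BROKEN), ("after", FIXED)):
        print(label, diagnose(parse_key_entry(sample)) or ["OK"])
```

Against a live keystore, pass `keytool_list_verbose("C:\\path\\to\\crush.jks", "crush-windows7", "storepassword")` to `parse_key_entry` instead of the samples.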
