
Posts published in “tomcat”

Self signed SSL cert for Apache Tomcat

The simplest way I know of to create and self sign an SSL certificate for your Apache Tomcat server, in two simple steps.

Step 1 – (the $JAVA_HOME environment variable should already be set in your tomcat user’s ~/.bash_profile; otherwise replace it with the full path to keytool)

#  $JAVA_HOME/bin/keytool  -genkeypair  -validity 3650  -alias tomcat  -keyalg  RSA

password:  specify a password
name:  use the full <hostname> domain name
organizational unit:
organization:
city:
state:
country:
Select ‘y’ to confirm the details.

Press the ‘Enter’ key when asked for a password for the alias ‘tomcat’.

A keystore called .keystore (a hidden file) will be created in the user’s home directory; move it to <tomcat_home_dir>/conf/.

Step 2.
Uncomment the ‘SSL HTTP/1.1 Connector on port 8443’ section in <tomcat_home_dir>/conf/server.xml and add parameters so that it resembles the following:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" enableLookups="false" disableUploadTimeout="true" acceptCount="100" clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" keystorePass="<password_from_Step1>" keystoreFile="<tomcat_home_dir>/conf/.keystore" />

Restart Tomcat and point your browser to https://hostname.your.domain.com:8443 to verify the cert. It doesn’t get any simpler than that.

apache-Tomcat error on starting after changing the SSL Key / Keystore

The keystore password and the SSL key password must both be the same as the keystorePass listed in ~/conf/server.xml; otherwise Tomcat fails at startup with:

SEVERE: Error starting endpoint
java.io.IOException: Cannot recover key

at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:527)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:156)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
at org.apache.catalina.connector.Connector.start(Connector.java:1095)
at org.apache.catalina.core.StandardService.start(StandardService.java:540)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)

Solution:

Fix it via keytool with the passwords given on the command line; changing the password interactively via the CLI generates an error saying the old and new passwords must be different.

keytool -keypasswd -alias your_alias -keypass old_passwd -new new_passwd -keystore ./keystore
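A pre-restart check tying the two posts together, written for this page as an added example (not the author's own script): it reads keystoreFile and keystorePass from the SSL Connector in Step 2 and confirms that password also unlocks the private key, which is the mismatch behind "Cannot recover key". It assumes keytool is on PATH or under $JAVA_HOME/bin, that the Connector uses straight quotes on a single line, and that the alias is `tomcat` unless a keyAlias attribute says otherwise.

```shell
#!/bin/sh
# Added example (not part of the original posts): preflight for the Tomcat
# SSL connector. Assumes keytool is reachable and the Connector sits on one
# line with straight-quoted attributes, as in server.xml after Step 2.

# Print one attribute value from the first SSLEnabled="true" Connector.
# Usage: connector_attr <server.xml> <attribute>
connector_attr() {
    grep -E 'SSLEnabled="true"' "$1" \
      | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p" \
      | head -n 1
}

# Does keystorePass also unlock the private key under the alias?
# keytool -certreq needs the private key, so it fails with the same
# "Cannot recover key" condition Tomcat reports at startup. The CSR is
# discarded, so the keystore is not modified. Returns 0 when both work.
# Usage: check_key_password <keystore> <alias> <password>
check_key_password() {
    "${JAVA_HOME:+$JAVA_HOME/bin/}keytool" -certreq -alias "$2" \
        -keystore "$1" -storepass "$3" -keypass "$3" \
        -file /dev/null >/dev/null 2>&1
}

# Usage: preflight <tomcat_home_dir>
preflight() {
    xml="$1/conf/server.xml"
    ks=$(connector_attr "$xml" keystoreFile)
    pw=$(connector_attr "$xml" keystorePass)
    al=$(connector_attr "$xml" keyAlias)
    al=${al:-tomcat}
    [ -n "$ks" ] || { echo "no SSL Connector with keystoreFile in $xml"; return 2; }
    [ -f "$ks" ] || { echo "keystoreFile does not exist: $ks"; return 2; }
    # keystorePass is stored in clear text here, so server.xml should be
    # readable only by the tomcat user (check with: ls -l "$xml").
    if check_key_password "$ks" "$al" "$pw"; then
        echo "OK: $ks opens and key '$al' is recoverable with keystorePass"
    else
        echo "FAIL: keystorePass does not unlock keystore or key '$al'"
        echo "      expect 'Cannot recover key' on start; reset with:"
        echo "      keytool -keypasswd -alias $al -keystore $ks"
        return 1
    fi
}

# Run only when a Tomcat home directory is passed on the command line.
[ $# -eq 1 ] && preflight "$1"
```

Run it as `sh preflight.sh <tomcat_home_dir>` before restarting Tomcat; a non-zero exit means the restart would hit the error above.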