Adding a foreign server's self-signed certificate to the trusted certificates of my Tomcat

My Tomcat needs to connect to another web server (at https://foreign.example.com) using SSL (TLS).

foreign.example.com has a self-signed certificate, which I trust. Of course, my Tomcat does not by default - so I have to tell it. One way to do this is:

$JRE/bin/keytool -import -alias my -file ssl-cert-myselfsigned.cer -keystore $JRE/lib/security/cacerts

This works: My Tomcat allows the SSL connection.

However, I don't like to do it this way: It imports the certificate into the trusted keys of my Java installation. I don't want to say: "Every application that runs Java on my machine should trust that certificate". Only Tomcat (or the user that runs Tomcat) should trust it.

So I tried importing it into the tomcat-user's keystore at ~/.keystore, and setting up Tomcat's <Connector> with these attributes:

keystoreFile="${user.home}/.keystore"
keystorePass="thePassphraseICreatedTheKeystoreWith"

However, that doesn't work at all (I believe this is only for the server certificate of my Tomcat, not for server certificates of foreign servers, right?).

I tried the same with the truststoreFile/truststorePass attributes, but they didn't work either. (The attributes are documented at http://tomcat.apache.org/tomcat-6.0-doc/config/http.html)

Is there a way to set up Tomcat with the foreign server's server cert, or maybe to add some command line parameters to java which makes my keystore (and keystore passphrase) available to the JVM instance?

Chris Lercher asked Jun 27 '11 18:06




1 Answer

JBoss (which is based on Tomcat) can be run with the following cmd arguments. The cacerts file (or however you would like to name it) must contain the cert of the endpoint.

-Djavax.net.ssl.trustStore=C:\Applications\jboss-as\server\default\conf\cacerts -Djavax.net.ssl.trustStorePassword=changeit

Therefore this should also work for Tomcat.

rit answered Oct 31 '22 01:10
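The Connector's keystoreFile/truststoreFile attributes only configure what Tomcat presents and accepts on its own HTTPS listener; outbound connections use the JVM's default truststore, which the javax.net.ssl.trustStore properties from the answer override for that one JVM. The script below is an added example, not code from either poster: it imports the foreign certificate into a truststore dedicated to this Tomcat instance (after checking its fingerprint) and passes the properties via setenv.sh. All paths, the alias and the store password are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a truststore that only
# this Tomcat instance uses and wires it in through CATALINA_OPTS, so
# $JRE/lib/security/cacerts stays untouched. All paths, the alias and the
# store password are assumed placeholders; adjust them to your installation.
set -eu

# JVM flags that make the outbound TLS connections of one JVM use a given truststore.
truststore_opts() {
  printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s' "$1" "$2"
}

# Import a certificate into the dedicated truststore (created on first import),
# but only after its SHA-256 fingerprint matches a value obtained out of band.
# Assumes a PEM file; add "-inform DER" to the openssl call for a binary .cer.
import_trusted_cert() {
  cert=$1; store=$2; pass=$3; expected_fp=$4
  actual_fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 | cut -d= -f2)
  if [ "$actual_fp" != "$expected_fp" ]; then
    echo "refusing to trust $cert: fingerprint $actual_fp does not match" >&2
    return 1
  fi
  keytool -importcert -noprompt -alias foreign.example.com \
    -file "$cert" -keystore "$store" -storepass "$pass"
}

# Append to $CATALINA_HOME/bin/setenv.sh (sourced by catalina.sh at startup) so
# the flags apply to this Tomcat only. The file now holds the store password,
# so restrict it to the user that runs Tomcat.
write_setenv() {
  catalina_home=$1; store=$2; pass=$3
  setenv="$catalina_home/bin/setenv.sh"
  printf 'CATALINA_OPTS="$CATALINA_OPTS %s"\n' "$(truststore_opts "$store" "$pass")" >> "$setenv"
  chmod 600 "$setenv"
}

# Example run with placeholder values; only executes when RUN_IMPORT=1 is set.
if [ "${RUN_IMPORT:-0}" = 1 ]; then
  CATALINA_HOME=${CATALINA_HOME:-/opt/tomcat}
  STORE="$CATALINA_HOME/conf/foreign-truststore.jks"
  # EXPECTED_FP: the fingerprint you recorded from the foreign server's admin.
  import_trusted_cert ssl-cert-myselfsigned.cer "$STORE" changeit "$EXPECTED_FP"
  write_setenv "$CATALINA_HOME" "$STORE" changeit
fi
```

After restarting Tomcat, the trust applies to every outbound HTTPS connection made by that JVM, while other Java programs on the machine still reject the self-signed certificate.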