I'm trying to get a CA cert/SSL working on an AWS EC2 instance with Ubuntu and Tomcat 7.0.52. Browsers fail to connect. Here are the steps I went through:
keytool -genkey -alias mydomain -keyalg RSA -keystore mydomain.keystore -keysize 2048
<fill out information>
keytool -certreq -keyalg RSA -alias mydomain -file certreq.csr -keystore ../mydomain.keystore
submit csr to ssls.com/Geotrust, and receive back: bundle.crt www.mydomain.net.crt
import certs into keystore:
keytool -import -trustcacerts -alias root -keystore ../mydomain.keystore -file bundle.crt
keytool -import -alias mydomain -keystore ../mydomain.keystore -file www.mydomain.net.crt
next, update $TOMCAT_HOME/config/server.xml:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
<Connector port="8443" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/home/ubuntu/mydomain.keystore"
keystorePass="xxxxxxx"
clientAuth="false" sslProtocol="TLS" />
and restart tomcat.
EC2 instance with security groups are set up to allow port 80 and 443.
iptables changes made to redirect 80->8080 and 443->8443:
sudo iptables -t nat -n -L PREROUTING --line-numbers
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 8443
2 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
DNS for www.mydomain.net is not yet in place, so I'm currently testing with a modified /etc/hosts:
54.200.126.130 www.mydomain.net
54.200.126.130 mydomain.net
sslscan does not return any valid ciphers. They are all listed as "Rejected".
openssl test:
openssl s_client -connect www.mydomain.net:443
CONNECTED(00000003)
64007:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:602:
switching to a self-signed cert generated with keytool works fine (other than the obligatory browser warning). So it seems the issue must be with the certs and/or keystore, but I'm not sure what the issue is.
Tomcat assumes a keystore alias of "tomcat" unless you specify the keyAlias attribute on the Connector.
Just add keyAlias=mydomain, or rename your alias to "tomcat" with the keytool.
Tomcat docs say of keyAlias: "If not specified the first key read in the keystore will be used.", but it's a good catch. However, it didn't solve all my issues. I contacted GeoTrust and they recommended downloading a PKCS #7 cert, which worked. Odd, given that Tomcat docs say "Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores". In the end it was two support chats with the CA, a Stack Overflow post with bounty, and hours of openssl and keytool testing. Lesson learned: it appears the CAs, given they get the support calls, have the best documentation for this (not Tomcat).
https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO15323
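The handshake failure in the question (every cipher "Rejected", `sslv3 alert handshake failure` from s_client) is what Tomcat produces when the Connector has no usable private-key entry to serve, which is exactly what the keyAlias answer and the PKCS #7 follow-up are circling around. The script below is an added example, not code from the question, the answer, or Tomcat itself. It parses the text that `keytool -list -v` prints (the `Alias name:` / `Entry type:` / `Certificate chain length:` lines, an assumption about the keytool output format of that era), reports which aliases are PrivateKeyEntry items and how long each chain is, and tells you which alias a Connector would end up serving for a given keyAlias. The listing embedded in it is constructed to mirror the question's keystore: a trusted entry "root" imported first and a key entry "mydomain" whose chain contains only the leaf.

```shell
#!/bin/sh
# Added example: read a keystore the way a Tomcat Connector will, and explain
# a "no ciphers / handshake failure" result before touching server.xml again.

# Constructed sample of `keytool -list -v` output (JDK 7 layout); not a real keystore.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: root
Creation date: Mar 10, 2014
Entry type: trustedCertEntry

Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA


*******************************************
*******************************************


Alias name: mydomain
Creation date: Mar 10, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.mydomain.net
Issuer: CN=Example Intermediate CA


*******************************************
*******************************************
'

# Print one "alias entry_type chain_length" line per entry of a keytool -list -v
# listing read on stdin. Entries are terminated by the row of asterisks keytool prints.
keystore_entries() {
    awk '
        /^Alias name: /               { alias = substr($0, 13); type = "?"; chain = 0 }
        /^Entry type: /               { type = substr($0, 13) }
        /^Certificate chain length: / { chain = substr($0, 27) + 0 }
        /^\*\*\*\*\*/ && alias != ""  { print alias, type, chain; alias = "" }
        END { if (alias != "") print alias, type, chain }
    '
}

# Alias the Connector will serve from: the requested keyAlias ($1) if it is a
# PrivateKeyEntry, or the first PrivateKeyEntry when keyAlias is unset ("").
# Prints nothing and returns 1 if no such entry exists (trustedCertEntry
# items such as an imported CA bundle can never be served).
serving_alias() {
    keystore_entries | awk -v want="$1" '
        $2 == "PrivateKeyEntry" && (want == "" || $1 == want) { print $1; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# Chain length recorded for alias $1 (0 if absent).
chain_length() {
    keystore_entries | awk -v want="$1" '$1 == want { print $3; exit }'
}

# Explain the outcome for listing $1 with Connector keyAlias $2 ("" if unset).
# Returns 0 (ok), 1 (no key to serve: handshake fails), 2 (served, but leaf only).
diagnose() {
    listing="$1"; key_alias="$2"
    served=$(printf '%s' "$listing" | serving_alias "$key_alias") || {
        echo "FAIL: no PrivateKeyEntry matches keyAlias='${key_alias:-<unset>}'; Tomcat has nothing to sign the handshake with, so every cipher suite is rejected"
        return 1
    }
    len=$(printf '%s' "$listing" | chain_length "$served")
    if [ "${len:-0}" -lt 2 ]; then
        echo "WARN: alias '$served' will be served, but its chain length is ${len:-0} (leaf only): the intermediate is not attached to this entry, so clients must already trust the issuer"
        return 2
    fi
    echo "OK: alias '$served' served with a chain of $len certificates"
}

# Same check against a real keystore file; keytool must be on PATH.
# Usage: diagnose_keystore /home/ubuntu/mydomain.keystore STOREPASS [keyAlias]
diagnose_keystore() {
    diagnose "$(keytool -list -v -keystore "$1" -storepass "$2")" "$3"
}

# Stand-alone demonstration on the constructed listing.
diagnose "$SAMPLE_LISTING" ""     || true   # served, but leaf-only chain
diagnose "$SAMPLE_LISTING" "root" || true   # keyAlias points at a trusted cert, not a key
```

Run `diagnose_keystore` against the real keystore from the question once with no keyAlias and once with the alias you intend to configure; a FAIL line explains the s_client alert directly, and a WARN line explains why a browser still distrusts the site even when the handshake succeeds.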