I created a certificate using keytool:

keytool -genkey -alias tomcat -keyalg RSA

Exported and imported it into my keystore:

keytool -export -alias tomcat -file name.crt
keytool -import -file name.crt

When I do keytool -list I have 2 entries:

tomcat, Sept 15, 2010, keyEntry,
Certificate fingerprint (MD5): ...
mykey, Sept 17, 2010, trustedCertEntry
Certificate fingerprint (MD5):...

Note that the fingerprints for both entries are the same.

I configured my server.xml to point to my .keystore file:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
       maxThreads="150" scheme="https" secure="true"
       keystoreFile="${user.home}/.keystore" keystorePass="changeit"
       clientAuth="false" sslProtocol="TLS" />

<Connector port="8009" protocol="AJP/1.3" redirectPort="443" />

But in my Tomcat logs I see this when I perform an action in my Java app:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
...
sun.security.validator.ValidatorException: No trusted certificate found

Is there any other configuration that needs to be done?

A: 

You need the client (i.e. the browser) to trust your server's certificate.

For this you either import the server's certificate into the browser as a trusted certificate, which only works when you have the browser under your control, or you get your certificate signed by a trusted authority, which costs money.

Exporting and reimporting under a different name doesn't make any sense.

Update:

I think I am starting to understand what you are trying to do. You want a Java client to access a webapp via HTTPS, yes?

In this case you need to provide a 'truststore', i.e. a keystore containing the trusted certificates. You'll want to set the system property javax.net.ssl.trustStore to the name of the truststore to use.

You can probably use a handcrafted TrustManager as well. This site seems to give information about that: http://download.oracle.com/javase/1.4.2/docs/guide/security/jsse/JSSERefGuide.html

This simple example might help as well: http://stilius.net/java/java_ssl.php

Jens Schauder
I did import the certificate into my browser. So I can't use a self-signed certificate?
CoolGravatar
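As an added example, not code from the original question or answer, here is a Java client that does what the update describes: the server's certificate is exported from Tomcat's keystore into a separate truststore, and the client is pointed at that truststore either through the javax.net.ssl.trustStore system property or by building an SSLContext from the same file. The file names (client-truststore.jks, tomcat.crt), the password changeit, the class name TrustStoreClient and the URL https://localhost/ are assumptions for the illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/*
 * Assumed setup (hypothetical names, not from the original post):
 *
 *   # export the server certificate from Tomcat's keystore ...
 *   keytool -export -alias tomcat -keystore ~/.keystore -file tomcat.crt
 *   # ... and import it into a SEPARATE truststore that only the client uses
 *   keytool -import -alias tomcat -file tomcat.crt -keystore client-truststore.jks
 *
 * Run with the JSSE system properties, which make the default trust manager
 * read client-truststore.jks instead of the JRE's cacerts bundle:
 *
 *   java -Djavax.net.ssl.trustStore=client-truststore.jks \
 *        -Djavax.net.ssl.trustStorePassword=changeit TrustStoreClient https://localhost/
 *
 * or without them, in which case the class builds the same trust configuration
 * programmatically from the file.
 */
public class TrustStoreClient {

    /**
     * Builds an SSLContext whose only trust anchors are the certificates in the
     * given truststore. The JRE's cacerts bundle is NOT consulted, so a
     * self-signed server certificate is accepted only if it is in this file.
     */
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        // Default algorithm is PKIX: chain building plus validity-period checks.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        // No KeyManagers: the connector has clientAuth="false", so the client presents no certificate.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens the URL and returns the HTTP status plus the subject of the server's leaf certificate. */
    static String fetch(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        if (ctx != null) {
            conn.setSSLSocketFactory(ctx.getSocketFactory());
        }
        // The default HostnameVerifier stays in place: the certificate's CN/SAN must match the host.
        int status = conn.getResponseCode(); // performs the TLS handshake
        Certificate[] chain = conn.getServerCertificates();
        String subject = ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
        conn.disconnect();
        return "HTTP " + status + ", server cert subject: " + subject;
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "https://localhost/";
        SSLContext ctx = null;
        if (System.getProperty("javax.net.ssl.trustStore") == null) {
            // Properties not set on the command line: load the truststore ourselves.
            String path = args.length > 1 ? args[1] : "client-truststore.jks";
            ctx = contextFromTrustStore(path, "changeit".toCharArray());
        }
        try {
            System.out.println(fetch(url, ctx));
        } catch (SSLHandshakeException e) {
            // This is the "No trusted certificate found" situation from the question:
            // the server's certificate is not in the truststore this client is using.
            System.err.println("Handshake failed, server certificate not trusted: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Two caveats when running it against a self-signed certificate made with keytool -genkey: the value entered at the "What is your first and last name?" prompt becomes the certificate's CN, and the client's hostname verification compares that (or a subject alternative name) against the host in the URL, so a certificate whose CN is not the server's hostname fails with a hostname error even after the trust check passes; and the truststore should stay a separate file from the server's keystore, since the keystore holds the private key and the client only needs the public certificate.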