AWG Blogs

Tuesday, March 20, 2018

Create keypair for Tomcat SSL and import same to Java keystore

Create the keypair:

    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keystore tomcat-keystore.jks -validity 730

Export the certificate:

    keytool -export -alias tomcat -file tomcat-keystore.cer -keystore tomcat-keystore.jks

Import to Java keystore:

    keytool -import -alias tomcat -file tomcat-keystore.cer -keystore C:\jdk1.7.0_51\jre\lib\security\cacerts

Add the keystore to the HTTPS connector in Tomcat's server.xml:

    <Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
        disableUploadTimeout="true" enableLookups="false" maxThreads="25"
        port="8443" keystoreFile="/path/to/tomcat-keystore.jks" keystorePass="password"
        protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
        secure="true" sslProtocol="TLS" />

With the certificate in the truststore, Java programs connecting to this Tomcat instance no longer fail with errors like:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed...

References:
https://dzone.com/articles/setting-ssl-tomcat-5-minutes
https://stackoverflow.com/a/7812567/1714485