TOMCAT SSL错误:别名没有标识密钥条目 [英] TOMCAT SSL Error: Alias name does not identify a key entry
问题描述
我正在尝试使用SSL(通过某人提供给我们的证书)来配置Tomcat 6.我的SSL经验只有几天,但是我仍然必须配置这些东西.
为我提供了DER格式的证书(从IE下载).
接下来,我创建了一个密钥库:
keytool -import -alias btIEgen -file MyCompany.der -keystore b2b.keystore
说我用"password"作为密码
我在SSL部分的Tomcat的server.xml中对此进行了配置:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="webapps/b2b.keystore" keystorePass="password" keyAlias="btIEgen"
clientAuth="false" sslProtocol="TLS" />
启动Tomcat时,出现织补错误.
然后我在b2b.keystore上做了一个keytool -list,并注意到别名全是小写字母,因此在更新server.xml并重新启动后,我仍然遇到相同的错误,但是对于小写别名.
然后,尽管我也许我需要一个根CA.因此,我重新创建了b2b.keystore,如下所示:
keytool -import -alias root -file myCA.cer -keystore b2b.keystore
然后我针对MyCompany.der重新执行了keytool命令
但是我仍然遇到相同的错误,即别名不能识别键条目.
我想知道我是在配置tomcat时犯了一些根本性的错误,还是应该正常工作,而我只是犯了一个愚蠢的粗心的错误?
任何指导将不胜感激.
Tomcat需要的是证书及其私钥.证书是您的任何用户都可以看到的公共信息,但是私钥应该仅是您的:这是防止其他人使用您的证书运行网站的原因.通过导入MyCompany.der,您只在导入证书.
您需要先找到私钥在哪里. (通常,即使向您颁发证书的人也不知道其私钥.)
在证书申请过程中,私钥可能是在您的浏览器中生成的.尝试查看是否可以以.p12/.pfx(PKCS#12)格式导出:如果存在,这也应该捆绑私钥.如果是这样,您应该能够直接使用PKCS12存储类型:keystoreFile="store.pfx" keystorePass="password" keystoreType="PKCS12"将生成的文件用作密钥存储(您可能不需要密钥别名,因为将只有一个密钥条目).
I am trying to configure Tomcat 6 using SSL with a certificate provided to us (by someone). My SSL experience only spans a few days, but I still have to configure the darn thing.
I was provided a certificate (downloaded from IE) in DER format.
Next I created a keystore:
keytool -import -alias btIEgen -file MyCompany.der -keystore b2b.keystore
Say I used "password" for password
I configured this in Tomcat's server.xml in the SSL section:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="webapps/b2b.keystore" keystorePass="password" keyAlias="btIEgen"
clientAuth="false" sslProtocol="TLS" />
Upon starting Tomcat I get the darn error.
I then did a keytool -list on b2b.keystore, and noticed that the alias is in all lowercase, so after updating server.xml and restarting, I still get the same error, but for the lower case alias.
Then I though that perhaps I need a root CA. So I recreated the b2b.keystore as follows:
keytool -import -alias root -file myCA.cer -keystore b2b.keystore
Then I re-executed my keytool command against MyCompany.der
But I still get the same error, that the alias does not identify a key entry.
I am wondering if I am making some fundamental error in configuring tomcat, or should this thing be working and I'm just making a stupid careless mistake?
Any guidance would be greatly appreciated.
What Tomcat needs is the certificate and its private key. The certificate is public information that any of your user can see, but the private key should be yours only: this is what prevents others from running a website with your certificate. By importing MyCompany.der, you're only importing the certificate.
You would need to find where you private key is first. (Normally, even the person who issued the certificate to you shouldn't know its private key.)
The private key may have been generated within your browser during the certificate application process. Try to see if you can export in .p12/.pfx (PKCS#12) format: this should bundle the private key too if it's there. If so, you should be able to use the resulting file as a keystore directly using the PKCS12 store type: keystoreFile="store.pfx" keystorePass="password" keystoreType="PKCS12" (you probably won't need a key alias, since there will only be one key entry).
这篇关于TOMCAT SSL错误:别名没有标识密钥条目的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
