
Firstly, I'm trying to configure my java web project for school as HTTPS, so I'm trying to make a self signed certificate and import it to tomcat. My tomcat version is 9.0.591 and I'm using java 17.

I basically followed the documents in the official tomcat website.

I first created a keystore by running this exact command "%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA

this is what I entered

And then I simply added it to the tomcat server.xml file as such -

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>

And I added this to the web.xml file -

<security-constraint>
  <web-resource-collection>
    <web-resource-name>DigitalLibrary</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Now I'm not gonna lie, I don't really know what the code in the web.xml file means so if you could explain that as well I'd appreciate it. All I know is that it makes the server automatically forward to https instead of http.

Lastly I ran the server, windows of course did not recognize the certificate so I downloaded the CER file straight from chrome and added it to the Trusted Root Certification Authorities through mmc.

When I tried running the server again the certificate still was not recognized. What did I do wrong that made windows not recognize it? It does obviously show up when I run the server but windows won't recognize it.... I have tried just putting up the keystore file in the Trusted Root Certification Authorities and it still didn't work.

Thanks in advance.

  • Not exactly a programming question. Perhaps this would be better posted to a sister site such as serverfault.com or webmasters.stackexchange.com. Commented May 3, 2022 at 15:21
  • By the way, rather than using a self-signed certificate, you might consider using Let's Encrypt to obtain a real certificate at no cost. I've no idea if that would help your problem or not. Commented May 3, 2022 at 15:26
  • Let's Encrypt will require the server to be reachable from the internet. Something like that is not necessary for test setups. Commented May 3, 2022 at 19:34
  • @HiranChaudhuri Test setups should be as close to the production setup as possible. You don't want to be testing different code. Commented May 3, 2022 at 23:32
  • All you did was create a keypair. The keytool happens to wrap the public key in a certificate, but not of the kind you want. You need to generate a certificate using that keypair and with the DN equal to the domain name of your server. Commented May 3, 2022 at 23:33

2 Answers


Meta: this is not programming or development, and will probably get closed or moved. This doesn't fit as a comment but I consent to it being deleted or moved.

HTTPS certificates must contain the domain name you use to connect to the server, or the IP address if you use that instead which is rare on the internet but not uncommon in test environments, or optionally a wildcard matching the domain name.

For Chrome or Edge, you must add the SubjectAlternativeName extension to the cert with the domain name(s) or IP address(es) of the server. See the keytool documentation. For other browsers you may do that or (at least for now) put one name or address of the server as 'Common Name' in Subject, which is what keytool describes inaccurately as "First and Last Name" (but note the confirmation shows it as CN, which is the correct abbreviation for Common Name).

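To make the SubjectAlternativeName requirement from the answer above concrete, here is an added example (not code from the original post, the answer, or the Tomcat documentation) that builds a self-signed certificate whose SAN lists both the hostname and the loopback IP, packs key and certificate into a PKCS12 keystore that Tomcat can load, and then reads the SAN back out the way a browser would check it against the URL host. File names (tomcat.key, tomcat.crt, tomcat.p12, san.cnf), the alias "tomcat", the hostname localhost and the address 127.0.0.1 are assumptions for the demonstration; the password "changeit" is the one used in the question's server.xml.

```shell
#!/bin/sh
# Added example (not from the original post or answer).
# Creates a self-signed server certificate with a SubjectAlternativeName
# (what Chrome and Edge check against the URL host) and a PKCS12 keystore
# for Tomcat. Paths, alias and password below are assumed values.
set -eu

# make_cert OUTDIR HOSTNAME IP
# Writes OUTDIR/tomcat.key, OUTDIR/tomcat.crt and OUTDIR/tomcat.p12.
make_cert() {
  dir=$1; host=$2; ip=$3
  mkdir -p "$dir"
  # Minimal OpenSSL config: the CN is kept for older clients, but the SAN
  # extension is what actually makes the cert valid for HOSTNAME and IP.
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host, IP:$ip
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
EOF
  # Self-signed cert plus an unencrypted private key (test setup only).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/tomcat.key" -out "$dir/tomcat.crt" \
    -config "$dir/san.cnf" >/dev/null 2>&1
  # PKCS12 keystore: Tomcat reads it with keystoreType="PKCS12",
  # the alias "tomcat" matches the keyAlias used in the question.
  openssl pkcs12 -export -name tomcat \
    -inkey "$dir/tomcat.key" -in "$dir/tomcat.crt" \
    -out "$dir/tomcat.p12" -passout pass:changeit
}

# cert_sans CERTFILE
# Prints the SAN line, e.g. "DNS:localhost, IP Address:127.0.0.1".
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# cert_matches CERTFILE NAME
# Returns 0 when NAME appears in the SAN as a DNS name or IP address,
# 1 otherwise. This is the check that failed for the original poster:
# a cert whose only name is in the CN (or no name at all) is rejected.
cert_matches() {
  cert_sans "$1" | tr ',' '\n' | sed 's/^ *//' \
    | grep -qxE "DNS:$2|IP Address:$2"
}

# Stand-alone usage (assumed output directory ./tls):
#   make_cert ./tls localhost 127.0.0.1
#   cert_sans ./tls/tomcat.crt
#   cert_matches ./tls/tomcat.crt localhost && echo "ok for https://localhost:8443"
```

The tomcat.p12 file is what the Connector points at (keystoreFile, keystorePass="changeit", keystoreType="PKCS12"); the tomcat.crt file is what you import into Trusted Root Certification Authorities on Windows, which is still required for a self-signed certificate even once the SAN is correct. The keytool equivalent of the SAN part is the `-ext SAN=dns:localhost,ip:127.0.0.1` option on `keytool -genkeypair`, as described in the keytool documentation the answer refers to.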


The problem was really dumb... I can't believe it took me so long to realize this...

Basically it only recognized the certificate when I used the IP in the URL; I originally had "localhost" in there. That was the cause of the error in this case.

I also changed at some point to a certificate I made with openssl so it probably has to do with it.

Thank you to everyone that answered and I'm sorry for posting in the wrong site, I didn't even know there were other ones....

1 Comment

Don't use https URLs with IP addresses, this is the wrong move. Even if technically you can have certificates with IP addresses in them, this is the exception and not the norm. Let's Encrypt has a specific page explaining how to handle the "localhost" case, see letsencrypt.org/docs/certificates-for-localhost (it is not specific to their CA).
