Installing self-signed certificate on tomcat

The question: I have an application running under Tomcat which calls another application under the same Tomcat via a gateway which has a self-signed SSL certificate installed. When you call the link from your browser it warns you about a potentially dangerous site, but you have an option to proceed anyway. However, Tomcat cannot proceed anyway until it trusts the certificate. The certificate is issued by KEMP Technologies. So how do I make Tomcat trust the certificate? I have .cer and .key files.

OS: Windows 2008R2

Tomcat 7

Thanks.

Answer

Important warning. The .key file belongs only on the server side. If the certificate shows on some ‘gateway’ address, this would mean the *.key file belongs only on the ‘gateway’. Don’t play with it. Don’t copy it around randomly. If someone is able to read it, your certificate becomes compromised – it cannot provide trusted authentication anymore.

I understand you want to ensure the *.cer file is trusted on the client side. It is irrelevant here that your client is actually the same Java process that also ultimately serves the content. Just proceed as with any Java app that tries to connect to an untrusted self-signed certificate:

  1. Locate which JAVA_HOME directory you use to run Tomcat (it could be customized inside catalina.bat or setenv.bat).
  2. Trust your x.cer file:

    %JAVA_HOME%\bin\keytool -importcert -keystore %JAVA_HOME%\jre\lib\security\cacerts -file x.cer -alias my-self-signed-cert1

  3. The default keystore password is changeme or changeit, I keep mixing it up, sigh.
  4. It should work immediately without a Tomcat restart.
  5. Document what you did, because any Java update will likely overwrite cacerts.
  6. If it doesn't work, it could mean that your Java application is ignoring the default cacerts keystore and is using some custom file. This would leave you at the mercy of the application's documentation regarding a trust store.
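A way to verify steps 1, 3 and 6 of the answer above before and after the keytool import, as an added example that is not the answer author's code: this Java program resolves the trust store the same way the default JSSE trust manager does (javax.net.ssl.trustStore if set, otherwise jssecacerts or cacerts under java.home), loads it with the default password, and reports whether the certificate in the given .cer file is already present. It assumes the application does not install its own TrustManager; the class name TrustStoreCheck and the argument convention are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
/** Reports whether a .cer file is already trusted by the trust store this JVM would actually use. */
public class TrustStoreCheck {
    /** Resolve the trust store the way the default JSSE TrustManager does (assumes no custom TrustManager). */
    static Path defaultTrustStorePath() {
        String custom = System.getProperty("javax.net.ssl.trustStore");
        if (custom != null) {
            return Paths.get(custom);          // the "custom file" case from step 6 of the answer
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = security.resolve("jssecacerts");
        // JSSE prefers jssecacerts over cacerts when both exist; on Java 8 java.home is the jre directory
        return jssecacerts.toFile().exists() ? jssecacerts : security.resolve("cacerts");
    }
    /** Returns the alias under which the certificate is stored, or null if the trust store lacks it. */
    static String findAlias(KeyStore ks, X509Certificate cert) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias) && cert.equals(ks.getCertificate(alias))) {
                return alias;                  // Certificate.equals() compares the DER encodings
            }
        }
        return null;
    }
    public static void main(String[] args) throws Exception {
        Path storePath = defaultTrustStorePath();
        // the JDK default password is "changeit"; it only protects the store's integrity check
        char[] password = System.getProperty("javax.net.ssl.trustStorePassword", "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // reads JKS and PKCS12 cacerts alike
        try (InputStream in = new FileInputStream(storePath.toFile())) {
            ks.load(in, password);
        }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {        // args[0]: path to x.cer (DER or PEM)
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        cert.checkValidity();                                        // throws if expired or not yet valid
        String alias = findAlias(ks, cert);
        System.out.println("truststore: " + storePath);
        System.out.println(alias == null ? "NOT trusted, import it with keytool" : "trusted as alias " + alias);
    }
}
```

Run it with the same java.exe and the same -Djavax.net.ssl.trustStore options that catalina.bat or setenv.bat passes to Tomcat, otherwise it may inspect a different cacerts than the one Tomcat uses.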

Attribution
Source: Link, Question Author: Mher Harutyunyan, Answer Author: kubanczyk
