Grade F tomcat cert in ssltest

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

i have already a cert for apache, and i need the same cert for the tomcat server
I ran this command:
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert_and_key.p12 -name tomcat -CAfile chain.pem -caname root -password pass: xxx

keytool -importkeystore -deststorepass xxx -destkeypass xxx -destkeystore MyDSKeyStore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -srcstorepass xxx -alias tomcat

keytool -import -trustcacerts -alias root -file chain.pem -keystore MyDSKeyStore.jks -storepass xxx

after i modified the server.xml

Note Apache had a A grade

It produced this output:
when i do a ssltest i have a F grade. i use this page

My web server is (include version):
Apache, Tomcat

The operating system my web server runs on is (include version):
Ubuntu 16.04 (xenial)

I have access to a server shell

hi @p3dr0

The certificate has not impact on cipher selection that is a server configuration.

I have had a look at your server recently and it seems you have a high grade

If you are using a different port let me know as I think SSLLabs uses 443 and that may be your apache config.



Oh , sorry i forgot, the port its 8080, i made this configurations

and its equal.

I just did made this configurations, and i get the B- grade. You have right, i seem a misconfiguration of the server.
Sorry by the inconvenient.
I will keep reading about theme.
here its the config, if you see someelse bad in the config, I really appreciate that you can tell me about for i get a better grade.

it’s mostly your eliptic curve configuration

you can turn on OCSP and HSTS if you want


btw be careful with pasting configs


i know that people can get on the server and see the tomcat file configs to see the keystore password but no need to make it too easy :smiley:


It looks like you are now getting an A.
Just on a side note, if you want an A+ add the line:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
to your config. It enables HSTS

Jajjaja Thanks!
I’ll keep it in mind.

ok, i’m reading about that, but i find, that this config its in the web.xml ?
im going keep looking

You can add it to your Apache2 configuration for your website, not the whole install.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.