How to remove self-signed root from Tomcat 6 server?

I have a GeoTrust verified SSL certificate. The server is Tomcat 6. I did the following:

1 - Create keystore file

keytool -genkey -alias <alias> -keyalg RSA -keysize 2048 -keystore <keystore_file> -sigalg SHA256withRSA

2 - Generate CSR

keytool -certreq -alias <alias> -file <csr_file> -keystore <keystore_file> -sigalg SHA256withRSA

3 - Import the p7b file that Symantec provided for the CSR

keytool -import -alias <alias> -trustcacerts -file <p7b_file> -keystore <keystore_file>

Everything works fine, but the following warning appears in the Symantec SSL Toolbar:

Recommendations: Root is installed on the server. For best practice, remove the self-signed root from the server.

Any ideas how I can remove Root from Server to avoid this warning?

+3


2 answers


To remove the root self-signed certificate from Tomcat, you need to remove it from your Java installation. This action is performed using the keytool binary, which is located in the bin folder inside your Java JDK installation.

The options you should use to remove the self signed certificate from tomcat are as follows:

keytool -delete -noprompt -alias ${cert.alias} -keystore ${keystore.file} -storepass ${keystore.pass}

For example, to remove the self-signed Tomcat cert that I installed on my machine, I had to use the following:



"%JAVA_HOME%\bin\keytool" -delete -noprompt -alias tomcat

      

Additional Information:

https://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html

0



The only thing I found was this article, which basically says "Browsers will get your paid certificate, also get your self-signed certificate" and it is their job to figure it out.

IMHO the Symantec product wasted my time chasing wild geese. They also recommend patching BEAST with RC4 (I suppose), which is not recommended. Browsers fix BEAST.

BEAST
The BEAST attack is not mitigated on this server.
Root installed on the server.
For best practices, remove the self-signed root from the server.

      



I recommend this service instead: https://www.ssllabs.com/ssltest/analyze.html

Their fix articles are very helpful.

This was the article I used to configure nginx, to get an A+.

-1
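
An added example, not part of the question or either answer: a shell function that reads `keytool -list -v` output and lists every certificate whose Owner and Issuer are identical, which is how a self-signed root (or the original `-genkey` certificate) appears in a keystore listing. The function names, the `|`-separated output format and the sample listing are assumptions constructed for illustration; the comparison is by name only and does not verify signatures.

```shell
#!/bin/sh
# Flag self-issued certificates in `keytool -list -v` output.
# Heuristic: Owner DN == Issuer DN (name comparison, no signature check).

self_signed_in_chain() {
    # stdin: text produced by `keytool -list -v`
    # stdout: <alias>|<Certificate[n] or "single">|<owner DN>, one per match
    awk '
        /^Alias name: /           { alias = substr($0, 13); pos = "single" }
        /^Certificate\[[0-9]+\]:/ { pos = $1; sub(/:$/, "", pos) }
        /^Owner: /                { owner = substr($0, 8) }
        /^Issuer: /               { if (substr($0, 9) == owner)
                                        print alias "|" pos "|" owner }
    '
}

# Constructed sample listing (hypothetical names, trimmed to the lines
# the parser reads): a key entry whose stored chain ends in its root.
sample_listing() {
cat <<'EOF'
Keystore type: JKS

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com, O=Example Ltd, C=US
Issuer: CN=Example Issuing CA, O=Example CA Inc., C=US
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example CA Inc., C=US
Issuer: CN=Example Root CA, O=Example CA Inc., C=US
Certificate[3]:
Owner: CN=Example Root CA, O=Example CA Inc., C=US
Issuer: CN=Example Root CA, O=Example CA Inc., C=US
EOF
}

# Against a real keystore (placeholders as in the question):
#   keytool -list -v -keystore <keystore_file> | self_signed_in_chain
sample_listing | self_signed_in_chain
```

A match at the last position of a chain under a `PrivateKeyEntry` is the root stored alongside the server certificate; a match on an entry with no `Certificate[n]` line is a standalone self-signed or trusted root entry.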

