You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by "BONNET, Frank" <fr...@esiee.fr> on 2014/02/14 14:10:15 UTC

Generate pkcs12 certificates from offical COMODO certs

Hello


I have officials certificates for apache2 from COMODO that I would like to

import into  tomcat (  pkcs12 ) if someone has links / infos to do this task

it would be a great help ( google doesn't help much )


thanks you

Re: Generate pkcs12 certificates from offical COMODO certs

Posted by Ognjen Blagojevic <og...@gmail.com>.

Frank,

On 15.2.2014 7:02, Frank BONNET wrote:
> seems to work without it !

I recommend that you always import intermediate certificates into the 
keystore. If you don't, some clients / web browsers will find a way to 
lookup for missing certificates, but others will fail.

Therefore, it is much better if you serve the complete chain (server 
certificate + intermediate certificates) to the client.

If you are not sure if certificate chain served to the clients is 
complete, there is plenty of on-line tools to check that for you.

-Ognjen

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Generate pkcs12 certificates from offical COMODO certs

Posted by Frank BONNET <fr...@esiee.fr>.

seems to work without it !
thanks

Envoyé de mon iPhone.


Le 14 févr. 2014 à 16:16, Ognjen Blagojevic
<og...@gmail.com> a écrit :

> Frank,
>
> On 14.2.2014 15:00, BONNET, Frank wrote:
>> the intermediate cert in the one named "chain" right ?
>
> Yes, it is usually named that way.
>
> -Ognjen
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Generate pkcs12 certificates from offical COMODO certs

Posted by Ognjen Blagojevic <og...@gmail.com>.

Frank,

On 14.2.2014 15:00, BONNET, Frank wrote:
> the intermediate cert in the one named "chain" right ?

Yes, it is usually named that way.

-Ognjen



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Generate pkcs12 certificates from offical COMODO certs

Posted by "BONNET, Frank" <fr...@esiee.fr>.

Hello Ognjen

the intermediate cert in the one named "chain" right ?


*Frank BONNET*

Systemes UNIX et Reseaux

ESIEE PARIS

01.45.92.66.17 - 06.70.37.37.69


2014-02-14 14:57 GMT+01:00 Ognjen Blagojevic <og...@gmail.com>
:

> Frank,
>
>
> On 14.2.2014 14:10, BONNET, Frank wrote:
>
>> I have officials certificates for apache2 from COMODO that I would like to
>> import into  tomcat (  pkcs12 ) if someone has links / infos to do this
>> task
>> it would be a great help ( google doesn't help much )
>>
>
> You didn't mention if you have any preference whether you want to use:
>
> i. BIO or NIO HTTPS connectors (based on JSSE), or
> ii. APR HTTPS connector (based on OpenSSL).
>
> Since you mentioned that you want to use PKCS#12 format, I guess you are
> interested in JSSE connectors. If you want to use APR, then the procedure
> is different then the one described here.
>
>
> Let's say that you have
>
> 1. Server key in file server.key
> 2. Server certificate in file server.pem
> 3. Intermediate certificates in file intermediates.pem
>
> Then, all you need to do is:
>
> openssl pkcs12 -export -out keystore.p12 -name myserver -in server.pem
> -inkey server.key -certfile intermediates.pem
>
>
> Note that it is not necessary that intermediates.pem contains root
> certificate.
>
>
> Then, configure HTTPS connector in conf/server.xml as
>
> <Connector port="443"
>            protocol="org.apache.coyote.http11.Http11Protocol"
>            SSLEnabled="true" maxThreads="150" scheme="https"
>            secure="true" clientAuth="false" sslProtocol="TLS"
>            keystoreFile="keystore.p12" keyAlias="myserver"
>            keystoreType="pkcs12" />
>
>
> I also recommend that if you check your ciphers strenth, and restrict them
> accordingly.
>
> -Ognjen
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: Generate pkcs12 certificates from offical COMODO certs

Posted by Ognjen Blagojevic <og...@gmail.com>.

Frank,

On 14.2.2014 14:10, BONNET, Frank wrote:
> I have officials certificates for apache2 from COMODO that I would like to
> import into  tomcat (  pkcs12 ) if someone has links / infos to do this task
> it would be a great help ( google doesn't help much )

You didn't mention if you have any preference whether you want to use:

i. BIO or NIO HTTPS connectors (based on JSSE), or
ii. APR HTTPS connector (based on OpenSSL).

Since you mentioned that you want to use PKCS#12 format, I guess you are 
interested in JSSE connectors. If you want to use APR, then the 
procedure is different then the one described here.

Let's say that you have

1. Server key in file server.key
2. Server certificate in file server.pem
3. Intermediate certificates in file intermediates.pem

Then, all you need to do is:

openssl pkcs12 -export -out keystore.p12 -name myserver -in server.pem 
-inkey server.key -certfile intermediates.pem

Note that it is not necessary that intermediates.pem contains root 
certificate.

Then, configure HTTPS connector in conf/server.xml as

<Connector port="443"
            protocol="org.apache.coyote.http11.Http11Protocol"
            SSLEnabled="true" maxThreads="150" scheme="https"
            secure="true" clientAuth="false" sslProtocol="TLS"
            keystoreFile="keystore.p12" keyAlias="myserver"
            keystoreType="pkcs12" />

I also recommend that if you check your ciphers strenth, and restrict 
them accordingly.

-Ognjen

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Generate pkcs12 certificates from offical COMODO certs

Posted by "BONNET, Frank" <fr...@esiee.fr>.

I need to convert/import from PEM format to P12

thanks





2014-02-14 14:14 GMT+01:00 Sanaullah <sa...@gmail.com>:

> Hi Frank,
>
> I am not expert with apache. can you please let me know which format of
> certificate you do have? pem, der, p12. and also in which format you would
> like to convert? or import
>
> Regards,
> Sanaullah
>
>
> On Fri, Feb 14, 2014 at 6:10 PM, BONNET, Frank <fr...@esiee.fr>wrote:
>
>> Hello
>>
>>
>> I have officials certificates for apache2 from COMODO that I would like to
>>
>> import into  tomcat (  pkcs12 ) if someone has links / infos to do this
>> task
>>
>> it would be a great help ( google doesn't help much )
>>
>>
>> thanks you
>>
>
>