Posted to users@tomcat.apache.org by Ken <ka...@pacific.net> on 2000/08/18 18:10:01 UTC

SSL and verisign certificates in tomcat standalone

Does tomcat support certificates for www.domainname.com domains signed
by verisign?
According to the jsse docs, it can, but has it been implemented into
tomcat?
I am trying to import an existing SSL certificate into keystore used by
tomcat. 
Here is what I am doing:

----import the certificate--------
keytool -import -file /usr/local/ssl/certs/www.domainname.com.cert
Trust this certificate? [no]:  yes
Certificate was added to keystore

------list keys in keystore file-------
keytool -list
Enter keystore password:  XXXXXXX
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry:
www.domainname.com, Thu Aug 17 16:42:03 PDT 2000, keyEntry,
Certificate fingerprint (MD5):
09:57:BC:20:77:F9:E4:5D:09:41:1F:59:32:82:DF:0E

-----------------------------------

Browser complains - "Netscape and this server cannot communicate
securely because they have no common encryption algorithms"

Do I need to generate a new certificate request with keytool?
Does Verisign sign keys generated with keytool -csr that are usable in
Tomcat?
Is there a doc on the exact syntax for this? 
Something like:
keytool -csr -alias www.mydomain.com -sigalg (is RSA an option here???)

Any ideas on the correct syntax or procedure would be appreciated
Thanks,
Ken

Re: SSL and verisign certificates in tomcat standalone

Posted by Ken <ka...@pacific.net>.
The problem:

Domain Name owners already have an investment in SSL certificates. I'd
hate for them to have to purchase new certificates for tomcat support. I
realize that running tomcat through apache works around the need for
tomcat to support SSL on its own, but then we face security issues with
virtual hosts on the same machine, running java processes as user
"nobody" or "www". This is why SuExec and other SetUID programs and
wrappers are in use on webservers for perl and other cgi processes.
Starting Tomcat standalone to support servlets in a standalone / per
username fashion will work better for us, until the security issues are
worked out.

I've tried the keytool -genkey -keyalg RSA, but genkey simply creates
self signed certs.
I've tried:
keytool -import -alias blah -file /usr/local/ssl/certs/www.domainname.com.cert
Enter keystore password:  foo
keytool error: Public keys in reply and keystore don't match

Is there any way to import existing RSA signed certificates into the
keystore, or do new certificate requests need to be generated first?

Any help on this one?
Thanks,
Ken



Philip Smith wrote:
> 
> Ken wrote:
> 
> > Does tomcat support certificates for www.domainname.com domains signed
> > by verisign?
> > According to the jsse docs, it can, but has it been implemented into
> > tomcat?
> > I am trying to import an existing SSL certificate into keystore used by
> > tomcat.
> > Here is what I am doing:
> >
> > ----import the certificate--------
> > keytool -import -file /usr/local/ssl/certs/www.domainname.com.cert
> > Trust this certificate? [no]:  yes
> > Certificate was added to keystore
> >
> > ------list keys in keystore file-------
> > keytool -list
> > Enter keystore password:  XXXXXXX
> > Keystore type: jks
> > Keystore provider: SUN
> > Your keystore contains 1 entry:
> > www.domainname.com, Thu Aug 17 16:42:03 PDT 2000, keyEntry,
> > Certificate fingerprint (MD5):
> > 09:57:BC:20:77:F9:E4:5D:09:41:1F:59:32:82:DF:0E
> >
> > -----------------------------------
> >
> > Browser complains - "Netscape and this server cannot communicate
> > securely because they have no common encryption algorithms"
> 
> This is usually because the certificate being presented to the browser has a key
> encrypted using DSA rather than RSA. When I have created certificates for
> my application I have used the "keytool -genkey -keyalg RSA option"
> options. I am not sure what you need to do when importing a certificate.
> 
> --
> Philip A. Smith         Imana, Inc.
> 415.437.1447 tel        480 Potrero Ave.
> 415.436.9793 fax        San Francisco, CA 94110
> philip@imana.com        http://www.imana.com

Re: SSL and verisign certificates in tomcat standalone

Posted by Philip Smith <ph...@imana.com>.

Ken wrote:

> Does tomcat support certificates for www.domainname.com domains signed
> by verisign?
> According to the jsse docs, it can, but has it been implemented into
> tomcat?
> I am trying to import an existing SSL certificate into keystore used by
> tomcat.
> Here is what I am doing:
>
> ----import the certificate--------
> keytool -import -file /usr/local/ssl/certs/www.domainname.com.cert
> Trust this certificate? [no]:  yes
> Certificate was added to keystore
>
> ------list keys in keystore file-------
> keytool -list
> Enter keystore password:  XXXXXXX
> Keystore type: jks
> Keystore provider: SUN
> Your keystore contains 1 entry:
> www.domainname.com, Thu Aug 17 16:42:03 PDT 2000, keyEntry,
> Certificate fingerprint (MD5):
> 09:57:BC:20:77:F9:E4:5D:09:41:1F:59:32:82:DF:0E
>
> -----------------------------------
>
> Browser complains - "Netscape and this server cannot communicate
> securely because they have no common encryption algorithms"

This is usually because the certificate being presented to the browser has a key
encrypted using DSA rather than RSA. When I have created certificates for
my application I have used the "keytool -genkey -keyalg RSA option"
options. I am not sure what you need to do when importing a certificate.

--
Philip A. Smith         Imana, Inc.
415.437.1447 tel        480 Potrero Ave.
415.436.9793 fax        San Francisco, CA 94110
philip@imana.com        http://www.imana.com
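What Tomcat's SSL connector needs is a single key entry holding the private key together with the certificate chain. `keytool -import` stores only certificates: under a new alias it adds a trusted certificate, and under the alias of an existing key pair it treats the file as a CA reply and refuses it if the reply was not issued for that key pair (the "Public keys in reply and keystore don't match" error in Ken's second post; the CSR subcommand is `keytool -certreq`). The program below is an added example, not code from the thread or from Tomcat: it takes an existing private key (PKCS#8 DER, e.g. from `openssl pkcs8 -topk8 -nocrypt -outform DER`) and its certificate chain, checks that the certificate really belongs to the key, prints the key algorithm so a DSA key (Philip's explanation of the browser error) is visible, and writes both as one key entry into a JKS keystore. The keystore path, password, alias and input file names are assumed command-line arguments.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate;   // shadows the deprecated java.security.Certificate
import java.security.spec.*;

/** Added example: store an existing private key and its CA-signed chain in a JKS keystore as
 *  one key entry. Paths, alias and password are command-line assumptions, not thread values. */
public class ImportKeyPair {
    /** Load a PKCS#8 DER private key (openssl pkcs8 -topk8 -nocrypt -outform DER), trying each algorithm. */
    static PrivateKey loadPkcs8(Path file) throws Exception {
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Files.readAllBytes(file));
        for (String alg : new String[] {"RSA", "EC", "DSA"}) {
            try { return KeyFactory.getInstance(alg).generatePrivate(spec); }
            catch (InvalidKeySpecException e) { /* not this algorithm, try the next */ }
        }
        throw new IllegalArgumentException("unsupported private key in " + file);
    }

    /** Sign a constructed message with the key, verify with the cert's public key: false is the
     *  situation behind keytool's "Public keys in reply and keystore don't match". */
    static boolean keyMatchesCert(PrivateKey key, PublicKey pub) throws Exception {
        if (!key.getAlgorithm().equals(pub.getAlgorithm())) return false;
        String alg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256with" + key.getAlgorithm();
        byte[] probe = "constructed probe message".getBytes("UTF-8");
        Signature s = Signature.getInstance(alg);
        s.initSign(key); s.update(probe);
        byte[] sig = s.sign();
        s.initVerify(pub); s.update(probe);   // a Signature object may be re-initialised for verification
        return s.verify(sig);
    }

    /** usage: ImportKeyPair <keystore.jks> <storepass> <alias> <key.pkcs8.der> <chain.pem> */
    public static void main(String[] args) throws Exception {
        Path ksFile = Paths.get(args[0]);
        char[] pass = args[1].toCharArray();
        PrivateKey key = loadPkcs8(Paths.get(args[3]));
        // PEM or DER; file order is kept, so the server certificate must come first, then its issuers
        Certificate[] chain = CertificateFactory.getInstance("X.509")
                .generateCertificates(new ByteArrayInputStream(Files.readAllBytes(Paths.get(args[4]))))
                .toArray(new Certificate[0]);
        if (chain.length == 0 || !keyMatchesCert(key, chain[0].getPublicKey()))
            throw new IllegalArgumentException("certificate in " + args[4] + " was not issued for this private key");
        System.out.println("key algorithm: " + key.getAlgorithm());   // DSA here explains the "no common algorithms" error
        KeyStore ks = KeyStore.getInstance("JKS");
        if (Files.exists(ksFile)) { try (InputStream in = Files.newInputStream(ksFile)) { ks.load(in, pass); } }
        else ks.load(null, null);   // start with an empty keystore
        ks.setKeyEntry(args[2], key, pass, chain);   // key password = store password, which Tomcat assumes unless keyPass is set
        try (OutputStream out = Files.newOutputStream(ksFile)) { ks.store(out, pass); }
    }
}
```

After the run, `keytool -list -v -keystore keystore.jks` should show the alias as a key entry with the full chain, which is what to check before pointing the Tomcat connector at the file.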