Posted to users@tomcat.apache.org by Giulia Hill <gh...@library.berkeley.edu> on 2003/04/02 01:45:49 UTC
SSL problem
Following the How-to, I have almost successfully activated SSL on tomcat
4.1. The problem I'm having is that I can't load the Verisign certificate,
a certificate which I already have and that I'm using with Apache.
This is what I have done:
% keytool -genkey -alias tomcat -keyalg RSA -keystore ./.keystore
and entered the values of CN etc. as they appear also on the certificate
I have downloaded the verisign.crt from the site indicated on the docs
% keytool -import -alias root -keystore ./.keystore -trustcacerts -file verisign.crt
However if I use my certificate as it is, I get the error
% keytool -import -alias tomcat -keystore ./.keystore -trustcacerts -file sunsite2.crt
java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.at
sun.security.util.DerInputStream.getLength(DerInputStream.java:513)
I thought it could be that the certificate was not in X509 format, so I
have done the conversion as
% /opt/openssl-0.9.6b/apps/openssl x509 -outform DER -in sunsite2.crt -out sunsite2.X509.crt
But, when I try to load it into the keystore I get the error:
% keytool -import -alias tomcat -keystore ./.keystore -trustcacerts -file sunsite2.X509crt
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
What am I doing wrong? Generating a new certificate is not an option since
we have already paid for the current one, so I need to be able to use what
I already have
Thanks for your suggestions,
Giulia
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: SSL problem
Posted by Jan Fetyko <ja...@phase2online.com>.
Ramsay,
I have Apache 2.0.45 and Tomcat 4.1.24 working for unencrypted access, however I cannot get SSL to run as I need to.
For now I have set the server name to 127.0.0.1 and I followed the configuration you provided as far as it was similar to what I need.
When I use http to access the server, everything works fine and Tomcat serves the pages; I guess that means JK2 is working, right? But when I try https, I get an error that the connection ended unexpectedly (that's in Mozilla).
...and the following error is logged in mod_jk.log. Any ideas what that means?
[Tue Apr 08 12:54:16 2003] [jk_ajp_common.c (298)]: Error ajp_marshal_into_msgb - No such method g
BTW: I compiled mod_jk without any problems, but the above error is the same with the precompiled mod_jk also.
Thank you, you've been a great help.
Jf
Jan Fetyko
ScriptFighter
Phase 2 Development
4100 Perimeter Center, #310
Oklahoma City
OK 73112
email: janof@phase2online.com
(p) 405.917.3777
(p) direct line: 405.917.3779
(url) http://www.phase2online.com
"Oklahoma City's fastest growing web development company"
Today's "fortune":
'I don't believe in sweeping social change being manifested by one person, unless he has an atomic weapon.' -- Howard Chaykin
Re: SSL problem
Posted by Keith Brady <kb...@newbay.com>.
On Mon, 2003-04-07 at 15:14, Jan Fetyko wrote:
> Well, good question, but I'm not familiar with Apache + SSL - Tomcat configuration, and using only Tomcat seemed easier.
>
> Do you have any guidelines ?
> Is it hard, not hard ?
> I just don't know what it takes , so.....
They presumably want to know what server you are using so that they will
know what format your request will be in and what format to send back
the cert in (along with any other fiddly extensions needed etc.)
Assuming you are using the Sun JDK and so the Sun crypto providers you
should probably pick any option that says Java. You will presumably be
using the standard keytool to generate the keypair, prepare the keystore
and load the certificate.
cheers,
Keith
--
Keith Brady
NewBay Software
Re: SSL problem
Posted by Jan Fetyko <ja...@phase2online.com>.
Well, good question, but I'm not familiar with Apache + SSL - Tomcat configuration, and using only Tomcat seemed easier.
Do you have any guidelines ?
Is it hard, not hard ?
I just don't know what it takes , so.....
Jf
On Mon, 07 Apr 2003 14:50:26 +0100
Ramsay Domloge <rd...@arkemedia.com> wrote:
> I believe that this is something to do with support. If you use an
> opensource server such as Apache they tell you that they will not
> support you. So you probably want to go for the Apache option, since
> this most accurately describes your situation.
>
> Incidentally, why *aren't* you using Apache?
>
> Ramsay
Re: SSL problem
Posted by Ramsay Domloge <rd...@arkemedia.com>.
I believe that this is something to do with support. If you use an
opensource server such as Apache they tell you that they will not
support you. So you probably want to go for the Apache option, since
this most accurately describes your situation.
Incidentally, why *aren't* you using Apache?
Ramsay
Jan Fetyko wrote:
>Daniel,
>
>If I'm about to create a new cert. request to be submitted to Verisign, what signing type or whatever it's called should I request ? They are asking me for the Server type/version. I'm not sure what that has to do with anything, but you or somebody else might know.
>
>I'm using Tomcat, and they don't have it in the list.
>
>Thank you.
>
>
>Jf
============================================================================
A R K E M E D I A T E C H N O L O G I E S L T D
VIEW POINT BASING VIEW BASINGSTOKE HAMPSHIRE RG21 4RG
http://www.arkemedia.com
mailto:info@arkemedia.com
Tel : +44 1256 869 200 Fax : +44 1256 329 119
Re: SSL problem
Posted by Jan Fetyko <ja...@phase2online.com>.
Daniel,
If I'm about to create a new cert. request to be submitted to Verisign, what signing type or whatever it's called should I request ? They are asking me for the Server type/version. I'm not sure what that has to do with anything, but you or somebody else might know.
I'm using Tomcat, and they don't have it in the list.
Thank you.
Jf
--------------------------
It sounds to me like you are trying to generate a new key pair with
keytool and then use your existing certificate with that key pair.
Based on my understanding of the certificate process, that won't work.
Here is a very simplified view of what happens when you create a cert.
1. You (or your webserver) generate a public/private key pair.
2. You create a "certificate request" for a particular domain name
using the keys you generated in step 1. This certificate contains
the public key info.
3. You send the cert request off to a CA (like Verisign or Thawte)
and they "sign" your certificate request using _their_ key. At
this point the CA is stating that you are who your cert says you
are.
4. You then import the CA-signed certificate into your keystore (or
webserver). Clients (browsers, etc.) will accept your certificate
because they accept the root CA who signed your certificate.
So if you generate a new keypair, the new pair won't have _squat_ to
do with the pair that was used when you had your first certificate
created.
My understanding is that in order to re-use your existing certs, you
will need to be able to create a java keystore from your existing
private key and signed certificate. The cert you can export and then
re-import into a java keystore created via keytool, but I don't think
(could be wrong) keytool allows you to import a keypair from an
external source. You might be able to write some java code to do this but
it would be beyond me.
Two options... explain to verisign your situation and see if they will
re-issue the cert for a new key-pair. Or if you do have to buy a new
cert you might be able to get better prices from another CA. We are
using Thawte certificates with our tomcat SSL keystores.
Daniel
On 3 April 2003, Giulia Hill wrote:
> Jan,
>
> No, I haven't got anywhere yet with this. I have taken a look at the
> suggested pkcs12 http://www.openssl.org/docs/apps/pkcs12.html but that
> hasn't brought me that much further.
>
> I'll let you know if I find a solution, and, please, do likewise - surely
> I wouldn't want to buy a new certificate.
>
> Giulia
>
> > Are you getting somewhere with this issue? I have the same problem (I
> > need to use the certificate that was previously on Apache) and I'm at the
> > dead end as of now, hoping for a response from this list. Yes or No would
> > do also, but no response yet. :((
> >
> > Jf
> ----------------------------
> Giulia Hill
> Programmer/Analyst
> Library Systems Office
> University of California at Berkeley
> 386 Doe Annex
> Berkeley, CA 94720
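Daniel's four steps, worked through with Go's standard library as an added example (this is not code from the thread, from Tomcat or from keytool): the issued certificate carries the public key from the request, so it is bound to the key pair the request was built from, and a fresh keytool -genkey pair fails the step-4 check, which is what keytool reports as "Public keys in reply and keystore don't match". The "Demo Root CA", the hostname sunsite2.example and the 2048-bit keys are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Step 1: the server generates its key pair (what keytool -genkey or openssl does).
func newKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Step 2: the request carries only the PUBLIC half, signed by the private half
// as proof of possession; the private key never leaves the server.
func newCSR(priv *rsa.PrivateKey, host string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
}

// Self-signed root standing in for the commercial CA (constructed for the demo).
func newCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Step 3: the CA checks the request and signs a certificate with ITS key. The
// public key is copied from the CSR, so the certificate is bound to that key pair.
func caSign(csrDER []byte, caCert *x509.Certificate, caKey *rsa.PrivateKey) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// parseCert accepts PEM armor or raw DER. A DER-only parser fed PEM text fails on
// its first bytes ('-' is not a SEQUENCE tag), the kind of error keytool showed.
func parseCert(data []byte) (*x509.Certificate, error) {
	if bytes.HasPrefix(bytes.TrimSpace(data), []byte("-----BEGIN")) {
		block, _ := pem.Decode(data)
		if block == nil || block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("no CERTIFICATE block in PEM input")
		}
		data = block.Bytes
	}
	return x509.ParseCertificate(data)
}

// Step 4: the check a keystore makes before accepting a CA reply; keytool reports
// "Public keys in reply and keystore don't match" when it fails.
func keyMatchesCert(priv *rsa.PrivateKey, cert *x509.Certificate) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && pub.Equal(&priv.PublicKey)
}

func main() {
	caCert, caKey, _ := newCA()
	apacheKey, _ := newKeyPair() // the pair Apache has been using all along
	csr, _ := newCSR(apacheKey, "sunsite2.example")
	der, _ := caSign(csr, caCert, caKey) // the certificate that was paid for
	cert, _ := parseCert(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	freshKey, _ := newKeyPair() // what a new keytool -genkey produces
	fmt.Println("matches Apache key:", keyMatchesCert(apacheKey, cert)) // true
	fmt.Println("matches fresh key:", keyMatchesCert(freshKey, cert))   // false
}
```

Reusing the Apache certificate therefore means carrying the Apache private key along with it, which is what Mark's openssl pkcs12 route does rather than generating a second pair with keytool.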
Re: SSL problem
Posted by "Mark W. Webb" <ma...@dolphtech.com>.
PKCS12 is a certificate storage file type.
look at "openssl pkcs12"
Jan Fetyko wrote:
>Sorry for the dumb question but what is pkcs12? And how did you use the certificate files with that?
>
>Jf
>
>On Wed, 02 Apr 2003 10:34:34 -0500
>"Mark W. Webb" <ma...@dolphtech.com> wrote:
>
>
>
>>I ended up using a pkcs12 file instead of a java keystore. Not sure if
>>this helps, but it looks like you are using openssl, so you should be
>>able to use the openssl command line tools.
>>
>>Giulia Hill wrote:
>>
>>
>>
>>>Following the How-to, I have almost successfully activated SSL on tomcat
>>>4.1. The problem I'm having is that I can't load the Verisign certificate,
>>>a certificate which I already have and that I'm using with Apache.
>>>
>>>this is what I have done
>>>
>>>% keytool -genkey -alias tomcat -keyalg RSA -keystore ./.keystore
>>>and entered the values of CN etc. as they appear also on the certificate
>>>
>>>I have downloaded the verisign.crt from the site indicated on the docs
>>>% keytool -import -alias root -keystore ./.keystore -trustcacerts -file verisign.crt
>>>
>>>However if I use my certificate as it is, I get the error
>>>% keytool -import -alias tomcat -keystore ./.keystore -trustcacerts -file sunsite2.crt
>>>java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.at
>>>sun.security.util.DerInputStream.getLength(DerInputStream.java:513)
>>>
>>>I thougth it could be that the certificate was not in X509 format, so I
>>>have done the conversion as
>>>% /opt/openssl-0.9.6b/apps/openssl x509 -outform DER -in sunsite2.crt -out sunsite2.X509.crt
>>>
>>>But, when I try to load it into the keystore I get the error:
>>>% keytool -import -alias tomcat -keystore ./.keystore -trustcacerts -file sunsite2.X509crt
>>>keytool error: java.lang.Exception: Public keys in reply and keystore don't match
>>>
>>>What am I doing wrong? Generating a new certificate is not an option since
>>>we have already paid for the current one, so I need to be able to use what
>>>I already have
>>>
>>>Thank for your suggestions,
>>>
>>>Giulia
>>>
>>>
>>>---------------------------------------------------------------------
>>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>>>
>>>
>>>
>>>
>>>
>>--
>>Mark Webb
>>Software Engineer
>>Dolphin Technology
>>474 Phoenix Drive
>>Rome, NY 13441-4911
>>
>>Phone : 315.838.7000
>> : 315.838.7024
>>Fax : 315.838.7096
>>Email : mark@dolphtech.com
>>
>>
>>
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>>
>>
>>
>
>
>Jan Fetyko
>ScriptFighter
>Phase 2 Development
>4100 Perimeter Center, #310
>Oklahoma City
>OK 73112
>
>email: janof@phase2online.com
>(p) 405.917.3777
>(p) direct line: 405.917.3779
>(url) http://www.phase2online.com
>"Oklahoma City's fastest growing web development company"
>
>Today's "fortune":
>
>Kirk to Enterprise -- beam down yeoman Rand and a six-pack.
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
>
--
Mark Webb
Software Engineer
Dolphin Technology
474 Phoenix Drive
Rome, NY 13441-4911
Phone : 315.838.7000
: 315.838.7024
Fax : 315.838.7096
Email : mark@dolphtech.com
Re: SSL problem
Posted by Jan Fetyko <ja...@phase2online.com>.
Sorry for the dumb question, but what is pkcs12? And how did you use the certificate files with that?
Jf
On Wed, 02 Apr 2003 10:34:34 -0500
"Mark W. Webb" <ma...@dolphtech.com> wrote:
Jan Fetyko
ScriptFighter
Phase 2 Development
4100 Perimeter Center, #310
Oklahoma City
OK 73112
email: janof@phase2online.com
(p) 405.917.3777
(p) direct line: 405.917.3779
(url) http://www.phase2online.com
"Oklahoma City's fastest growing web development company"
Today's "fortune":
Kirk to Enterprise -- beam down yeoman Rand and a six-pack.
Re: SSL problem
Posted by "Mark W. Webb" <ma...@dolphtech.com>.
I ended up using a pkcs12 file instead of a java keystore. Not sure if
this helps, but it looks like you are using openssl, so you should be
able to use the openssl command line tools.
--
Mark Webb
Software Engineer
Dolphin Technology
474 Phoenix Drive
Rome, NY 13441-4911
Phone : 315.838.7000
: 315.838.7024
Fax : 315.838.7096
Email : mark@dolphtech.com
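Mark's suggestion in both of his replies (package the existing key and certificate with "openssl pkcs12" instead of importing into a JKS keystore) in working form, as an added example that is not from the thread. It first checks that the Apache certificate really belongs to the private key, which is the point behind the "Public keys in reply and keystore don't match" error: keytool -genkey created a brand-new key pair, so a certificate issued for the Apache key can never be its reply. File names, the password and the connector values are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the Apache key pair already
# in use: the unencrypted RSA private key (server.key) and the CA-issued
# PEM certificate (sunsite2.crt). Names and paths are assumptions.

# Compare the RSA modulus of the key and of the certificate. A mismatch
# means the certificate was issued for a different key (for example the
# fresh one keytool -genkey produced), so no keystore import can succeed.
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
key_matches_cert() {
    key="$1"; cert="$2"
    kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 2
    cmod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || return 2
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Bundle key + certificate (+ optional CA chain file) into a PKCS12 file.
# The friendly name (-name) becomes the entry alias Tomcat sees; "tomcat"
# mirrors the alias used with keytool in the thread. Refuses to build a
# bundle whose key and certificate do not belong together.
make_pkcs12() {
    key="$1"; cert="$2"; out="$3"; pass="$4"; chain="$5"
    key_matches_cert "$key" "$cert" || { echo "key/cert mismatch" >&2; return 1; }
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -name tomcat -inkey "$key" -in "$cert" \
            -certfile "$chain" -out "$out" -passout "pass:$pass"
    else
        openssl pkcs12 -export -name tomcat -inkey "$key" -in "$cert" \
            -out "$out" -passout "pass:$pass"
    fi
}

# Verify the bundle's integrity MAC and certificate part without
# writing the private key anywhere (returns 0 when the bundle is sound).
pkcs12_ok() {
    openssl pkcs12 -in "$1" -nokeys -noout -passin "pass:$2" 2>/dev/null
}

# Tomcat 4.1 server.xml fragment pointing at the bundle (assumed values):
#   <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
#              port="8443" scheme="https" secure="true">
#     <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
#              clientAuth="false" protocol="TLS"
#              keystoreFile="/etc/tomcat/sunsite2.p12" keystoreType="PKCS12"
#              keystorePass="changeit"/>
#   </Connector>
# Typical use:  make_pkcs12 server.key sunsite2.crt sunsite2.p12 changeit
```

The modulus comparison is RSA-specific, which matches the -keyalg RSA key in the thread; keep the .p12 file readable by the Tomcat user only, since it now carries the private key.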
Re: SSL problem
Posted by Jan Fetyko <ja...@phase2online.com>.
Are you getting anywhere with this issue? I have the same problem (I need to use the certificate that was previously on Apache) and I'm at a dead end as of now, hoping for a response from this list. A yes or no would do as well, but no response yet. :((
Jf
On Tue, 1 Apr 2003 15:45:49 -0800 (PST)
Giulia Hill <gh...@library.berkeley.edu> wrote:
Jan Fetyko
ScriptFighter
Phase 2 Development
4100 Perimeter Center, #310
Oklahoma City
OK 73112
email: janof@phase2online.com
(p) 405.917.3777
(p) direct line: 405.917.3779
(url) http://www.phase2online.com
"Oklahoma City's fastest growing web development company"
Today's "fortune":
Kirk to Enterprise -- beam down yeoman Rand and a six-pack.
Re: SSL problem
Posted by Giulia Hill <gh...@library.berkeley.edu>.
Jan,
No, I haven't got anywhere yet with this. I have taken a look at the
suggested pkcs12 http://www.openssl.org/docs/apps/pkcs12.html but that
hasn't brought me much further.
I'll let you know if I find a solution, and, please, do likewise - surely
I wouldn't want to buy a new certificate.
Giulia
=Are you getting somewhere with this issue ? I have the same problem ( I
=need to use
=the certificate that was previously on Apache ) and I'm at the dead end
=as of now,
=hoping for a response from this list. Yes or No would do also, but no
=response yet. :((
=Jf
On Tue, 1 Apr 2003, Giulia Hill wrote:
----------------------------
Giulia Hill
Programmer/Analyst
Library Systems Office
University of California at Berkeley
386 Doe Annex
Berkeley, CA 94720