Posted to users@tomcat.apache.org by "J.V." <jv...@gmail.com> on 2012/09/20 21:28:52 UTC
need help: how to Tomcat self signed cert?
I am generating a self-signed cert using OpenSSL with the following
command:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out ca.crt
I accept all the defaults when prompted except for 'Common Name' and
enter my IP address there.
This generates: ca.crt
I then export this to a ca.p12 with:
$ openssl pkcs12 -export -in ca.crt -inkey privateKey.key -out ca.p12
I then copy this file to $TOMCAT_HOME/conf/a.keystore
Then I run this command
$ openssl pkcs12 -in ca.p12 -out ca.pem -clcerts -nokeys -nodes
and copy this to $TOMCAT_HOME/conf/ca.pem
Before doing this, I remove some junk at the top of the file before
---BEGIN CERTIFICATE ----
---
I then modify my server.xml and open port 8443 and point to the
a.keystore file.
This seems to work OK.
However when I generate a.keystore and ca.pem using BouncyCastle, the
certs do not seem to work but I have all the same settings. When
generating in pure Java, I am required to install the JCE to generate
the keys. I am not sure why openssl does not require some download or
license to generate the RSA keys and why it lets me generate with a key
size of 2048 without some sort of extension (openssl must have some
export controls, correct?)
My first question is:
1) Why does the first method (using openssl) work? Would I not need to
apply JCE to my local jdk/jre when running Tomcat for the certs to work?
2) What is wrong with generating the keys in Java?
I am essentially following this:
http://blog.thilinamb.com/2010/01/how-to-generate-self-signed.html
Except there is no keystore to initially load so I skipped that part.
Any help on generating a self-signed cert in Java that would mirror the
openssl generation would be greatly appreciated.
J.V.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
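
The openssl steps from the message above, collected into one script as an added example (not part of the original post). The address 192.0.2.10, the password "changeit", the alias "tomcat" and the req.cnf file are assumptions; the subjectAltName entry is an addition, since clients connecting by IP address compare against an IP subjectAltName rather than the Common Name alone.

```shell
#!/bin/sh
# Added example, not the poster's code. Constructed values: IP, password,
# alias "tomcat", req.cnf. Usage: make_tomcat_p12 ./out 192.0.2.10 changeit

make_tomcat_p12() {
    dir=$1 ip=$2 pass=$3
    mkdir -p "$dir" || return 1
    # Request config: CN as in the post, plus the IP as a subjectAltName.
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $ip
[v3]
subjectAltName = IP:$ip
EOF
    # Self-signed cert and unencrypted 2048-bit RSA key, valid 365 days.
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -config "$dir/req.cnf" -keyout "$dir/privateKey.key" \
        -out "$dir/ca.crt" 2>/dev/null || return 1
    chmod 600 "$dir/privateKey.key"
    # Bundle key and cert into the PKCS#12 file used as the keystore.
    openssl pkcs12 -export -in "$dir/ca.crt" -inkey "$dir/privateKey.key" \
        -name tomcat -passout "pass:$pass" -out "$dir/a.keystore" || return 1
    # Certificate only, no key. Piping through x509 drops the
    # "Bag Attributes" lines that pkcs12 prints above the PEM block.
    openssl pkcs12 -in "$dir/a.keystore" -passin "pass:$pass" \
        -clcerts -nokeys 2>/dev/null | openssl x509 -out "$dir/ca.pem"
}

# SHA-256 fingerprint of a certificate file.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Succeeds when the private key and the certificate hold the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}
```

The two checks confirm that the keystore, the original certificate and the exported PEM all describe the same key pair before any of them is copied into $TOMCAT_HOME/conf.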
Re: need help: how to Tomcat self signed cert?
Posted by Mark Thomas <ma...@apache.org>.
Which HTTP connector are you using?
Mark
"J.V." <jv...@gmail.com> wrote:
>I am generating a self-signed cert using OpenSSL with the following
>command:
>
>openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out ca.crt
>
>I accept all the defaults when prompted except for 'Common Name' and
>enter my IP address there.
>
>This generates: ca.crt
>
>I then export this to a ca.p12 with:
>$ openssl pkcs12 -export -in ca.crt -inkey privateKey.key -out ca.p12
>
>I then copy this file to $TOMCAT_HOME/conf/a.keystore
>
>Then I run this command
>$ openssl pkcs12 -in ca.p12 -out ca.pem -clcerts -nokeys -nodes
>
>and copy this to $TOMCAT_HOME/conf/ca.pem
>
>Before doing this, I remove some junk at the top of the file before
>---BEGIN CERTIFICATE ----
>
>---
>I then modify my server.xml and open port 8443 and point to the
>a.keystore file.
>
>This seems to work OK.
>
>However when I generate a.keystore and ca.pem using BouncyCastle, the
>certs do not seem to work but I have all the same settings. When
>generating in pure Java, I am required to install the JCE to generate
>the keys. I am not sure why openssl does not require some download or
>license to generate the RSA keys and why it lets me generate with a key
>size of 2048 without some sort of extension (openssl must have some
>export controls, correct?)
>
>My first question is:
>
>1) Why does the first method (using openssl) work? Would I not need to
>apply JCE to my local jdk/jre when running Tomcat for the certs to
>work?
>
>2) What is wrong with generating the keys in Java?
>I am essentially following this:
>http://blog.thilinamb.com/2010/01/how-to-generate-self-signed.html
>
>Except there is no keystore to initially load so I skipped that part.
>
>Any help on generating a self-signed cert in Java that would mirror the
>openssl generation would be greatly appreciated.
>
>J.V.