Posted to users@tomcat.apache.org by Lyallex <ly...@gmail.com> on 2017/04/04 19:11:02 UTC

renewing an ssl certificate

Tomcatters

After some sterling support from this list a while ago which included
a code change I have been successfully running
Apache Tomcat 7.0.70 stand alone (no httpd front end) with SSL/TLS for
a year now without problems, it just works, it never falls over
and it has withstood some concerted attacks by all sorts of
scallywags. Impressive.

It is now time to renew my ssl certificate and I'm getting a bit jumpy.

I managed to get everything working first time around following the docs at
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#General_Tips_on_Running_SSL

According to my service provider (comodo) I have to submit a new
certificate signing request which (I think) means creating a self
signed certificate.
Will this mess up my existing cert? It still has 10 days to go.

Is the process the same as installing first time or are there some
gotchas I need to be aware of?

Thanks, nervously
Lyallex

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: renewing an ssl certificate

Posted by Lyallex <ly...@gmail.com>.
On 6 April 2017 at 14:18, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> Lyallex,
>
> On 4/6/17 5:52 AM, Lyallex wrote:
>> I get a zipped archive from Comodo containing individual files but
>> I'll look into pem files
>
> Oh, those individual files *are* the PEM files.

Er

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
www_mydomain_com.crt

> LE is the answer.

I run a commercial site, and getting security warnings because a CA is
not recognised by the browser/user agent is not an option. I run about
20 different browsers/versions on several platforms, which is about the
limit for us (Americans would call us a 'mom and pop shop'). I'll read up
on LE and find out what they call themselves (the 'CA name' I guess), then
check to see how many of my browsers know about them.

Primitive maybe, but it's what I got.

Thanks for the info
Lyallex



Re: renewing an ssl certificate

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Lyallex,

On 4/6/17 5:52 AM, Lyallex wrote:
> I get a zipped archive from Comodo containing individual files but 
> I'll look into pem files

Oh, those individual files *are* the PEM files.

>> Come to this year's ApacheCon NA in Miami. There will be a few
>> talks about TLS, including one on the basics and another one on
>> using Let's Encrypt to get free automated certs so you never have
>> to manually do this process ever again -- unless you want an EV
>> cert ;)
> 
> Love to, but I'm in the UK.

Plenty of folks from Europe (sorry... Mighty Independent Britain, I
guess) are coming to the conference. There's also an EU conference
(almost) every year.

> I delegate payment to a service provider, the only external
> resource I use, so I don't store users financial data, just makes
> life simpler and means I don't really need an EV cert.

Cool. In that case, consider moving to Let's Encrypt. 100% free and
they *force* you to automate.

> Despite their vehement denial, https is a ranking signal to
> Google, maybe it would be nice if they offered a free basic ssl
> cert so small businesses like mine don't have to pay over GBP 100
> inc VAT every year.

LE is the answer.

-chris



Re: renewing an ssl certificate

Posted by Lyallex <ly...@gmail.com>.
On 6 April 2017 at 00:42, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> Lyallex,
>
> On 4/4/17 3:11 PM, Lyallex wrote:
>> After some sterling support from this list a while ago which
>> included a code change I have been successfully running Apache
>> Tomcat 7.0.70 stand alone (no httpd front end) with SSL/TLS for a
>> year now without problems, it just works, it never falls over and
>> it has withstood some concerted attacks by all sorts of scallywags.
>> Impressive.
>
> Great! Time to upgrade to Tomcat 8! It's really not bad at all. If you
> have a testing environment, I think you'll be able to do it in about
> 30 minutes. After you do it once, it'll take you more like 5 minutes.

Already running on my dev and stage boxes.

<snip>

> It should be that simple every time. Again, always keep a backup...

All I do is create a brand new keystore in a new location and do
everything from there. When I'm happy I simply change the location of
the keystore in the relevant connector in conf/server.xml and restart
Tomcat. If it all goes belly up I simply change the config to point to
the old keystore.

Of course this only works if you don't leave everything to the last
minute and the old cert times out :-)

<snip>

>
> When you are using PEM files, it's very clear what everything is, and,
> if you have a one-PEM-file-to-rule-them-all, then you can at least see
> everything labelled appropriately with a simple text editor. You can
> also get your private key out of the bundle without resorting to
> chicanery.

I get a zipped archive from Comodo containing individual files but
I'll look into pem files

> Come to this year's ApacheCon NA in Miami. There will be a few talks
> about TLS, including one on the basics and another one on using Let's
> Encrypt to get free automated certs so you never have to manually do
> this process ever again -- unless you want an EV cert ;)

Love to, but I'm in the UK.
I delegate payment to a service provider, the only external resource I
use, so I don't store users' financial data. It just makes life simpler
and means I don't really need an EV cert.

Despite their vehement denial, https is a ranking signal to Google,
maybe it would be nice if they offered a free basic ssl cert so small
businesses like mine don't have to pay over GBP 100 inc VAT every
year.

I won't hold my breath.

Thanks for taking the time to reply
Lyallex



[OT] Re: renewing an ssl certificate

Posted by Olaf Kock <to...@olafkock.de>.
Am 06.04.2017 um 01:42 schrieb Christopher Schultz:
> Great! Time to upgrade to Tomcat 8! It's really not bad at all. If you
> have a testing environment, I think you'll be able to do it in about
> 30 minutes. After you do it once, it'll take you more like 5 minutes.
>
*Everybody* has a testing environment. Some of us are lucky in that they
have a completely independent production environment.

(Sorry, I can't attribute this any better than "Source: Internet", saw
it in some conference presentation slides)



Re: renewing an ssl certificate

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Lyallex,

On 4/4/17 3:11 PM, Lyallex wrote:
> After some sterling support from this list a while ago which
> included a code change I have been successfully running Apache
> Tomcat 7.0.70 stand alone (no httpd front end) with SSL/TLS for a
> year now without problems, it just works, it never falls over and
> it has withstood some concerted attacks by all sorts of scallywags.
> Impressive.

Great! Time to upgrade to Tomcat 8! It's really not bad at all. If you
have a testing environment, I think you'll be able to do it in about
30 minutes. After you do it once, it'll take you more like 5 minutes.

> It is now time to renew my ssl certificate and I'm getting a bit
> jumpy.

No sweat.

> I managed to get everything working first time around following the
> docs at 
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#General_Tips_on_Running_SSL
>
>  According to my service provider (comodo) I have to submit a new 
> certificate signing request which (I think) means creating a self 
> signed certificate.
> 
> Will this mess up my existing cert? It still has 10 days to go.

That depends upon exactly how you do things.

> Is the process the same as installing first time or are there some 
> gotchas I need to be aware of?

I would start from scratch every time. Here's why:

1. Java keystores are ... an abomination. The less you have to mess
with them, the better.

2. In the unlikely event that your private key has been compromised
(e.g. someone broke into your server and copied it off there).

3. For conversations that aren't using "forward security", the RSA
private key is the master key to all of those conversations. If
someone (e.g. US-NSA) has compromised your private key and is recording
all your conversations with your clients, then a compromised key means
a compromise of all of those conversations, past or future. Generating
a new private key limits the amount of damage that can be caused by
this kind of compromise.

4. If you break something, you'll have the old keystore as a backup
and can roll-back immediately without worrying if you have broken
anything in the original keystore. (Of course, you could just make a
backup copy of the keystore, but this start-fresh process has a
built-in backup, so you don't have to remember it.)

> [From a followup post]
> 
> actually all I was asking was 'is it possible to use an existing
> keystore (and therefore an existing private key) to install a new
> certification chain?'

You can, but see above.

> In the end I created a brand new keystore, generated a new private
> key and CSR, submitted the CSR to Comodo then installed the new
> chain when it arrived. Then I simply switched the server
> (../conf/server.xml) to look at the new keystore and it just
> worked. Result.

It should be that simple every time. Again, always keep a backup...
just in case.

> I was under the impression the certs were 'installed' in the
> keystore but I don't think this is right so now I have to figure
> out where they are as I'd like to remove the old ones. Every time I
> mess about with this SSL/TLS stuff I age several years :-)

This is the thing about Java keystores: they merge concepts together
in a way that I dislike. If you crack-open your keystore, you'll end
up finding the following:

1. a private key
2. a self-signed certificate
3. the CA-signed certificate
4. the CA's intermediate certificate (usually)

But "keytool" makes it look like #1 and #2 are the same thing.

When you are using PEM files, it's very clear what everything is, and,
if you have a one-PEM-file-to-rule-them-all, then you can at least see
everything labelled appropriately with a simple text editor. You can
also get your private key out of the bundle without resorting to
chicanery.

Come to this year's ApacheCon NA in Miami. There will be a few talks
about TLS, including one on the basics and another one on using Let's
Encrypt to get free automated certs so you never have to manually do
this process ever again -- unless you want an EV cert ;)

-chris

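The "start from scratch" renewal that Chris recommends and Lyallex describes (new keystore, new private key and CSR, import the CA reply, then repoint the HTTPS connector in conf/server.xml and keep the old config so rollback is a one-line change), written out as an added example. This is not code from the thread or from the Tomcat project. My assumptions: the key entry is aliased "tomcat", the CA reply arrives as the four .crt files Lyallex listed, the connector carries a keystoreFile="..." attribute as in the Tomcat 7 SSL HOW-TO, and the passwords, paths, DN and constructed server.xml fragment are placeholders. Only the config swap needs nothing but POSIX sh; the keytool steps run only when keytool is on PATH, and install_chain needs a real CA reply, so it is defined here but not invoked.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: alias "tomcat", constructed paths,
# placeholder password "changeit", .crt file names as listed in the thread.
set -eu

# Step 1: a brand new keystore with a fresh private key, and a CSR for the CA.
# Nothing here touches the keystore the live connector is still using.
make_csr() {
    ks=$1 pass=$2 dname=$3 csr=$4
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 30 -dname "$dname" \
        -keystore "$ks" -storepass "$pass" -keypass "$pass"
    keytool -certreq -alias tomcat -keystore "$ks" -storepass "$pass" -file "$csr"
}

# Step 2: install the CA reply. Root and intermediates get their own aliases;
# the server cert is imported under the *key* alias, which is what replaces the
# self-signed certificate with the CA-signed chain (Chris's items 2 to 4).
install_chain() {
    ks=$1 pass=$2
    keytool -importcert -noprompt -trustcacerts -alias addtrustroot \
        -file AddTrustExternalCARoot.crt -keystore "$ks" -storepass "$pass"
    keytool -importcert -noprompt -trustcacerts -alias comodorsa \
        -file COMODORSAAddTrustCA.crt -keystore "$ks" -storepass "$pass"
    keytool -importcert -noprompt -trustcacerts -alias comododv \
        -file COMODORSADomainValidationSecureServerCA.crt -keystore "$ks" -storepass "$pass"
    keytool -importcert -noprompt -trustcacerts -alias tomcat \
        -file www_mydomain_com.crt -keystore "$ks" -storepass "$pass"
    # Check before repointing Tomcat: the key entry must now carry a chain, not one cert.
    keytool -list -v -alias tomcat -keystore "$ks" -storepass "$pass" | grep 'Certificate chain length'
}

# Step 3: the connector swap. Prints the keystoreFile value(s) currently in the config.
current_keystore() {
    sed -n 's|.*keystoreFile="\([^"]*\)".*|\1|p' "$1"
}

# Rewrites every keystoreFile="..." in the config (a commented-out connector would
# be rewritten too), keeping the previous config as <conf>.bak for rollback.
# Refuses to switch to a keystore Tomcat could not open. The new path must not
# contain '|' or '&', which sed would misread.
switch_keystore() {
    conf=$1 new_ks=$2
    [ -r "$new_ks" ] || { echo "refusing to switch: $new_ks is not readable" >&2; return 1; }
    cp "$conf" "$conf.bak"
    sed "s|keystoreFile=\"[^\"]*\"|keystoreFile=\"$new_ks\"|" "$conf.bak" > "$conf"
    # In real life a Tomcat restart follows here (bin/shutdown.sh && bin/startup.sh).
}

# Step 4: rollback is just the old config back in place, then restart again.
rollback() {
    mv "$1.bak" "$1"
}

# Demonstration on a constructed server.xml fragment in a scratch directory.
work=$(mktemp -d)
cat > "$work/server.xml" <<'EOF'
<!-- constructed fragment in the shape of the Tomcat 7 conf/server.xml HTTPS connector -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/opt/tomcat/ssl/keystore-2016.jks" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />
EOF
: > "$work/keystore-2017.jks"   # stand-in for the keystore built in steps 1 and 2
switch_keystore "$work/server.xml" "$work/keystore-2017.jks"
echo "connector now uses: $(current_keystore "$work/server.xml")"
rollback "$work/server.xml"
echo "after rollback:     $(current_keystore "$work/server.xml")"
if command -v keytool >/dev/null 2>&1; then
    make_csr "$work/new.jks" changeit "CN=www.mydomain.com,O=Example,C=GB" "$work/new.csr"
    echo "CSR written to $work/new.csr"
fi
rm -rf "$work"
```

The readability check in switch_keystore is the cheap version of what Lyallex relies on: the old keystore stays untouched on disk, so a typo in the new path or a half-copied file fails before the config changes rather than at the next Tomcat start, and the .bak copy means rollback never depends on remembering to back up the keystore itself.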


Re: renewing an ssl certificate

Posted by Lyallex <ly...@gmail.com>.
Drat ... missed the list

Martin

Thank you for your comprehensive reply ...
actually all I was asking was 'is it possible to use an existing keystore
(and therefore an existing private key) to install a new certification
chain?'

In the end I created a brand new keystore, generated a new private key and
CSR, submitted the CSR to Comodo then installed the new chain when it
arrived. Then I simply switched the server (../conf/server.xml) to look at
the new keystore and it just worked. Result.

I was under the impression the certs were 'installed' in the keystore but
I don't think this is right so now I have to figure out where they are as
I'd like to remove the old ones. Every time I mess about with this SSL/TLS
stuff I age several years :-)

Thanks again

On 4 April 2017 at 22:21, Martin Gainty <mg...@hotmail.com> wrote:

> I don't know who from the list said you could replace a valid SSL
> Certificate (that has since expired)
>
> with a self-signed but they are wrong
>
>
> you are MUCH better off by purchasing a valid Thawte/Verisign Certificate
> with public keys signed by a Certificate Authority which will be recognised by
> ALL browsers
>
>
> Mucking around with create-your-own self-signed certs will lead you to
> justifiable grief and aggravation
>
> First step is to create a CSR for X509 (named)certs embedded in pfx
>
> https://en.wikipedia.org/wiki/X.509
>
> the pfx  will contain Asymmetric private/public keys:
>
> https://www.ciphercloud.com/blog/cloud-information-protection-symmetric-vs-asymmetric-encryption/
>
> first step is to send the CSR to your CA provider Verisign or Thawte
>
> https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=INFO227
>
>
>
> yes you can create self-signed certs but CHROME stops transmission when
> they do not recognise certifying authority
> https://www.ibm.com/support/knowledgecenter/SSCP65_5.0.0/com.ibm.rational.rrdi.admin.doc/topics/t_browser_ss_cert.html
>
>
> Let me know if you need further assistance
>
> Martin
> ------------------------------
> *From:* Lyallex <ly...@gmail.com>
> *Sent:* Tuesday, April 4, 2017 3:11 PM
> *To:* Tomcat Users List
> *Subject:* renewing an ssl certificate
>
> Tomcatters
>
> After some sterling support from this list a while ago which included
> a code change I have been successfully running
> Apache Tomcat 7.0.70 stand alone (no httpd front end) with SSL/TLS for
> a year now without problems, it just works, it never falls over
> and it has withstood some concerted attacks by all sorts of
> scallywags. Impressive.
>
> It is now time to renew my ssl certificate and I'm getting a bit jumpy.
>
> I managed to get everything working first time around following the docs at
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#General_Tips_on_Running_SSL
>
>
>
> According to my service provider (comodo) I have to submit a new
> certificate signing request which (I think) means creating a self
> signed certificate.
> Will this mess up my existing cert? It still has 10 days to go.
>
> Is the process the same as installing first time or are there some
> gotchas I need to be aware of?
>
> Thanks, nervously
> Lyallex