Posted to users@tomcat.apache.org by Hein Behrens <in...@curvaciones.com> on 2005/04/01 08:32:25 UTC

Re: SSL configuration question

I thought the two are not related; my key is stored in the Java keystore. I
did everything with keytool, part of Java.

Tomcat only needs the password and name.

The SSL certificate is not generated for or by tomcat.

Hein




----- Original Message ----- 
From: "Mikhail Kruk" <me...@cs.brandeis.edu>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Thursday, March 31, 2005 11:42 PM
Subject: RE: SSL configuration question


> > The certificate I imported was not self-signed (or should not be).  It is
> > what I received back from Entrust after submitting a CSR. It was already in
> > use on Apache before I decided not to use Apache anymore.  It worked before
> > on Apache. I shut down apache and was intending to use the cert on only
> > Tomcat.
>
> You can't easily import the certificate that was generated for Apache into
> Tomcat -- you need to have the private key part in your keystore and your
> private key is in your Apache.  There must be a way to get the key from
> Apache and move it to Tomcat, but I'm not sure what it is.
> This might help:
> http://kb.thawte.com/thawte/thawte/esupport.asp?id=vs24694
>
> >
> >
> > Thanks,
> > -Mark
> >
> >
> > -----Original Message-----
> > From: Sasisekar S Sundaram [mailto:sekarmdu@louisiana.edu]
> > Sent: Thursday, March 31, 2005 2:43 PM
> > To: Tomcat Users List
> > Subject: Re: SSL configuration question
> >
> > It shows both "issued to" and "issue by" because it is a self-signed
> > certificate. When you get your certificate authorized by someone like
> > verisign, and then import that certificate into your keystore, you'll get
> > "issued by" as that certifying authority's name.
> > ----- Original Message -----
> > From: "Faine, Mark" <Ma...@msfc.nasa.gov>
> > To: "'Tomcat Users List'" <to...@jakarta.apache.org>
> > Sent: Thursday, March 31, 2005 1:13 PM
> > Subject: RE: SSL configuration question
> >
> >
> > > Thanks, I tried that before and got a permission error, but it works now.
> > >
> > > -Mark
> > >
> > >
> > > -----Original Message-----
> > > From: Hein Behrens [mailto:info@curvaciones.com]
> > > Sent: Thursday, March 31, 2005 12:41 PM
> > > To: Tomcat Users List
> > > Subject: Re: SSL configuration question
> > >
> > > Answer to number 2 is edit your server.xml: change 8443 to 443 in the ssl
> > > section; also check that the normal port redirects to 443.
> > >
> > > Where you see 8443 change to 443.
> > >
> > > 2 changes in your server.xml.
> > >
> > >
> > > ----- Original Message -----
> > > From: "Faine, Mark" <Ma...@msfc.nasa.gov>
> > > To: <to...@jakarta.apache.org>
> > > Sent: Thursday, March 31, 2005 7:44 PM
> > > Subject: SSL configuration question
> > >
> > >
> > > > Solaris 8, Tomcat 5.0.28
> > > >
> > > > I've configured my tomcat installation with my SSL key from Entrust and it
> > > > is working (sort of).
> > > >
> > > > 1.  It is not correctly configured.  It shows my organization as both
> > > > "issued to" and "issue by" when I view the certificate information. Could
> > > > someone explain what I have done wrong and how to correct it?
> > > >
> > > > 2.  It must be run on port 8443 because I need to run it as a user other
> > > > than root.  How can I bypass this limitation and run it on the standard 443
> > > > port?
> > > >
> > > > Thanks,
> > > > -Mark
> > > >
> > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > > > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > > >


Re: SSL configuration question

Posted by Mikhail Kruk <me...@cs.brandeis.edu>.
> I thought the two are not related; my key is stored in the Java keystore. I
> did everything with keytool, part of Java.
> 
> Tomcat only needs the password and name.
> 
> The SSL certificate is not generated for or by tomcat.

Getting a valid certificate is a four-step process.
1) Generate private key (keytool -genkey)
	this puts a private key into your keystore. It's secret, hide it.
2) Generate certificate request (keytool -certreq)
	creates a file which contains information about you (common name,
	city, state etc) and the public key which corresponds to the private
	key from step 1
3) submit the request from step 2 to the authority (Thawte, Verisign...)
4) get signed certificate from the authority and import it into the
	keystore (keytool -import)

For step 4 to work correctly the keystore must contain the private key
from step 1.  You can't generate a private key in Apache and then import the
corresponding certificate into Tomcat -- you must first move the private
key from Apache to Tomcat.

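The step the thread leaves open, moving the key and certificate Apache used into a keystore Tomcat can load, as an added example that is not from anyone in this thread. It first checks that the certificate really belongs to the private key (the mismatch behind a cert that imports but cannot be served), then bundles both as PKCS12, which Tomcat's Connector reads with keystoreType="PKCS12" instead of a keytool -import round trip. It assumes OpenSSL is installed; the file names, the alias "tomcat" and the sample password are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: take the PEM private key and CA-signed
# certificate that Apache used and turn them into a keystore Tomcat can load,
# checking first that the two belong together. Assumes OpenSSL is installed;
# file names, the alias "tomcat" and the passwords are constructed.
set -eu

# Return 0 when the certificate's public key equals the public key derived
# from the private key, 1 when they differ, 2 when either file is unreadable.
# A cert imported without its matching key gives Tomcat nothing to serve with.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Bundle key + cert (+ optional CA chain) into PKCS12 under alias "tomcat".
# Tomcat reads the result directly when the Connector carries
# keystoreType="PKCS12", so no keytool -import round trip is needed.
# Usage: build_pkcs12 key.pem cert.pem out.p12 password [chain.pem]
build_pkcs12() {
    key="$1"; cert="$2"; out="$3"; pass="$4"; chain="${5:-}"
    if ! cert_matches_key "$cert" "$key"; then
        echo "refusing to export: $cert was not issued for the key in $key" >&2
        return 1
    fi
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -name tomcat -out "$out" -passout "pass:$pass"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -name tomcat -out "$out" -passout "pass:$pass"
    fi
    chmod 600 "$out"   # the file now holds the private key
}

# Stand-alone demo on constructed data: a throwaway key with a self-signed
# cert standing in for the Entrust-signed one, plus an unrelated second key.
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/a.key" -out "$d/a.crt" \
        -days 1 -subj "/CN=example.test" >/dev/null 2>&1
    openssl genrsa -out "$d/b.key" 2048 >/dev/null 2>&1
    cert_matches_key "$d/a.crt" "$d/a.key" && echo "a.key matches a.crt"
    cert_matches_key "$d/a.crt" "$d/b.key" || echo "b.key does not match a.crt"
    build_pkcs12 "$d/a.key" "$d/a.crt" "$d/tomcat.p12" changeit && echo "wrote $d/tomcat.p12"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Point the Connector's keystoreFile at the .p12, set keystorePass to the export password and keystoreType="PKCS12"; `keytool -list -storetype PKCS12 -keystore tomcat.p12` should then show the alias as a PrivateKeyEntry.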