Posted to users@tomcat.apache.org by Jin H <h_...@hotmail.com> on 2011/04/19 23:54:03 UTC

Need help with SSL Certificate install on Tomcat 6.0.29 APR.

Hi.  We are a school running Tomcat 6.0.29 on Windows Server 2003 with APR.  I currently have an SSL certificate installed.  I'm trying to update it with the renewed SSL certificate but I'm having no luck.

Here are the commands I used to create the CSR.

In the jdk1.6.0_17\bin folder I used this command:

keytool -certreq -keyalg RSA -alias alias2011 -file cert.csr -keystore key2011.key -keysize 2048

It then asks for a password, which I enter.

I generated the CSR and sent it to my SSL vendor.  They e-mailed my SSL certificate back to me.
But they told me that I had to install 2 intermediate certificate files.
I downloaded primary.crt and secondary.crt files from them.

I then ran this command to import the primary.crt:

keytool -import -trustcacerts -alias primary -keystore key2011.key -file primary.crt

Then the secondary.crt:

keytool -import -trustcacerts -alias secondary -keystore key2011.key -file secondary.crt

Finally the SSL certificate they e-mailed back:

keytool -import -trustcacerts -alias alias2011 -keystore key2011.key -file 2011.crt

After this I copied the key2011.key and 2011.crt to the root of Tomcat.

I edited server.xml to this:

<Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               SSLEnabled="true"
               SSLCertificateFile="${catalina.home}/2011.crt"
               SSLCertificateKeyFile="${catalina.home}/key2011.key"
               keystorePass="somethingkey"
               keyalias="alias2011"
               SSLPassword="somethingkey"/>

I didn't know the difference between SSLPassword and keystorePass, so I put both in there.
I never put a password in for my previous SSL certificate and it worked, so I'm confused why I have to put one in now.

BTW, here is the current server.xml that works with the about-to-expire SSL certificate.

<Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               SSLEnabled="true"
               SSLCertificateFile="${catalina.home}/hostname.crt"
               SSLCertificateKeyFile="${catalina.home}/hostname.key" />
Please help.  Thanks in advance.

Re: Need help with SSL Certificate install on Tomcat 6.0.29 APR.

Posted by Crypto Sal <cr...@gmail.com>.
Hi Jin,

In my experiences with the APR and Tomcat, you need to use 'OpenSSL' to
generate the keypair (CSR/key). I am fairly certain the APR can't read
Java Keystore files. You would only use a keystore (JKS) created with 'keytool'
with JSSE.

I think you have at least 2 options at this point:

1. Generate a new key pair with OpenSSL using the 'req' utility.
2. Export the new keystore that was created with 'keytool' to a PKCS12 file
and then use OpenSSL to create PEM key, certificate and certificate
authority files.

I would suggest you do #1 vs. #2, unless #2 costs you extra
money or you don't mind doing a little 'work'. :-P

--Crypto.Sal


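As an added example (this is not code from the thread or from the Tomcat project), here is option #1 from the reply above written out as a POSIX shell script, together with the two checks worth running before pointing the APR connector at the resulting PEM files: that the certificate really belongs to the private key, and that the issuer chain validates the server certificate. The host name ssl.example.edu, the scratch working directory and the throwaway test CA are constructed stand-ins for the real CSR/vendor exchange; the option #2 commands appear as comments only, since no JDK is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. Walks the OpenSSL route for a
# Tomcat APR connector and runs the checks that catch a key/cert mismatch
# or a broken issuer chain before Tomcat is restarted.
# Constructed assumptions: host name ssl.example.edu, a scratch WORKDIR, and
# a throwaway test CA standing in for the vendor's CA and intermediates.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Option 1 from the reply: key pair and CSR straight from OpenSSL, no JKS.
# -nodes leaves the key unencrypted, which is what a connector with no
# SSLPassword attribute expects. Encrypt it instead (drop -nodes, add
# -aes256) only if you will set SSLPassword to that passphrase.
gen_key_and_csr() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes -batch \
        -subj "/O=Example School/CN=$host" \
        -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.csr" 2>/dev/null
    # Show the subject so the admin can confirm what goes to the vendor.
    openssl req -in "$WORKDIR/$host.csr" -noout -subject
}

# Option 2 from the reply, for a key pair that already sits in a JKS file:
# export it to PKCS12 with keytool, then split it into PEM pieces. keytool
# is not run here (no JDK assumed), so these lines are for reference only.
#   keytool -importkeystore -srckeystore key2011.key -srcstoretype JKS \
#       -srcalias alias2011 -destkeystore key2011.p12 -deststoretype PKCS12
#   openssl pkcs12 -in key2011.p12 -nocerts -nodes -out tomcat.key
#   openssl pkcs12 -in key2011.p12 -nokeys -clcerts -out tomcat.crt
#   openssl pkcs12 -in key2011.p12 -nokeys -cacerts -out chain.crt

# Stand-in for the vendor: a self-signed test CA that signs the CSR.
make_test_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -batch -days 1 \
        -subj "/O=Example School/CN=Constructed Test CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

sign_csr_with_ca() {
    host="$1"
    openssl x509 -req -in "$WORKDIR/$host.csr" -days 1 \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -out "$WORKDIR/$host.crt" 2>/dev/null
}

# Check 1: the certificate must belong to the key. Comparing the RSA modulus
# of both is the classic test; a mismatch means the connector will not start
# with the new files, so catch it before touching server.xml.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -modulus | openssl sha256)
    if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Check 2: the issuer must validate the server certificate. Here the CA file
# is the self-signed test root. With a real vendor chain, pass the
# concatenated intermediates with -untrusted and the vendor root with -CAfile.
verify_chain() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

demo() {
    host=ssl.example.edu
    gen_key_and_csr "$host"
    make_test_ca
    sign_csr_with_ca "$host"
    echo "key/cert: $(key_matches_cert "$WORKDIR/$host.key" "$WORKDIR/$host.crt")"
    echo "chain:    $(verify_chain "$WORKDIR/$host.crt" "$WORKDIR/ca.crt")"
    echo "files written to $WORKDIR"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl CLI not found; nothing to check" >&2
fi
```

Once both checks pass, the files map onto the Tomcat 6 APR connector as SSLCertificateFile (the server certificate), SSLCertificateKeyFile (the private key) and SSLCertificateChainFile (the vendor's intermediates concatenated into one PEM file), with SSLPassword set only when the key is encrypted. keystorePass and keyAlias are JSSE connector attributes and are ignored by the APR connector, which is why the original poster's working configuration never needed them.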

On 04/19/2011 05:54 PM, Jin H wrote:




Re: Need help with SSL Certificate install on Tomcat 6.0.29 APR.

Posted by Igor Cicimov <ic...@gmail.com>.
So why did you enter a password when you created the CSR if you don't want it?

On Apr 20, 2011 7:54 AM, "Jin H" <h_...@hotmail.com> wrote: