Posted to users@tomcat.apache.org by Geet Chandra <ge...@gmail.com> on 2012/01/28 15:22:33 UTC
How to configure certificate file (*.cer) in Tomcat 6
Hi,
My requirement is how to configure a *.cer in Tomcat's server.xml file.
Actually, I don't want to use the "keytool -import" command to import the *.cer
file into a *.keystore file.
Is it possible to configure a *.cer file without using the "keytool
-import" command?
Appreciate your help.
--
Thanks & Regards
Geet
Re: How to configure certificate file (*.cer) in Tomcat 6
Posted by Pid <pi...@pidster.com>.
On 02/02/2012 05:06, Geet Chandra wrote:
> Thanks Dale!!!
Please stop top-posting. Please post your reply below each relevant
part of the previous email.
> Few more questions
Like this.
> 1. I have exported the *.cer using the Digital Badge in Internet
> Explorer. Can I use the same *.cer to configure server.xml? If not, how
> can I generate the same file.
Huh?
http://www.google.co.uk/search?q=digital+badge
p
> 2. How can I generate the ca2cert.pem file to use in server.xml?
>
> On Thu, Feb 2, 2012 at 10:04 AM, Dale Ogilvie <Da...@trimble.com> wrote:
>
>> FYI, Here's how we did it with APR for local workstation SSL.
>>
>> Download APR from here: http://tomcat.apache.org/download-native.cgi
>>
>> Copy the files (openssl.exe and tc-native.dll) into the tomcat bin
>> directory
>>
>> Set up your SSL connector, pointing to your CA signed server
>> SSLCertificateFile and the CA as SSLCACertificateFile:
>>
>> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>> maxThreads="150" scheme="https" secure="true"
>> clientAuth="false" sslProtocol="TLS"
>> SSLCertificateFile="c:/temp/localhost.cer"
>> SSLCACertificateFile="c:/temp/ca2cert.pem"
>> />
>>
>> -----Original Message-----
>> From: Geet Chandra [mailto:geetcs@gmail.com]
>> Sent: Thursday, 2 February 2012 3:05 p.m.
>> To: Tomcat Users List
>> Subject: Re: How to configure certificate file (*.cer) in Tomcat 6
>>
>> Thanks Chris!!!
>>
>> Please tell steps to configure *.cer certificate file.
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>
>
--
[key:62590808]
Re: How to configure certificate file (*.cer) in Tomcat 6
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Geet,
On 2/2/12 12:06 AM, Geet Chandra wrote:
> Thanks Dale!!!
>
> Few more questions
>
> 1. I have exported the *.cer using the Digital Badge in
> Internet Explorer. Can I use the same *.cer to configure
> server.xml? If not, how can I generate the same file.
>
> 2. How can I generate the ca2cert.pem file to use in server.xml?
http://lmgtfy.com/?q=convert+cer+to+pem
- -chris
PS lmgtfy needs a site like lmlmgtfy so I don't have to type so much.
Re: How to configure certificate file (*.cer) in Tomcat 6
Posted by Geet Chandra <ge...@gmail.com>.
Thanks Dale!!!
Few more questions
1. I have exported the *.cer using the Digital Badge in Internet
Explorer. Can I use the same *.cer to configure server.xml? If not, how
can I generate the same file.
2. How can I generate the ca2cert.pem file to use in server.xml?
On Thu, Feb 2, 2012 at 10:04 AM, Dale Ogilvie <Da...@trimble.com> wrote:
> FYI, Here's how we did it with APR for local workstation SSL.
>
> Download APR from here: http://tomcat.apache.org/download-native.cgi
>
> Copy the files (openssl.exe and tc-native.dll) into the tomcat bin
> directory
>
> Set up your SSL connector, pointing to your CA signed server
> SSLCertificateFile and the CA as SSLCACertificateFile:
>
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS"
> SSLCertificateFile="c:/temp/localhost.cer"
> SSLCACertificateFile="c:/temp/ca2cert.pem"
> />
>
> -----Original Message-----
> From: Geet Chandra [mailto:geetcs@gmail.com]
> Sent: Thursday, 2 February 2012 3:05 p.m.
> To: Tomcat Users List
> Subject: Re: How to configure certificate file (*.cer) in Tomcat 6
>
> Thanks Chris!!!
>
> Please tell steps to configure *.cer certificate file.
>
>
>
>
>
--
Thanks & Regards
Geet
Re: How to configure certificate file (*.cer) in Tomcat 6
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Dale,
On 2/1/12 11:34 PM, Dale Ogilvie wrote:
> FYI, Here's how we did it with APR for local workstation SSL.
>
> Download APR from here:
> http://tomcat.apache.org/download-native.cgi
Nit: that's tcnative, not APR. tcnative requires APR, but they are
separate things.
> Copy the files (openssl.exe and tc-native.dll) into the tomcat
> bin directory
Note that you'll also need libapr.dll.
Also, I believe you'll have to set
"-Djava.library.path=%CATALINA_BASE%\bin", otherwise the JVM won't
find the libraries.
> Set up your SSL connector, pointing to your CA signed server
> SSLCertificateFile and the CA as SSLCACertificateFile:
>
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true" clientAuth="false"
> sslProtocol="TLS" SSLCertificateFile="c:/temp/localhost.cer"
> SSLCACertificateFile="c:/temp/ca2cert.pem" />
Just make sure that everything is in PEM form.
- -chris
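Chris's two pointers in this thread (convert the .cer to PEM, and make sure everything the APR/OpenSSL connector reads is in PEM form), as an added example that is not code from the thread: a small Python tool that tells a binary DER *.cer from a PEM one and re-wraps it as PEM, rejecting truncated or padded files. SAMPLE_DER is a constructed stand-in, not a real certificate; a *.cer exported from Internet Explorer is usually DER, which is what the short-form case below handles.

```python
"""Normalise a certificate file to PEM for Tomcat's APR/OpenSSL connector.
PEM is just the DER bytes, base64-encoded in 64-column lines between
BEGIN/END CERTIFICATE markers, so the conversion needs no OpenSSL."""
import base64
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_length(data: bytes) -> int:
    """Total encoded size of the outer DER SEQUENCE (an X.509 Certificate is
    always a SEQUENCE, tag 0x30). Raises ValueError on a malformed header."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected tag 0x30)")
    first = data[1]
    if first < 0x80:                 # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                 # long form: n more length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("invalid DER length encoding")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def is_pem(data: bytes) -> bool:
    """True if the file already carries a PEM CERTIFICATE block."""
    return PEM_BEGIN.encode() in data


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block, refusing truncated or
    padded input (the declared DER length must equal the file size)."""
    if der_length(der) != len(der):
        raise ValueError("DER length does not match file size")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block found in PEM text."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)


def to_pem(data: bytes) -> str:
    """Accept DER or PEM file contents and return clean PEM text. PEM input
    is decoded and re-wrapped, which also validates its base64 and header."""
    if is_pem(data):
        return der_to_pem(pem_to_der(data.decode("ascii")))
    return der_to_pem(data)


# Constructed sample: a 10-byte DER SEQUENCE standing in for a certificate.
# It is NOT a real X.509 certificate; real ones are ~1 KB and use the long
# length form (e.g. 30 82 03 2A ...), which der_length() also handles.
SAMPLE_DER = bytes([0x30, 0x08, 0x02, 0x01, 0x01, 0x05, 0x00, 0x02, 0x01, 0x02])

if __name__ == "__main__":
    print(to_pem(SAMPLE_DER), end="")
```

Run it over the real localhost.cer and ca2cert.pem before pointing SSLCertificateFile and SSLCACertificateFile at them; a file that raises here is not one OpenSSL will load either.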
RE: How to configure certificate file (*.cer) in Tomcat 6
Posted by Dale Ogilvie <Da...@trimble.com>.
FYI, Here's how we did it with APR for local workstation SSL.
Download APR from here: http://tomcat.apache.org/download-native.cgi
Copy the files (openssl.exe and tc-native.dll) into the tomcat bin
directory
Set up your SSL connector, pointing to your CA signed server
SSLCertificateFile and the CA as SSLCACertificateFile:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
SSLCertificateFile="c:/temp/localhost.cer"
SSLCACertificateFile="c:/temp/ca2cert.pem"
/>
-----Original Message-----
From: Geet Chandra [mailto:geetcs@gmail.com]
Sent: Thursday, 2 February 2012 3:05 p.m.
To: Tomcat Users List
Subject: Re: How to configure certificate file (*.cer) in Tomcat 6
Thanks Chris!!!
Please tell steps to configure *.cer certificate file.
Re: How to configure certificate file (*.cer) in Tomcat 6
Posted by Geet Chandra <ge...@gmail.com>.
Thanks Chris!!!
Please tell steps to configure *.cer certificate file.
On Wed, Feb 1, 2012 at 2:18 AM, Christopher Schultz <chris@christopherschultz.net> wrote:
>
> Geet,
>
> On 1/29/12 11:42 PM, Geet Chandra wrote:
> >> Actually I don't want to use "keytool -import" command to import
> >> the *.cer file into *.keystore file.
> >>
> >>> Any particular reason for your preference?
> >
> > - The customer has got very secure environment...they don't want to
> > use the *.keystore being shipped with particular product.
>
> You can create your own keystore. Just remember that it has to have
> the server key as well as the certificate itself.
>
> >> - I am using Tomcat 6.x, J2EE based web application on Windows
> >> 2003 64 bit R2, SP2 OS.
>
> Very secure environment, eh?
>
> > Is it possible to configure like this
> >
> > <Connector port="8446" maxHttpHeaderSize="8192"
> > protocol="org.apache.coyote.http11.Http11Protocol"
> > SSLEnabled="true" maxThreads="150" minSpareThreads="25"
> > maxSpareThreads="75" enableLookups="false"
> > disableUploadTimeout="true" acceptCount="100" scheme="https"
> > secure="true" clientAuth="want" sslProtocol="TLS"
> > keystoreFile="c:/tomcat.keystore" truststoreFile ="C:/user.cer"
>
> It doesn't work that way. I think the only trust store types usable by
> Tomcat are "JKS" which are those that "keytool" creates and maintains.
>
> > Please let me know the correct syntax to configure "user.cer" in
> > server.xml
>
> You'll have to use APR (which uses OpenSSL) in order to use bare
> certificate files like that.
>
> - -chris
>
>
>
--
Thanks & Regards
Geet
Re: How to configure certificate file (*.cer) in Tomcat 6
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Geet,
On 1/29/12 11:42 PM, Geet Chandra wrote:
>> Actually I don't want to use "keytool -import" command to import
>> the *.cer file into *.keystore file.
>>
>>> Any particular reason for your preference?
>
> - The customer has got very secure environment...they don't want to
> use the *.keystore being shipped with particular product.
You can create your own keystore. Just remember that it has to have
the server key as well as the certificate itself.
>> - I am using Tomcat 6.x, J2EE based web application on Windows
>> 2003 64 bit R2, SP2 OS.
Very secure environment, eh?
> Is it possible to configure like this
>
> <Connector port="8446" maxHttpHeaderSize="8192"
> protocol="org.apache.coyote.http11.Http11Protocol"
> SSLEnabled="true" maxThreads="150" minSpareThreads="25"
> maxSpareThreads="75" enableLookups="false"
> disableUploadTimeout="true" acceptCount="100" scheme="https"
> secure="true" clientAuth="want" sslProtocol="TLS"
> keystoreFile="c:/tomcat.keystore" truststoreFile ="C:/user.cer"
It doesn't work that way. I think the only trust store types usable by
Tomcat are "JKS" which are those that "keytool" creates and maintains.
> Please let me know the correct syntax to configure "user.cer" in
> server.xml
You'll have to use APR (which uses OpenSSL) in order to use bare
certificate files like that.
- -chris
Re: How to configure certificate file (*.cer) in Tomcat 6
Posted by Ognjen Blagojevic <og...@gmail.com>.
On 30.1.2012 12:44, Geet Chandra wrote:
> 1. By "*.keystore", do you mean keystore or truststore? Do you understand
> the difference between them?
> - Could you please explain the difference.
Google is your friend:
http://stackoverflow.com/questions/318441/truststore-and-keystore-definitions
> 2. Is your customer aware that there is no essential difference in terms of
> security between the JSSE and OpenSSL security implementations?
>
> - They may not be, but I shall get confirmation from them.
Ok, do that. Then inform us whether they are still insisting on not using JSSE.
> 3. Do you plan to use client authentication via HTTPS or not? You are
> mentioning truststoreFile later.
> - Yes customer wants to use client authentication.
How did your customer generate client certificates? Do you have those
certificates? You will need them in order to add them to
truststoreFile/SSLCACertificatePath.
> 4. Is your server certificate self signed or signed by trusted CA? If you
> don't use client authentication using HTTPS, and your server is signed by
> trusted CA, perhaps there is no need to ship certificate with your
> application.
> - It is self signed.
If you need non-interactive server authentication, you will most
probably need to export the server certificate and distribute it with your
application, or make it available for download to the clients.
The server certificate may be inside a truststore or a .crt file; the client
technology should dictate which.
-Ognjen
Re: How to configure certificate file (*.cer) in Tomcat 6
Posted by Geet Chandra <ge...@gmail.com>.
Thanks Ognjen!
Please find my inline comments.
1. By "*.keystore", do you mean keystore or truststore? Do you understand
the difference between them?
- Could you please explain the difference.
2. Is your customer aware that there is no essential difference in terms of
security between the JSSE and OpenSSL security implementations?
- They may not be, but I shall get confirmation from them.
3. Do you plan to use client authentication via HTTPS or not? You are
mentioning truststoreFile later.
- Yes customer wants to use client authentication.
4. Is your server certificate self signed or signed by trusted CA? If you
don't use client authentication using HTTPS, and your server is signed by
trusted CA, perhaps there is no need to ship certificate with your
application.
- It is self signed.
On Mon, Jan 30, 2012 at 5:06 PM, Ognjen Blagojevic <ognjen.d.blagojevic@gmail.com> wrote:
> Geet,
>
> Bottom-posting style is standard on this list
> (http://en.wikipedia.org/wiki/Posting_style#Bottom-posting).
>
>
>
> On 30.1.2012 5:42, Geet Chandra wrote:
>
>> - The customer has got very secure environment...they don't want to use
>> the
>> *.keystore being shipped
>> with particular product.
>>
>
> Uhm... lots of questions here:
>
> 1. By "*.keystore", do you mean keystore or truststore? Do you understand
> the difference between them?
>
> 2. Is your customer aware that there is no essential difference in terms of
> security between the JSSE and OpenSSL security implementations?
>
> 3. Do you plan to use client authentication via HTTPS or not? You are
> mentioning truststoreFile later.
>
> 4. Is your server certificate self signed or signed by trusted CA? If you
> don't use client authentication using HTTPS, and your server is signed by
> trusted CA, perhaps there is no need to ship certificate with your
> application.
>
>
>
> Is it possible to configure like this
>>
>> <Connector port="8446" maxHttpHeaderSize="8192"
>> protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
>> maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>> enableLookups="false" disableUploadTimeout="true"
>> acceptCount="100" scheme="https" secure="true"
>> clientAuth="want" sslProtocol="TLS"
>> keystoreFile="c:/tomcat.keystore"
>> truststoreFile ="C:/user.cer"
>> />
>> @END_ENABLESTANDALONEHTTPS@-->
>>
>
> No.
>
> Parameters keystoreFile and truststoreFile are to be used with Java
> keystores. For .cer files (OpenSSL) you must use APR connector and SSL*
> attributes. See:
>
> http://tomcat.apache.org/tomcat-6.0-doc/apr.html#HTTPS
>
> -Ognjen
>
>
>
--
Thanks & Regards
Geet
Re: How to configure certificate file (*.cer) in Tomcat 6
Posted by Ognjen Blagojevic <og...@gmail.com>.
Geet,
Bottom-posting style is standard on this list
(http://en.wikipedia.org/wiki/Posting_style#Bottom-posting).
On 30.1.2012 5:42, Geet Chandra wrote:
> - The customer has got very secure environment...they don't want to use the
> *.keystore being shipped
> with particular product.
Uhm... lots of questions here:
1. By "*.keystore", do you mean keystore or truststore? Do you
understand the difference between them?
2. Is your customer aware that there is no essential difference in terms
of security between the JSSE and OpenSSL security implementations?
3. Do you plan to use client authentication via HTTPS or not? You are
mentioning truststoreFile later.
4. Is your server certificate self signed or signed by trusted CA? If
you don't use client authentication using HTTPS, and your server is
signed by trusted CA, perhaps there is no need to ship certificate with
your application.
> Is it possible to configure like this
>
> <Connector port="8446" maxHttpHeaderSize="8192"
> protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
> maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> enableLookups="false" disableUploadTimeout="true"
> acceptCount="100" scheme="https" secure="true"
> clientAuth="want" sslProtocol="TLS"
> keystoreFile="c:/tomcat.keystore"
> truststoreFile ="C:/user.cer"
> />
> @END_ENABLESTANDALONEHTTPS@-->
No.
Parameters keystoreFile and truststoreFile are to be used with Java
keystores. For .cer files (OpenSSL) you must use APR connector and SSL*
attributes. See:
http://tomcat.apache.org/tomcat-6.0-doc/apr.html#HTTPS
-Ognjen
Re: How to configure certificate file (*.cer) in Tomcat 6
Posted by Geet Chandra <ge...@gmail.com>.
My requirement is how to configure a *.cer in Tomcat's server.xml file.
You mean you want to set up a connector that uses SSL?
- Yes
Actually, I don't want to use the "keytool -import" command to import the
*.cer file into a *.keystore file.
Any particular reason for your preference?
- The customer has got a very secure environment... they don't want to use the
*.keystore being shipped with a particular product.
You're not really giving us much information to go on. What version of
Tomcat? Java? Operating system?
- I am using Tomcat 6.x with a J2EE-based web application on Windows 2003 64-bit
R2, SP2 OS.
Is it possible to configure it like this:
<Connector port="8446" maxHttpHeaderSize="8192"
protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="want" sslProtocol="TLS"
keystoreFile="c:/tomcat.keystore"
truststoreFile ="C:/user.cer"
/>
@END_ENABLESTANDALONEHTTPS@-->
Please let me know the correct syntax to configure "user.cer" in server.xml.
On Sat, Jan 28, 2012 at 10:17 PM, Pid <pi...@pidster.com> wrote:
> On 28/01/2012 14:22, Geet Chandra wrote:
> > Hi,
> >
> > My requirement is how to configure a *.cer in Tomcat's server.xml file.
>
> You mean you want to set up a connector that uses SSL?
>
>
> > Actually, I don't want to use the "keytool -import" command to import the
> > *.cer file into a *.keystore file.
>
> Any particular reason for your preference?
>
>
> > Is it possible to configure a *.cer file without using the "keytool
> > -import" command?
>
> You can configure SSL using either JSSE/keystore or OpenSSL and .crt/.pem.
>
>
> > Appreciate your help.
>
> You're not really giving us much information to go on. What version of
> Tomcat? Java? Operating system?
>
>
> p
>
>
> --
>
> [key:62590808]
>
>
--
Thanks & Regards
Geet
Re: How to configure certificate file (*.cer) in Tomcat 6
Posted by Pid <pi...@pidster.com>.
On 28/01/2012 14:22, Geet Chandra wrote:
> Hi,
>
> My requirement is how to configure a *.cer in Tomcat's server.xml file.
You mean you want to set up a connector that uses SSL?
> Actually, I don't want to use the "keytool -import" command to import the *.cer
> file into a *.keystore file.
Any particular reason for your preference?
> Is it possible to configure a *.cer file without using the "keytool
> -import" command?
You can configure SSL using either JSSE/keystore or OpenSSL and .crt/.pem.
> Appreciate your help.
You're not really giving us much information to go on. What version of
Tomcat? Java? Operating system?
p
--
[key:62590808]