Posted to users@tomcat.apache.org by "James H. H. Lampert" <ja...@touchtonecorp.com> on 2013/09/10 19:12:04 UTC

Using a P7B certificate file

We have a customer that wants to apply an existing multi-domain 
certificate to the tomcat server in our application.

The only thing is, all we've seen is a P7B file, not a keystore, and we 
don't even know what sort of keystore they used to generate the original 
CSR.

The only time a similar situation came up in the past was when somebody 
jumped the gun, and assumed that since the Tomcat server was running on 
an AS/400, it would use keystores and certificates created through IBM's 
Digital Certificate Manager, in IBM's proprietary format. All I can say 
about that is that I hope they either got their money back for the 
totally unusable keystore, or got credit on the correct one. Needless to 
say, we generally take full control of certificate installation, in 
order to reduce the potential for expensive mistakes.

At any rate, what can be done with this customer who wants to use their 
multi-domain certificate in Tomcat?

--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Using a P7B certificate file

Posted by Christopher Schultz <ch...@christopherschultz.net>.

James,

On 9/13/13 5:29 PM, James H. H. Lampert wrote:
> On 9/11/13 5:22 AM, Christopher Schultz wrote:
>> Okay, great: you have a chain of certificates and could, with a
>> bit of effort, convert that into a Java keystore or a PEM-encoded
>> file for use with OpenSSL (and httpd, tcnative, etc.).
>> 
>> Without the private key, though, you aren't going to get very
>> far. Go back to the client and tell them that you need that,
>> too.
> 
> FINALLY!
> 
> (And this is why we discourage our customers from building their
> own keystores: there's enough chance of screwing it up if I do it,
> and I've done it a few times; unless the customer has a Tomcat
> expert on staff, they're going to be as lost as I was the first
> time.)

Well, one could argue that the server key really is the key to the
kingdom, so exercising a certain amount of caution about sharing it
around is appropriate in general. It sounds like this wasn't a
security consideration, though, but basic incompetence on their part.

> We got the customer to send us the originating keystore (on the
> second try!), and the non-default password for it, and I managed to
> marry it to the signed certificate in the P7B file, and get it
> installed (screwing up the syntax of server.xml, the first time I
> tried to adjust it from our choice of keystore name and alias to
> their choices and their non-default password), and finally managed
> to get it to come up.
> 
> Thanks, Mr. Schultz, et al. You were more helpful than you might
> realize.

Uh.. sure! I suspect I just confirmed something that you already knew:
you didn't have everything you needed to do the job you were asked to do.

-chris



Re: Using a P7B certificate file

Posted by "James H. H. Lampert" <ja...@touchtonecorp.com>.
On 9/11/13 5:22 AM, Christopher Schultz wrote:
> Okay, great: you have a chain of certificates and could, with a bit of
> effort, convert that into a Java keystore or a PEM-encoded file for
> use with OpenSSL (and httpd, tcnative, etc.).
>
> Without the private key, though, you aren't going to get very far. Go
> back to the client and tell them that you need that, too.

FINALLY!

(And this is why we discourage our customers from building their own 
keystores: there's enough chance of screwing it up if I do it, and I've 
done it a few times; unless the customer has a Tomcat expert on staff, 
they're going to be as lost as I was the first time.)

We got the customer to send us the originating keystore (on the second 
try!), and the non-default password for it, and I managed to marry it to 
the signed certificate in the P7B file, and get it installed (screwing 
up the syntax of server.xml, the first time I tried to adjust it from 
our choice of keystore name and alias to their choices and their 
non-default password), and finally managed to get it to come up.

Thanks, Mr. Schultz, et al. You were more helpful than you might realize.

--
James H. H. Lampert
Touchtone Corporation



RE: Using a P7B certificate file

Posted by Prashant Shinde <pr...@hoonartek.com>.
Hi 

I am getting following error when I try with wget

OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.


Thanks & Regards,

Prashant Shinde
Senior Consultant
Hoonar Tekwurks Consulting LLP
email: prashant.shinde@hoonartek.com | cell: +91 98220 38097| desk: +91 20 4900 5204


-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: 11 September 2013 14:22
To: Tomcat Users List
Subject: Re: Using a P7B certificate file


James,

On 9/10/13 6:50 PM, James H. H. Lampert wrote:
> On 9/10/13 2:19 PM, Christopher Schultz wrote:
>> "P7B" is otherwise known as a PKCS#7 file and usually contains a 
>> certificate. Does the file contain *only* a certificate, or does it 
>> also contain the key that was used to generate the CSR? If you have 
>> the cert but not the key, you won't be able to use it for serving 
>> HTTPS.
>> 
>> Let's start with what you've actually got. You said you have a file. 
>> What's in the file?
> 
> Well, from what little I'd read, "A P7B file only contains 
> certificates and chain certificates, not the private key." (from
> <https://www.sslshopper.com/ssl-converter.html>)
> 
> Is there a way it *can* contain the private key as well?
> 
> At any rate, it contains the typical unintelligible block of 
> characters between "BEGIN PKCS7" and "END PKCS7" marks, 98 lines of
> 64 characters and a 99th line of 4 characters, approximately 6kb. I 
> did a bit of futzing around with it, found I could use "keychain 
> access" on my Mac to import it into an empty "keychain" file for 
> inspection, and I found that it appears to contain a root 
> certificate, an intermediate certificate, and the signed SSL 
> certificate. Looking at it with the corresponding utility on my 
> WinDoze box gives the same result. Unless you know of something else 
> that can inspect a P7B file, I'm guessing that it's just a reply to a 
> CSR, waiting to be installed in the originating keystore.

You could use OpenSSL to inspect it, but I suspect it would give you the same result.

Okay, great: you have a chain of certificates and could, with a bit of effort, convert that into a Java keystore or a PEM-encoded file for use with OpenSSL (and httpd, tcnative, etc.).

Without the private key, though, you aren't going to get very far. Go back to the client and tell them that you need that, too.

-chris



Re: Using a P7B certificate file

Posted by Christopher Schultz <ch...@christopherschultz.net>.

James,

On 9/10/13 6:50 PM, James H. H. Lampert wrote:
> On 9/10/13 2:19 PM, Christopher Schultz wrote:
>> "P7B" is otherwise known as a PKCS#7 file and usually contains a 
>> certificate. Does the file contain *only* a certificate, or does
>> it also contain the key that was used to generate the CSR? If you
>> have the cert but not the key, you won't be able to use it for
>> serving HTTPS.
>> 
>> Let's start with what you've actually got. You said you have a
>> file. What's in the file?
> 
> Well, from what little I'd read, "A P7B file only contains
> certificates and chain certificates, not the private key." (from 
> <https://www.sslshopper.com/ssl-converter.html>)
> 
> Is there a way it *can* contain the private key as well?
> 
> At any rate, it contains the typical unintelligible block of
> characters between "BEGIN PKCS7" and "END PKCS7" marks, 98 lines of
> 64 characters and a 99th line of 4 characters, approximately 6kb. I
> did a bit of futzing around with it, found I could use "keychain
> access" on my Mac to import it into an empty "keychain" file for
> inspection, and I found that it appears to contain a root
> certificate, an intermediate certificate, and the signed SSL
> certificate. Looking at it with the corresponding utility on my
> WinDoze box gives the same result. Unless you know of something
> else that can inspect a P7B file, I'm guessing that it's just a
> reply to a CSR, waiting to be installed in the originating
> keystore.

You could use OpenSSL to inspect it, but I suspect it would give you
the same result.

Okay, great: you have a chain of certificates and could, with a bit of
effort, convert that into a Java keystore or a PEM-encoded file for
use with OpenSSL (and httpd, tcnative, etc.).

Without the private key, though, you aren't going to get very far. Go
back to the client and tell them that you need that, too.

-chris

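Added example, not code from the thread or from Tomcat itself: the OpenSSL inspection Chris suggests in the message above, and the "marry the signed certificate to the originating key" step James describes in his 9/13 message, as one POSIX shell script. No real customer material can be embedded here, so the script first constructs its own root, intermediate and multi-domain leaf certificate and bundles them into a PEM "BEGIN PKCS7" reply the way a CA would; example.test, the file names and the password changeit are assumptions made for the example. It then answers the questions the thread circles around: how many certificates the P7B holds and for which names, whether a private key is in there (PKCS#7 SignedData carries only certificates and CRLs, so the answer is always no; a bundle that also carries the key is PKCS#12, .p12/.pfx), whether the leaf certificate actually belongs to the private key you were handed, and finally packs key plus chain into a PKCS#12 keystore that Tomcat's JSSE connector can load directly.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat. Builds a throw-away
# root -> intermediate -> multi-domain leaf PKI, bundles the certificates as a
# PEM "BEGIN PKCS7" reply the way a CA would, and runs the checks that matter
# before server.xml is touched. example.test, the file names and the password
# "changeit" are assumptions made for this example.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# ---- constructed test PKI, standing in for the customer's CA ---------------
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'subjectAltName=DNS:www.example.test,DNS:example.test,DNS:mail.example.test\n' > leaf.ext
newkey() {   # newkey "<CN>" <basename>  ->  <basename>.key and <basename>.csr
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null
}
newkey "Example Root CA" root
openssl x509 -req -days 1 -in root.csr -signkey root.key -extfile ca.ext -out root.crt 2>/dev/null
newkey "Example Intermediate CA" int
openssl x509 -req -days 1 -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out int.crt 2>/dev/null
# server.key is the "originating" private key: the part a P7B never contains.
newkey "www.example.test" server
openssl x509 -req -days 1 -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -extfile leaf.ext -out server.crt 2>/dev/null
# The CA's reply: a P7B holding leaf + intermediate + root, in no guaranteed order.
openssl crl2pkcs7 -nocrl -certfile server.crt -certfile int.crt -certfile root.crt -out reply.p7b

# ---- inspection helpers (these are what you would run on a real P7B) -------
# Emit the certificates in a PKCS#7 bundle as PEM, whether the file is PEM or DER.
p7b_to_pem() {
    if grep -q 'BEGIN PKCS7' "$1"; then inform=PEM; else inform=DER; fi
    openssl pkcs7 -inform "$inform" -in "$1" -print_certs
}
# Number of certificates in the bundle.
p7b_cert_count() { p7b_to_pem "$1" | grep -c 'BEGIN CERTIFICATE' || true; }
# PKCS#7 SignedData carries certificates and CRLs only; key + certificates in one
# file would be PKCS#12 (.p12/.pfx). Prints "yes" only if a PEM key block is present.
p7b_has_private_key() { if grep -q 'PRIVATE KEY' "$1"; then echo yes; else echo no; fi; }
# Split the bundle into cert-1.pem, cert-2.pem, ... in the current directory.
p7b_split() {
    p7b_to_pem "$1" | awk '/BEGIN CERTIFICATE/{n++}
                            /BEGIN CERTIFICATE/,/END CERTIFICATE/{print > ("cert-" n ".pem")}'
}
# File name of the end-entity certificate: the one without CA:TRUE.
leaf_cert() {
    for f in cert-*.pem; do
        openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE' || { echo "$f"; return 0; }
    done
    return 1
}
# Subject Alternative Names of a certificate: the list that makes it "multi-domain".
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
# The "marry" check: the certificate's public key must equal the private key's public half.
key_matches_cert() {   # key_matches_cert cert.pem key.pem
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
# Key + full chain in one PKCS#12, loadable by Tomcat with keystoreType="PKCS12".
build_pkcs12() {   # build_pkcs12 key.pem chain.pem out.p12 password
    openssl pkcs12 -export -inkey "$1" -in "$2" -name tomcat -out "$3" -passout "pass:$4"
}
p12_cert_count() {   # p12_cert_count file.p12 password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true
}

# ---- the walk-through -------------------------------------------------------
openssl pkcs7 -in reply.p7b -print_certs -noout                # subject=/issuer= per certificate
echo "certificates in reply: $(p7b_cert_count reply.p7b)"      # 3
echo "private key in reply:  $(p7b_has_private_key reply.p7b)" # no (and never yes for a P7B)
p7b_split reply.p7b
LEAF=$(leaf_cert)
echo "leaf: $LEAF  SANs: $(cert_sans "$LEAF")"
key_matches_cert "$LEAF" server.key || { echo "server.key does NOT belong to $LEAF" >&2; exit 1; }
p7b_to_pem reply.p7b > chain.pem                               # PEM chain for httpd/tcnative
build_pkcs12 server.key chain.pem tomcat.p12 changeit          # keystore for the JSSE connector
echo "tomcat.p12 holds $(p12_cert_count tomcat.p12 changeit) certificates and 1 key"
```

To use the result, the HTTPS connector in server.xml needs keystoreFile pointing at tomcat.p12, keystoreType="PKCS12", keystorePass equal to the export password and keyAlias equal to the -name given to openssl pkcs12 (tomcat here); a mismatch in any of these is the kind of server.xml error James mentions. If the customer's key already lives in a JKS and the P7B is the CA's reply to a CSR generated from it, skip the conversion and install the reply onto the existing key entry with keytool -importcert -keystore their.jks -alias <the CSR's alias> -file reply.p7b, importing the root as a trusted entry first so keytool can establish the chain; keytool refuses a reply that belongs to a different key, which is the same check key_matches_cert performs with OpenSSL. One caveat: OpenSSL 3 writes PKCS#12 files with AES and PBKDF2 by default, which old JDKs of the kind a 2013 Tomcat ran on cannot read; if keytool -list rejects the file, re-export with -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1.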


Re: Using a P7B certificate file

Posted by "James H. H. Lampert" <ja...@touchtonecorp.com>.
On 9/10/13 2:19 PM, Christopher Schultz wrote:
> "P7B" is otherwise known as a PKCS#7 file and usually contains a
> certificate. Does the file contain *only* a certificate, or does it
> also contain the key that was used to generate the CSR? If you have
> the cert but not the key, you won't be able to use it for serving HTTPS.
>
> Let's start with what you've actually got. You said you have a file.
> What's in the file?

Well, from what little I'd read, "A P7B file only contains certificates 
and chain certificates, not the private key." (from 
<https://www.sslshopper.com/ssl-converter.html>)

Is there a way it *can* contain the private key as well?

At any rate, it contains the typical unintelligible block of characters 
between "BEGIN PKCS7" and "END PKCS7" marks, 98 lines of 64 characters 
and a 99th line of 4 characters, approximately 6kb. I did a bit of 
futzing around with it, found I could use "keychain access" on my Mac to 
import it into an empty "keychain" file for inspection, and I found that 
it appears to contain a root certificate, an intermediate 
certificate, and the signed SSL certificate. Looking at it with the 
corresponding utility on my WinDoze box gives the same result. Unless 
you know of something else that can inspect a P7B file, I'm guessing 
that it's just a reply to a CSR, waiting to be installed in the 
originating keystore.

--
JHHL



Re: Using a P7B certificate file

Posted by Christopher Schultz <ch...@christopherschultz.net>.

James,

On 9/10/13 1:12 PM, James H. H. Lampert wrote:
> We have a customer that wants to apply an existing multi-domain 
> certificate to the tomcat server in our application.
> 
> The only thing is, all we've seen is a P7B file, not a keystore,
> and we don't even know what sort of keystore they used to generate
> the original CSR.

"P7B" is otherwise known as a PKCS#7 file and usually contains a
certificate. Does the file contain *only* a certificate, or does it
also contain the key that was used to generate the CSR? If you have
the cert but not the key, you won't be able to use it for serving HTTPS.

> The only time a similar situation came up in the past was when
> somebody jumped the gun, and assumed that since the Tomcat server
> was running on an AS/400, it would use keystores and certificates
> created through IBM's Digital Certificate Manager, in IBM's
> proprietary format. All I can say about that is that I hope they
> either got their money back for the totally unusable keystore, or
> got credit on the correct one.

Most CAs will re-issue certificates for the same hostname with a
reasonable explanation.

> Needless to say, we generally take full control of certificate 
> installation, in order to reduce the potential for expensive 
> mistakes.
> 
> At any rate, what can be done with this customer who wants to use
> their multi-domain certificate in Tomcat?

Let's start with what you've actually got. You said you have a file.
What's in the file?

-chris
