Posted to users@tomcat.apache.org by Br...@nokia.com on 2004/02/03 22:09:58 UTC

SOLUTION: SSL certificates HOW-TO

It seems that obtaining and installing SSL certificates from different Certificate Authorities is not consistent.  Even within the same CA, the procedure for real and test certificates is not necessarily the same.  To make matters worse there appear to be differences in the operation of the Java keystore from 1.3.x to 1.4.2.  Finally, documentation in Tomcat and in the CA sites is slightly out of date.  These things combined make life difficult.

The following is a summary of procedures that I have found to work with JDK 1.4.2_03 and Tomcat 5.0.

For all options:
· Use password "changeit" for BOTH the keystore and the keys.
· Use the server's fully qualified hostname as "first and last name", i.e.: myserver.mydomain.com
· When requesting certificates, you must get an X.509 server certificate.  If you get a PKCS#7 certificate you must convert it to an X.509 one before use.
Using a self-signed certificate:
· cd
· keytool -genkey -alias tomcat -keyalg RSA
Using Verisign certificate:
The official Verisign instructions were incorrect at the time of this writing, but the following procedure will work for "REAL" certificates.  For test certificates you theoretically only need and install the test root and test server certificates steps (not successfully tested), which are different from the regular root and server certificates.
· cd 
· keytool -genkey -alias tomcat -keyalg RSA
· keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
· Use the .csr to request a certificate
· Obtain the Verisign root certificate, intermediate certificate and server certificate
· keytool -import -alias verisignroot -trustcacerts -file verisignroot.cer
· keytool -import -alias root -file intermediate.cer
· keytool -import -alias tomcat -file server.cer
Using Thawte certificate
The Thawte instructions were incorrect at the time of this writing, but the following procedure will work for (at least) test certificates.
· cd
· keytool -genkey -alias mykey -keyalg RSA
· keytool -certreq -keyalg RSA -alias mykey -file certreq.csr
· Use the .csr to request an X.509 certificate, you will get a server certificate.
· keytool -import -alias tomcat -trustcacerts -file server.cer
I hope this helps others to avoid the headaches I experienced. :P

Bruno 


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
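The post says a PKCS#7 certificate must be converted to a plain X.509 one before keytool will import it, and that the "first and last name" must be the server's fully qualified hostname. The following is an added example, not part of Bruno's post or of Tomcat, showing both checks in pure Python: it tells a bare DER X.509 certificate apart from a PKCS#7 SignedData bundle (OID 1.2.840.113549.1.7.2), pulls the certificates out of the bundle, reads the subject CN, and writes PEM that keytool -import accepts. The certificate it parses is a constructed toy (no real key or signature), built by the same minimal DER encoder; the function names are this example's own.

```python
import base64

# DER-encoded OID values (constructed constants for the few OIDs this example needs)
OID_COMMON_NAME = b"\x55\x04\x03"                          # 2.5.4.3
OID_PKCS7_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"    # 1.2.840.113549.1.7.1
OID_PKCS7_SIGNED = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"  # 1.2.840.113549.1.7.2
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"    # 1.2.840.113549.1.1.11


def _der(tag, body):
    """Encode one DER TLV with short or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf, pos):
    """Decode the TLV at pos; returns (tag, value, position after it)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """All TLVs contained in a constructed value, as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def certificates_from_der(blob):
    """Return a list of bare X.509 DER certificates from either a bare
    certificate or a PKCS#7 SignedData bundle (what some CAs hand out)."""
    _, body, _ = _read_tlv(blob, 0)
    top = _children(body)
    if top and top[0][0] == 0x06 and top[0][1] == OID_PKCS7_SIGNED:
        signed_data = _children(top[1][1])[0][1]      # [0] EXPLICIT -> SignedData SEQUENCE
        for tag, val in _children(signed_data):
            if tag == 0xA0:                            # certificates [0] IMPLICIT SET OF Certificate
                return [_der(0x30, c) for _, c in _children(val)]
        return []
    return [blob]                                      # already a bare Certificate SEQUENCE


def subject_cn(cert_der):
    """Extract the subject commonName from a DER X.509 certificate."""
    _, cert_body, _ = _read_tlv(cert_der, 0)
    fields = _children(_children(cert_body)[0][1])     # tbsCertificate fields
    idx = 5 if fields[0][0] == 0xA0 else 4             # subject follows validity; version [0] is optional
    for _, rdn in _children(fields[idx][1]):           # RelativeDistinguishedName SET
        for _, attr in _children(rdn):                 # AttributeTypeAndValue SEQUENCE
            (_, oid), (_, val) = _children(attr)
            if oid == OID_COMMON_NAME:
                return val.decode("utf-8")
    return None


def matches_hostname(cert_der, hostname):
    """True when the subject CN equals the server's FQDN (case-insensitive)."""
    cn = subject_cn(cert_der)
    return cn is not None and cn.lower() == hostname.lower()


def to_pem(cert_der):
    """PEM form of a certificate, the format keytool -import reads directly."""
    b64 = base64.b64encode(cert_der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def _name(cn):
    attr = _der(0x30, _der(0x06, OID_COMMON_NAME) + _der(0x0C, cn.encode("utf-8")))
    return _der(0x30, _der(0x31, attr))


def build_toy_certificate(cn):
    """Constructed, structurally valid X.509 v3 certificate with an empty
    SubjectPublicKeyInfo and dummy signature; for parsing demonstrations only."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02")) +                          # version v3
               _der(0x02, b"\x01") +                                      # serialNumber
               _der(0x30, _der(0x06, OID_SHA256_RSA)) +                   # signature algorithm
               _name("Toy CA") +                                          # issuer
               _der(0x30, _der(0x17, b"040203220958Z") + _der(0x17, b"050203220958Z")) +
               _name(cn) +                                                # subject
               _der(0x30, b""))                                           # SPKI placeholder
    return _der(0x30, tbs + _der(0x30, _der(0x06, OID_SHA256_RSA)) + _der(0x03, b"\x00"))


def build_pkcs7(certs):
    """Constructed PKCS#7 SignedData bundle carrying the given certificates."""
    signed = _der(0x30,
                  _der(0x02, b"\x01") +                                   # version
                  _der(0x31, b"") +                                       # digestAlgorithms
                  _der(0x30, _der(0x06, OID_PKCS7_DATA)) +                # contentInfo
                  _der(0xA0, b"".join(certs)) +                           # certificates [0] IMPLICIT
                  _der(0x31, b""))                                        # signerInfos
    return _der(0x30, _der(0x06, OID_PKCS7_SIGNED) + _der(0xA0, signed))
```

Feeding a real CA bundle to certificates_from_der and writing each result through to_pem gives one file per certificate (root, intermediate, server), which is the order the post imports them in; matches_hostname is the check to run on the server certificate before the final keytool -import so that a wrong "first and last name" is caught before Tomcat starts serving it.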


Re: SOLUTION: SSL certificates HOW-TO

Posted by Adam Hardy <ah...@cyberspaceroad.com>.
Good one Bruno.

On 02/03/2004 10:09 PM Bruno.Melloni@nokia.com wrote:
> It seems that obtaining and installing SSL certificates from different Certificate Authorities is not consistent.  Even within the same CA, the procedure for real and test certificates is not necessarily the same.  To make matters worse there appear to be differences in the operation of the Java keystore from 1.3.x to 1.4.2.  Finally, documentation in Tomcat and in the CA sites is slightly out of date.  These things combined make life difficult.
> 
> The following is a summary of procedures that I have found to work with JDK 1.4.2_03 and Tomcat 5.0.
> 
> For all options:
> · Use password "changeit" for BOTH the keystore and the keys.
> · Use the server's fully qualified hostname as "first and last name", i.e.: myserver.mydomain.com
> · When requesting certificates, you must get an X.509 server certificate.  If you get a PKCS#7 certificate you must convert it to an X.509 one before use.
> Using a self-signed certificate:
> · cd
> · keytool -genkey -alias tomcat -keyalg RSA
> Using Verisign certificate:
> The official Verisign instructions were incorrect at the time of this writing, but the following procedure will work for "REAL" certificates.  For test certificates you theoretically only need and install the test root and test server certificates steps (not successfully tested), which are different from the regular root and server certificates.
> · cd 
> · keytool -genkey -alias tomcat -keyalg RSA
> · keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
> · Use the .csr to request a certificate
> · Obtain the Verisign root certificate, intermediate certificate and server certificate
> · keytool -import -alias verisignroot -trustcacerts -file verisignroot.cer
> · keytool -import -alias root -file intermediate.cer
> · keytool -import -alias tomcat -file server.cer
> Using Thawte certificate
> The Thawte instructions were incorrect at the time of this writing, but the following procedure will work for (at least) test certificates.
> · cd
> · keytool -genkey -alias mykey -keyalg RSA
> · keytool -certreq -keyalg RSA -alias mykey -file certreq.csr
> · Use the .csr to request an X.509 certificate, you will get a server certificate.
> · keytool -import -alias tomcat -trustcacerts -file server.cer
> I hope this helps others to avoid the headaches I experienced. :P
> 
> Bruno 
> 
> 


-- 
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian

