Posted to users@tomcat.apache.org by ka...@shopping.com on 2004/09/22 00:29:52 UTC

tomcat problems with SSL / PKCS12

hi. i'm having difficulty getting tomcat to work with SSL. i'm hoping to
succeed with this, and not end up using apache+SSL in front of tomcat,
tho i can. also, i have done much googling, and have tried many of the
suggestions, to no avail.

i'll limit my problem description to my attempts with using pkcs12, not
JKS. the players: linux, tomcat-5.0.27, IBMJava2-141, cert SSL generated
with openssl.

i generated the CSR for my site with openssl, and got the server cert
from verisign. fwiw, the Issuer line from the cert:

   Issuer: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign Interna
   tional Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref.
   LIABILITY LTD .(c)97 VeriSign

do i need to include the verisign intermediate cert with this?
(http://www.verisign.com/support/install/intermediate.html) i'm not
sure, but i'm assuming i do.

then i performed the next step "import an existing certificate signed by
your own CA into a PKCS12 keystore using OpenSSL":

$ openssl pkcs12 -inkey server.key -in server.crt -certfile \
   intermediateCA.crt -export -out certs.p12

i do notice tomcat docs say include the "-chain". when i appended
"-chain" to the above openssl command, i got the error "Error unable to
get local issuer certificate getting chain." so i chose to go without it
and try the subsequently generated certs.p12 file. (could lacking
"-chain" be my problem?)

next i put certs.p12 in tomcat's homedir. here is the relevant
server.xml snippet:

     <Connector port="443"
 		maxThreads="150" minSpareThreads="25"
 		maxSpareThreads="75" enableLookups="false"
 		disableUploadTimeout="true" acceptCount="100"
 		debug="0" scheme="https" secure="true"
 		clientAuth="false" keystoreFile="/home/tomcat/certs.p12"
 		keystoreType="PKCS12" algorithm="IbmX509" sslProtocol="SSL"/>

when i crank up catalina, i get this error:

SEVERE: Error initializing endpoint
java.io.IOException: Unable to verify MAC.
         at com.ibm.crypto.provider.PKCS12KeyStore.engineLoad(Unknown Source)
 		at java.security.KeyStore.load(KeyStore.java:695)
 		at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:278)

any help out there? fwiw, i've seen tips out there on converting the
pkcs12 format into JKS. i'm hoping not to go that route.

thanks in advance,
kallen
-- 
kallen@shopping.com

Reality is that which, when you stop believing in it, doesn't go away.
- Philip K. Dick

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: tomcat problems with SSL / PKCS12

Posted by ka...@shopping.com.
*sigh* - i'm reposting this because i noticed i cut n paste some
incorrect commands from my notes on this. here is the corrected version:

hi. i'm having difficulty getting tomcat to work with SSL. i'm hoping to
succeed with this, and not end up using apache+SSL in front of tomcat,
tho i can. also, i have done much googling, and have tried many of the
suggestions, to no avail.

i'll limit my problem description to my attempts with using pkcs12, not
JKS. the players: linux, tomcat-5.0.27, IBMJava2-141, cert CSR generated
with openssl, not keytool. i got the server cert from verisign. fwiw,
the Issuer line from the cert:

    Issuer: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign Interna
    tional Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref.
    LIABILITY LTD .(c)97 VeriSign

do i need to include the verisign intermediate cert with this?
(http://www.verisign.com/support/install/intermediate.html) i'm not
sure, but i'm assuming i do.

then i performed the next step "import an existing certificate signed by
your own CA into a PKCS12 keystore using OpenSSL":

$ openssl pkcs12 -export -in server.crt -inkey server.key -out certs.p12 \
   -name tomcat -certfile intermediateCA.crt -caname root

[where server.crt is the host cert signed by verisign, intermediateCA.crt
also from verisign]

i do notice tomcat docs say include the "-chain". when i appended
"-chain" to the above openssl command, i got the error "Error unable to
get local issuer certificate getting chain." so i chose to go without it
and try the subsequently generated certs.p12 file. (could lacking
"-chain" be my problem?)

next i put certs.p12 in tomcat's homedir. here is the relevant
server.xml snippet:

      <Connector port="443"
  		maxThreads="150" minSpareThreads="25"
  		maxSpareThreads="75" enableLookups="false"
  		disableUploadTimeout="true" acceptCount="100"
  		debug="0" scheme="https" secure="true"
  		clientAuth="false" keystoreFile="/home/tomcat/certs.p12"
  		keystoreType="PKCS12" algorithm="IbmX509" sslProtocol="SSL"/>

when i crank up catalina, i get this error:

SEVERE: Error initializing endpoint
java.io.IOException: Unable to verify MAC.
          at com.ibm.crypto.provider.PKCS12KeyStore.engineLoad(Unknown Source)
  		at java.security.KeyStore.load(KeyStore.java:695)
  		at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:278)

any help out there? fwiw, i've seen tips out there on converting the
pkcs12 format into JKS. i'm hoping not to go that route.

thanks in advance,
kallen
-- 
kallen@shopping.com
office: 650.616.6708

Reality is that which, when you stop believing in it, doesn't go away.
- Philip K. Dick



Re: tomcat problems with SSL / PKCS12

Posted by ka...@shopping.com.
On Tue, 21 Sep 2004, Dennis Dai wrote:

> I was able to export a p12 cert with complete chain half a year ago, but I 
> couldn't reproduce it now. However, I found this:
>
>  http://sense.bigbrother.net/archives/00000275.html

thanks for that tip. tried it, correctly i think. no love.

first i generate the .p12 from the server cert provided by verisign:

openssl pkcs12 -export -inkey server.key -in server.crt -name tomcat \
   -out server.p12

then i place server.p12 and intermediateCA.crt onto a windows box, fire
up IE. in IE: Internet Options -> Content -> Certificates... under
Personal tab, i import the server.p12 file, place no password on it, and
"Mark it as exportable".

from windows box, i grab another copy of verisign's intermediate cert
and save it. under "Intermediate Cert Authorities" tab, i import
verisign's intermediate cert.

now to export - export the server.p12 from IE: select it, hit export,
yes - export private key, check "include all certs in cert path".

i move that new .pfx file onto the tomcat server, in a place where
server.xml will use it. same error:

SEVERE: Error initializing endpoint
java.io.IOException: Unable to verify MAC.
         at com.ibm.crypto.provider.PKCS12KeyStore.engineLoad(Unknown Source)
 		at java.security.KeyStore.load(KeyStore.java:695)
 		at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:278)



-- 
kallen@shopping.com
office: 650.616.6708

Reality is that which, when you stop believing in it, doesn't go away.
- Philip K. Dick



Re: tomcat problems with SSL / PKCS12

Posted by Dennis Dai <ml...@ddai.net>.
On 9/21/2004 6:41 PM, kallen@shopping.com wrote:

> On Tue, 21 Sep 2004, Dennis Dai wrote:
> 
>> Ok here's the deal with openssl. I'm using OpenSSL 0.9.7d and J2SE 1.4.2_05. 
>> Assuming:
>>
>> * server.key - your certificate's private key
>> * server.crt - your certificate
>> * inter.crt - the intermediate CA that signed your certificate
>> * root.crt - the root CA that signed the intermediate CA
> 
> where do i get this "root.crt"? fwiw, i'll show "openssl x509 -text"
> output below. if we are on the right track wrt making the correct cert
> chain, i wonder if i've got the right pieces to create it.
> 
> info from the server.crt which i received from verisign after providing
> them with the CSR:
> 
>  	Serial Number:
>  		47:19:49:03:05:01:c4:fd:79:06:69:a9:be:d9:22:2d
>  	Signature Algorithm: sha1WithRSAEncryption
>  	Issuer: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign
>  	International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by
>  	Ref. LIABILITY LTD .(c)97 VeriSign
>  	[snip]
>  	Subject: C=US, ST=California, L=Brisbane, O=Shopping.com, OU=Terms
>  	of use at www.verisign.com/rpa (c)00, CN=blahdeeblah.shopping.com
> 
> info from the intermediate cert i obtained from
> http://www.verisign.com/support/install/intermediate.html:
> 
>  	Serial Number:
>  		25:4b:8a:85:38:42:cc:e3:58:f8:c5:dd:ae:22:6e:a4
>  	Signature Algorithm: sha1WithRSAEncryption
>  	Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
>  	[snip]
>  	Subject: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
> 
> if i had the cert that signed this intermediate cert, would i have the
> right pieces to create the right chain?

You should be able to export it from your browser ... it's built into 
major browsers' root CA store I'm sure. Once you export the root cert, 
you can just use it as root.crt in my example.

And yes, you got the right piece. If you look at the issuer of your 
certificate, it's the same as the subject of the intermediate one you 
got from verisign. Now you only need the one that signed this 
intermediate one, which can be found and exported from major browsers.

Regards,

-- 
Dennis Dai
ml@ddai.net



Re: tomcat problems with SSL / PKCS12

Posted by ka...@shopping.com.
On Tue, 21 Sep 2004, Dennis Dai wrote:

> Ok here's the deal with openssl. I'm using OpenSSL 0.9.7d and J2SE 1.4.2_05. 
> Assuming:
>
> * server.key - your certificate's private key
> * server.crt - your certificate
> * inter.crt - the intermediate CA that signed your certificate
> * root.crt - the root CA that signed the intermediate CA

where do i get this "root.crt"? fwiw, i'll show "openssl x509 -text"
output below. if we are on the right track wrt making the correct cert
chain, i wonder if i've got the right pieces to create it.

info from the server.crt which i received from verisign after providing
them with the CSR:

 	Serial Number:
 		47:19:49:03:05:01:c4:fd:79:06:69:a9:be:d9:22:2d
 	Signature Algorithm: sha1WithRSAEncryption
 	Issuer: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign
 	International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by
 	Ref. LIABILITY LTD .(c)97 VeriSign
 	[snip]
 	Subject: C=US, ST=California, L=Brisbane, O=Shopping.com, OU=Terms
 	of use at www.verisign.com/rpa (c)00, CN=blahdeeblah.shopping.com

info from the intermediate cert i obtained from
http://www.verisign.com/support/install/intermediate.html:

 	Serial Number:
 		25:4b:8a:85:38:42:cc:e3:58:f8:c5:dd:ae:22:6e:a4
 	Signature Algorithm: sha1WithRSAEncryption
 	Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
 	[snip]
 	Subject: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

if i had the cert that signed this intermediate cert, would i have the
right pieces to create the right chain?

thanks again

-- 
kallen@shopping.com
office: 650.616.6708

Reality is that which, when you stop believing in it, doesn't go away.
- Philip K. Dick



Re: tomcat problems with SSL / PKCS12

Posted by Dennis Dai <ml...@ddai.net>.
Ok here's the deal with openssl. I'm using OpenSSL 0.9.7d and J2SE 
1.4.2_05. Assuming:

* server.key - your certificate's private key
* server.crt - your certificate
* inter.crt - the intermediate CA that signed your certificate
* root.crt - the root CA that signed the intermediate CA

First, concatenate the CA certs, make sure the intermediate CA goes first:

$ cat inter.crt root.crt > chain.crt

Next, export the pkcs12 file:

$ openssl pkcs12 -export -chain -inkey server.key -in server.crt\
   -name "server" -CAfile chain.crt -out server.p12

When prompted for the export password, enter something and don't leave it empty.

Now, use keytool to verify:

$ keytool -list -v -storetype pkcs12 -keystore server.p12

Enter the export password for the keystore password. Then you should see 
a line like this from the output:

....
Certificate chain length: 3
....

Then you're done!

HTH,

Dennis

On 9/21/2004 4:37 PM, Dennis Dai wrote:

> Hi Kallen,
> 
> I was able to export a p12 cert with complete chain half a year ago, but 
> I couldn't reproduce it now. However, I found this:
> 
>    http://sense.bigbrother.net/archives/00000275.html
> 
> Maybe you can try it out while I continue playing with openssl ...
> 
> Dennis
> 
> On 9/21/2004 3:29 PM, kallen@shopping.com wrote:
>> hi. i'm having difficulty getting tomcat to work with SSL. i'm hoping to
>> succeed with this, and not end up using apache+SSL in front of tomcat,
>> tho i can. also, i have done much googling, and have tried many of the
>> suggestions, to no avail.
>> 
>> i'll limit my problem description to my attempts with using pkcs12, not
>> JKS. the players: linux, tomcat-5.0.27, IBMJava2-141, cert SSL generated
>> with openssl.
>> 
>> i generated the CSR for my site with openssl, and got the server cert
>> from verisign. fwiw, the Issuer line from the cert:
>> 
>>    Issuer: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign Interna
>>    tional Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref.
>>    LIABILITY LTD .(c)97 VeriSign
>> 
>> do i need to include the verisign intermediate cert with this?
>> (http://www.verisign.com/support/install/intermediate.html) i'm not
>> sure, but i'm assuming i do.
>> 
>> then i performed the next step "import an existing certificate signed by
>> your own CA into a PKCS12 keystore using OpenSSL":
>> 
>> $ openssl pkcs12 -inkey server.key -in server.crt -certfile \
>>    intermediateCA.crt -export -out certs.p12
>> 
>> i do notice tomcat docs say include the "-chain". when i appended
>> "-chain" to the above openssl command, i got the error "Error unable to
>> get local issuer certificate getting chain." so i chose to go without it
>> and try the subsequently generated certs.p12 file. (could lacking
>> "-chain" be my problem?)
>> 
>> next i put certs.p12 in tomcat's homedir. here is the relevant
>> server.xml snippet:
>> 
>>      <Connector port="443"
>>  		maxThreads="150" minSpareThreads="25"
>>  		maxSpareThreads="75" enableLookups="false"
>>  		disableUploadTimeout="true" acceptCount="100"
>>  		debug="0" scheme="https" secure="true"
>>  		clientAuth="false" keystoreFile="/home/tomcat/certs.p12"
>>  		keystoreType="PKCS12" algorithm="IbmX509" sslProtocol="SSL"/>
>> 
>> when i crank up catalina, i get this error:
>> 
>> SEVERE: Error initializing endpoint
>> java.io.IOException: Unable to verify MAC.
>>          at com.ibm.crypto.provider.PKCS12KeyStore.engineLoad(Unknown Source)
>>  		at java.security.KeyStore.load(KeyStore.java:695)
>>  		at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:278)
>> 
>> any help out there? fwiw, i've seen tips out there on converting the
>> pkcs12 format into JKS. i'm hoping not to go that route.
>> 
>> thanks in advance,
>> kallen
> 
> 


-- 
Dennis Dai
ml@ddai.net

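A worked version of Dennis's recipe, added here as an example (it is not code from the thread, from OpenSSL or from Tomcat). It builds a throwaway three-tier test PKI so it runs offline, exports the PKCS12 with `-chain` against a CAfile holding intermediate plus root, and then checks the two things Tomcat depends on: the bag really holds the whole chain, and the password Tomcat will use passes the PKCS#12 integrity MAC. It also reproduces the failure from the original post, where `-chain` has no root certificate to reach, and shows that a password mismatch is exactly what surfaces as "Unable to verify MAC": Tomcat opens the store with the Connector's keystorePass attribute (default "changeit"), so that value has to equal whatever was given to `-passout`. It assumes only the openssl command line (1.1.1 or later); the CA names, the host name www.example.test, the export password changeit and the function names are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: build a test PKI
# (root CA -> intermediate CA -> server cert), export a PKCS12 with the full
# chain, and verify it the way Tomcat will read it. All names, the host name
# www.example.test and the password "changeit" are constructed for the demo.
set -eu

# Create root, intermediate and server certificates in a fresh temp dir and
# print the directory name. Unencrypted keys are fine for a throwaway demo.
build_test_pki() {
    pki_dir=$(mktemp -d)
    (
        cd "$pki_dir"
        # Self-signed root; stands in for the CA that signed VeriSign's intermediate.
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/O=Example/CN=Test Root CA" -keyout root.key -out root.crt 2>/dev/null
        # Intermediate CA: needs basicConstraints CA:TRUE, or openssl refuses
        # to use it as an issuer when it builds the chain for -chain.
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/O=Example/CN=Test Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
        openssl x509 -req -days 1 -in inter.csr -CA root.crt -CAkey root.key \
            -CAcreateserial -extfile ca.ext -out inter.crt 2>/dev/null
        # Server (end-entity) certificate signed by the intermediate.
        printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > srv.ext
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/O=Example/CN=www.example.test" -keyout server.key -out server.csr 2>/dev/null
        openssl x509 -req -days 1 -in server.csr -CA inter.crt -CAkey inter.key \
            -CAcreateserial -extfile srv.ext -out server.crt 2>/dev/null
        # Intermediate first, then root, exactly as in the recipe above.
        cat inter.crt root.crt > chain.crt
    )
    echo "$pki_dir"
}

# Export server.key + server.crt as a PKCS12, asking openssl to build the full
# chain against the given trust file. Fails when no trust anchor is reachable.
# Usage: export_p12 DIR CAFILE OUTFILE PASSWORD
export_p12() {
    openssl pkcs12 -export -chain -inkey "$1/server.key" -in "$1/server.crt" \
        -name server -CAfile "$1/$2" -out "$1/$3" -passout "pass:$4" 2>/dev/null
}

# Count the certificates stored in the PKCS12: the server cert plus every CA
# cert that -chain pulled in. Usage: chain_length P12 PASSWORD
chain_length() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Run only the PKCS#12 integrity MAC check. A wrong (or empty) password here is
# the same failure Tomcat reports as "Unable to verify MAC".
# Usage: mac_ok P12 PASSWORD
mac_ok() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" 2>/dev/null
}

pki=$(build_test_pki)

# The situation from the original post: -chain with only the intermediate
# available, no root to anchor the chain, so the export fails.
if ! export_p12 "$pki" inter.crt broken.p12 changeit; then
    echo "export with only the intermediate as trust file: failed, as expected"
fi

# The recipe: intermediate + root in one CAfile and a non-empty export password.
export_p12 "$pki" chain.crt server.p12 changeit
echo "certificates in server.p12: $(chain_length "$pki/server.p12" changeit)"

# Tomcat reads the store with keystorePass (default "changeit"); it must equal
# the export password or the MAC check fails before any certificate is read.
mac_ok "$pki/server.p12" changeit && echo "MAC verified with the export password"
mac_ok "$pki/server.p12" wrongpass || echo "MAC check fails with a different password"

# keytool, if present, shows the line the recipe tells you to look for.
if command -v keytool >/dev/null 2>&1; then
    keytool -list -v -storetype pkcs12 -keystore "$pki/server.p12" -storepass changeit \
        | grep 'Certificate chain length' || true
fi
rm -rf "$pki"
```

For a real deployment the only change is the inputs: replace the generated files with the VeriSign-issued server.crt, the VeriSign intermediate and the root that signed it, and if the export password is anything other than changeit, add a matching keystorePass="..." attribute to the Connector element, which the server.xml snippet earlier in the thread does not set.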


Re: tomcat problems with SSL / PKCS12

Posted by Dennis Dai <ml...@ddai.net>.
Hi Kallen,

I was able to export a p12 cert with complete chain half a year ago, but 
I couldn't reproduce it now. However, I found this:

   http://sense.bigbrother.net/archives/00000275.html

Maybe you can try it out while I continue playing with openssl ...

Dennis

On 9/21/2004 3:29 PM, kallen@shopping.com wrote:
> hi. i'm having difficulty getting tomcat to work with SSL. i'm hoping to
> succeed with this, and not end up using apache+SSL in front of tomcat,
> tho i can. also, i have done much googling, and have tried many of the
> suggestions, to no avail.
> 
> i'll limit my problem description to my attempts with using pkcs12, not
> JKS. the players: linux, tomcat-5.0.27, IBMJava2-141, cert SSL generated
> with openssl.
> 
> i generated the CSR for my site with openssl, and got the server cert
> from verisign. fwiw, the Issuer line from the cert:
> 
>    Issuer: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign Interna
>    tional Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref.
>    LIABILITY LTD .(c)97 VeriSign
> 
> do i need to include the verisign intermediate cert with this?
> (http://www.verisign.com/support/install/intermediate.html) i'm not
> sure, but i'm assuming i do.
> 
> then i performed the next step "import an existing certificate signed by
> your own CA into a PKCS12 keystore using OpenSSL":
> 
> $ openssl pkcs12 -inkey server.key -in server.crt -certfile \
>    intermediateCA.crt -export -out certs.p12
> 
> i do notice tomcat docs say include the "-chain". when i appended
> "-chain" to the above openssl command, i got the error "Error unable to
> get local issuer certificate getting chain." so i chose to go without it
> and try the subsequently generated certs.p12 file. (could lacking
> "-chain" be my problem?)
> 
> next i put certs.p12 in tomcat's homedir. here is the relevant
> server.xml snippet:
> 
>      <Connector port="443"
>  		maxThreads="150" minSpareThreads="25"
>  		maxSpareThreads="75" enableLookups="false"
>  		disableUploadTimeout="true" acceptCount="100"
>  		debug="0" scheme="https" secure="true"
>  		clientAuth="false" keystoreFile="/home/tomcat/certs.p12"
>  		keystoreType="PKCS12" algorithm="IbmX509" sslProtocol="SSL"/>
> 
> when i crank up catalina, i get this error:
> 
> SEVERE: Error initializing endpoint
> java.io.IOException: Unable to verify MAC.
>          at com.ibm.crypto.provider.PKCS12KeyStore.engineLoad(Unknown Source)
>  		at java.security.KeyStore.load(KeyStore.java:695)
>  		at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:278)
> 
> any help out there? fwiw, i've seen tips out there on converting the
> pkcs12 format into JKS. i'm hoping not to go that route.
> 
> thanks in advance,
> kallen


-- 
Dennis Dai
ml@ddai.net
