Posted to server-user@james.apache.org by ro...@xemaps.com on 2012/05/08 16:52:52 UTC

using SSL cert

Hello,

So I can't seem to figure out how to get our SSL cert working on James so I was hoping someone could help me out?

I generated an RSA 2048 private key and certificate request using openssl.  I've read on googles that this is probably where I originally went wrong as some people claim that if you do not use a java keystore from the beginning to generate the request then it's never going to work.

Anyway I got my certificate from Entrust which has a chain cert and a root cert.  I went through their instructions (and others) and imported the root cert and then the chain cert and then finally our cert.  Attempting to use the cert gives me a "no cipher suites in common" error.

Doing research on this I find out that I need the private key in the keystore since I did not generate the request from keytool with a keystore originally.  So I tried with the keystore I already had as well as a keystore from scratch.  When I do this I see SSL communication but it looks like it's referencing some default self-signed cert I created for testing or someone had added to the default java keystore?  The instructions I used I found here:

http://stackoverflow.com/questions/906402/importing-an-existing-x509-certificate-and-private-key-in-java-keystore-to-use-i

Was hoping to avoid re-doing the cert.  Does anybody have experience with setting up SSL?

Regards,
Roy

---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org
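
The import described in the post above (an OpenSSL-generated key plus a CA-issued certificate and chain), as an added example that is not part of the original thread: it checks that the key matches the certificate and that the chain verifies before bundling them into a PKCS#12 file. The function names, the "james" alias, the demo password and the throwaway CA are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. All keys and certificates below are throwaway values
# constructed for the demo; function names and the "james" alias are hypothetical.

# Create a demo CA plus a server key and CA-signed certificate in directory $1.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null
}

# True only if private key $1 and certificate $2 carry the same public key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Bundle key $1, cert $2 and CA chain $3 into PKCS#12 file $4 (password $5).
# Refuses to build when the key is wrong or the chain does not verify.
build_p12() {
  key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 ||
    { echo "certificate does not chain to $3" >&2; return 2; }
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -name james \
    -out "$4" -passout "pass:$5"
}

# True if PKCS#12 file $1 (password $2) really contains a private key entry.
p12_has_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
    grep -q 'PRIVATE KEY'
}

# Demo run on the constructed material.
demo() {
  d=$(mktemp -d) || return 1
  make_demo_pki "$d" &&
  build_p12 "$d/server.key" "$d/server.crt" "$d/ca.crt" "$d/server.p12" changeit &&
  p12_has_key "$d/server.p12" changeit && echo "server.p12 holds key + chain"
  rc=$?; rm -rf "$d"; return $rc
}
demo
```

The resulting file can be converted with keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -destkeystore keystore.jks, after which keytool -list should show the alias as a PrivateKeyEntry rather than a trustedCertEntry.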


Re: using SSL cert

Posted by dgarvey <dg...@collab.net>.
You can test your root CA and intermediate CA by using this command.

Put your CAs into this file /tmp/ca.crt and test. It should return 
verified (0) if your server is set up correctly. Then just import the 
/tmp/ca.crt into your client cacerts truststore.

openssl s_client -connect localhost:443 -state -debug -CAfile /tmp/ca.crt




Re: using SSL cert

Posted by dgarvey <dg...@collab.net>.
The clients need the CA and/or intermediate CA (root cert) if not already 
there in the trust-store, i.e. (cacerts). If self-signed, then you need a 
private CA that signs the "self-signed" cert.

http://www.flatmtn.com/article/setting-openssl-create-certificates



Re: using SSL cert

Posted by Eric Charles <er...@apache.org>.
Hi Roy,

Did you read http://james.apache.org/server/3/config-ssl-tls.html ?

(it's quite basic and may contain inaccuracies, that's a work in 
progress, especially behavior or may change on different JDK versions).

Thx,
Eric

-- 
eric | http://about.echarles.net | @echarles




Re: using SSL cert

Posted by dgarvey <dg...@collab.net>.
Roy,

Given the error "no cipher suites in common", I would guess that your 
client and server can't agree on a cipher to use. Check your 
configuration. The server and client must agree on a common cipher 
before encryption/decryption can take place.




Re: using SSL cert

Posted by Young Gu <hy...@gmail.com>.
How do you install your SSL certification?  What client are you using? 
Can you post the log details?

Please feel free to contact me with any question or suggestion.
Thanks & Best Regards.
------------------------------------------------------------------
Young Gu
Software Engineer
http://www.infor.com

