Posted to users@tomcat.apache.org by Giulia Hill <gh...@library.berkeley.edu> on 2003/04/07 17:32:45 UTC
SSL problem
Following Keith Brady's directions - his email is included at the end - I
was able to use my old certificate and keys.
Here, in a nutshell, are the two pieces I changed; see Keith's mail for more
details.
server.xml
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
[...]
<Factory
className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
clientAuth="false" keystoreType="PKCS12"
keystoreFile="/opt/catalina/keystore/keystore.p12"
keystorePass="myPasswd" protocol="TLS" />
</Connector>
% openssl pkcs12 -export -inkey sunsite2.berkeley.edu.key -in \
sunsite2.berkeley.edu.crt -descert -name tomcat -out keystore.p12
Giulia
---------- Forwarded message ----------
Date: Fri, 04 Apr 2003 19:51:08 +0100
From: Keith Brady <kb...@newbay.com>
To: ghill@library.berkeley.edu
Subject: [tomcat-user] Re: SSL problem
[sorry for replying off list but I have only just subscribed and only
have the web record of the discussion]
You will have read Daniel Hallmark's suggestions on the list. He is
basically correct in saying that you can't use an existing cert with a
new keypair since the certificate is proof of the validity of the public
key in the certificate itself (and so of data signed with the associated
private key).
However you almost certainly have the old key lying around if you are
still using your apache install. What you want to do is combine the key
and existing cert into a format that tomcat can understand.
The way to do this is to use the openssl pkcs12 tool to create a new
PKCS12 using the existing key and cert. Here is the command.
"openssl pkcs12 -export -inkey /etc/httpd/conf/ssl.key/server.key -in
/etc/httpd/conf/ssl.crt/server.crt -descert -name 'JoesServer' -out
keystore.p12"
This will prompt twice for the new passphrase to use.
Note that I assume your key is PEM-encoded, unencrypted in the usual
place for apache keys. I also assume that your server cert is in the
usual place. The '-descert' option provides better protection on the
integrity of the keystore and isn't really necessary in this case (but
is good practice). '-name' is used to provide a handy alias for the
keys. Note that the keystore format is "PKCS12".
I find the keytool application to be amazingly useless for real
manipulation of keys etc. Generally it is worth rolling your own java to
do what you want. Of course, because of the many layers of indirection
used in JCE et al it is quite fiddly to actually load an unencrypted key
into a keystore.
cheers,
Keith
--
Keith Brady
Senior Technologist
Newbay Software
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
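The procedure above (reuse the existing Apache key and certificate, bundle them with openssl pkcs12 -export -descert -name, then point the connector's keystoreFile/keystoreType="PKCS12" at the result) can be scripted end to end. The script below is an added example, not code from Giulia's or Keith's mails: it adds the check the thread turns on (the certificate is only valid for the key it was issued to, so the key file and the cert are compared before anything is bundled), keeps the passphrase out of argv and shell history by passing it through the environment, and reads the store back to confirm the alias and certificate survived the round trip. The working directory, the alias "tomcat", the passphrase "changeit", and the throwaway self-signed pair that stands in for the real Apache files are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): bundle an existing PEM
# key and certificate into a PKCS12 keystore for Tomcat, checking first that
# the key really belongs to the certificate, then verifying the result.
# WORK, ALIAS and the passphrase are demo assumptions; point the key/cert
# arguments at the real files (e.g. /etc/httpd/conf/ssl.key/server.key).
set -eu

WORK="${WORK:-$(mktemp -d)}"
ALIAS="tomcat"

# Stand-in for the existing Apache key/cert: a throwaway self-signed pair
# (constructed test data, not a real server identity).
gen_test_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# SHA-256 of the DER-encoded public key, so a key file and a certificate
# can be compared. $1 = "key" or "cert", $2 = file.
pubkey_digest() {
  if [ "$1" = key ]; then
    openssl pkey -in "$2" -pubout -outform DER
  else
    openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -pubout -outform DER
  fi | openssl dgst -sha256 | awk '{print $NF}'
}

# True when the private key in $1 is the one the certificate in $2 certifies.
key_matches_cert() {
  [ "$(pubkey_digest key "$1")" = "$(pubkey_digest cert "$2")" ]
}

# Build the keystore: $1 = key, $2 = cert, $3 = output .p12.
# -descert encrypts the certificate bags with 3DES as in the thread; the
# passphrase is taken from $P12_PASS (env:) rather than the command line.
make_keystore() {
  key_matches_cert "$1" "$2" || { echo "refusing: key does not match cert" >&2; return 1; }
  openssl pkcs12 -export -inkey "$1" -in "$2" -descert -name "$ALIAS" \
    -passout env:P12_PASS -out "$3"
}

# Verify the store opens with the passphrase, carries the alias Tomcat will
# look up, and hands back the same certificate that went in.
# $1 = .p12 file, $2 = original cert; $P12_PASS must be set.
verify_keystore() {
  dump=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null) || return 1
  printf '%s\n' "$dump" | grep -q "friendlyName: $ALIAS" || return 1
  want=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  got=$(printf '%s\n' "$dump" | openssl x509 -noout -fingerprint -sha256)
  [ "$want" = "$got" ]
}

# Run the whole procedure, including the negative case from the thread:
# a freshly generated key must be rejected for the old certificate.
demo() {
  gen_test_pair
  P12_PASS="changeit"; export P12_PASS
  make_keystore "$WORK/server.key" "$WORK/server.crt" "$WORK/keystore.p12"
  verify_keystore "$WORK/keystore.p12" "$WORK/server.crt"
  openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
  if key_matches_cert "$WORK/other.key" "$WORK/server.crt"; then
    echo "unexpected: fresh key matched old cert" >&2
    return 1
  fi
  echo "keystore ready: $WORK/keystore.p12 (alias $ALIAS)"
}

if command -v openssl >/dev/null 2>&1; then
  demo
else
  echo "openssl not found; nothing done" >&2
fi
```

Two caveats worth keeping next to the config fragment above. First, keystorePass sits in cleartext in server.xml, so the file (and the .p12 itself) should be readable only by the account Tomcat runs as. Second, OpenSSL 3.x defaults to AES-256/PBES2 for the key and certificate bags, which Java versions that predate PBES2 support in the PKCS12 keystore cannot open; if the target JVM is that old, force the legacy algorithms explicitly with -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES (the latter is what -descert selects) and confirm with keytool -list -storetype PKCS12 on the JVM that will actually serve TLS.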
Re: SSL problem
Posted by Jan Fetyko <ja...@phase2online.com>.
Thank you,
this is one of the "save a hard copy forever" emails that saved me a lot of time and my life among other things.
:))
Thanks to both Giulia and Keith.
Jf
On Mon, 7 Apr 2003 08:32:45 -0700 (PDT)
Giulia Hill <gh...@library.berkeley.edu> wrote:
>
> Following Keith Brady's directions - his email is included at the end - I
> was able to use my old certificate and keys.
>
> Here, in a nutshell, are the two pieces I changed; see Keith's mail for more
> details.
>
> server.xml
> <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
> [...]
> <Factory
> className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
> clientAuth="false" keystoreType="PKCS12"
> keystoreFile="/opt/catalina/keystore/keystore.p12"
> keystorePass="myPasswd" protocol="TLS" />
> </Connector>
>
> % openssl pkcs12 -export -inkey sunsite2.berkeley.edu.key -in \
> sunsite2.berkeley.edu.crt -descert -name tomcat -out keystore.p12
>
> Giulia
>
> ---------- Forwarded message ----------
> Date: Fri, 04 Apr 2003 19:51:08 +0100
> From: Keith Brady <kb...@newbay.com>
> To: ghill@library.berkeley.edu
> Subject: [tomcat-user] Re: SSL problem
>
>
> [sorry for replying off list but I have only just subscribed and only
> have the web record of the discussion]
>
> You will have read Daniel Hallmark's suggestions on the list. He is
> basically correct in saying that you can't use an existing cert with a
> new keypair since the certificate is proof of the validity of the public
> key in the certificate itself (and so of data signed with the associated
> private key).
>
> However you almost certainly have the old key lying around if you are
> still using your apache install. What you want to do is combine the key
> and existing cert into a format that tomcat can understand.
>
> The way to do this is to use the openssl pkcs12 tool to create a new
> PKCS12 using the existing key and cert. Here is the command.
>
> "openssl pkcs12 -export -inkey /etc/httpd/conf/ssl.key/server.key -in
> /etc/httpd/conf/ssl.crt/server.crt -descert -name 'JoesServer' -out
> keystore.p12"
>
> This will prompt twice for the new passphrase to use.
>
> Note that I assume your key is PEM-encoded, unencrypted in the usual
> place for apache keys. I also assume that your server cert is in the
> usual place. The '-descert' option provides better protection on the
> integrity of the keystore and isn't really necessary in this case (but
> is good practice). '-name' is used to provide a handy alias for the
> keys. Note that the keystore format is "PKCS12".
>
> I find the keytool application to be amazingly useless for real
> manipulation of keys etc. Generally it is worth rolling your own java to
> do what you want. Of course, because of the many layers of indirection
> used in JCE et al it is quite fiddly to actually load an unencrypted key
> into a keystore.
>
> cheers,
>
> Keith
>
> --
> Keith Brady
> Senior Technologist
> Newbay Software
>
Jan Fetyko
ScriptFighter
Phase 2 Development
4100 Perimeter Center, #310
Oklahoma City
OK 73112
email: janof@phase2online.com
(p) 405.917.3777
(p) direct line: 405.917.3779
(url) http://www.phase2online.com
"Oklahoma City's fastest growing web development company"
Today's "fortune":
October. This is one of the peculiarly dangerous months to speculate in stocks in. The others are July, January, September, April, November, May, March, June, December, August, and February. -- Mark Twain, 'Pudd'nhead Wilson's Calendar'