Posted to users@tomcat.apache.org by Giulia Hill <gh...@library.berkeley.edu> on 2003/04/07 17:32:45 UTC

SSL problem

Following Keith Brady's directions - his email is included at the end - I
was able to use my old certificate and keys.

Here in a nutshell are the two pieces I changed; see Keith's mail for more
details.

server.xml
    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
        [...]
      <Factory
           className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="false" keystoreType="PKCS12"
               keystoreFile="/opt/catalina/keystore/keystore.p12"
               keystorePass="myPasswd" protocol="TLS" />
    </Connector>

% openssl pkcs12 -export -inkey sunsite2.berkeley.edu.key -in  \
      sunsite2.berkeley.edu.crt -descert -name tomcat -out keystore.p12 

Giulia

---------- Forwarded message ----------
Date: Fri, 04 Apr 2003 19:51:08 +0100
From: Keith Brady <kb...@newbay.com>
To: ghill@library.berkeley.edu
Subject: [tomcat-user] Re:  SSL problem


[sorry for replying off list but I have only just subscribed and only 
have the web record of the discussion]

You will have read Daniel Hallmark's suggestions on the list. He is 
basically correct in saying that you can't use an existing cert with a 
new keypair since the certificate is proof of the validity of the public 
key in the certificate itself (and so of data signed with the associated 
private key).

However you almost certainly have the old key lying around if you are 
still using your apache install. What you want to do is combine the key 
and existing cert into a format that tomcat can understand.

The way to do this is to use the openssl pkcs12 tool to create a new 
PKCS12 using the existing key and cert. Here is the command.

"openssl pkcs12 -export -inkey  /etc/httpd/conf/ssl.key/server.key -in 
/etc/httpd/conf/ssl.crt/server.crt -descert -name 'JoesServer' -out 
keystore.p12"

This will prompt twice for the new passphrase to use.

Note that I assume your key is PEM-encoded, unencrypted in the usual 
place for apache keys. I also assume that your server cert is in the 
usual place. The '-descert' option provides better protection on the 
integrity of the keystore and isn't really necessary in this case (but 
is good practice). '-name' is used to provide a handy alias for the 
keys. Note that the keystore format is "PKCS12".

I find the keytool application to be amazingly useless for real 
manipulation of keys etc. Generally it is worth rolling your own java to 
do what you want. Of course, because of the many layers of indirection 
used in JCE et al it is quite fiddly to actually load an unencrypted key 
into a keystore.

cheers,

Keith

--
Keith Brady
Senior Technologist
Newbay Software


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
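The two steps above (combine an existing PEM key and certificate into a PKCS12 keystore, then point Tomcat at it) are easy to get wrong in exactly the way Keith describes: packaging a certificate with a key that is not the one it was issued for. The script below is an added example written for this thread, not Giulia's or Keith's own commands. It checks that the key and certificate belong together before calling `openssl pkcs12 -export`, creates the keystore with mode 0600 since it holds the private key, and reads the alias back out so the result can be verified. It assumes `openssl` is on the PATH and that the key is PEM-encoded and unencrypted, as Keith assumes; the file names, the alias `tomcat` and the password `myPasswd` are the thread's placeholders.

```shell
#!/bin/sh
# Added example for this thread (not Giulia's or Keith's own commands): build
# the PKCS12 keystore Tomcat reads from an existing PEM key and certificate,
# but only after checking that the key really belongs to the certificate.
# Assumptions: openssl is on PATH; the key is PEM and unencrypted (as in the
# thread); file names, alias and password below are placeholders.

# key_matches_cert KEY CRT
# Succeeds only if the public key embedded in CRT is byte-for-byte the public
# key derived from KEY. This catches the "existing cert with a new keypair"
# mistake before a useless keystore is produced.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# make_keystore KEY CRT ALIAS OUT PASSWORD
# Writes a PKCS12 at OUT holding KEY and CRT under the friendly name ALIAS.
# Refuses to run if KEY and CRT do not match. The file is created under
# umask 077 because it holds the private key; the password is passed on the
# command line here only to keep the script self-contained.
make_keystore() {
    key=$1; crt=$2; alias=$3; out=$4; pass=$5
    if ! key_matches_cert "$key" "$crt"; then
        echo "refusing: private key does not match certificate" >&2
        return 1
    fi
    (
        umask 077
        openssl pkcs12 -export -inkey "$key" -in "$crt" -name "$alias" \
            -out "$out" -passout "pass:$pass" 2>/dev/null
    )
}

# keystore_alias OUT PASSWORD
# Prints the friendly name stored with the certificate in the keystore,
# i.e. the value that was given to -name.
keystore_alias() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Example run with the placeholder names from the thread. It only executes
# when the files exist, so the script can also be sourced for its functions.
if [ -f sunsite2.berkeley.edu.key ] && [ -f sunsite2.berkeley.edu.crt ]; then
    make_keystore sunsite2.berkeley.edu.key sunsite2.berkeley.edu.crt \
        tomcat keystore.p12 myPasswd \
    && echo "keystore alias: $(keystore_alias keystore.p12 myPasswd)"
fi
```

The `-descert` flag from Keith's command is left out on purpose: OpenSSL 3.0 and later encrypt both the key and the certificates with AES-256-CBC by default, so triple DES is no longer an upgrade. Note that after this step two files hold secrets, the keystore itself and the `server.xml` that carries `keystorePass` in clear text; both should be readable only by the account Tomcat runs as.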


Re: SSL problem

Posted by Jan Fetyko <ja...@phase2online.com>.
Thank you,

this is one of the "save a hard copy forever" emails that saved me a lot of time and my life among other things.

:))

Thanks to both Giulia and Keith.

Jf

On Mon, 7 Apr 2003 08:32:45 -0700 (PDT)
Giulia Hill <gh...@library.berkeley.edu> wrote:

> 
> Following Keith Brady's directions - his email is included at the end - I
> was able to use my old certificate and keys.
> 
> Here in a nutshell are the two pieces I changed; see Keith's mail for more
> details.
> 
> server.xml
>     <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
>         [...]
>       <Factory
>            className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>                clientAuth="false" keystoreType="PKCS12"
>                keystoreFile="/opt/catalina/keystore/keystore.p12"
>                keystorePass="myPasswd" protocol="TLS" />
>     </Connector>
> 
> % openssl pkcs12 -export -inkey sunsite2.berkeley.edu.key -in  \
>       sunsite2.berkeley.edu.crt -descert -name tomcat -out keystore.p12 
> 
> Giulia
> 
> ---------- Forwarded message ----------
> Date: Fri, 04 Apr 2003 19:51:08 +0100
> From: Keith Brady <kb...@newbay.com>
> To: ghill@library.berkeley.edu
> Subject: [tomcat-user] Re:  SSL problem
> 
> 
> [sorry for replying off list but I have only just subscribed and only 
> have the web record of the discussion]
> 
> You will have read Daniel Hallmark's suggestions on the list. He is 
> basically correct in saying that you can't use an existing cert with a 
> new keypair since the certificate is proof of the validity of the public 
> key in the certificate itself (and so of data signed with the associated 
> private key).
> 
> However you almost certainly have the old key lying around if you are 
> still using your apache install. What you want to do is combine the key 
> and existing cert into a format that tomcat can understand.
> 
> The way to do this is to use the openssl pkcs12 tool to create a new 
> PKCS12 using the existing key and cert. Here is the command.
> 
> "openssl pkcs12 -export -inkey  /etc/httpd/conf/ssl.key/server.key -in 
> /etc/httpd/conf/ssl.crt/server.crt -descert -name 'JoesServer' -out 
> keystore.p12"
> 
> This will prompt twice for the new passphrase to use.
> 
> Note that I assume your key is PEM-encoded, unencrypted in the usual 
> place for apache keys. I also assume that your server cert is in the 
> usual place. The '-descert' option provides better protection on the 
> integrity of the keystore and isn't really necessary in this case (but 
> is good practice). '-name' is used to provide a handy alias for the 
> keys. Note that the keystore format is "PKCS12".
> 
> I find the keytool application to be amazingly useless for real 
> manipulation of keys etc. Generally it is worth rolling your own java to 
> do what you want. Of course, because of the many layers of indirection 
> used in JCE et al it is quite fiddly to actually load an unencrypted key 
> into a keystore.
> 
> cheers,
> 
> Keith
> 
> --
> Keith Brady
> Senior Technologist
> Newbay Software
> 


Jan Fetyko
ScriptFighter
Phase 2 Development
4100 Perimeter Center, #310
Oklahoma City
OK 73112

email: janof@phase2online.com
(p) 405.917.3777
(p) direct line: 405.917.3779
(url) http://www.phase2online.com
"Oklahoma City's fastest growing web development company"

Today's "fortune":

October.  This is one of the peculiarly dangerous months to speculate in stocks in.  The others are July, January, September, April, November, May, March, June, December, August, and February.  		-- Mark Twain, 'Pudd'nhead Wilson's Calendar' 
