Posted to users@tomcat.apache.org by "Peterson, Tommy" <To...@xpandcorp.com> on 2011/07/06 15:38:08 UTC

SSL Certificate formats, requirements for import into existing keystore

I have a keystore for an application that runs on Tomcat. People here introduced a load balancer (LB) into the mix for this same application and therefore I have to use keytool to import the LB's certificate into the existing keystore.

However, the key and the cert are in one file. According to the docs this is not an issue (you can even concatenate them the docs say). So I just ran the keytool command and I continually get an error message: "keytool error: java.lang.Exception: Input not an X.509 certificate"

The IT support folks said that this is the cert that was given to them by the hosting company and that it can be installed successfully on Apache.

There is some "junk" ("bag attributes") in the file that I don't understand. I am used to just seeing "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----" and "-----BEGIN RSA PRIVATE KEY-----" ... "-----END RSA PRIVATE KEY-----".

Any suggestions?

Thanks.


________________________________
This message contains Devin Group confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
Please notify the sender immediately by e-mail if you have received this e-mail in error and delete this e-mail from your system. E-mail transmissions cannot be guaranteed secure, error-free and information could be intercepted, corrupted, lost, destroyed, arrive late, incomplete, or contain viruses. The sender therefore does not accept liability for errors or omissions in the contents of this message which may arise as result of transmission. If verification is required please request hard-copy version.

RE: SSL Certificate formats, requirements for import into existing keystore

Posted by "Peterson, Tommy" <To...@xpandcorp.com>.
Thanks, Felix.

Yesterday after the Holiday weekend we downloaded the certificates (which were pfx) and I used openssl to convert them and keytool to import them. All seems to work ok now.

-----Original Message-----
From: Felix Schumacher [mailto:felix.schumacher@internetallee.de]
Sent: Thursday, July 07, 2011 1:46 AM
To: Tomcat Users List; users@tomcat.apache.org
Subject: Re: SSL Certificate formats, requirements for import into existing keystore


Hi Tommy,

Your file could be a pkcs12 file. Have you tried to use "keytool -importkeystore ..."?

keytool -help should give you the needed parameters.

You need a recent Java 6 version for this to work.

Regards
Felix


Re: SSL Certificate formats, requirements for import into existing keystore

Posted by Felix Schumacher <fe...@internetallee.de>.



Hi Tommy,

Your file could be a pkcs12 file. Have you tried to use "keytool -importkeystore ..."?

keytool -help should give you the needed parameters.

You need a recent Java 6 version for this to work.

Regards
Felix

Re: SSL Certificate formats, requirements for import into existing keystore

Posted by Felix Schumacher <fe...@internetallee.de>.
Hi Marvin,

Marvin Addison <ma...@gmail.com> wrote:

>> There is some "junk" ("bag attributes") in the file that I don't
>> understand. I am used to just seeing "-----BEGIN CERTIFICATE-----" ...
>> "-----END CERTIFICATE-----" and "-----BEGIN RSA PRIVATE KEY-----" ...
>> "-----END RSA PRIVATE KEY-----".
>
>As far as I know, keytool can only import certificates in PKCS8
>format.  The "junk" you mentioned may indicate the key is in SSLeay
>format.  You can use OpenSSL to convert from one format to another.
>That said, I'm not aware of _any_ method to import a keypair into a
>keystore using keytool; the private key is inaccessible (with respect
>to import and export) by design.
I think that restriction is gone. At least my Sun JDK 6u12 keytool can import complete PKCS12 files into my Java keystores without a problem. Export works, too.
And u12 is really old now.

Regards
 Felix
>
>You should probably determine whether you actually need the private
>key before proceeding.  Sounds like you're doing SSL offloading, but
>that shouldn't necessarily require using the same keypair on both the
>LB and endpoint.
>
>M



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: SSL Certificate formats, requirements for import into existing keystore

Posted by Marvin Addison <ma...@gmail.com>.
> There is some "junk" ("bag attributes") in the file that I don't understand. I am used to just seeing "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----" and "-----BEGIN RSA PRIVATE KEY-----" ... "-----END RSA PRIVATE KEY-----".

As far as I know, keytool can only import certificates in PKCS8
format.  The "junk" you mentioned may indicate the key is in SSLeay
format.  You can use OpenSSL to convert from one format to another.
That said, I'm not aware of _any_ method to import a keypair into a
keystore using keytool; the private key is inaccessible (with respect
to import and export) by design.

You should probably determine whether you actually need the private
key before proceeding.  Sounds like you're doing SSL offloading, but
that shouldn't necessarily require using the same keypair on both the
LB and endpoint.

M

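A worked example added to this thread (not code from any of the posters): a small Python pre-flight check that tells you what kind of file you are holding before you run keytool, since each of the answers above turns on that. It separates the cases the thread touches: a PKCS#12/.pfx bundle (Felix's keytool -importkeystore route, which he notes needs a Java 6 keytool), a bare DER or PEM certificate (keytool -importcert), and the PEM layout that openssl pkcs12 prints, with "Bag Attributes" lines between the blocks and a "BEGIN RSA PRIVATE KEY" block, which is the traditional SSLeay/PKCS#1 encoding Marvin refers to ("BEGIN PRIVATE KEY" would be PKCS#8). keytool -importcert parses only certificates, so any file carrying a private key has to be bundled into PKCS#12 with openssl and brought in with -importkeystore, the route Tommy ended up taking. File names, aliases, the keystore name and the sample PEM below are constructed for the example, and the sample's base64 bodies are a dummy DER SEQUENCE, not a real key or certificate.

```python
# Added example (not from the thread): pre-flight triage of a file before
# handing it to keytool, so you pick -importcert vs -importkeystore on purpose.
# Standard library only. File names, aliases, the keystore name and the
# sample PEM at the bottom are constructed for illustration.
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# PEM labels that carry a private key; keytool -importcert cannot take any of them.
KEY_LABELS = {
    "RSA PRIVATE KEY": "pkcs1",            # traditional / SSLeay encoding
    "EC PRIVATE KEY": "sec1",
    "DSA PRIVATE KEY": "traditional",
    "PRIVATE KEY": "pkcs8",
    "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",
}

def parse_pem(text):
    """Return [(label, der_bytes)] for every PEM block, ignoring the
    'Bag Attributes' / subject= / issuer= lines that `openssl pkcs12` prints
    between blocks. Raises ValueError if a body is not base64 of a DER SEQUENCE."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        der = base64.b64decode(body, validate=True)
        if not der or der[0] != 0x30:        # certs and keys are all outer SEQUENCEs
            raise ValueError(f"{label}: body does not decode to a DER SEQUENCE")
        blocks.append((label, der))
    return blocks

def to_pem(label, der):
    """Re-emit one block as clean PEM (64-column lines, no bag attributes)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

def _der_content_offset(data):
    """Offset of the first element inside an outer DER SEQUENCE, or -1."""
    if len(data) < 2 or data[0] != 0x30:
        return -1
    if data[1] < 0x80:                        # short-form length
        return 2
    return 2 + (data[1] & 0x7F)               # long-form: 0x8n then n length bytes

def sniff_binary(data):
    """'pkcs12' for a PFX (outer SEQUENCE whose first element is INTEGER 3),
    'der' for another DER structure whose first element is itself a SEQUENCE
    (a bare DER certificate looks like that), None if it is not DER (e.g. PEM).
    Heuristic on the first bytes only, not a full parser."""
    off = _der_content_offset(data)
    if off < 0 or off + 3 > len(data):
        return None
    if data[off:off + 3] == b"\x02\x01\x03":  # PFX ::= SEQUENCE { version INTEGER 3, ... }
        return "pkcs12"
    if data[off] == 0x30:                     # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "der"
    return None

def classify(data, path="FILE", alias="lb", keystore="keystore.jks"):
    """Say what the file is and which keytool/openssl steps apply.
    'steps' is the command sequence a practitioner would then run."""
    kind = sniff_binary(data)
    if kind == "pkcs12":
        return {"format": "pkcs12", "certs": None, "keys": None, "key_format": None,
                "steps": [f"keytool -importkeystore -srckeystore {path} -srcstoretype PKCS12 "
                          f"-destkeystore {keystore} -deststoretype JKS"]}
    if kind == "der":
        return {"format": "der", "certs": 1, "keys": 0, "key_format": None,
                "steps": [f"keytool -importcert -file {path} -alias {alias} -keystore {keystore}"]}
    blocks = parse_pem(data.decode("ascii", errors="replace"))
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0] in KEY_LABELS]
    if not certs and not keys:
        raise ValueError("no PEM blocks found; input is neither PEM, DER nor PKCS#12")
    result = {"format": "pem", "certs": len(certs), "keys": len(keys),
              "key_format": KEY_LABELS[keys[0][0]] if keys else None}
    if keys:
        # -importcert only parses certificates, so the key has to ride in a PKCS#12 bundle.
        result["steps"] = [
            f"openssl pkcs12 -export -in {path} -inkey {path} -name {alias} -out bundle.p12",
            f"keytool -importkeystore -srckeystore bundle.p12 -srcstoretype PKCS12 "
            f"-destkeystore {keystore} -deststoretype JKS -srcalias {alias} -destalias {alias}",
        ]
    else:
        # One alias per certificate: write each block out with to_pem() and import it.
        result["steps"] = [
            f"keytool -importcert -file cert{i}.pem -alias {alias}-{i} -keystore {keystore}"
            for i in range(len(certs))
        ]
    return result

# Constructed sample in the layout `openssl pkcs12 -nodes` produces: bag attributes,
# one certificate and one traditional RSA key. The bodies are a dummy DER SEQUENCE.
DUMMY_DER = base64.b64encode(b"\x30\x03\x02\x01\x05").decode()
SAMPLE_PEM = (
    "Bag Attributes\n    localKeyID: 01 02 03 04\n    friendlyName: lb-cert\n"
    "subject=/CN=lb.example.test\nissuer=/CN=Example CA\n"
    f"-----BEGIN CERTIFICATE-----\n{DUMMY_DER}\n-----END CERTIFICATE-----\n"
    "Bag Attributes\n    localKeyID: 01 02 03 04\nKey Attributes: <No Attributes>\n"
    f"-----BEGIN RSA PRIVATE KEY-----\n{DUMMY_DER}\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for step in classify(SAMPLE_PEM.encode(), path="lb.pem")["steps"]:
        print(step)
```

Run on the constructed sample it prints the two commands for the key-plus-certificate case. The cert-only branch is the one that applies if, as Marvin suggests, Tomcat only needs to trust the LB's certificate rather than serve with its key. The DER/PKCS#12 sniffing looks only at the outer SEQUENCE and the version INTEGER, which is enough to tell a PFX (version 3) from a certificate but is a heuristic, not a parser.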