tomcat-users mailing list archives

From Lee Chin Khiong <le...@cmks.com.sg>
Subject RE: Openssl
Date Fri, 24 May 2002 07:15:09 GMT

IS IT POSSIBLE TO DESCRIBE IN DETAIL WITH EXAMPLE.....
I STILL DON'T GET YOU....


-----Original Message-----
From: KUMAR,PANKAJ (HP-Cupertino,ex1) [mailto:pankaj_kumar@hp.com]
Sent: Friday, May 24, 2002 1:39 AM
To: 'Tomcat Users List'
Subject: RE: Openssl


You can do this in one of the two ways:

A. Use keytool to generate certificate signing request and openssl to sign it.
   Sub-steps:
   1. Generate key-pair using keytool ( -genkey operation )
   2. Generate Certificate Signing Request or CSR ( -certreq )
   3. Sign CSR with openssl ( ca operation in openssl )
   4. Import openssl CA certificate into keystore specified in step 1.
      Remember to use a different alias than in step 1.
   5. Import the signed certificate ( generated by step 3 ) into the keystore.
      Remember to use the same alias as in step 1.
   6. Remove the CA certificate entry from the keystore.

Without step 4, step 5 will fail ( as keytool cannot form a certificate
chain ). Without step 6, there is a possibility that tomcat might present the
wrong certificate to the client ( as JSSE uses the first certificate it
finds in the keystore, using an order determined by a hash function ).

B. Create a PKCS8 certificate ( or certificate chain ) and import it in a
keystore.
    -- steps left as an exercise.

Note: If you find the steps a bit complicated and hard to get right, you are
not alone :). I spent many frustrating hours to get it right. But you get the
idea.
I do have plans to document these but have not been able to find time.

Pankaj Kumar
Web Services Architect
HP Middleware
http://www.pankaj-k.net

> -----Original Message-----
> From: Lee Chin Khiong [mailto:leeck@cmks.com.sg]
> Sent: Wednesday, May 22, 2002 10:21 PM
> To: 'tomcat-user@jakarta.apache.org'
> Subject: Openssl
> 
> 
> Does anyone know how to generate cert using openssl and apply to tomcat
> instead of keytool ?
>  
> 


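Option A from Pankaj's reply, carried through as a runnable script. This is an added example, not code from the original thread and not Pankaj's own scripts. It assumes a JDK keytool and openssl on PATH; the work directory, alias names, the password, CN=localhost and the throw-away openssl CA (index, serial and config files) are constructed placeholders standing in for a real CA. The two check functions at the end show what step 5 and step 6 are supposed to leave behind: a single key entry whose chain is the server certificate followed by the CA certificate.

```shell
#!/bin/sh
# Added example, not code from the original thread. It runs Pankaj's option A
# (steps 1 to 6) end to end. Assumptions: a JDK keytool and openssl on PATH;
# the work directory, alias names, password, CA name and CN=localhost are
# constructed placeholders; the throw-away openssl "ca" setup stands in for
# a real CA so the script is self-contained.
set -eu
export LC_ALL=C LANG=C          # keep keytool's output in English for parsing

WORK=${WORK:-$(mktemp -d)}
KEYSTORE="$WORK/tomcat.jks"
STOREPASS=changeit              # placeholder; must equal keystorePass in server.xml
ALIAS=tomcat                    # alias used in steps 1 and 5
CA_ALIAS=localca                # a DIFFERENT alias for the CA cert (step 4)
CA="$WORK/ca"

# Constructed throw-away CA for "openssl ca": self-signed root plus the
# index/serial files and the minimal config the ca command insists on.
setup_ca() {
  mkdir -p "$CA/newcerts"
  : > "$CA/index.txt"
  echo 01 > "$CA/serial"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$CA/ca.key" -out "$CA/ca.crt" -subj "/CN=Example Local CA" 2>/dev/null
  cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca      = local_ca
[ local_ca ]
dir             = $CA
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 30
policy          = any_cn
x509_extensions = server_ext
[ any_cn ]
commonName      = supplied
[ server_ext ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:localhost
EOF
}

build_keystore() {
  setup_ca
  # Step 1: key pair under alias "tomcat" (keytool's old -genkey is now -genkeypair).
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
    -dname "CN=localhost" -keystore "$KEYSTORE" -storetype JKS \
    -storepass "$STOREPASS" -keypass "$STOREPASS" 2>/dev/null
  # Step 2: certificate signing request for that key.
  keytool -certreq -alias "$ALIAS" -file "$WORK/tomcat.csr" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" 2>/dev/null
  # Step 3: sign the CSR with the openssl CA; -notext keeps the file PEM-only.
  openssl ca -batch -notext -config "$CA/openssl.cnf" \
    -in "$WORK/tomcat.csr" -out "$WORK/tomcat.crt" 2>/dev/null
  # Step 4: import the CA cert under a different alias so that keytool can
  # build the chain in step 5 (without this entry, step 5 fails).
  keytool -importcert -noprompt -alias "$CA_ALIAS" -file "$CA/ca.crt" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" 2>/dev/null
  # Step 5: import the signed cert under the SAME alias as step 1; keytool
  # stores it as the key entry's chain (server cert followed by CA cert).
  keytool -importcert -noprompt -alias "$ALIAS" -file "$WORK/tomcat.crt" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" 2>/dev/null
  # Step 6: drop the CA entry so the keystore holds only the server key entry
  # and JSSE has no other certificate it could present instead.
  keytool -delete -alias "$CA_ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" 2>/dev/null
}

# Checks to run afterwards.
chain_length() {   # prints 2: the server cert plus the CA cert kept in the key entry
  keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" 2>/dev/null \
    | sed -n 's/^Certificate chain length: //p'
}
entry_count() {    # prints 1 after step 6 (the CA entry is gone, the chain is not)
  keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" 2>/dev/null \
    | grep -c -e PrivateKeyEntry -e trustedCertEntry || true
}

# Run the whole flow only when both tools are present (keytool ships with the JDK).
if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
  build_keystore
  echo "keystore $KEYSTORE: $(entry_count) entry, chain length $(chain_length)"
fi
```

Step 6 removes only the trusted-certificate entry; the CA certificate survives inside the key entry's chain, which is why the chain length stays at 2 while the entry count drops to 1. The `-storetype JKS` matches the keystore type Tomcat configurations of that era assume; newer JDKs warn that JKS is a legacy format, and a PKCS12 store works the same way with these commands.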