tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Hallmark <...@hiwaay.net>
Subject Re: SSL problem
Date Thu, 03 Apr 2003 20:02:16 GMT
It sounds to me like you are trying to generate a ney key pair with
keytool and then use your existing certificate with that key pair.
Based on my understanding of the certificate process, that won't work.

Here is a very simplified view of what happens when you create a cert.

1. You (or your webserver) generate a public/private key pair.
2. You create a "certificate request" for a particular domain name
   using the keys you generated in step 1.  This certificate contains
   the public key info.
3. You send the cert request off to a CA (like Verisign or Thawte)
   and they "sign" your certificate request using _their_ key.  At
   this point the CA is stating that you are who your cert says you
   are.
4. You then import the CA-signed certificate into your keystore (or
   webserver).  Clients (browsers, etc.) will accept your certificate
   because they accept the root CA who signed your certificate.

So if you generate a new keypair, the new pair won't have _squat_ to
do with the pair that was used when your had your first certificate
created.

My understanding is that in order to re-use your existing certs, you
will need to be able to create a java keystore from your existing
private key and signed certificate.  The cert you can export and then
re-import into a java keystore created via keytool, but I don't think
(could be wrong) keytool allows you to import a keypair from an
external source.  You might could write some java code to do this but
it would be beyond me.

Two options... explain to verisign your situation and see if they will
re-issue the cert for a new key-pair.  Or if you do have to buy a new
cert you might be able to get better prices from another CA.  We are
using Thawte certificates with our tomcat SSL keystores.

Daniel




On 3 April 2003, Giulia Hill wrote:

> Jan,
> 
> No, I haven't got anywhere yet with this. I have taken a look at the
> suggested pkcs12 http://www.openssl.org/docs/apps/pkcs12.html but that
> hasn't broght me that much further.
> 
> I'll let you know if I find a solution, and, please, do likewise - surely
> I wouldn't to buy a new certificate.
> 
> Giulia
> 
> =Are you getting somewhere with this issue ? I have the same problem ( I
> =need to use 
> =the certificate that was previously on Apache ) and I'm at the dead end
> =s
> =of now, 
> =hoping for a response from this list. Yes or No would do also, but no
> =response yet. :((
> 
> =Jf
> 
> 
> On Tue, 1 Apr 2003, Giulia Hill wrote:
> 
> > 
> > Following the How-to, I have almost successfully activated SSL on tomcat
> > 4.1. The problem I'm having is that I can't load the Verisign certificate,
> > a certificate which I already have and that I'm using with Apache.
> > 
> > this is what I have done
> > 
> > % keytool -genkey -alias tomcat -keyalg RSA -keystore ./.keystore
> > and entered the values of CN etc. as they appear also on the certificate
> > 
> > I have downloaded the verisign.crt from the site indicated on the docs
> > % keytool -import -alias root -keystore ./.keystore -trustcacerts -file ver
> isign.crt
> > 
> > However if I use my certificate as it is, I get the error
> > % keytool -import -alias tomcat -keystore ./.keystore  -trustcacerts -file 
> sunsite2.crt
> > java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.at
> > sun.security.util.DerInputStream.getLength(DerInputStream.java:513)
> > 
> > I thougth it could be that the certificate was not in X509 format, so I
> > have done the conversion as
> > % /opt/openssl-0.9.6b/apps/openssl x509 -outform DER -in sunsite2.crt -out 
>  sunsite2.X509.crt
> > 
> > But, when I try to load it into the keystore I get the error:
> > % keytool -import -alias tomcat -keystore ./.keystore  -trustcacerts -file 
> sunsite2.X509crt
> > keytool error: java.lang.Exception: Public keys in reply and keystore don't
>  match
> > 
> > What am I doing wrong? Generating a new certificate is not an option since
> > we have already paid for the current one, so I need to be able to use what
> > I already have
> > 
> > Thank for your suggestions,
> > 
> > Giulia
> > 
> 
> ----------------------------
> Giulia Hill
>   Programmer/Analyst
>   Library Systems Office
>   University of California at Berkeley
>   386 Doe Annex
>   Berkeley, CA 94720
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message