tomcat-users mailing list archives

From Jan Fetyko <>
Subject Re: SSL problem
Date Wed, 09 Apr 2003 13:13:27 GMT
Thank you,

this is one of the "save a hard copy forever" emails that saved me a lot of time and my life
among other things.


Thanks to both Giulia and Keith.


On Mon, 7 Apr 2003 08:32:45 -0700 (PDT)
Giulia Hill <> wrote:

> Following Keith Brady's directions - his email is included at the end - I
> was able to use my old certificate and keys.
> Here, in a nutshell, are the two pieces I changed; see Keith's mail for more
> details.
> server.xml
>     <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
>         [...]
>       <Factory
>            className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>                clientAuth="false" keystoreType="PKCS12"
>                keystoreFile="/opt/catalina/keystore/keystore.p12" 
>                keystorePass="myPasswd" protocol="TLS" />
>     </Connector>
> % openssl pkcs12 -export -inkey -in  \
> -descert -name tomcat -out keystore.p12 
> Giulia
> ---------- Forwarded message ----------
> Date: Fri, 04 Apr 2003 19:51:08 +0100
> From: Keith Brady <>
> To:
> Subject: [tomcat-user] Re:  SSL problem
> [sorry for replying off list but I have only just subscribed and only 
> have the web record of the discussion]
> You will have read Daniel Hallmark's suggestions on the list. He is 
> basically correct in saying that you can't use an existing cert with a 
> new keypair since the certificate is proof of the validity of the public 
> key in the certificate itself (and so of data signed with the associated 
> private key).
> However you almost certainly have the old key lying around if you are 
> still using your apache install. What you want to do is combine the key 
> and existing cert into a format that tomcat can understand.
> The way to do this is to use the openssl pkcs12 tool to create a new 
> PKCS12 using the existing key and cert. Here is the command.
> "openssl pkcs12 -export -inkey  /etc/httpd/conf/ssl.key/server.key -in 
> /etc/httpd/conf/ssl.crt/server.crt -descert -name 'JoesServer' -out 
> keystore.p12"
> This will prompt twice for the new passphrase to use.
> Note that I assume your key is PEM-encoded, unencrypted in the usual 
> place for apache keys. I also assume that your server cert is in the 
> usual place. The '-descert' option provides better protection on the 
> integrity of the keystore and isn't really necessary in this case (but 
> is good practice). '-name' is used to provide a handy alias for the 
> keys. Note that the keystore format is "PKCS12".
> I find the keytool application to be amazingly useless for real 
> manipulation of keys etc. Generally it is worth rolling your own java to 
> do what you want. Of course, because of the many layers of indirection 
> used in JCE et al it is quite fiddly to actually load an unencrypted key 
> into a keystore.
> cheers,
> Keith
> --
> Keith Brady
> Senior Technologist
> Newbay Software

Jan Fetyko
Phase 2 Development
4100 Perimeter Center, #310
Oklahoma City
OK 73112

(p) 405.917.3777
(p) direct line: 405.917.3779
"Oklahoma City's fastest growing web development company"

Today's "fortune":

October.  This is one of the peculiarly dangerous months to speculate in stocks in.  The others
are July, January, September, April, November, May, March, June, December, August, and February.
 		-- Mark Twain, 'Pudd'nhead Wilson's Calendar' 
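The key-and-certificate packaging Keith describes above, as an added shell example that is not part of this thread or of Tomcat: it checks that the PEM private key really belongs to the certificate before exporting (a comparison that works for EC keys as well as the RSA case discussed above), keeps the keystore passphrase off the command line, and verifies that the resulting PKCS12 opens and carries the expected alias. All file paths and the alias are placeholders chosen by the caller.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a PKCS12 keystore for Tomcat from an
# existing PEM private key and certificate (e.g. the ones Apache httpd uses) and
# verifies it. All paths and the alias are placeholders supplied by the caller.

pem_to_pkcs12() {
  key="$1"; cert="$2"; out="$3"; alias="$4"; pass="$5"

  # 1. Refuse to package a key that does not belong to the certificate: compare
  #    the public key derived from the private key with the one in the cert.
  #    Works for RSA and EC keys alike (the -modulus trick is RSA-only).
  key_pub=$(openssl pkey -in "$key" -pubout) || return 1
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
  if [ "$key_pub" != "$cert_pub" ]; then
    echo "error: private key does not match certificate" >&2
    return 1
  fi

  # 2. Export. The passphrase is passed through the environment (-passout env:)
  #    rather than as an argument, so it does not show up in `ps` or shell history.
  #    -descert encrypts the certificate bag too, as suggested in the thread.
  PKCS12_PASS="$pass" openssl pkcs12 -export -inkey "$key" -in "$cert" \
      -descert -name "$alias" -out "$out" -passout env:PKCS12_PASS || return 1
  chmod 600 "$out"   # the keystore holds the private key; owner-only access

  # 3. Confirm the store opens with that passphrase and carries the expected
  #    alias (stored as the PKCS12 friendlyName, which Tomcat/keytool use).
  PKCS12_PASS="$pass" openssl pkcs12 -in "$out" -info -nokeys \
      -passin env:PKCS12_PASS 2>/dev/null | grep -q "friendlyName: $alias"
}

# Usage with placeholder paths (the httpd locations Keith assumes above):
# pem_to_pkcs12 /etc/httpd/conf/ssl.key/server.key \
#               /etc/httpd/conf/ssl.crt/server.crt keystore.p12 tomcat "$PASS"
```

The resulting file is what the connector's keystoreFile/keystorePass attributes point at, with keystoreType="PKCS12" as in Giulia's server.xml.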

