tomcat-users mailing list archives

From: "Robert J. Sanford, Jr." <rsanf...@trefs.com>
Subject: RE: Installing IIS Certificates in Tomcat?
Date: Mon, 11 Aug 2003 16:17:23 GMT

Thanks for the info. I got the key exported from IIS in the PKCS12 format
and used OpenSSL to generate a .pem file containing the private key and site
certificate from that (for testing purposes I'm using an internal CA so the
CA certificate was in there as well). The issue that I'm running into now is
that the SDK keytool will not import a private key. Sigh. I was hoping to
avoid using something other than keytool since I have a hard enough time
convincing my production IT staff to get rid of IIS so minimizing the number
of conversion apps is a good thing.

I'll try playing with the keystore type to use the PKCS file directly. If
that fails then I'll have to try the other stuff.

Thanks for the advice.

rjsjr

> > That's great advice but it doesn't answer my
> > basic question of whether or not I can import
> > a certificate that was issued based on a
> > request generated by IIS.
>
> Since I don't use IIS, I don't know the answer.
> However, if you can export the cert in pkcs12
> format (which Windows usually does with the
> "export private key" option), then you should
> be able to use the resulting (either ".p12" or
> ".pfx") file as your keystore.  You need to
> set 'keystoreType="pkcs12"' on the Factory
> element.  Sun's support for pkcs12 is a bit
> limited, so make certain that you only export
> your server's cert, and *not* the signers as
> well.
>
> Since you are using a Verisign cert, this
> should be enough (since the signer is already
> in cacerts).
>
> Alternatively, once you have your ".p12" file,
> you can use OpenSSL or otherwise to split it
> out into a private-key and certificate file.
> You can then use the program at
> http://www.comu.de/docs/tomcat_ssl.htm to
> import them.
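
One way to test the "use the .p12 file directly" approach from this thread before pointing Tomcat at the file, added here as an example and not part of either poster's message: it loads the export through the standard `java.security.KeyStore` API with type PKCS12 and reports the private-key entries and the length of each certificate chain. The class name, the `P12_PASS` environment variable and the expectation of exactly one private-key entry are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example; the class name and the P12_PASS variable are assumptions.
public class CheckP12 {
    public static void main(String[] args) throws Exception {
        String envPass = System.getenv("P12_PASS");
        if (args.length != 1 || envPass == null) {
            System.err.println("usage: P12_PASS=... java CheckP12 <file.p12|file.pfx>");
            System.exit(2);
        }
        char[] pass = envPass.toCharArray();
        // Keystore type PKCS12, matching keystoreType="pkcs12" from the thread.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass); // IOException here: wrong password or unreadable file
        }
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": certificate only, no private key");
                continue;
            }
            keyEntries++;
            // Throws UnrecoverableKeyException if the key cannot be recovered with this password.
            String alg = ks.getKey(alias, pass).getAlgorithm();
            Certificate[] chain = ks.getCertificateChain(alias);
            int n = (chain == null) ? 0 : chain.length;
            System.out.println(alias + ": " + alg + " private key, " + n + " certificate(s) in chain");
            for (int i = 0; i < n; i++) {
                if (chain[i] instanceof X509Certificate) {
                    X509Certificate c = (X509Certificate) chain[i];
                    System.out.println("  [" + i + "] " + c.getSubjectX500Principal().getName());
                }
            }
            if (n > 1) {
                System.out.println("  note: signer certificates were exported with the server certificate");
            }
        }
        // Assumption of this example: a server export holds exactly one private-key entry.
        if (keyEntries != 1) {
            System.err.println("expected 1 private-key entry, found " + keyEntries);
            System.exit(1);
        }
    }
}
```

Reading the password from the environment keeps it out of the process argument list; an exit status of 0 means the file loaded and exactly one private key was recovered.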

