tomcat-users mailing list archives

From Adam Hardy <ahardy.str...@cyberspaceroad.com>
Subject Re: SSL/Verisign Confusion
Date Sun, 07 Sep 2003 09:43:19 GMT
Hi Dave,
how much does it cost at Verisign, and how long is it valid for? And is 
this 'openssl' you mentioned a free alternative?

Adam

On 09/06/2003 03:21 PM Dave Wood wrote:
> FINALLY!
> 
> I still don't know what I did wrong in the first place, but after starting
> over with VeriSign, all is well now.  I thought I'd share the (simple!)
> steps I took to get SSL running using keytool/tomcat in case anyone else
> might find this useful:
> 
> # keytool -genkey -alias tomcat -keyalg RSA
> [enter a password and all necessary information, then just <enter> at next
> password prompt]
> # cp ~/.keystore ~/.keystore-backup
> # keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
> [enter same password]
> [give contents of certreq.csr to VeriSign and wait for response...]
> [NOTE: when asked to select my server software, I chose "apache" since they
> didn't have Tomcat in their list...I don't know if this matters, but it
> worked]
> # keytool -import -trustcacerts -file intermediate.crt -alias root
> [enter same password]
> [NOTE: intermediate.crt is the file found here:
> http://www.verisign.com/support/install/intermediate.html]
> # keytool -import -trustcacerts -file public.crt -alias tomcat
> [enter same password]
> [where public.crt is the certificate sent from VeriSign after they complete
> their approval process]
> [finally, edit ...tomcat/conf/server.xml and enable the SSL connector
> section, adding keystorePass="[password]"
> as an attribute to the Factory tag]
> 
> Hope this helps.
> 
> Thanks to all who provided suggestions along the way.
> 
> Dave
> 
> -----Original Message-----
> From: Dave Wood [mailto:dave@woodtopia.org]
> Sent: Friday, September 05, 2003 11:40 AM
> To: Tomcat Users List
> Subject: RE: SSL/Verisign Confusion
> 
> 
> Well, after all this, I just discovered that VeriSign will basically let you
> start over if it's within 30 days (which it is).  So, for now, I'm going
> down this path.  Just talked to someone at V/S who said it would take just a
> couple hours.
> 
> Oh, and I made a BACKUP of my new keystore file this time that now contains
> a single "keyEntry" with the alias "tomcat".  I try to avoid being stupid in
> the same way more than once! :)
> 
> As for the programmatic approach, FWIW, I started down that path as well,
> but somehow I had no private key entry in the keystore (best I can tell).
> Still not sure how I got in that messed up state.
> 
> Thanks,
> Dave
> 
> -----Original Message-----
> From: Christopher Williams [mailto:ccwilliams3@ntlworld.com]
> Sent: Friday, September 05, 2003 9:43 AM
> To: Tomcat Users List
> Subject: Re: SSL/Verisign Confusion
> 
> 
> Have you thought of manipulating the keystore programmatically?  Here's what
> you'd do:
> 
> 1. Open your existing keystore
> 2. Find the entry with your private key and (presumably) a temporary
> self-signed certificate.
> 3. Open the certificate you got from Verisign.
> 4. Change the certificate in your key entry to your Verisign certificate.
> 5. Save and close the keystore.
> 
> OpenSSL doesn't understand most of the Java keystore formats, although it
> can manipulate PKCS#12 files which Keytool can handle.  If you download the
> BouncyCastle crypto provider, then you can use keytool to write PKCS#12
> files as well.
> 
> Also, if the person who originally posted the question doesn't feel up to
> monkeying around with the Keystore classes, I have some code that I can
> adapt to stick your Verisign certificate in your keystore.  Get in touch
> with me personally and I'll see what I can do.
> 
> ----- Original Message -----
> From: "Jay Garala" <jay@electrosoft-inc.com>
> To: "'Tomcat Users List'" <tomcat-user@jakarta.apache.org>
> Sent: Friday, September 05, 2003 3:36 PM
> Subject: RE: SSL/Verisign Confusion
> 
> 
> NOTE: You cannot export private key from keystore.
> 
> -----Original Message-----
> From: Dave Wood [mailto:dave@woodtopia.org]
> Sent: Friday, September 05, 2003 10:32 AM
> To: Tomcat Users List
> Subject: RE: SSL/Verisign Confusion
> 
> Thanks.  With the exception of the openssl doc, I've been over these quite a
> bit.  The result is the problem I've mentioned where keytool says it can't
> import my certificate because the alias already exists.
> 
> After some help I got last night, I think the question boils down to this:
> 
> * once I have extracted my private key from keytool (haven't done this yet),
> how do I take that key, the VeriSign intermediate certificate and my public
> key certificate and get them to play together.  I'm hoping the openssl stuff
> will take care of this, because keytool doesn't really seem to recognize
> private keys as things that you can work with directly.
> 
> Thanks again,
> Dave
> 
> -----Original Message-----
> From: Jay Garala [mailto:jay@electrosoft-inc.com]
> Sent: Friday, September 05, 2003 7:12 AM
> To: 'Tomcat Users List'
> Subject: RE: SSL/Verisign Confusion
> 
> 
> Try the Java keytool help:
>  http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
> 
> Tomcat how-to:
>  http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html
> 
> If you have OpenSSL:
>  http://forum.java.sun.com/thread.jsp?forum=2&thread=4240
> 
> Jay
> -----Original Message-----
> From: Dave Wood [mailto:dave@woodtopia.org]
> Sent: Friday, September 05, 2003 1:04 AM
> To: Tomcat Users List
> Subject: RE: SSL/Verisign Confusion
> 
> Thanks Bill.  I think this highlights something I'm really not
> understanding...
> 
> Didn't I generate an important "private key" somewhere along the line that I
> can't just regenerate if I blow away my keystore?  I assumed the certificate
> I got back from verisign would only work if I still had the original private
> key I generated before sending them my request.  Is that wrong?
> 
> (I'll take a look at the link you sent...at first glance, it looks a little
> hard to follow, but hopefully not).
> 
> Thanks again.
> 
> Dave
> 
> -----Original Message-----
> From: news [mailto:news@sea.gmane.org]On Behalf Of Bill Barker
> Sent: Thursday, September 04, 2003 11:06 PM
> To: tomcat-user@jakarta.apache.org
> Subject: Re: SSL/Verisign Confusion
> 
> 
> Firstly, it looks like you should wipe your keystore and start again.  To use
> a VS cert with Tomcat, the two options I know are:
> 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm.
> 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and
> use that as your keystore (remember to set 'keystoreType="pkcs12"' on the
> Factory in server.xml).
> 
> 
> "Dave Wood" <dave@woodtopia.org> wrote in message
> news:EBEBKKMEAECJFOHFOLHLIELKCIAA.dave@woodtopia.org...
> 
>>I'm having a problem getting an SSL certificate from Verisign working
>>correctly.  I'm going to include everything I can think of that MIGHT be a
>>problem.  Unfortunately, there are a couple things I can't quite remember
>>for certain.  Here's the situation:
>>
>>1. I generated the initial key using an alias other than "tomcat" (we'll
>>call it "company")
>>2. I generated the CSR and sent it to verisign.  I still have this file.
>>3. Verisign changed the company name during the verification process (from
>>an acronym to the full spelling of the name)
>>4. I now have the certificate that they sent back after the validation
>>process.
>>5. One thing I can't account for is why when I see this:
>>
>>$ keytool -list
>>
>>Keystore type: jks
>>Keystore provider: SUN
>>
>>Your keystore contains 4 entries: (...others removed...)
>>
>>company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry,
>>Certificate fingerprint (MD5):
>>00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really
>>0's)
>>
>>...I think I must have self-signed or something (I was doing a couple of
>>these things and don't recall exactly), but I'm surprised to see
>>"trustedCertEntry" here.
>>
>>The problem I'm having is this:
>>
>>$ keytool -import -trustcacerts -alias company -file public.crt
>>Enter keystore password: xxx
>>keytool error: java.lang.Exception: Certificate not imported, alias
>><company> already exists
>>
>>(but I'm thinking it should be REPLACING this entry, so the fact that it
>>exists shouldn't be a problem???)
>>
>>So, I have several questions:
>>
>>1. Am I hosed completely because I didn't use "tomcat" as the alias?
>>2. How does the private key get stored exactly?  I assume that if I delete
>>the current entry for the "company" alias, I'll be losing the private key,
>>right?
>>3. Can someone provide steps I should take to get this working given what I
>>have said above.
>>
>>Thanks so much in advance.  Sorry to be so long-winded.
>>
>>-Dave
>>---
>>Outgoing mail is certified Virus Free.
>>Checked by AVG anti-virus system (http://www.grisoft.com).
>>Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003
> 
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

-- 
struts 1.1 + tomcat 4.1.27 + java 1.4.2
Linux 2.4.20 RH9
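The five programmatic steps Christopher Williams sketches in the thread (open the keystore, find the private-key entry, open the CA certificate, swap it into the key entry, save), written out as an added example that is not code from anyone in the thread. It assumes a JKS keystore at keystore.jks, the alias company that Dave used, and the file names public.crt and intermediate.crt from the thread; the password is a placeholder. It goes one step beyond the thread by checking that the issued certificate really belongs to the stored private key and was signed by the intermediate before anything is overwritten, which is exactly the mismatch Dave was worried about.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;

public class InstallCaReply {
    // Reads one PEM or DER encoded X.509 certificate from a file.
    static X509Certificate readCert(CertificateFactory cf, String path) throws Exception {
        try (FileInputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        String ksPath = "keystore.jks";       // placeholder for ~/.keystore in the thread
        String alias = "company";             // placeholder: alias the key pair was generated under
        char[] pw = "changeit".toCharArray(); // placeholder keystore and key password

        // Step 1: open the existing keystore.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(ksPath)) { ks.load(in, pw); }

        // Step 2: the alias must be a keyEntry; a trustedCertEntry holds no private key to pair with.
        if (!ks.isKeyEntry(alias)) throw new IllegalStateException(alias + " is not a key entry");
        PrivateKey key = (PrivateKey) ks.getKey(alias, pw);

        // Step 3: the CA reply (server certificate) and the CA's intermediate certificate.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate server = readCert(cf, "public.crt");
        X509Certificate intermediate = readCert(cf, "intermediate.crt");

        // Check: the certificate must carry the public half of the stored RSA private key ...
        BigInteger privMod = ((RSAPrivateKey) key).getModulus();
        BigInteger certMod = ((RSAPublicKey) server.getPublicKey()).getModulus();
        if (!privMod.equals(certMod)) throw new IllegalStateException("cert does not match key " + alias);
        // ... and the intermediate must actually have signed it (throws on failure).
        server.verify(intermediate.getPublicKey());

        // Step 4: replace the chain, end-entity first then issuer; setKeyEntry overwrites the alias.
        Certificate[] chain = { server, intermediate };
        ks.setKeyEntry(alias, key, pw, chain);

        // Step 5: write the keystore back (take a backup copy first, as the thread advises).
        try (FileOutputStream out = new FileOutputStream(ksPath)) { ks.store(out, pw); }
    }
}
```

Because the alias is kept, server.xml needs no change beyond the keystorePass attribute Dave mentions; the "alias already exists" error never arises because setKeyEntry replaces rather than adds.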

