tomcat-users mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: SSL/Verisign Confusion
Date Tue, 09 Sep 2003 04:10:04 GMT

"Dave Wood" <dave@woodtopia.org> wrote in message
news:EBEBKKMEAECJFOHFOLHLEEOPCIAA.dave@woodtopia.org...
> I believe a Verisign certificate alone is $600 for a year.  You can get
> certificates much cheaper, but there are issues with some older browsers
> not recognizing the CA (so your users would get a message stating that the
> certificate may not be legit).
>
> openssl is not an alternative to VeriSign.  openssl is software, Verisign
> is a company that provides certificates (though apparently, you can use
> openssl to create certificates yourself if you don't care at all about them
> being legit (for an intranet, for example?)).  There are (much) cheaper
> alternatives to VeriSign.  Check out freessl.com, for example (not free,
> but $35.00 isn't bad).

Agreed.  VeriSign can charge what they do because all browsers (including at
least Sun's implementation of JSSE) ship with VeriSign's CA cert as trusted.
I just use my openssl CA for development boxes or small departmental servers
(where I can tell everyone that will ever use it how to trust my CA cert).

>
> Also, see http://www.whichssl.org for more good info on the subject.
>
> -dave
>
> -----Original Message-----
> From: Adam Hardy [mailto:ahardy.struts@cyberspaceroad.com]
> Sent: Sunday, September 07, 2003 3:43 AM
> To: Tomcat Users List
> Subject: Re: SSL/Verisign Confusion
>
>
> Hi Dave,
> how much does it cost at Verisign, and how long is it valid for? And is
> this 'openssl' you mentioned a free alternative?
>
> Adam
>
> On 09/06/2003 03:21 PM Dave Wood wrote:
> > FINALLY!
> >
> > I still don't know what I did wrong in the first place, but after
> > starting over with VeriSign, all is well now.  I thought I'd share the
> > (simple!) steps I took to get SSL running using keytool/tomcat in case
> > anyone else might find this useful:
> >
> > # keytool -genkey -alias tomcat -keyalg RSA
> > [enter a password and all necessary information, then just <enter> at
> > next password prompt]
> > # cp ~/.keystore ~/.keystore-backup
> > # keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
> > [enter same password]
> > [give contents of certreq.csr to VeriSign and wait for response...]
> > [NOTE: when asked to select my server software, I chose "apache" since
> > they didn't have Tomcat in their list...I don't know if this matters, but
> > it worked]
> > # keytool -import -trustcacerts -file intermediate.crt -alias root
> > [enter same password]
> > [NOTE: intermediate.crt is the file found here:
> > http://www.verisign.com/support/install/intermediate.html]
> > # keytool -import -trustcacerts -file public.crt -alias tomcat
> > [enter same password]
> > [where public.crt is the certificate sent from VeriSign after they
> > complete their approval process]
> > [finally, edit ...tomcat/conf/server.xml and enable the SSL connector
> > section, adding keystorePass="[password]"
> > as an attribute to the Factory tag]
> >
> > Hope this helps.
> >
> > Thanks to all who provided suggestions along the way.
> >
> > Dave
> >
> > -----Original Message-----
> > From: Dave Wood [mailto:dave@woodtopia.org]
> > Sent: Friday, September 05, 2003 11:40 AM
> > To: Tomcat Users List
> > Subject: RE: SSL/Verisign Confusion
> >
> >
> > Well, after all this, I just discovered that VeriSign will basically let
> > you start over if it's within 30 days (which it is).  So, for now, I'm
> > going down this path.  Just talked to someone at V/S who said it would
> > take just a couple hours.
> >
> > Oh, and I made a BACKUP of my new keystore file this time that now
> > contains a single "keyEntry" with the alias "tomcat".  I try to avoid
> > being stupid in the same way more than once! :)
> >
> > As for the programmatic approach, FWIW, I started down that path as
> > well, but somehow I had no private key entry in the keystore (best I can
> > tell).  Still not sure how I got in that messed up state.
> >
> > Thanks,
> > Dave
> >
> > -----Original Message-----
> > From: Christopher Williams [mailto:ccwilliams3@ntlworld.com]
> > Sent: Friday, September 05, 2003 9:43 AM
> > To: Tomcat Users List
> > Subject: Re: SSL/Verisign Confusion
> >
> >
> > Have you thought of manipulating the keystore programmatically?  Here's
> > what you'd do:
> >
> > 1. Open your existing keystore
> > 2. Find the entry with your private key and (presumably) a temporary
> > self-signed certificate.
> > 3. Open the certificate you got from Verisign.
> > 4. Change the certificate in your key entry to your Verisign
> > certificate.
> > 5. Save and close the keystore.
> >
> > OpenSSL doesn't understand most of the Java keystore formats, although
> > it can manipulate PKCS#12 files which Keytool can handle.  If you
> > download the BouncyCastle crypto provider, then you can use keytool to
> > write PKCS#12 files as well.
> >
> > Also, if the person who originally posted the question doesn't feel up
> > to monkeying around with the Keystore classes, I have some code that I
> > can adapt to stick your Verisign certificate in your keystore.  Get in
> > touch with me personally and I'll see what I can do.
> >
> > ----- Original Message -----
> > From: "Jay Garala" <jay@electrosoft-inc.com>
> > To: "'Tomcat Users List'" <tomcat-user@jakarta.apache.org>
> > Sent: Friday, September 05, 2003 3:36 PM
> > Subject: RE: SSL/Verisign Confusion
> >
> >
> > NOTE: You cannot export private key from keystore.
> >
> > -----Original Message-----
> > From: Dave Wood [mailto:dave@woodtopia.org]
> > Sent: Friday, September 05, 2003 10:32 AM
> > To: Tomcat Users List
> > Subject: RE: SSL/Verisign Confusion
> >
> > Thanks.  With the exception of the openssl doc, I've been over these
> > quite a bit.  The result is the problem I've mentioned where keytool
> > says it can't import my certificate because the alias already exists.
> >
> > After some help I got last night, I think the question boils down to
> > this:
> >
> > * once I have extracted my private key from keytool (haven't done this
> > yet), how do I take that key, the VeriSign intermediate certificate and
> > my public key certificate and get them to play together.  I'm hoping the
> > openssl stuff will take care of this, because keytool doesn't really seem
> > to recognize private keys as things that you can work with directly.
> >
> > Thanks again,
> > Dave
> >
> > -----Original Message-----
> > From: Jay Garala [mailto:jay@electrosoft-inc.com]
> > Sent: Friday, September 05, 2003 7:12 AM
> > To: 'Tomcat Users List'
> > Subject: RE: SSL/Verisign Confusion
> >
> >
> > Try the Java keytool help:
> >  http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
> >
> > Tomcat how-to:
> >  http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html
> >
> > If you have OpenSSL:
> >  http://forum.java.sun.com/thread.jsp?forum=2&thread=4240
> >
> > Jay
> > -----Original Message-----
> > From: Dave Wood [mailto:dave@woodtopia.org]
> > Sent: Friday, September 05, 2003 1:04 AM
> > To: Tomcat Users List
> > Subject: RE: SSL/Verisign Confusion
> >
> > Thanks Bill.  I think this highlights something I'm really not
> > understanding...
> >
> > Didn't I generate an important "private key" somewhere along the line
> > that I can't just regenerate if I blow away my keystore?  I assumed the
> > certificate I got back from verisign would only work if I still had the
> > original private key I generated before sending them my request.  Is
> > that wrong?
> >
> > (I'll take a look at the link you sent...at first glance, it looks a
> > little hard to follow, but hopefully not).
> >
> > Thanks again.
> >
> > Dave
> >
> > -----Original Message-----
> > From: news [mailto:news@sea.gmane.org]On Behalf Of Bill Barker
> > Sent: Thursday, September 04, 2003 11:06 PM
> > To: tomcat-user@jakarta.apache.org
> > Subject: Re: SSL/Verisign Confusion
> >
> >
> > Firstly, it looks like you should wipe your keystore and start again.
> > To use a VS cert with Tomcat, the two options I know are:
> > 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm.
> > 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file,
> > and use that as your keystore (remember to set 'keystoreType="pkcs12"'
> > on the Factory in server.xml).
> >
> >
> > "Dave Wood" <dave@woodtopia.org> wrote in message
> > news:EBEBKKMEAECJFOHFOLHLIELKCIAA.dave@woodtopia.org...
> >
> >>I'm having a problem getting an SSL certificate from Verisign working
> >>correctly.  I'm going to include everything I can think of that MIGHT be
> >>a problem.  Unfortunately, there are a couple things I can't quite
> >>remember for certain.  Here's the situation:
> >>
> >>1. I generated the initial key using an alias other than "tomcat" (we'll
> >>call it "company")
> >>2. I generated the CSR and sent it to verisign.  I still have this file.
> >>3. Verisign changed the company name during the verification process
> >>(from an acronym to the full spelling of the name)
> >>4. I now have the certificate that they sent back after the validation
> >>process.
> >>5. One thing I can't account for is why when I see this:
> >>
> >>$ keytool -list
> >>
> >>Keystore type: jks
> >>Keystore provider: SUN
> >>
> >>Your keystore contains 4 entries: (...others removed...)
> >>
> >>company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry,
> >>Certificate fingerprint (MD5):
> >>00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't
> >>really 0's)
> >>
> >>...I think I must have self-signed or something (I was doing a couple of
> >>these things and don't recall exactly), but I'm surprised to see
> >>"trustedCertEntry" here.
> >>
> >>The problem I'm having is this:
> >>
> >>$ keytool -import -trustcacerts -alias company -file public.crt
> >>Enter keystore password: xxx
> >>keytool error: java.lang.Exception: Certificate not imported, alias
> >><company> already exists
> >>
> >>(but I'm thinking it should be REPLACING this entry, so the fact that it
> >>exists shouldn't be a problem???)
> >>
> >>So, I have several questions:
> >>
> >>1. Am I hosed completely because I didn't use "tomcat" as the alias?
> >>2. How does the private key get stored exactly?  I assume that if I
> >>delete the current entry for the "company" alias, I'll be losing the
> >>private key, right?
> >>3. Can someone provide steps I should take to get this working given
> >>what I have said above.
> >>
> >>Thanks so much in advance.  Sorry to be so long-winded.
> >>
> >>-Dave
> >>---
> >>Outgoing mail is certified Virus Free.
> >>Checked by AVG anti-virus system (http://www.grisoft.com).
> >>Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
> --
> struts 1.1 + tomcat 4.1.27 + java 1.4.2
> Linux 2.4.20 RH9
>
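The programmatic route Christopher outlines above (open the keystore, find the key entry, swap its self-signed certificate for the CA reply plus intermediate, save), written out as an added example; this is not code from the thread, from Tomcat, or from Christopher. It assumes the keystore at ~/.keystore, the alias "tomcat" and the files public.crt and intermediate.crt used in Dave's steps, and it answers Dave's question about the private key by refusing to proceed when the alias is only a trustedCertEntry (no private key, which is what produces his "alias already exists" error) or when the CA reply does not certify the public key belonging to the stored private key.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

// Hypothetical helper (not from the thread): replace the self-signed cert on a
// key entry with the CA-issued cert plus intermediate, checking it matches the key.
public class InstallCaReply {
    static X509Certificate readCert(String path) throws Exception {
        try (FileInputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed paths/alias, following the names used in the thread.
        String keystorePath = System.getProperty("user.home") + "/.keystore";
        String alias = "tomcat";
        char[] password = System.console().readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        // A trustedCertEntry holds no private key; a CA reply imported onto one
        // is what yields "alias already exists". Refuse instead of clobbering.
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException(alias + " is not a key entry (no private key)");
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, password);
        X509Certificate server = readCert("public.crt");          // cert returned by the CA
        X509Certificate intermediate = readCert("intermediate.crt");
        // The reply is only usable if it certifies the public key of THIS private key.
        byte[] inKeystore = ks.getCertificate(alias).getPublicKey().getEncoded();
        if (!Arrays.equals(server.getPublicKey().getEncoded(), inKeystore)) {
            throw new IllegalStateException("CA reply does not match key pair under " + alias);
        }
        server.verify(intermediate.getPublicKey()); // throws unless intermediate issued it
        ks.setKeyEntry(alias, key, password, new Certificate[] { server, intermediate });
        try (FileOutputStream out = new FileOutputStream(keystorePath)) {
            ks.store(out, password);
        }
    }
}
```

Back up the keystore before running it, as Dave did with ~/.keystore-backup, since ks.store overwrites the file in place.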