tomcat-users mailing list archives

From Oliver Wulff <oliver.wu...@zurich.ch>
Subject Reply: RE: SSL, keystore with ca hierarchy
Date Sat, 24 Jan 2004 20:27:21 GMT




I can't do steps 1 and 2 because the certificate and private key have already been
created with openssl.
The file TestServer_APU.pem contains the private key and certificate in
PEM format.
Should that work as well?

Does cacerts have to be located in %JAVA_HOME%\jre\lib\security\cacerts,
or can I place it anywhere else?



"Mark Thomas" <markt@apache.org>
24.01.2004 19:18
Please reply to "Tomcat Users List"

To:      "'Tomcat Users List'" <tomcat-user@jakarta.apache.org>
Cc:
Subject: RE: SSL, keystore with ca hierarchy




I have successfully used a server signed cert with tomcat.

The step-by-step guide is quite lengthy. I'll give you the edited
highlights; please follow up if you have any more questions.

1. Create a key in .keystore with alias tomcat
2. Generate a signing request and send it to the CA
3. Receive the signed key (cert) and the CA cert
4. Import the root cert into cacerts
5. Import the CA cert into cacerts (%JAVA_HOME%\jre\lib\security\cacerts)
6. Import the tomcat cert into .keystore, with the -trustcacerts option and alias
tomcat

From your post it looks like you have imported the root cert and the CA
cert into .keystore rather than the cacerts file.

Mark
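Mark's steps start from a key generated with keytool, while the key and certificate in this thread already exist as an openssl PEM file. The script below is an added example, not code from either poster: it builds the Tomcat keystore from such a PEM file with openssl's PKCS#12 export (alias tomcat, full chain) and checks it before start-up, while steps 4 and 5 (trust anchors into cacerts with keytool -import) stay as Mark describes. The demo CA hierarchy, file names and password are constructed, and the resulting store assumes Tomcat's Factory is given keystoreType="PKCS12" with a keystorePass equal to the export password.

```shell
#!/bin/sh
# Added example (not from the thread): build a Tomcat keystore from an existing
# openssl-made PEM key+cert (the TestServer_APU.pem case) and check it before
# start-up. File names, password and the demo CA hierarchy are constructed here.
set -eu
WORK=${WORK:-$(mktemp -d)}
STOREPASS=${STOREPASS:-changeit}   # must equal keystorePass in server.xml
mkcert() {  # $1 name, $2 subject, $3 extension file, rest = signer args for x509
  name=$1; subj=$2; ext=$3; shift 3
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -days 30 -extfile "$ext" \
    -out "$WORK/$name.pem" "$@" 2>/dev/null
}

# Constructed hierarchy standing in for CA_Root_APU.pem, CA_Server_APU.pem and
# the openssl-issued server certificate: self-signed root -> server_ca -> tomcat.
make_demo_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:localhost\n' > "$WORK/leaf.ext"
  mkcert root /CN=Demo-Root "$WORK/ca.ext" -signkey "$WORK/root.key"
  mkcert server_ca /CN=Demo-Server-CA "$WORK/ca.ext" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial
  mkcert tomcat /CN=localhost "$WORK/leaf.ext" \
    -CA "$WORK/server_ca.pem" -CAkey "$WORK/server_ca.key" -CAcreateserial
  cat "$WORK/tomcat.key" "$WORK/tomcat.pem" > "$WORK/TestServer_APU.pem"  # key+cert in one PEM
}

# Steps 1-2 skipped (key exists); steps 3 and 6 become one PKCS#12 export under
# alias "tomcat". Tomcat needs keystoreType="PKCS12"; old JDKs need -legacy too.
build_keystore() {
  cat "$WORK/server_ca.pem" "$WORK/root.pem" > "$WORK/chain.pem"
  openssl pkcs12 -export -name tomcat -in "$WORK/TestServer_APU.pem" \
    -certfile "$WORK/chain.pem" -passout "pass:$STOREPASS" -out "$WORK/tomcat.p12"
}

# Pre-start check: the store opens with the configured password (the thread's
# -storepass icebeer vs keystorePass="123456" would fail here), holds a private
# key (not just trusted certs) and the leaf cert chains to a root in the store.
keystore_check() {  # $1 = PKCS#12 file, $2 = password; prints "ok" or the failure
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null \
    || { echo 'fail: wrong password or not a PKCS#12 store'; return 1; }
  openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -nocerts 2>/dev/null | grep -q 'PRIVATE KEY' \
    || { echo 'fail: no private key entry, only trusted certs'; return 1; }
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$WORK/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out "$WORK/cas.pem" 2>/dev/null
  openssl verify -CAfile "$WORK/cas.pem" "$WORK/leaf.pem" >/dev/null 2>&1 \
    || { echo 'fail: chain incomplete, CA certs missing from the store'; return 1; }
  echo ok
}
```

Run `make_demo_chain; build_keystore; keystore_check "$WORK/tomcat.p12" "$STOREPASS"` to exercise it; a store holding only the imported CA certs, which is what Mark diagnoses above, is reported as having no private key entry.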

> -----Original Message-----
> From: Oliver Wulff [mailto:oliver.wulff@zurich.ch]
> Sent: Saturday, January 24, 2004 2:25 PM
> To: tomcat-user@jakarta.apache.org
> Subject: SSL, keystore with ca hierarchy
>
> I've created the following keystore for Tomcat 4.1.18:
> SET KEYSTORE_FILE=.\.keystore
>
> keytool -import -keystore %KEYSTORE_FILE% -storepass icebeer -alias root -trustcacerts -file CA_Root_APU.pem
> keytool -import -keystore %KEYSTORE_FILE% -storepass icebeer -alias server_ca -trustcacerts -file CA_Server_APU.pem
> keytool -import -keystore %KEYSTORE_FILE% -storepass icebeer -alias tomcat -trustcacerts -file
>
> The root CA is self-signed. The Tomcat certificate is signed by server_ca,
> which is issued by the root CA. The password for the keystore and the
> Tomcat certificate are identical. Further, I've configured the server.xml
> accordingly:
> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>            port="9443" minProcessors="5" maxProcessors="75"
>            enableLookups="true"
>            acceptCount="100" debug="0" scheme="https" secure="true"
>            useURIValidationHack="false" disableUploadTimeout="true">
>   <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>            clientAuth="false" protocol="TLS"
>            keystoreFile="certs/.keystore"
>            keystorePass="123456" />
> </Connector>
>
> Tomcat starts with no problems:
> 24.01.2004 15:10:41 org.apache.coyote.http11.Http11Protocol start
> INFO: Starting Coyote HTTP/1.1 on port 9080
> 24.01.2004 15:10:41 org.apache.coyote.http11.Http11Protocol start
> INFO: Starting Coyote HTTP/1.1 on port 9443
>
> But I get the error "The Page Cannot Be Displayed" when I try
> to access the
> index.html.
>
> When I create the certificates in the following way it does work:
> keytool -genkey -storepass 123456 -alias tomcat -keyalg RSA -keystore .\dummy.keystore
> keytool -rfc -storepass 123456 -export -alias tomcat -keystore .\dummy.keystore -file dummy.tomcat.pem
>
> Does Tomcat not support certificates with a ca hierarchy?
>
> -oliver
>
> ******************* PLEASE NOTE *******************
> This message (as well as any attachments to it) may contain confidential
> or legally protected data or information. It is intended exclusively for
> the named person(s). If you have received this message in error, you are
> kindly asked to destroy it without making any reproduction and to notify
> the sender immediately. Thank you for your help.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>


