tomcat-users mailing list archives

From "Chris Purcell" <>
Subject Re: converting a certificate for use on Tomcat
Date Wed, 26 May 2004 13:50:24 GMT
Dennis, that worked, thanks a lot:)  I used the .pfx file that I already
had and just appended 3 lines to the end of my SSL connector.

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 443 -->

    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="443" minProcessors="5" maxProcessors="75"
               acceptCount="100" debug="0" scheme="https" secure="true"
               useURIValidationHack="false" disableUploadTimeout="true">
               clientAuth="false" protocol="TLS"


Dennis Dai said:
> Sorry I was wrong (it's been a while ...). You don't really need to
> import the pkcs12 format certificate into a keystore; the .pfx you
> generated earlier *is* the keystore in pkcs12 format.
> Now you only need to configure tomcat to recognize the keystore. See
> for details. Specifically, you will need to add a keystoreType="PKCS12"
> attribute in your SSL Connector, among a whole bunch of others.
> On 5/25/2004 1:21 PM, Chris Purcell wrote:
>> I want to make sure we're on the same page here.  I have a certificate
>> that looks like this...
>> blablablabla
>> /WeCY0ZzyRYuHhQYIm3R+A==
>> -----END CERTIFICATE-----
>> I copied it to a plain text file called domain.cert and then ran this
>> command and received the error below...
>> root@surge root# /usr/java/bin/keytool -import -file domain.cert -storetype pkcs12
>> keytool error: DerInputStream.getLength(): lengthTag=109, too big.
>> Am I doing this right?
>> Thanks,
>> Chris
>>> I saw your original post but forgot to reply ...
>>> You can use keytool to import the certificate using a pkcs12
>>> certificate store (add a '-storetype pkcs12' to keytool's
>>> arguments), which is supported by tomcat.
>>> Also, if your certificate is signed by an intermediate CA (meaning
>>> more than 2 certs on the chain), you will have to give each cert an
>>> alias name when you export it from openssl, otherwise the keytool
>>> won't recognize the chain. This really took me a while to figure out ...
>>> HTH,
>>> Dennis
>>> On 5/25/2004 12:30 PM, Chris Purcell wrote:
>>>> Thanks for the link Jim, I'm just getting around to this certificate
>>>> now, I got swamped with some extra work that I had to complete
>>>> first. I looked at the link you sent, but there is a small problem,
>>>> I don't know anything about Java:)  What do I do with the source
>>>> code given on the page?  Should I copy it into a text file and run
>>>> it with the java command?  The only programming language I'm
>>>> familiar with is Perl.
>>>> Thanks,
>>>> Chris
>>>>> Hi Chris-
>>>>> I had to do this myself a month ago.
>>>>> You can't use Sun's keytool to import private keys into keystores.
>>>>> You'll need to use something else to load the private key and
>>>>> corresponding cert into a keystore which Tomcat can then read.
>>>>> See the program and notes at
>>>>> - it will explain how to use openssl to convert an existing private
>>>>> key and cert into a format that can then be loaded (using source code
>>>>> they provide) into a Java JKS keystore.
>>>>> Let me know if you need more details.
>>>>> -Jim
>>>>> Chris Purcell wrote:
>>>>>> I have an Apache server with an SSL certificate installed from a
>>>>>> CA. It's just a plain text certificate that looks like this..
>>>>>> -----BEGIN CERTIFICATE-----
>>>>>> blablablba
>>>>>> /WeCY0ZzyRYuHhQYIm3R+A==
>>>>>> -----END CERTIFICATE-----
>>>>>> I want to move this certificate to a new server that only runs
>>>>>> Tomcat in standalone mode. I tried to convert it like this
>>>>>> (below) but am getting an error...
>>>>>> root@surge cert# openssl pkcs12 -export -inkey host-privkey.pem -in server.cert -out
>>>>>> root@surge cert# /usr/java/bin/keytool -import -file
>>>>>> Enter keystore password: changeit
>>>>>> keytool error: java.lang.Exception: Input not an X.509 certificate
>>>>>> Am I doing something wrong here?
>>>>>> Thanks,
>>>>>> Chris
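The procedure the thread arrives at (openssl builds the PKCS12, Tomcat reads it directly, each certificate in the chain gets its own alias), written out as a runnable shell script. This is an added example, not code from Chris, Dennis or Jim and not part of Tomcat; it generates a throwaway root/intermediate/server chain so it runs offline, and the file names, subjects, the "tomcat" and "intermediate" aliases and the "changeit" password are all assumptions. In real use you already have host-privkey.pem, server.cert and the CA's intermediate certificate and would skip make_test_chain.

```shell
#!/bin/sh
# Added example (not code from the thread): build the PKCS12 keystore Tomcat can
# read directly, from a PEM private key, the CA-issued server cert and an
# intermediate CA cert, giving every certificate its own alias. All file names,
# subjects, aliases and the "changeit" password are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed throwaway PKI (root -> intermediate -> server) so this runs offline.
make_test_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" \
        -subj "/CN=Example Test Root" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" \
        -subj "/CN=Example Test Intermediate" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/intermediate.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ca.ext" -out "$WORK/intermediate.pem" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:tomcat.example.test\n' > "$WORK/srv.ext"
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/host-privkey.pem" -out "$WORK/server.csr" \
        -subj "/CN=tomcat.example.test" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/intermediate.pem" -CAkey "$WORK/intermediate.key" -CAcreateserial \
        -extfile "$WORK/srv.ext" -out "$WORK/server.cert" 2>/dev/null
}

# The conversion itself. -name is the alias of the key+cert entry (Tomcat looks
# for "tomcat" by default); -certfile adds the intermediate and -caname gives it
# an alias, so the chain is recognised instead of being an anonymous extra cert.
make_pkcs12_keystore() {
    openssl pkcs12 -export \
        -inkey "$WORK/host-privkey.pem" -in "$WORK/server.cert" \
        -certfile "$WORK/intermediate.pem" \
        -name tomcat -caname intermediate \
        -passout pass:changeit \
        -out "$WORK/keystore.pfx"
}

# Check 1: the .pfx carries both certificates (server + intermediate). Prints the count.
count_certs_in_pkcs12() {
    openssl pkcs12 -in "$WORK/keystore.pfx" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Check 2: the .pfx also holds the private key (exit 0 if so).
has_private_key() {
    openssl pkcs12 -in "$WORK/keystore.pfx" -passin pass:changeit -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Check 3: what the thread first tried ("keytool -import -file keystore.pfx")
# fails with "Input not an X.509 certificate" because -file wants a bare cert.
# The .pfx is already a keystore, so open it with -storetype pkcs12 instead.
# Skipped (exit 0) when no keytool is installed.
list_with_keytool() {
    command -v keytool >/dev/null 2>&1 || return 0
    keytool -list -storetype pkcs12 -keystore "$WORK/keystore.pfx" -storepass changeit
}

make_test_chain
make_pkcs12_keystore
echo "certificates in $WORK/keystore.pfx: $(count_certs_in_pkcs12)"
list_with_keytool
```

Once the .pfx checks out, the connector needs to be pointed at it: on a Tomcat 4 Coyote connector that is the keystoreFile attribute (path to the .pfx), keystorePass (the export password) and the keystoreType="PKCS12" attribute Dennis names, which is the set of three lines Chris reports appending.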
