tomcat-users mailing list archives

From "Chris Purcell" <li...@cjp.us>
Subject Re: converting a certificate for use on Tomcat
Date Wed, 26 May 2004 13:50:24 GMT
Dennis, that worked, thanks a lot:)  I used the .pfx file that I already
had and just appended 3 lines to the end of my SSL connector.

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 443 -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               useURIValidationHack="false" disableUploadTimeout="true">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="false" protocol="TLS"
               keystoreType="PKCS12"
               keystoreFile="/root/host.foo.org.pfx"
               keystorePass="mypassword"/>
    </Connector>


Chris

Dennis Dai said:
> Sorry I was wrong (it's been a while ...). You don't really need to
> import the pkcs12 format certificate into a keystore, the .pfx you
> generated earlier *is* the keystore in pkcs12 format.
>
> Now you only need to configure tomcat to recognize the keystore. See
> http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html for
> details. Specifically, you will need to add keystoreType="PKCS12"
> attribute in your SSL Connector among a whole bunch of others.
>
> On 5/25/2004 1:21 PM, Chris Purcell wrote:
>
>> I want to make sure we're on the same page here.  I have a certificate
>> that looks like this...
>>
>> -----BEGIN CERTIFICATE-----
>> MIID/DCCAuSgAwIBAgIEAIXW1jANBgkqhkiG9w0BAQQFADCBozELMAkGA1UEBhMC
>> blablablabla
>> /WeCY0ZzyRYuHhQYIm3R+A==
>> -----END CERTIFICATE-----
>>
>> I copied it to a plain text file called domain.cert and then ran this
>> command and received this below error...
>>
>> root@surge root# /usr/java/bin/keytool -import -file domain.cert -storetype pkcs12
>> keytool error: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
>>
>> Am I doing this right?
>>
>> Thanks,
>> Chris
>>
>>
>>> I saw your original post but forgot to reply ...
>>>
>>> You can use keytool to import the certificate using pkcs12
>>> certificate store (add a '-storetype pkcs12' to keytool's
>>> arguments), which is supported by tomcat.
>>>
>>> Also, if your certificate is signed by an intermediate CA (meaning
>>> more than 2 certs on the chain), you will have to give each cert an
>>> alias name when you export it from openssl, otherwise the keytool
>>> won't recognize the chain. This really took me a while to figure out
>>> ...
>>>
>>> HTH,
>>>
>>> Dennis
>>>
>>> On 5/25/2004 12:30 PM, Chris Purcell wrote:
>>>> Thanks for the link Jim, I'm just getting around to this certificate
>>>> now, I got swamped with some extra work that I had to complete
>>>> first. I looked at the link you sent, but there is a small problem,
>>>> I don't know anything about Java:)  What do I do with the source
>>>> code given on the page?  Should I copy it into a text file and run
>>>> it with the java command?  The only programming language I'm
>>>> familiar with is Perl.
>>>>
>>>> Thanks,
>>>> Chris
>>>>
>>>>
>>>>
>>>>> Hi Chris-
>>>>>
>>>>> I had to do this myself a month ago.
>>>>>
>>>>> You can't use Sun's keytool to import private keys into keystores.
>>>>> You'll need to use something else to load the private key and
>>>>> corresponding cert into a keystore which Tomcat can then read.
>>>>>
>>>>> See the program and notes at http://www.comu.de/docs/tomcat_ssl.htm
>>>>> - it will explain how to use openssl to convert an existing private
>>>>> key and cert into a format that can then be loaded (using source
>>>>> code they provide) into a Java JKS keystore.
>>>>>
>>>>> Let me know if you need more details.
>>>>>
>>>>> -Jim
>>>>>
>>>>> Chris Purcell wrote:
>>>>>
>>>>>> I have an Apache server with an SSL certificate installed from a
>>>>>> CA. It's just a plain text certificate that looks like this...
>>>>>>
>>>>>> -----BEGIN CERTIFICATE-----
>>>>>> MIID/DCCAuSgAwIBAgIEAIXW1jANBgkqhkiG9w0BAQQFADCBozELMAkGA1UEBhMC
>>>>>> blablablba
>>>>>> /WeCY0ZzyRYuHhQYIm3R+A==
>>>>>> -----END CERTIFICATE-----
>>>>>>
>>>>>> I want to move this certificate to a new server that only runs
>>>>>> Tomcat in standalone mode.   I tried to convert it like this
>>>>>> (below) but am getting an error...
>>>>>>
>>>>>> root@surge cert# openssl pkcs12 -export -inkey host-privkey.pem -in server.cert -out host.foo.org.pfx
>>>>>> root@surge cert# /usr/java/bin/keytool -import -file host.foo.org.pfx
>>>>>> Enter keystore password:  changeit
>>>>>> keytool error: java.lang.Exception: Input not an X.509 certificate
>>>>>>
>>>>>> Am I doing something wrong here?
>>>>>>
>>>>>> Thanks,
>>>>>> Chris
>>>>>>

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
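As an added example (not code posted by Chris, Dennis or Jim), the script below does end to end what the thread converges on: a PEM private key and its CA-issued certificate, plus any intermediate chain, go into one PKCS12 file with openssl, and Tomcat reads that file directly with keystoreType="PKCS12", with no keytool import step. It follows Dennis's point about intermediate CAs by giving every chain certificate an alias (-name for the key entry, one -caname per chain certificate), and it checks the result so a silently dropped chain or a mismatched key is caught before the file reaches server.xml. It assumes the openssl command line tool. The file names host-privkey.pem, server.cert and host.foo.org.pfx follow Chris's commands; the root and intermediate CA, the server key and certificate, the aliases tomcat, intermediate and root, and the password changeit are constructed test material chosen for the example so it runs offline. With a real certificate you skip make_test_chain and point the variables at your own files.

```shell
#!/bin/sh
# Added example for the tomcat-user thread, not code from any of the posters.
# Converts key + certificate (+ chain) in PEM into a PKCS12 keystore for Tomcat
# and verifies the bundle. Test material is generated here (constructed).
set -eu

WORK="${WORK:-$(mktemp -d)}"
ROOT_CA="$WORK/root.pem"
INTERMEDIATE="$WORK/int.pem"
SERVER_KEY="$WORK/host-privkey.pem"     # file names follow the thread
SERVER_CERT="$WORK/server.cert"
CHAIN="$WORK/chain.pem"
PFX="$WORK/host.foo.org.pfx"
PFX_PASS="changeit"                      # example-only password

# Constructed test chain: Test Root CA -> Test Intermediate CA -> host.foo.org.
# Our own minimal config avoids depending on the system openssl.cnf defaults.
make_test_chain() {
  cat > "$WORK/test.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
subjectAltName = DNS:host.foo.org
EOF
  openssl req -x509 -config "$WORK/test.cnf" -newkey rsa:2048 -nodes -days 2 \
    -keyout "$WORK/root.key" -out "$ROOT_CA" -subj "/CN=Test Root CA" >/dev/null 2>&1
  openssl req -config "$WORK/test.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" -subj "/CN=Test Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$ROOT_CA" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/test.cnf" -extensions v3_ca -out "$INTERMEDIATE" >/dev/null 2>&1
  openssl req -config "$WORK/test.cnf" -newkey rsa:2048 -nodes \
    -keyout "$SERVER_KEY" -out "$WORK/server.csr" -subj "/CN=host.foo.org" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/server.csr" -CA "$INTERMEDIATE" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/test.cnf" -extensions v3_server -out "$SERVER_CERT" >/dev/null 2>&1
  # Chain file in the order a server presents it: intermediate first, then root.
  cat "$INTERMEDIATE" "$ROOT_CA" > "$CHAIN"
}

# Refuse to package a key that does not belong to the certificate, or a chain
# that does not verify: both give a keystore Tomcat loads but browsers reject.
check_inputs() {
  key_mod=$(openssl rsa -in "$SERVER_KEY" -noout -modulus)
  cert_mod=$(openssl x509 -in "$SERVER_CERT" -noout -modulus)
  [ "$key_mod" = "$cert_mod" ] || { echo "private key does not match certificate" >&2; return 1; }
  openssl verify -CAfile "$ROOT_CA" -untrusted "$CHAIN" "$SERVER_CERT" >/dev/null
}

# Build the PKCS12 bundle. -name aliases the key+certificate entry; -caname is
# given once per chain certificate, in chain order, so each chain entry has a
# friendlyName (Dennis's point: unnamed chain entries are where the chain is lost).
build_pkcs12() {
  openssl pkcs12 -export -inkey "$SERVER_KEY" -in "$SERVER_CERT" -certfile "$CHAIN" \
    -name tomcat -caname intermediate -caname root \
    -passout "pass:$PFX_PASS" -out "$PFX"
  chmod 600 "$PFX"     # the bundle holds the private key: owner-readable only
}

# Inspection helpers used to confirm what actually ended up in the bundle.
count_certs() {          # expected: 1 server certificate + 2 chain certificates
  openssl pkcs12 -in "$PFX" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
count_named_entries() {  # one friendlyName per certificate entry
  openssl pkcs12 -in "$PFX" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null | grep -c 'friendlyName'
}
has_private_key() {
  openssl pkcs12 -in "$PFX" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

main() {
  make_test_chain
  check_inputs
  build_pkcs12
  echo "wrote $PFX: $(count_certs) certificates, $(count_named_entries) named entries"
  echo "Connector attributes: keystoreType=\"PKCS12\" keystoreFile=\"$PFX\" keystorePass=\"...\""
}
main
```

Two points worth knowing when using this for real. OpenSSL 3 writes the bundle with AES and PBKDF2 by default; if an older Java refuses to open it, add -legacy to the export command to get the older RC2/3DES encoding. And because keystorePass sits in server.xml in clear text (as in Chris's connector), restrict read permission on server.xml as well as on the .pfx file. The "Input not an X.509 certificate" error in the thread is keytool -import being handed a PKCS12 bundle where it expects a bare certificate; the bundle is already the keystore, so no import is needed.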
