tomcat-users mailing list archives

From Dennis Dai
Subject Re: tomcat problems with SSL / PKCS12
Date Wed, 22 Sep 2004 00:08:55 GMT
Ok here's the deal with openssl. I'm using OpenSSL 0.9.7d and J2SE 
1.4.2_05. Assuming:

* server.key - your certificate's private key
* server.crt - your certificate
* inter.crt - the intermediate CA that signed your certificate
* root.crt - the root CA that signed the intermediate CA

First, concatenate the CA certs, making sure the intermediate CA goes first:

$ cat inter.crt root.crt > chain.crt

Next, export the pkcs12 file:

$ openssl pkcs12 -export -chain -inkey server.key -in server.crt\
   -name "server" -CAfile chain.crt -out server.p12

When prompted for the export password, enter something and don't leave it empty.

Now, use keytool to verify:

$ keytool -list -v -storetype pkcs12 -keystore server.p12

Enter the export password for the keystore password. Then you should see 
a line like this from the output:

Certificate chain length: 3

Then you're done!



On 9/21/2004 4:37 PM, Dennis Dai wrote:

> Hi Kallen,
> I was able to export a p12 cert with complete chain half a year ago, but 
> I couldn't reproduce it now. However, I found this:
> Maybe you can try it out while I continue playing with openssl ...
> Dennis
> On 9/21/2004 3:29 PM, wrote:
>> hi. i'm having difficulty getting tomcat to work with SSL. i'm hoping to
>> succeed with this, and not end up using apache+SSL in front of tomcat,
>> tho i can. also, i have done much googling, and have tried many of the
>> suggestions, to no avail.
>> i'll limit my problem description to my attempts with using pkcs12, not
>> JKS. the players: linux, tomcat-5.0.27, IBMJava2-141, cert SSL generated
>> with openssl.
>> i generated the CSR for my site with openssl, and got the server cert
>> from verisign. fwiw, the Issuer line from the cert:
>>    Issuer: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, Ref.
>>    LIABILITY LTD .(c)97 VeriSign
>> do i need to include the verisign intermediate cert with this?
>> (i'm not sure, but i'm assuming i do.)
>> then i performed the next step "import an existing certificate signed by
>> your own CA into a PKCS12 keystore using OpenSSL":
>> $ openssl pkcs12 -inkey server.key -in server.crt -certfile \
>>    intermediateCA.crt -export -out certs.p12
>> i do notice tomcat docs say include the "-chain". when i appended
>> "-chain" to the above openssl command, i got the error "Error unable to
>> get local issuer certificate getting chain." so i chose to go without it
>> and try the subsequently generated certs.p12 file. (could lacking
>> "-chain" be my problem?)
>> next i put certs.p12 in tomcat's homedir. here is the relevant
>> server.xml snippet:
>>      <Connector port="443"
>>                 maxThreads="150" minSpareThreads="25"
>>                 maxSpareThreads="75" enableLookups="false"
>>                 disableUploadTimeout="true" acceptCount="100"
>>                 debug="0" scheme="https" secure="true"
>>                 clientAuth="false" keystoreFile="/home/tomcat/certs.p12"
>>                 keystoreType="PKCS12" algorithm="IbmX509" sslProtocol="SSL"/>
>> when i crank up catalina, i get this error:
>> SEVERE: Error initializing endpoint
>> Unable to verify MAC.
>>          at Source)
>>  		at
>>  		at
>> any help out there? fwiw, i've seen tips out there on converting the
>> pkcs12 format into JKS. i'm hoping not to go that route.
>> thanks in advance,
>> kallen

Dennis Dai
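The procedure Dennis gives at the top of this message, as an added shell example that is not part of the thread: it builds a throw-away root / intermediate / server chain with OpenSSL so there is a root to reach, runs the same -chain export first with only the intermediate available (as in kallen's -certfile attempt, where -chain stopped with "unable to get local issuer certificate") and then with chain.crt, and counts the certificates in the result with openssl rather than keytool. The CA names, file names and the export password are constructed for the demo; the -extfile handling assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throw-away root -> intermediate
# -> server chain so there is a root to reach, then repeats the -chain export
# from the thread. Names, subjects and the password are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"
echo 'basicConstraints=critical,CA:TRUE' > ca.ext
echo 'basicConstraints=CA:FALSE' > leaf.ext

# issue_cert NAME SUBJECT EXTFILE [ISSUER]: self-signed when no issuer given
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 \
      -extfile "$3" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" \
      -CAcreateserial -days 2 -extfile "$3" -out "$1.crt" 2>/dev/null
  fi
}

# export_p12 CAFILE OUT: Dennis's export command; fails (non-zero) when
# OpenSSL cannot walk from server.crt up to a self-signed root via CAFILE
export_p12() {
  openssl pkcs12 -export -chain -inkey server.key -in server.crt \
    -name server -CAfile "$1" -passout pass:changeit -out "$2" 2>/dev/null
}

# chain_length P12: certificates stored in the file, i.e. what keytool
# prints as "Certificate chain length"
chain_length() {
  openssl pkcs12 -in "$1" -nokeys -passin pass:changeit 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

issue_cert root   "Demo Root CA" ca.ext
issue_cert inter  "Demo Intermediate CA" ca.ext root
issue_cert server "www.example.test" leaf.ext inter

# Intermediate only, like kallen's -certfile attempt: no path to a trusted
# root, so -chain stops with "unable to get local issuer certificate"
if export_p12 inter.crt bad.p12; then echo "unexpected: chain built"; fi

# Intermediate first, then root, as the reply says: the chain is complete
cat inter.crt root.crt > chain.crt
export_p12 chain.crt server.p12
echo "Certificate chain length: $(chain_length server.p12)"   # 3
```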
