tomcat-users mailing list archives

From Dennis Dai ...@ddai.net>
Subject Re: tomcat problems with SSL / PKCS12
Date Wed, 22 Sep 2004 00:08:55 GMT
Ok here's the deal with openssl. I'm using OpenSSL 0.9.7d and J2SE 
1.4.2_05. Assuming:

* server.key - your certificate's private key
* server.crt - your certificate
* inter.crt - the intermediate CA that signed your certificate
* root.crt - the root CA that signed the intermediate CA

First, concatenate the CA certs, make sure the intermediate CA goes first:

$ cat inter.crt root.crt > chain.crt

Next, export the pkcs12 file:

$ openssl pkcs12 -export -chain -inkey server.key -in server.crt\
   -name "server" -CAfile chain.crt -out server.p12

When prompted for the export password, enter something and don't leave it empty.

Now, use keytool to verify:

$ keytool -list -v -storetype pkcs12 -keystore server.p12

Enter the export password for the keystore password. Then you should see 
a line like this from the output:

....
Certificate chain length: 3
....

Then you're done!

HTH,

Dennis

On 9/21/2004 4:37 PM, Dennis Dai wrote:

> Hi Kallen,
> 
> I was able to export a p12 cert with complete chain half a year ago, but 
> I couldn't reproduce it now. However, I found this:
> 
>    http://sense.bigbrother.net/archives/00000275.html
> 
> Maybe you can try it out while I continue playing with openssl ...
> 
> Dennis
> 
> On 9/21/2004 3:29 PM, kallen@shopping.com wrote:
>> hi. i'm having difficulty getting tomcat to work with SSL. i'm hoping to
>> succeed with this, and not end up using apache+SSL in front of tomcat,
>> tho i can. also, i have done much googling, and have tried many of the
>> suggestions, to no avail.
>> 
>> i'll limit my problem description to my attempts with using pkcs12, not
>> JKS. the players: linux, tomcat-5.0.27, IBMJava2-141, cert SSL generated
>> with openssl.
>> 
>> i generated the CSR for my site with openssl, and got the server cert
>> from verisign. fwiw, the Issuer line from the cert:
>> 
>>    Issuer: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign Interna
>>    tional Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref.
>>    LIABILITY LTD .(c)97 VeriSign
>> 
>> do i need to include the verisign intermediate cert with this?
>> (http://www.verisign.com/support/install/intermediate.html) i'm not
>> sure, but i'm assuming i do.
>> 
>> then i performed the next step "import an existing certificate signed by
>> your own CA into a PKCS12 keystore using OpenSSL":
>> 
>> $ openssl pkcs12 -inkey server.key -in server.crt -certfile \
>>    intermediateCA.crt -export -out certs.p12
>> 
>> i do notice tomcat docs say include the "-chain". when i appended
>> "-chain" to the above openssl command, i got the error "Error unable to
>> get local issuer certificate getting chain." so i chose to go without it
>> and try the subsequently generated certs.p12 file. (could lacking
>> "-chain" be my problem?)
>> 
>> next i put certs.p12 in tomcat's homedir. here is the relevant
>> server.xml snippet:
>> 
>>      <Connector port="443"
>>  		maxThreads="150" minSpareThreads="25"
>>  		maxSpareThreads="75" enableLookups="false"
>>  		disableUploadTimeout="true" acceptCount="100"
>>  		debug="0" scheme="https" secure="true"
>>  		clientAuth="false" keystoreFile="/home/tomcat/certs.p12"
>>  		keystoreType="PKCS12" algorithm="IbmX509" sslProtocol="SSL"/>
>> 
>> when i crank up catalina, i get this error:
>> 
>> SEVERE: Error initializing endpoint
>> java.io.IOException: Unable to verify MAC.
>>          at com.ibm.crypto.provider.PKCS12KeyStore.engineLoad(Unknown Source)
>>  		at java.security.KeyStore.load(KeyStore.java:695)
>>  		at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:278)
>> 
>> any help out there? fwiw, i've seen tips out there on converting the
>> pkcs12 format into JKS. i'm hoping not to go that route.
>> 
>> thanks in advance,
>> kallen
> 
> 


-- 
Dennis Dai
ml@ddai.net

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
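The procedure from Dennis's reply, as an added, self-contained example (not code from the thread or from the Tomcat project): it generates a throwaway root -> intermediate -> server chain with openssl so it runs offline, packs the key and certificate into a PKCS12 file with `-chain` and an intermediate-first `-CAfile`, and counts the stored certificates with `openssl pkcs12` instead of keytool, since a JDK may not be installed. It also shows the failure kallen ran into: with only the intermediate in `-CAfile`, `-chain` cannot reach a self-signed root and the export fails with "unable to get local issuer certificate getting chain". The CA names, file names, config sections and export password are all constructed for the demo; it assumes `openssl` (1.1.1 or later) is on the PATH.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): build a throwaway
# root -> intermediate -> server chain with openssl, pack it into a
# PKCS12 file with the full chain, and verify the chain length with
# openssl alone (usable where keytool is not installed).
# Every file name, subject and the export password is constructed here.
set -e

WORK=$(mktemp -d)             # scratch directory; nothing else on disk is touched
cd "$WORK"
PASS='demo-export-password'   # constructed; never leave the export password empty

# Minimal openssl config: CA extensions for root/intermediate, server extensions for the leaf.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# build_demo_chain: root.crt (self-signed) -> inter.crt -> server.crt + server.key
build_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -config demo.cnf -extensions ca_ext \
        -subj '/CN=Demo Root CA' -days 365 -keyout root.key -out root.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
        -subj '/CN=Demo Intermediate CA' -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile demo.cnf -extensions ca_ext -days 365 -out inter.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
        -subj '/CN=www.example.test' -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -extfile demo.cnf -extensions srv_ext -days 365 -out server.crt 2>/dev/null
}

# export_p12 CAFILE OUT: the export from the post. -chain must be able to walk
# from server.crt up to a self-signed root using CAFILE; if the root is missing
# it fails with "unable to get local issuer certificate getting chain".
export_p12() {
    openssl pkcs12 -export -chain -inkey server.key -in server.crt -name server \
        -CAfile "$1" -out "$2" -passout "pass:$PASS"
}

# count_certs P12: number of certificates stored in the file (3 = leaf + 2 CAs),
# the same fact keytool reports as "Certificate chain length: 3".
count_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" | grep -c 'BEGIN CERTIFICATE'
}

build_demo_chain
cat inter.crt root.crt > chain.crt    # intermediate first, then root, as in the post

# Failure mode from the original question: only the intermediate is available.
if export_p12 inter.crt nochain.p12 2>/dev/null; then
    echo "unexpected: export succeeded without the root in -CAfile"
else
    echo "export with only the intermediate in -CAfile fails, as expected"
fi

# Full chain available: export succeeds and the file carries all three certificates.
export_p12 chain.crt server.p12
echo "certificates in server.p12: $(count_certs server.p12)"
```

Once the count is 3, the file can be pointed at from the Connector's `keystoreFile` with `keystoreType="PKCS12"`, using the export password as the keystore password; a chain length of 1 means the CA certificates were not picked up and clients will see an incomplete chain.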

