tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mikhail Kruk <mes...@cs.brandeis.edu>
Subject Re: SSL configuration question
Date Fri, 01 Apr 2005 13:45:27 GMT
> I thought the two are not related my key is stored in the java keystore. I
> did everything with keytool, part of java.
> 
> Tomcat only needs the password and name.
> 
> The SSL certificate is not generated for or by tomcat.

Getting a valid certificate is a four step process.
1) Generate private key (keytool -genkey)
	this puts a private key into your keystore. It's secret, hide it.
2) Generate certificate request (keytool -certreq)
	creates a file which contains information about you (common name, 
	city, state etc) and the public key which corresponds to private 
	key from step 1 
3) submit the request from step 2 to the authority (Thawte, Verisign...)
4) get signed certificate from the authority and import it into the 
keystore (keytool -import)

For step 4 to work correctly the keystore must contain the private key 
from step 1.  You can't generate private key in a Apache and then import 
corresponding certificate into Tomcat -- you must first move the private 
key from Apache to Tomcat.

> 
> ----- Original Message ----- 
> From: "Mikhail Kruk" <meshko@cs.brandeis.edu>
> To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> Sent: Thursday, March 31, 2005 11:42 PM
> Subject: RE: SSL configuration question
> 
> 
> > > The certificate I imported was not self-signed (or should not be).  It
> is
> > > what I received back from Entrust after submitting a CSR. It was already
> in
> > > use on Apache before I decided not to use Apache anymore.  It worked
> before
> > > on Apache. I shut down apache and was intending to use the cert on only
> > > Tomcat.
> >
> > You can't easily import the certificate that was generated for Apache into
> > Tomcat -- you need to have the prvite key part in your keystore and your
> > private key is in your Apache.  There must be a way to get the key from
> > Apache and move it to Tomcat, but I'm not sure what it is.
> > This might help:
> > http://kb.thawte.com/thawte/thawte/esupport.asp?id=vs24694
> >
> > >
> > >
> > > Thanks,
> > > -Mark
> > >
> > >
> > > -----Original Message-----
> > > From: Sasisekar S Sundaram [mailto:sekarmdu@louisiana.edu]
> > > Sent: Thursday, March 31, 2005 2:43 PM
> > > To: Tomcat Users List
> > > Subject: Re: SSL configuration question
> > >
> > > It shows both "issued to" and "issue by" because it is a self signed
> > > certificate. when you get you certificate authorized by some one like
> > > verisign, and then import that certificate into your keystore, you'll
> get
> > > "issued by" as that certifying authority's name.
> > > ----- Original Message -----
> > > From: "Faine, Mark" <Mark.R.Faine@msfc.nasa.gov>
> > > To: "'Tomcat Users List'" <tomcat-user@jakarta.apache.org>
> > > Sent: Thursday, March 31, 2005 1:13 PM
> > > Subject: RE: SSL configuration question
> > >
> > >
> > > > Thanks, I tried that before and got a permission error, but it works
> now.
> > > >
> > > > -Mark
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Hein Behrens [mailto:info@curvaciones.com]
> > > > Sent: Thursday, March 31, 2005 12:41 PM
> > > > To: Tomcat Users List
> > > > Subject: Re: SSL configuration question
> > > >
> > > > Answer to number 2 is edit your server.xml change 8443 to 443 in the
> ssl
> > > > section also check that the the normal port redirects to 443.
> > > >
> > > > Where you see 8443 change to 443.
> > > >
> > > > 2 changes in your server.xml.
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Faine, Mark" <Mark.R.Faine@msfc.nasa.gov>
> > > > To: <tomcat-user@jakarta.apache.org>
> > > > Sent: Thursday, March 31, 2005 7:44 PM
> > > > Subject: SSL configuration question
> > > >
> > > >
> > > > > Solaris 8, Tomcat 5.0.28
> > > > >
> > > > > I've configured my tomcat installation with my SSL key from Entrust
> and
> > > it
> > > > > is working (sort of).
> > > > >
> > > > > 1.  It is not correctly configured.  It shows my organization as
> both
> > > > > "issued to" and "issue by" when I view the certificate information.
> > > Could
> > > > > someone explain what I have done wrong and how to correct it.
> > > > >
> > > > > 2.  It must be run on port 8443 because I need to run it as a user
> other
> > > > > than root.  How can I bypass this limitation and run it on the
> standard
> > > > 443
> > > > > port?
> > > > >
> > > > > Thanks,
> > > > > -Mark
> > > > >
> > > >
> > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > > > > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > > > >
> > > > >
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > > > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > > > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > >
> > >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >
> >
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message