From Mikhail Kruk <mes...@cs.brandeis.edu>
Subject RE: SSL configuration question
Date Fri, 01 Apr 2005 15:29:03 GMT
> Could you elaborate a bit more on how to move the private key from Apache to
> Tomcat?  

As I said: I never did it myself, but the following link seems relevant:
http://kb.thawte.com/thawte/thawte/esupport.asp?id=vs24694

> You would think if I have a cert from a CA then I should be able to
> import it into any server that uses SSL.  I already have the cert all the
> other parts are only things that allowed me to obtain the cert.

The cert from the CA only contains the public key signed by the CA's private 
key.  Showing the public key to someone who connects to your web server is 
cool and everything, but it's not enough to establish secure 
communication: you need to give your web server the secret key for that.
http://www.ourshop.com/resources/ssl.html

> Thanks,
> -Mark 
> 
> -----Original Message-----
> From: Mikhail Kruk [mailto:meshko@cs.brandeis.edu] 
> Sent: Friday, April 01, 2005 7:45 AM
> To: Tomcat Users List; Hein Behrens
> Subject: Re: SSL configuration question
> 
> > I thought the two are not related my key is stored in the java 
> > keystore. I did everything with keytool, part of java.
> > 
> > Tomcat only needs the password and name.
> > 
> > The SSL certificate is not generated for or by tomcat.
> 
> Getting a valid certificate is a four step process.
> 1) Generate private key (keytool -genkey)
> 	this puts a private key into your keystore. It's secret, hide it.
> 2) Generate certificate request (keytool -certreq)
> 	creates a file which contains information about you (common name, 
> 	city, state etc) and the public key which corresponds to private 
> 	key from step 1
> 3) submit the request from step 2 to the authority (Thawte, Verisign...)
> 4) get signed certificate from the authority and import it into the keystore
> (keytool -import)
> 
> For step 4 to work correctly the keystore must contain the private key from
> step 1.  You can't generate a private key in Apache and then import the
> corresponding certificate into Tomcat -- you must first move the private key
> from Apache to Tomcat.
> 
> > 
> > ----- Original Message ----- 
> > From: "Mikhail Kruk" <meshko@cs.brandeis.edu>
> > To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> > Sent: Thursday, March 31, 2005 11:42 PM
> > Subject: RE: SSL configuration question
> > 
> > 
> > > > The certificate I imported was not self-signed (or should not be).  It is
> > > > what I received back from Entrust after submitting a CSR. It was already in
> > > > use on Apache before I decided not to use Apache anymore.  It worked before
> > > > on Apache. I shut down apache and was intending to use the cert on only
> > > > Tomcat.
> > >
> > > You can't easily import the certificate that was generated for Apache into
> > > Tomcat -- you need to have the private key part in your keystore and your
> > > private key is in your Apache.  There must be a way to get the key from
> > > Apache and move it to Tomcat, but I'm not sure what it is.
> > > This might help:
> > > http://kb.thawte.com/thawte/thawte/esupport.asp?id=vs24694
> > >
> > > >
> > > >
> > > > Thanks,
> > > > -Mark
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Sasisekar S Sundaram [mailto:sekarmdu@louisiana.edu]
> > > > Sent: Thursday, March 31, 2005 2:43 PM
> > > > To: Tomcat Users List
> > > > Subject: Re: SSL configuration question
> > > >
> > > > It shows both "issued to" and "issue by" because it is a self-signed
> > > > certificate. When you get your certificate authorized by someone like
> > > > Verisign, and then import that certificate into your keystore, you'll get
> > > > "issued by" as that certifying authority's name.
> > > > ----- Original Message -----
> > > > From: "Faine, Mark" <Mark.R.Faine@msfc.nasa.gov>
> > > > To: "'Tomcat Users List'" <tomcat-user@jakarta.apache.org>
> > > > Sent: Thursday, March 31, 2005 1:13 PM
> > > > Subject: RE: SSL configuration question
> > > >
> > > >
> > > > > Thanks, I tried that before and got a permission error, but it works now.
> > > > >
> > > > > -Mark
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Hein Behrens [mailto:info@curvaciones.com]
> > > > > Sent: Thursday, March 31, 2005 12:41 PM
> > > > > To: Tomcat Users List
> > > > > Subject: Re: SSL configuration question
> > > > >
> > > > > Answer to number 2 is edit your server.xml change 8443 to 443 in the ssl
> > > > > section also check that the normal port redirects to 443.
> > > > >
> > > > > Where you see 8443 change to 443.
> > > > >
> > > > > 2 changes in your server.xml.
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Faine, Mark" <Mark.R.Faine@msfc.nasa.gov>
> > > > > To: <tomcat-user@jakarta.apache.org>
> > > > > Sent: Thursday, March 31, 2005 7:44 PM
> > > > > Subject: SSL configuration question
> > > > >
> > > > >
> > > > > > Solaris 8, Tomcat 5.0.28
> > > > > >
> > > > > > I've configured my tomcat installation with my SSL key from Entrust and it
> > > > > > is working (sort of).
> > > > > >
> > > > > > 1.  It is not correctly configured.  It shows my organization as both
> > > > > > "issued to" and "issue by" when I view the certificate information.  Could
> > > > > > someone explain what I have done wrong and how to correct it.
> > > > > >
> > > > > > 2.  It must be run on port 8443 because I need to run it as a user other
> > > > > > than root.  How can I bypass this limitation and run it on the standard 443
> > > > > > port?
> > > > > >
> > > > > > Thanks,
> > > > > > -Mark
> > > > > >
> > > > >
> > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > > > > > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > >
> > 
> 

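One way to check the keystore that Tomcat's connector points at for exactly the two failures discussed in this thread: a self-signed certificate still sitting under the alias (the "issued to" equals "issued by" symptom), and a certificate whose private key is missing from the keystore or belongs to a different key. This is an added example, not code from the thread or from Tomcat; the class name, the argument order and the assumption that the key password equals the store password are mine.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
// Added example, not from the thread. Assumed usage (key password == store password,
// keytool's default): java KeystoreCheck /path/to/tomcat.keystore changeit tomcat
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        String file = args[0], storePass = args[1], alias = args[2];
        KeyStore ks = KeyStore.getInstance("JKS"); // keytool's store type in the thread
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, storePass.toCharArray());
        }
        // Step 1 of the thread: the alias must hold a private key, not just a certificate
        // that was imported under a fresh alias with keytool -import.
        if (!ks.isKeyEntry(alias)) {
            System.out.println(alias + ": no private key under this alias (trusted cert only?)");
            return;
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, storePass.toCharArray());
        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate leaf = (X509Certificate) chain[0];
        // "Issued to" equal to "issued by" on a one-certificate chain is the symptom from the
        // thread: the CA reply was never imported, so keytool -genkey's self-signed cert remains.
        boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
        System.out.println("subject: " + leaf.getSubjectX500Principal());
        System.out.println("issuer : " + leaf.getIssuerX500Principal());
        System.out.println("chain  : " + chain.length + " cert(s)"
                + (selfSigned && chain.length == 1 ? " (self-signed, CA reply not imported)" : ""));
        // Step 4 of the thread: the certificate carries only the public key, so prove that the
        // private key in this keystore is its other half by signing and verifying a probe.
        System.out.println("private key matches certificate: " + keyMatchesCert(key, leaf));
    }
    // Sign a probe with the keystore's private key and verify it with the certificate's
    // public key. Assumes an RSA or DSA key (EC would need "SHA256withECDSA").
    static boolean keyMatchesCert(PrivateKey key, X509Certificate cert) throws Exception {
        Signature sig = Signature.getInstance("SHA256with" + key.getAlgorithm());
        byte[] probe = "keystore-check".getBytes(StandardCharsets.UTF_8);
        sig.initSign(key);
        sig.update(probe);
        byte[] signature = sig.sign();
        sig.initVerify(cert.getPublicKey());
        sig.update(probe);
        return sig.verify(signature); // false: the certificate was issued for a different key
    }
}
```

Run it against the file named in the connector's keystoreFile attribute; a "no private key" result or a false match is the situation the thread describes, where the certificate came from a key generated elsewhere (here, Apache).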

