# tomcat-users mailing list archives

##### Site index · List index
Message view
Top
From "Scott Purcell" <purce...@charter.net>
Subject Re: SSL InvalidKeystore Format?
Date Sat, 03 Dec 2005 19:39:39 GMT
```Do you think Verisign should be able to supply me with a openSSL
make any logical sense. I will email Verisign and see what they say.

Thanks,
Scott

PS, did you have Nates earlier email you described below? If so could you
email me it?

Thanks

----- Original Message -----
From: "Dhaval Patel" <dhaval04@yahoo.com>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Saturday, December 03, 2005 1:13 PM
Subject: Re: SSL InvalidKeystore Format?

> Scott,
>
>    You might have to use OpenSSL instead of keytool. OpenSSL is
recommended in production
> environment. Also if you want to use APR+SSL, you might have to use
OpenSSL (I am not sure about
> it). So you have to generate key using openssl and then supplied key to
Verisign. If you have
> time, read my and Nate's previous messages. Nate's message explains a lot
> and encoding.
>
>    I am not quite sure wheter this key+certificate will work with APR+SSL
since they were
> generated using keytool. But you can try.
>
>    Let us know if it works or not.
>
> Regards,
> D
>
> --- Scott Purcell <purcell5@charter.net> wrote:
>
> > Just found this in my email mess: Thanks for responding:
> > Here is what I supplied to verisign for my certificate:
> >
> > 1) Prepared the Keystore:
> > keytool -genkey -keystore myKeystore -alias keystoreAlias
> >
> > 2) Generated a CSR
> > a)  keytool -genkey -alias keystoreAlias -keyalg RSA -keystore
myKeystore
> > b) keytool -certreq -keyalg RSA -alias keystoreAlias -file
> > certreq.csr -keystore myKeystore
> >
> > .... so it looks like I used keytool, and not openssl.
> >
> > Then they send me back a
> > cert.cer file in my email:
> >
> > #######
> > 2) I was not able to download it from anywhere, as it came in my email:
> >
> > 3) I was able to get the SSL running in a ssl format using the supplied
> > from fatofthelan.com article pid=12
> > and currently have a generic certificate running.
> >
> >
> > Thanks,
> > Scott
> >
> >
> >
> >
> >
> >
> > ----- Original Message -----
> > From: "Nate Rock" <nrock@infinitecampus.com>
> > To: "Tomcat Users List" <users@tomcat.apache.org>
> > Sent: Friday, December 02, 2005 8:50 AM
> > Subject: RE: SSL InvalidKeystore Format?
> >
> >
> > Dhaval your explincation was excellent! I think with a bit more
information
> > about how exactly Scott got his certificate from verisign, I think we
can
> > help him out a bit more.
> >
> > 1. What did you use to create your Certificate Request (csr) to
verisign?
> >
> > -IIS
> > -java keytool
> > -openssl
> >
> > 2. after you received your signed certificate back from verisign, what
> >
> > -PKCS7  - signed cert only - DER binary encoding
> > -PEM   - signed cert only
> >
> > 3. After you got the signed certificate what format is your keystore?
> >
> > -PKCS12 - pub/priv keys + signed certificate
> >       -JKS  - pub/priv keys + signed certificate (sun specific format
> > -PEM  - single file with both PEM encoded (RSA formatted, non
encrypted!)
> > private key   concatinated on to the PEM encoded signed cert
> > -PEM  - two files
> >   1. one contain the PEM encoded (RSA formattd, non-encrypted private
key -
> > server.key
> >   2. one containing the PEM encoded signed cert
> >
> > The native ARP connector only supports the last two file formats, so if
you
> > have a PKCS12 refer to my previous posting expliaining how to split a
PKCS12
> > file into multiple PEM Encoded files.
> >
> > Just for the record, I belive you can go back to verisign and download
your
> > signed certificate in multiple formats...
> >
> > I am also in the process of parsing out a signed by verisign certificate
to
> > see if it's even possible. We may be stuck using self signed
certificates
> > for now because the APR connector doesn't support he following
attributes
> > yet:
> >
> > SSLCACertificateFile
> > SSLCACertificatePath
> >
> > These attributes are supported allowing you to specify which CA's you
accept
> > outside of the "default" ones (who's location I am still trying to
> > trackdown).
> >
> >    -rOcK
> >
> > -----Original Message-----
> > From: Dhaval Patel [mailto:dhaval04@yahoo.com]
> > Sent: Thursday, December 01, 2005 8:48 PM
> > To: Tomcat Users List
> > Subject: Re: SSL InvalidKeystore Format?
> >
> > Hi Scott,
> >
> >   Good to hear that it works. Thank also go to Remy and Nate Rock.
> >
> >   You have purchased SSL. In this purchase process, did you submit
> > Certificate Request (csr) to Verisign? As far as I know the process of
> > getting signed SSL certificate is first you have to generate certificate
> > request (csr), then you have to submit this csr to Verisign or Thawte,
then
> > they will give you actual signed certificate (.crt) and then you have to
use
> > that crt in this process.
> >
> >   Based upon my knowledge,to incorporate Verisign certificate, steps are
as
> > follows:
> > (Derived from http://www.fatofthelan.com/articles/articles.php?pid=12 )
> > (1) openssl req -new -out server.csr (This will generate csr and private
> > key. Make sure you feel the values correctly on openssl command
prompt. )
> > (2) openssl rsa -in privkey.pem -out server.key (This removes the
passphrase
> > from the private key.
> > Also delete generated .rnd file)
> > (3) Here there are two (either or) possibilities:
> >
> >    (a) save the key and submit this csr to Verisign. They will sign it
and
> > give you the final certificate (.crt format may be). You may also need
to
> > give them key. (this is paid option but mostly used in production
> > environment)
> >    (b) create self-signed certificate.
> > openssl x509 -in server.csr -out server.crt -req -signkey
server.key -days
> > 365
> >    (this is free but it can be used in production environment. You dont
need
> > to perform this step if you have certificate from Versign)
> >
> >   Is the self signed certificate good? Yes and may be no.
> >
> >   Yes. It is nearly same as Verisign certificate and if you use it, the
SSL
> > will be enabled as it is going to be enabled using Verisign. The only
> > problem you will face, is when you open the website in any browser it
will
> > complain about authenticity of the certificate. Browser can not verify
it
> > and so it will ask user if he/she wants to proceed further or not. The
> > communication is still SSL enabled and secure. This method is more
preferred
> > in testing environment. I have seen many web projects using it in
production
> > environment also.
> >
> >   May be no. Again if you have good professional website, it is almost
> > standard now that you use signed certificate from Verisign or Thawte.
For
> > example, if you do any online shopping from amazon or any store, you
will
> > visit the SSL page and they dont display any warning or anything.
> >
> >   So the choice is in your hand. There is no harm involved in any of the
> > above method.
> >
> >   Again all of above explanation is based upon my reading. I would like
> > users to comment about it so that I also can update myself and you have
> > correct and better answer.
> >
> >   Hope it helps you understanding SSL a bit further.
> >
> > Regards,
> > D
> >
> > --- Scott Purcell <purcell5@charter.net> wrote:
> >
> > > Hard to believe ... but Dhaval the below steps actually worked, and my
> > > site appears to have SSL. Thank you so much. But of course this draws
> > > me to another question.
> > >
> > > I had just purchased a "Verisign" certificate and do not know how to
> > > handle this? Can I just call the Verisign certificate when doing this:
> > > openssl x509 -in server.csr -out server.crt -req -signkey server.key
> > > -days
> > > 365 and using the one verisign gave me here?
> > >
> > > Also, is this a good certificate? Do I need the Verisign one?
> > >
> > > As you may be able to tell, I am very confused and could use a little
> > > explanation if possible.
> > >
> > > Thanks much
> > > Scott
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Dhaval Patel" <dhaval04@yahoo.com>
> > > To: "Tomcat Users List" <users@tomcat.apache.org>
> > > Sent: Thursday, December 01, 2005 2:08 PM
> > > Subject: RE: SSL InvalidKeystore Format?
> > >
> > >
> > > > Hi,
> > > >
> > > >   I should have mention that I am running tomcat as a standalone
> > > > server. I
> > > mentioned the link
> > > > (http://www.fatofthelan.com/articles/articles.php?pid=12) as a
> > > > reference
> > > to generate self-signed
> > > > certificate with OpenSSL on windows. Even though it is very nice
> > > > article
> > > about how to setup SSL
> > > > with Apache. I only applied part-3 (Generate a test certificate)
> > > > from that
> > > article to my
> > > > Tomcat+SSL procedure.
> > > >
> > > >   One thing that I found intersting on that article is part-4
> > > > (Configuring
> > > Apache and mod_ssl). In
> > > > this part, if you look at changes in httpd.conf, as mentioned below,
> > > >
> > > > SSLEngine oï¿½ï¿½ï¿½n
> > > > SSLCertificateFile conf/ssl/server.cert SSLCertificateKeyFile
> > > > conf/ssl/server.key
> > > >
> > > >   which is the same parameter that Remy has suggested. If I have
> > > > found
> > > > be able to solve the issue. But again since I figured it out, I like
> > > > it
> > > now.
> > > >
> > > > Regards.
> > > > D
> > > >
> > > >
> > > >
> > > > --- Scott Purcell <spurcell@vertisinc.com> wrote:
> > > >
> > > > > Hello Dhaval,
> > > > >
> > > > > I was reading the article below, and it looks you you are not
> > > > > running
> > > Tomcat as standalone? Are
> > > > > you running Apache behind the scenes?
> > > > >
> > > > > I was just curious.
> > > > >
> > > > > Scott
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Dhaval Patel [mailto:dhaval04@yahoo.com]
> > > > > Sent: Thursday, December 01, 2005 8:49 AM
> > > > > To: Tomcat Users List
> > > > > Subject: Re: SSL InvalidKeystore Format?
> > > > >
> > > > >
> > > > > Hi Scott,
> > > > >
> > > > >   I am not tomcat expert as well as I can not help you about the
> > > > > error
> > > you are getting.
> > > > >   After Remy's last message on SSL with APR, I finally got my
> > > > > windows xp
> > > + tomcat 5.5.12 + APR +
> > > > > SSL working. Following are the steps that I have followed:
> > > > >
> > > > > (1) Install Tomcat 5.5.12 and make sure it is working.
> > > > > (2) Download APR component (openssl.exe and tcnative-1.dll) and
> > > > > put it
> > > in %TOMCAT_HOME%\bin.
> > > > > (http://tomcat.heanet.ie/native/1.1.0/binaries/win32/)
> > > > > (3) I generated server.key and server.cert following guide at
> > > > > http://www.fatofthelan.com/articles/articles.php?pid=12 .I have
> > > > > put them
> > > in %TOMCAT_HOME%\bin
> > > > > only.
> > > > > (Make sure you follow the guide. I had trouble setting openssl.exe
> > > > > on
> > > windows xp. The answer is
> > > > > on
> > > > > place
> > > it in some folder and
> > > > > make
> > > > > a new environment OPENSSL_CONF pointing to that file. Trust me
> > > > > that link
> > > is very good.)
> > > > > (4) Change the server.xml in following way:
> > > > >     <Connector port="443" maxHttpHeaderSize="8192"
> > > > >                enableLookups="false" disableUploadTimeout="true"
> > > > >    scheme="https" secure="true"
> > > > >                SSLEngine="on"
> > > > >                SSLCertificateFile="C:\Tomcat5.5\bin\server.crt"
> > > > >                SSLCertificateKeyFile="C:\Tomcat5.5\bin\server.key"
> > > > > />
> > > > > (5) Restart the tomcat and SSL is enabled.
> > > > >
> > > > >    I dont know if you have did the same way and you have issues.
> > > > > If you
> > > want to try, you can
> > > > > follow the above steps on some other windows xp machine. It worked
> > > > > for
> > > me so it should work for
> > > > > you. If you start from scratch, it may take about 30-40 mins to
> > > > > setup
> > > above things.
> > > > >
> > > > >    Let me know how it goes.
> > > > >
> > > > > Regards,
> > > > > D
> > > > >
> > > > > --- Scott Purcell <spurcell@vertisinc.com> wrote:
> > > > >
> > > > > > Well, after wasting much time trying to get the SSL running
on
> > > > > > 5.5.12,
> > > on XP, and finding out
> > > > > > about the bad tcnative-1.dll, I thought I was out of the woods
> > > > > > on my
> > > SSL configuration. But it
> > > > > > appears I have one last issue (hopefully) Since I renamed the
> > > > > > tcnative-1.dll, I am getting logs in regards to my
> > > SSL (I was not getting
> > > > > > those prior, see earlier posts) and I am receiving this error:
I
> > > believe I have a good
> > > > > keystore,
> > > > > > because my public key from Verisign was happy with it, but for
> > > > > > some
> > > reason, Tomcat is stikll
> > > > > not
> > > > > > happy with it.
> > > > > > Any ideas why this error may occur?
> > > > > > Nov 30, 2005 10:44:53 PM
> > > > > > org.apache.coyote.http11.Http11BaseProtocol
> > > init
> > > > > > INFO: Initializing Coyote HTTP/1.1 on http-80 Nov 30, 2005
> > > > > > 10:44:54 PM org.apache.coyote.http11.Http11BaseProtocol
> > > init
> > > > > > SEVERE: Error initializing endpoint
> > > > > > java.io.IOException: Invalid keystore format at
> > > > > > sun.security.provider.JavaKeyStore.engineLoad(Unknown Source)
at
> > > > > > java.security.KeyStore.load(Unknown Source) at
> > > org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketF
> > > actory
> > > .java:282)
> > > > > > at
> > > org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESo
> > > cketFa
> > > ctory.java:256)
> > > > > > at
> > > > > >
> > > > >
> > > >
> > > org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getTrustManagers(J
> > > SSE14S
> > > ocketFactory.java:174)
> > > > > > at
> > > org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketF
> > > actory
> > > .java:109)
> > > > > > at
> > > org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESoc
> > > ketFac
> > > tory.java:88)
> > > > > > at
> > > org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoin
> > > t.java
> > > :292)
> > > > > > at
> > > org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.ja
> > > va:137
> > > )
> > > > > > at
> > > org.apache.catalina.connector.Connector.initialize(Connector.java:1016
> > > )
> > > > > > at
> > > org.apache.catalina.core.StandardService.initialize(StandardService.ja
> > > va:580
> > > )
> > > > > > at
> > > org.apache.catalina.core.StandardServer.initialize(StandardServer.java
> > > :762)
> > > > > > at org.apache.catalina.startup.Catalina.load(Catalina.java:488)
> > > > > > at org.apache.catalina.startup.Catalina.load(Catalina.java:508)
> > > > > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > > > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> > > > > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown
> > > > > > Source) at java.lang.reflect.Method.invoke(Unknown Source) at
> > > > > > org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
> > > > > > at
> > > > > > org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> > > > > > Nov 30, 2005 10:44:54 PM org.apache.catalina.startup.Catalina
> > > > > > load
> > > > > > SEVERE: Catalina.start
> > > > > > LifecycleException: Protocol handler initialization failed:
> > > java.io.IOException: Invalid
> > > > > > keystore format
> > > > > > at
> > > org.apache.catalina.connector.Connector.initialize(Connector.java:1018
> > > )
> > > > > > at
> > > org.apache.catalina.core.StandardService.initialize(StandardService.ja
> > > va:580
> > > )
> > > > > > at
> > > org.apache.catalina.core.StandardServer.initialize(StandardServer.java
> > > :762)
> > > > > > at org.apache.catalina.startup.Catalina.load(Catalina.java:488)
> > > > > > at org.apache.catalina.startup.Catalina.load(Catalina.java:508)
> > > > > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > > > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> > > > > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown
> > > > > > Source) at java.lang.reflect.Method.invoke(Unknown Source) at
> > > > > > org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
> > > > > > at
> > > > > > org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> > > > > > Nov 30, 2005 10:44:54 PM org.apache.catalina.startup.Catalina
> > > > > > load
> > > > > > INFO: Initialization processed in 1890 ms Nov 30, 2005 10:44:54
> > > > > > PM org.apache.catalina.core.StandardService
> > > start
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > ----------------------------------------------------------------
> > > > > > ----- To unsubscribe, e-mail:
> > > > > > users-unsubscribe@tomcat.apache.org
> > > > > > For additional commands, e-mail: users-help@tomcat.apache.org
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > __________________________________
> > > > > Yahoo! Music Unlimited
> > > > > Access over 1 million songs. Try it free.
> > > > > http://music.yahoo.com/unlimited/
> > > > >
> > > > > ------------------------------------------------------------------
> > > > > --- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > > > For additional commands, e-mail: users-help@tomcat.apache.org
> > > > >
> > > > >
> > > > > ------------------------------------------------------------------
> > > > > --- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > > > For additional commands, e-mail: users-help@tomcat.apache.org
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > __________________________________
> > > > http://www.yahoo.com/r/hs
> > > >
> > > > --------------------------------------------------------------------
> > > > - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > > For additional commands, e-mail: users-help@tomcat.apache.org
> > > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > For additional commands, e-mail: users-help@tomcat.apache.org
> > >
> > >
> >
> >
> >
> > __________________________________________
> > Yahoo! DSL - Something to write home about.
> > Just \$16.99/mo. or less.
> > dsl.yahoo.com
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
>
>
>
>
> __________________________________
> http://www.yahoo.com/r/hs
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org