tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Nate Rock" <nr...@infinitecampus.com>
Subject RE: SSL InvalidKeystore Format?
Date Fri, 02 Dec 2005 14:50:18 GMT
Dhaval your explincation was excellent! I think with a bit more information about how exactly
Scott got his certificate from verisign, I think we can help him out a bit more.

1. What did you use to create your Certificate Request (csr) to verisign? 

	-IIS
	-java keytool
	-openssl

2. after you received your signed certificate back from verisign, what format did you download
it in? 

	-PKCS7  - signed cert only - DER binary encoding
	-PEM	  - signed cert only

3. After you got the signed certificate what format is your keystore?

	-PKCS12 - pub/priv keys + signed certificate
      -JKS  - pub/priv keys + signed certificate (sun specific format
	-PEM  - single file with both PEM encoded (RSA formatted, non encrypted!) private key 		
  concatinated on to the PEM encoded signed cert
	-PEM  - two files
		  1. one contain the PEM encoded (RSA formattd, non-encrypted private key - server.key
		  2. one containing the PEM encoded signed cert

The native ARP connector only supports the last two file formats, so if you have a PKCS12
refer to my previous posting expliaining how to split a PKCS12 file into multiple PEM Encoded
files.

Just for the record, I belive you can go back to verisign and download your signed certificate
in multiple formats... 
 
I am also in the process of parsing out a signed by verisign certificate to see if it's even
possible. We may be stuck using self signed certificates for now because the APR connector
doesn't support he following attributes yet:

SSLCACertificateFile
SSLCACertificatePath 

These attributes are supported allowing you to specify which CA's you accept outside of the
"default" ones (who's location I am still trying to trackdown).

   -rOcK

-----Original Message-----
From: Dhaval Patel [mailto:dhaval04@yahoo.com] 
Sent: Thursday, December 01, 2005 8:48 PM
To: Tomcat Users List
Subject: Re: SSL InvalidKeystore Format?

Hi Scott,

  Good to hear that it works. Thank also go to Remy and Nate Rock. 

  You have purchased SSL. In this purchase process, did you submit Certificate Request (csr)
to Verisign? As far as I know the process of getting signed SSL certificate is first you have
to generate certificate request (csr), then you have to submit this csr to Verisign or Thawte,
then they will give you actual signed certificate (.crt) and then you have to use that crt
in this process.

  Based upon my knowledge,to incorporate Verisign certificate, steps are as follows:
(Derived from http://www.fatofthelan.com/articles/articles.php?pid=12 )
(1) openssl req -new -out server.csr (This will generate csr and private key. Make sure you
feel the values correctly on openssl command prompt. )
(2) openssl rsa -in privkey.pem -out server.key (This removes the passphrase from the private
key.
Also delete generated .rnd file)
(3) Here there are two (either or) possibilities: 

   (a) save the key and submit this csr to Verisign. They will sign it and give you the final
certificate (.crt format may be). You may also need to give them key. (this is paid option
but mostly used in production environment)
   (b) create self-signed certificate.
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
   (this is free but it can be used in production environment. You dont need to perform this
step if you have certificate from Versign)

  Is the self signed certificate good? Yes and may be no.

  Yes. It is nearly same as Verisign certificate and if you use it, the SSL will be enabled
as it is going to be enabled using Verisign. The only problem you will face, is when you open
the website in any browser it will complain about authenticity of the certificate. Browser
can not verify it and so it will ask user if he/she wants to proceed further or not. The communication
is still SSL enabled and secure. This method is more preferred in testing environment. I have
seen many web projects using it in production environment also.

  May be no. Again if you have good professional website, it is almost standard now that you
use signed certificate from Verisign or Thawte. For example, if you do any online shopping
from amazon or any store, you will visit the SSL page and they dont display any warning or
anything. 

  So the choice is in your hand. There is no harm involved in any of the above method.

  Again all of above explanation is based upon my reading. I would like users to comment about
it so that I also can update myself and you have correct and better answer.

  Hope it helps you understanding SSL a bit further.

Regards,
D

--- Scott Purcell <purcell5@charter.net> wrote:

> Hard to believe ... but Dhaval the below steps actually worked, and my 
> site appears to have SSL. Thank you so much. But of course this draws 
> me to another question.
> 
> I had just purchased a "Verisign" certificate and do not know how to 
> handle this? Can I just call the Verisign certificate when doing this:
> openssl x509 -in server.csr -out server.crt -req -signkey server.key 
> -days
> 365 and using the one verisign gave me here?
> 
> Also, is this a good certificate? Do I need the Verisign one?
> 
> As you may be able to tell, I am very confused and could use a little 
> explanation if possible.
> 
> Thanks much
> Scott
> 
> 
> 
> ----- Original Message -----
> From: "Dhaval Patel" <dhaval04@yahoo.com>
> To: "Tomcat Users List" <users@tomcat.apache.org>
> Sent: Thursday, December 01, 2005 2:08 PM
> Subject: RE: SSL InvalidKeystore Format?
> 
> 
> > Hi,
> >
> >   I should have mention that I am running tomcat as a standalone 
> > server. I
> mentioned the link
> > (http://www.fatofthelan.com/articles/articles.php?pid=12) as a 
> > reference
> to generate self-signed
> > certificate with OpenSSL on windows. Even though it is very nice 
> > article
> about how to setup SSL
> > with Apache. I only applied part-3 (Generate a test certificate) 
> > from that
> article to my
> > Tomcat+SSL procedure.
> >
> >   One thing that I found intersting on that article is part-4 
> > (Configuring
> Apache and mod_ssl). In
> > this part, if you look at changes in httpd.conf, as mentioned below,
> >
> > SSLEngine o���n
> > SSLCertificateFile conf/ssl/server.cert SSLCertificateKeyFile 
> > conf/ssl/server.key
> >
> >   which is the same parameter that Remy has suggested. If I have 
> > found
> this article early, I may
> > be able to solve the issue. But again since I figured it out, I like 
> > it
> now.
> >
> > Regards.
> > D
> >
> >
> >
> > --- Scott Purcell <spurcell@vertisinc.com> wrote:
> >
> > > Hello Dhaval,
> > >
> > > I was reading the article below, and it looks you you are not 
> > > running
> Tomcat as standalone? Are
> > > you running Apache behind the scenes?
> > >
> > > I was just curious.
> > >
> > > Scott
> > >
> > >
> > > -----Original Message-----
> > > From: Dhaval Patel [mailto:dhaval04@yahoo.com]
> > > Sent: Thursday, December 01, 2005 8:49 AM
> > > To: Tomcat Users List
> > > Subject: Re: SSL InvalidKeystore Format?
> > >
> > >
> > > Hi Scott,
> > >
> > >   I am not tomcat expert as well as I can not help you about the 
> > > error
> you are getting.
> > >   After Remy's last message on SSL with APR, I finally got my 
> > > windows xp
> + tomcat 5.5.12 + APR +
> > > SSL working. Following are the steps that I have followed:
> > >
> > > (1) Install Tomcat 5.5.12 and make sure it is working.
> > > (2) Download APR component (openssl.exe and tcnative-1.dll) and 
> > > put it
> in %TOMCAT_HOME%\bin.
> > > (http://tomcat.heanet.ie/native/1.1.0/binaries/win32/)
> > > (3) I generated server.key and server.cert following guide at
> > > http://www.fatofthelan.com/articles/articles.php?pid=12 .I have 
> > > put them
> in %TOMCAT_HOME%\bin
> > > only.
> > > (Make sure you follow the guide. I had trouble setting openssl.exe 
> > > on
> windows xp. The answer is
> > > on
> > > that page only. You have to download openssl.cnf from google and 
> > > place
> it in some folder and
> > > make
> > > a new environment OPENSSL_CONF pointing to that file. Trust me 
> > > that link
> is very good.)
> > > (4) Change the server.xml in following way:
> > >     <Connector port="443" maxHttpHeaderSize="8192"
> > >                maxThreads="150" minSpareThreads="25"
> maxSpareThreads="75"
> > >                enableLookups="false" disableUploadTimeout="true"
> > >    scheme="https" secure="true"
> > >                SSLEngine="on"
> > >                SSLCertificateFile="C:\Tomcat5.5\bin\server.crt"
> > >                SSLCertificateKeyFile="C:\Tomcat5.5\bin\server.key" 
> > > />
> > > (5) Restart the tomcat and SSL is enabled.
> > >
> > >    I dont know if you have did the same way and you have issues. 
> > > If you
> want to try, you can
> > > follow the above steps on some other windows xp machine. It worked 
> > > for
> me so it should work for
> > > you. If you start from scratch, it may take about 30-40 mins to 
> > > setup
> above things.
> > >
> > >    Let me know how it goes.
> > >
> > > Regards,
> > > D
> > >
> > > --- Scott Purcell <spurcell@vertisinc.com> wrote:
> > >
> > > > Well, after wasting much time trying to get the SSL running on 
> > > > 5.5.12,
> on XP, and finding out
> > > > about the bad tcnative-1.dll, I thought I was out of the woods 
> > > > on my
> SSL configuration. But it
> > > > appears I have one last issue (hopefully) Since I renamed the 
> > > > tcnative-1.dll, I am getting logs in regards to my
> SSL (I was not getting
> > > > those prior, see earlier posts) and I am receiving this error: I
> believe I have a good
> > > keystore,
> > > > because my public key from Verisign was happy with it, but for 
> > > > some
> reason, Tomcat is stikll
> > > not
> > > > happy with it.
> > > > Any ideas why this error may occur?
> > > > Nov 30, 2005 10:44:53 PM 
> > > > org.apache.coyote.http11.Http11BaseProtocol
> init
> > > > INFO: Initializing Coyote HTTP/1.1 on http-80 Nov 30, 2005 
> > > > 10:44:54 PM org.apache.coyote.http11.Http11BaseProtocol
> init
> > > > SEVERE: Error initializing endpoint
> > > > java.io.IOException: Invalid keystore format at 
> > > > sun.security.provider.JavaKeyStore.engineLoad(Unknown Source) at 
> > > > java.security.KeyStore.load(Unknown Source) at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketF
> actory
> .java:282)
> > > > at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESo
> cketFa
> ctory.java:256)
> > > > at
> > > >
> > >
> >
> org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getTrustManagers(J
> SSE14S
> ocketFactory.java:174)
> > > > at
> org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketF
> actory
> .java:109)
> > > > at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESoc
> ketFac
> tory.java:88)
> > > > at
> org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoin
> t.java
> :292)
> > > > at
> org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.ja
> va:137
> )
> > > > at
> org.apache.catalina.connector.Connector.initialize(Connector.java:1016
> )
> > > > at
> org.apache.catalina.core.StandardService.initialize(StandardService.ja
> va:580
> )
> > > > at
> org.apache.catalina.core.StandardServer.initialize(StandardServer.java
> :762)
> > > > at org.apache.catalina.startup.Catalina.load(Catalina.java:488)
> > > > at org.apache.catalina.startup.Catalina.load(Catalina.java:508)
> > > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
> > > > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) 
> > > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown 
> > > > Source) at java.lang.reflect.Method.invoke(Unknown Source) at 
> > > > org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
> > > > at 
> > > > org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> > > > Nov 30, 2005 10:44:54 PM org.apache.catalina.startup.Catalina 
> > > > load
> > > > SEVERE: Catalina.start
> > > > LifecycleException: Protocol handler initialization failed:
> java.io.IOException: Invalid
> > > > keystore format
> > > > at
> org.apache.catalina.connector.Connector.initialize(Connector.java:1018
> )
> > > > at
> org.apache.catalina.core.StandardService.initialize(StandardService.ja
> va:580
> )
> > > > at
> org.apache.catalina.core.StandardServer.initialize(StandardServer.java
> :762)
> > > > at org.apache.catalina.startup.Catalina.load(Catalina.java:488)
> > > > at org.apache.catalina.startup.Catalina.load(Catalina.java:508)
> > > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
> > > > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) 
> > > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown 
> > > > Source) at java.lang.reflect.Method.invoke(Unknown Source) at 
> > > > org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
> > > > at 
> > > > org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> > > > Nov 30, 2005 10:44:54 PM org.apache.catalina.startup.Catalina 
> > > > load
> > > > INFO: Initialization processed in 1890 ms Nov 30, 2005 10:44:54 
> > > > PM org.apache.catalina.core.StandardService
> start
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > ----------------------------------------------------------------
> > > > ----- To unsubscribe, e-mail: 
> > > > users-unsubscribe@tomcat.apache.org
> > > > For additional commands, e-mail: users-help@tomcat.apache.org
> > > >
> > > >
> > >
> > >
> > >
> > >
> > > __________________________________
> > > Yahoo! Music Unlimited
> > > Access over 1 million songs. Try it free.
> > > http://music.yahoo.com/unlimited/
> > >
> > > ------------------------------------------------------------------
> > > --- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > For additional commands, e-mail: users-help@tomcat.apache.org
> > >
> > >
> > > ------------------------------------------------------------------
> > > --- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > For additional commands, e-mail: users-help@tomcat.apache.org
> > >
> > >
> >
> >
> >
> >
> >
> > __________________________________
> > Start your day with Yahoo! - Make it your home page!
> > http://www.yahoo.com/r/hs
> >
> > --------------------------------------------------------------------
> > - To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 


		
__________________________________________
Yahoo! DSL - Something to write home about. 
Just $16.99/mo. or less. 
dsl.yahoo.com 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message