tomcat-users mailing list archives

From "Carl Olivier" <carl.oliv...@unysen.co.uk>
Subject RE: SSL InvalidKeystore Format?
Date Mon, 05 Dec 2005 16:14:56 GMT
Hi.

Ok, well what I think I will do is clean up my utility classes into a useful
utility class (with main and command line switches etc) to do all the
in/out/conversions as I use them.  I will then mail that source to the list
and hopefully it would assist everyone!

Will try to get that out this week!

Regards,

Carl

-----Original Message-----
From: Nate Rock [mailto:nrock@infinitecampus.com] 
Sent: 05 December 2005 16:10
To: Tomcat Users List; carl.olivier@unysen.co.uk
Subject: RE: SSL InvalidKeystore Format?

Sweet Carl that would be awesome! I have other stuff to do as well, but I
will take a look at your post from yesterday with code to see if I can't
glean any sort of extra inspiration from it since it didn't mention PKCS12
formats I just kind of glanced over it =(

All our certs are currently in PKCS12(PFX) format and having to re-request
them all using OpenSSL would be a PITA ;) I remember back when looking at
our PKI code that it was annoying to try and get the private key exported and
in the correct (RSA) format that apache expects out of a PKCS12 file using
java.

If we could build a utility based off your current code that could take an
existing keystore (JKS/PKCS12) and extract it into a PEM (RSA) encoded
private key/signed certificate that apache/tomcat(APR) could use, and maybe
do the reverse, take both PEM encoded files and build a keystore
(JKS/PKCS12) file, I think it would help a lot of people out when trying to
get the APR/SSL thing configured. The confusing part is that when you export
a private key in PEM format using java, the default format is PKCS8 which,
from what I understand, the APR doesn't know what to do with because it's
expecting PEM (RSA) encoding.

With the utility, we could say that if your certificates were made using
java keystores, to get them to work with the APR, run this java command to
split them into a PEM (RSA) encoded private key/signed certificate.  If your
certificates were made using OpenSSL and you want to use them with the
tomcat connector, run this other simple command using your PEM (RSA) encoded
private key/signed certificate to get a keystore.

I think we already do this using some set of OpenSSL commands (openssl
pkcs12, and openssl rsa) as well, but I haven't gotten my verisign cert yet
this morning so I can try it out and get back to everyone.  Although I don't
like to re-invent the wheel, being able to convert between
keystore/PEM(RSA) encoded private key/certificates with a simple java app
might be better than forcing peeps to learn how to install/configure OpenSSL
on their respective platforms.

   -rOcK

-----Original Message-----
From: Carl Olivier [mailto:carl.olivier@unysen.co.uk]
Sent: Monday, December 05, 2005 7:41 AM
To: 'Tomcat Users List'
Subject: RE: SSL InvalidKeystore Format?

Hi Nate.

I am not sure if this is relevant, but think it is - the private keys, CSRs
and certificates I am using with tomcat (as per my email from yesterday --
although I have not posted my mechanism for exporting PFX and PEM
certificates with private keys etc.) have been used as-is, imported into IIS,
Apache, etc. with no problems.  I will post my export function (as well as
the import functions for PFX and PEM with private keys attached) later (or
tomorrow) - just a little busy right now.

I have a large number of actual certificates (purchased from a number of CAs
including verisign) in production use.

Anyway - will post my other steps/functions etc as soon as I have a moment!

Regards,

Carl

-----Original Message-----
From: Nate Rock [mailto:nrock@infinitecampus.com]
Sent: 05 December 2005 05:11
To: Tomcat Users List; carl.olivier@unysen.co.uk
Subject: RE: SSL InvalidKeystore Format?

I think the issue Scott is getting caught up on is the same issue I have
been having for the last week:

Using APR + SSL with anything but a self signed certificate isn't clearly
defined as of yet.

Scott, my recommendation to you at this point is to uninstall tomcat, and
then reinstall it making sure to NOT check the "native" checkbox when given
installation options. This will install tomcat without the APR connector and
the steps listed on Verisign (and on the tomcat site) using java keytores
will work fine.

I know Carl and Dhaval have been giving awesome information about how to
generate csrs/keystores etc. but none of us (including me) has a rock solid
example using an actual verisign certificate that they have set up and have
running right now in production using APR. (Remy?) I think that using
OpenSSL for generating the private key/csr will end up being the "way it's
done" because of the difference between RSA and PKCS8 private key encodings.
(OpenSSL vs java keystore default encodings)

If any of you have actually used a verisign (NOT a self signed OpenSSL
certificate from
http://www.fatofthelan.com/articles/articles.php?pid=12.) with APR+SSL
please post the exact steps you used from generating the primary key/csr
file down to the connector you used. We would also like to know exactly what
encoding the primary key/cert is in because as I found out this week, PEM is
different if you are using OpenSSL vs JSSE. =P

I will be getting a verisign certificate early this week to try out some
things I discovered over the weekend involving some un-documented APR params
that are part of mod_ssl that may be the missing link (SSLCACertificateFile
attribute ;).

I think part of the issue with APR + verisign certificates is the location
for the trusted CA certificates. How does one point the APR connector so
that it trusts the verisign root CA cert(s) (the APR doesn't use the cacerts
java keystore... Where is it getting its list of trusted CAs?) The mod_ssl
doc points to the attribute SSLCACertificateFile for giving it a list of
trusted CAs.

http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcacertificatefile

But it's not listed on the APR page under the SSL section. After checking
out the source code, it looks like this attribute is "supported" just not
documented so I decided to try it out using my self signed certificate as
the CA certificate.

Using my self-signed server.crt, I copied it and renamed it to ca.crt (it
can be its own CA, since it's self-signed ;)

    <Connector port="443"
               maxHttpHeaderSize="8192"
               maxThreads="150"
               minSpareThreads="25"
               maxSpareThreads="75"
               enableLookups="false"
               disableUploadTimeout="true"
               scheme="https"
               secure="true"
               SSLEngine="on"
               SSLCertificateFile="${catalina.base}/bin/server.crt"
               SSLCertificateKeyFile="${catalina.base}/bin/server.key"
               SSLCACertificateFile="${catalina.base}/bin/ca.crt"
               SSLVerifyClient="require"
               />

No errors were thrown and I was indeed prompted for a client certificate. I
can experiment with this a bit more later on this week but for now I am
recommending to our company to hold off on the APR connector under windows
until the APR+SSL thing is ironed out a bit more.

Guess I get to go uninstall/re-install tomcat (without the APR connector) on
our test server bright and early tomorrow morning. Thanks to Carl, Dhaval
and Remy for all their input this week... I know I have learned a lot and
have hopefully thrown out something informative. I know we can get it
figured out, I just have a few other projects I put off towards the end of
last week that need to get done before wed but I will still try to monitor
the SSL threads.

   -rOcK
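
The PKCS#8 versus PKCS#1 ("RSA") PEM difference Nate describes above is a wrapping difference, not a different key: PKCS#8 puts the same RSAPrivateKey DER inside a PrivateKeyInfo envelope with an algorithm identifier. Added here as an illustration, not code from this thread or from Carl's utility: a stdlib-only Python converter that unwraps a Java-style "PRIVATE KEY" block into the "RSA PRIVATE KEY" form an OpenSSL-based stack such as the APR connector reads, and wraps it back. The sample key is constructed toy DER, not a usable key, and encrypted PKCS#8 and non-RSA keys are refused with an explicit error.

```python
import base64
import re
RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def der(tag, content):  # minimal DER TLV encoder; lengths below 65536 are plenty for a key
    n = len(content)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content
def der_int(value):  # non-negative INTEGER; a leading 0x00 is added when the top bit is set
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def read_tlv(buf, pos):  # decode one DER TLV at pos -> (tag, content, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def _pem_body(pem, label):  # strip the PEM armour of the block with the given label, return DER
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    found = m.group(1) if m else None
    if found == "ENCRYPTED PRIVATE KEY":
        raise ValueError("encrypted PKCS#8 (what keytool-style exports usually are): decrypt it first")
    if found != label:
        raise ValueError(f"expected a {label} block, got {found}")
    return base64.b64decode("".join(m.group(2).split()))

def _pem(label, der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"

def pkcs8_to_pkcs1(pem):  # 'PRIVATE KEY' (PKCS#8, what Java writes) -> 'RSA PRIVATE KEY' (PKCS#1, what mod_ssl/APR reads)
    _, info, _ = read_tlv(_pem_body(pem, "PRIVATE KEY"), 0)  # PrivateKeyInfo SEQUENCE
    _, _, pos = read_tlv(info, 0)                            # version INTEGER
    _, algid, pos = read_tlv(info, pos)                      # AlgorithmIdentifier SEQUENCE { OID, params }
    if read_tlv(algid, 0)[1] != RSA_OID:
        raise ValueError("not an rsaEncryption key; the PKCS#1 'RSA PRIVATE KEY' form is RSA-only")
    _, rsa_key, _ = read_tlv(info, pos)                      # OCTET STRING wrapping the RSAPrivateKey
    return _pem("RSA PRIVATE KEY", rsa_key)

def pkcs1_to_pkcs8(pem):  # the reverse: wrap an RSAPrivateKey in an unencrypted PKCS#8 PrivateKeyInfo
    algid = der(0x30, der(0x06, RSA_OID) + b"\x05\x00")  # OID + NULL parameters
    body = der_int(0) + algid + der(0x04, _pem_body(pem, "RSA PRIVATE KEY"))
    return _pem("PRIVATE KEY", der(0x30, body))

# Constructed sample: structurally valid RSAPrivateKey (version,n,e,d,p,q,dp,dq,qinv) with toy numbers, NOT a usable key.
TOY_RSA_KEY = der(0x30, b"".join(der_int(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
SAMPLE_PKCS8 = pkcs1_to_pkcs8(_pem("RSA PRIVATE KEY", TOY_RSA_KEY))  # what a Java PKCS#8 export looks like
```

On a real export the OCTET STRING content is the very bytes "openssl rsa" would emit as the RSA PRIVATE KEY block, which is why the two OpenSSL commands Nate mentions are enough for the same job.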



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org




