tomcat-users mailing list archives

From Daniel M Garland <daniel.garl...@titanemail.com>
Subject Re: OpenSSL + APR + Tomcat 5.5.2 Help
Date Wed, 28 Nov 2007 16:58:04 GMT
OK so I tried it with the attributes set and now I get

java.lang.Exception: Error setting private key (error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

Which I take to mean that my server key is not the same as the 
certificate key. Where did I go wrong?

SSLEngine="on" SSLCertificateFile="/home/tomcat5/ssl/myverisign.crt" 
SSLCertificateKeyFile="/home/tomcat5/ssl/ca/ca.key"

Did I send the wrong thing to verisign?
Dan

Daniel M Garland wrote:
> Hi folks,
> 
> Again I call on your expert assistance:
> 
> I have a tomcat 5.5.2 server running on a Debian Etch linux box. It's 
> configured to use APR 1.1.3 and I want to get SSL going. I've 
> successfully managed this using JSSE but not OpenSSL. I installed 
> openssl using apt, as well as the APR libraries. Tomcat was installed 
> with the binaries from Apache.
> 
> I ran the following commands (with help from http://marc.info):
> 
> - Create private key and certificate request for my own certificate 
> authority
> openssl req -new -newkey rsa:1024 -nodes -out ssl/ca/ca.csr -keyout
> ssl/ca/ca.key
> 
> - Self-sign
> openssl x509 -trustout -signkey ssl/ca/ca.key -days 365 -req -in
> ssl/ca/ca.csr -out ssl/ca/ca.pem
> 
> - Import into Java's security thingy
> keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file 
> ssl/ca/ca.pem -alias tomcat
> 
> - Created a file for the CA's serial numbers?
> echo "02" > ssl/ca/ca.srl
> 
> - Created a keystore
> keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -keystore
> ~/.keystore -storetype JKS
> 
> - Create a certificate request for the server
> keytool -certreq -keyalg RSA -alias tomcat -file ssl/certreq.csr 
> -keystore .keystore
> 
> (This certificate got sent off to verisign, but in the meantime I 
> thought I'd try signing myself off to see SSL working)
> 
> openssl x509 -CA ssl/ca/ca.pem -CAkey ssl/ca/ca.key -CAserial 
> ssl/ca/ca.srl -req -in ssl/certreq.csr  -out ssl/selfcert.crt -days 365
> 
> - Import my self-cert into the keystore
> keytool -import -alias tomcat  -keystore .keystore -trustcacerts -file 
> ssl/selfcert.crt
> 
> Then I had this in server.xml
> <Connector port="8443" maxHttpHeaderSize="8192"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS" 
> keystoreFile="/home/tomcat5/.keystore" keystorePass="password" />
> 
> The docs said that it would pickup .keystore in the user's home 
> directory but I thought I'd set it explicitly.
> 
> When I restart tomcat I see in the log:
> 28-Nov-2007 14:59:26 org.apache.coyote.http11.Http11AprProtocol init
> INFO: Initializing Coyote HTTP/1.1 on http-8443
> 
> And no errors alluding to SSL anywhere else.
> 
> When I try to access
> 
> https://myserver:8443
> 
> firefox tells me that the connection was interrupted, following a 
> lengthy pause.
> 
> keytool -list shows 1 entry.
> 
> Since I'm a bit of a newbie to SSL, and there is nothing in the log, I 
> am stuck as for what to do next. I gather that since I use APR I might 
> need other settings in my server.conf, but the documentation is vague on 
> whether I need both the keystore attributes and the openssl stuff, or 
> just the ssl stuff, or what. If I were to add the SSLEngine, 
> SSLCertificateFile, SSLCertificateKeyFile attributes, what values would 
> I feed them based on the previous steps?
> 
> Does anyone have any good howtos for the openssl side of things (the 
> first line of the official docs is a caveat that the howto applies to 
> JSSE only!)
> 
> Thanks in advance
> 
> Dan Garland
> 
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email 
> ______________________________________________________________________
> 
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> 



