tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "J.V." <>
Subject need help: how to Tomcat self signed cert?
Date Thu, 20 Sep 2012 19:28:52 GMT
I am generating a self signed cert using open SSL with the following 

openssl req -x509 -notes -days 365 -newkey rsa:2048 -keyout 
privateKey.key -out ca.crt

I accept all the defaults when prompted except for 'Common Name' and 
enter my IP address there.

This generates :  ca.crt

It then export this to a ca.p12 with:
  $openssl pkcs12 -export -in ca.crt -inkey privateKey.key -out ca.p12

I then copy this file to $TOMCAT_HOME/conf/a.keystore

Then I run this command
$open ssl pkcs12 -in ca.p12 -out ca.pem -clcerts -nokeys -nodes

and copy this to $TOMCAT_HOME/conf/ca.pem

Before doing this, I remove some junk at the top of the file before 

I then modify my server.xml and open port 8443 and point to the 
a.keystore file.

This seems to work OK.

However when I generate a.keystore and ca.pem using BouncyCastle, the 
certs do not seem to work but I have all the same settings. When 
generating in pure Java, I am required to install the JCE to generate 
the keys.  I am not sure why openssl does not require some download or 
license to generate the RSA keys and why it lets me generate with a key 
size of 2048 without some sort of extension (openssl must have some 
export controls correct)?

My first question is:

1) Why does the first method (using openssl) work?  Would I not need to 
apply JCE to my local jdk/jre when running Tomcat for the certs to work?

2) What is wrong with generating the keys in Java?
I am essentially following this:

Except there is no keystore to initially load so I skipped that part.

any help on generating a self signed cert in Java that would mirror the 
openssl generation would be greatly appreciated.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message