tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: need help: how to Tomcat self signed cert?
Date Thu, 20 Sep 2012 22:08:30 GMT
Which HTTP connector are you using?

Mark

"J.V." <jvsrvcs@gmail.com> wrote:

>I am generating a self signed cert using open SSL with the following 
>commands
>
>openssl req -x509 -notes -days 365 -newkey rsa:2048 -keyout 
>privateKey.key -out ca.crt
>
>I accept all the defaults when prompted except for 'Common Name' and 
>enter my IP address there.
>
>This generates :  ca.crt
>
>It then export this to a ca.p12 with:
>  $openssl pkcs12 -export -in ca.crt -inkey privateKey.key -out ca.p12
>
>I then copy this file to $TOMCAT_HOME/conf/a.keystore
>
>Then I run this command
>$open ssl pkcs12 -in ca.p12 -out ca.pem -clcerts -nokeys -nodes
>
>and copy this to $TOMCAT_HOME/conf/ca.pem
>
>Before doing this, I remove some junk at the top of the file before 
>---BEGIN CERTIFICATE ----
>
>---
>I then modify my server.xml and open port 8443 and point to the 
>a.keystore file.
>
>This seems to work OK.
>
>However when I generate a.keystore and ca.pem using BouncyCastle, the 
>certs do not seem to work but I have all the same settings. When 
>generating in pure Java, I am required to install the JCE to generate 
>the keys.  I am not sure why openssl does not require some download or 
>license to generate the RSA keys and why it lets me generate with a key
>
>size of 2048 without some sort of extension (openssl must have some 
>export controls correct)?
>
>My first question is:
>
>1) Why does the first method (using openssl) work?  Would I not need to
>
>apply JCE to my local jdk/jre when running Tomcat for the certs to
>work?
>
>2) What is wrong with generating the keys in Java?
>I am essentially following this:
>http://blog.thilinamb.com/2010/01/how-to-generate-self-signed.html
>
>Except there is no keystore to initially load so I skipped that part.
>
>any help on generating a self signed cert in Java that would mirror the
>
>openssl generation would be greatly appreciated.
>
>J.V.
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message