tomcat-users mailing list archives

From Mark Thomas <>
Subject Re: need help: how to Tomcat self signed cert?
Date Thu, 20 Sep 2012 22:08:30 GMT
Which HTTP connector are you using?


"J.V." <> wrote:

>I am generating a self-signed cert using OpenSSL with the following 
>openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout 
>privateKey.key -out ca.crt
>I accept all the defaults when prompted except for 'Common Name' and 
>enter my IP address there.
>This generates :  ca.crt
>I then export this to a ca.p12 with:
>  $openssl pkcs12 -export -in ca.crt -inkey privateKey.key -out ca.p12
>I then copy this file to $TOMCAT_HOME/conf/a.keystore
>Then I run this command
>$openssl pkcs12 -in ca.p12 -out ca.pem -clcerts -nokeys -nodes
>and copy this to $TOMCAT_HOME/conf/ca.pem
>Before doing this, I remove some junk at the top of the file before 
>I then modify my server.xml and open port 8443 and point to the 
>a.keystore file.
>This seems to work OK.
>However when I generate a.keystore and ca.pem using BouncyCastle, the 
>certs do not seem to work but I have all the same settings. When 
>generating in pure Java, I am required to install the JCE to generate 
>the keys.  I am not sure why openssl does not require some download or 
>license to generate the RSA keys and why it lets me generate with a key
>size of 2048 without some sort of extension (openssl must have some 
>export controls correct)?
>My first question is:
>1) Why does the first method (using openssl) work?  Would I not need to
>apply JCE to my local jdk/jre when running Tomcat for the certs to
>2) What is wrong with generating the keys in Java?
>I am essentially following this:
>Except there is no keystore to initially load so I skipped that part.
>Any help on generating a self-signed cert in Java that would mirror the
>openssl generation would be greatly appreciated.

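The OpenSSL steps quoted above, scripted together with a check that the resulting PKCS#12 file holds a private key matching its certificate (an added example, not part of the original thread). The Common Name `192.0.2.10`, the password `changeit`, the alias `tomcat` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. CN, password, alias and function names are constructed values.
set -eu

# Quoted procedure, first two steps: self-signed cert + key, then PKCS#12 export.
make_keystore() {  # $1 = output dir, $2 = Common Name, $3 = keystore password
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=$2" \
    -keyout "$1/privateKey.key" -out "$1/ca.crt" 2>/dev/null
  openssl pkcs12 -export -in "$1/ca.crt" -inkey "$1/privateKey.key" \
    -name tomcat -passout "pass:$3" -out "$1/ca.p12"
}

# Public key of the certificate stored in the PKCS#12 file (PEM on stdout).
p12_cert_pubkey() {  # $1 = p12 file, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null |
    openssl x509 -noout -pubkey 2>/dev/null
}

# Public key derived from the private key stored in the same file.
p12_key_pubkey() {  # $1 = p12 file, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
    openssl pkey -pubout 2>/dev/null
}

# Succeeds only if the file opens with the password and key and cert agree.
keystore_is_consistent() {  # $1 = p12 file, $2 = password
  cert_pub=$(p12_cert_pubkey "$1" "$2") || return 1
  key_pub=$(p12_key_pubkey "$1" "$2") || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_keystore "$work" 192.0.2.10 changeit
if keystore_is_consistent "$work/ca.p12" changeit; then
  echo "ca.p12: private key matches certificate"
else
  echo "ca.p12: key/certificate mismatch or unreadable" >&2
fi
```

The same file can be inspected from the Java side with `keytool -list -storetype PKCS12 -keystore ca.p12`.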
