Message-ID: <505B6E74.9050502@gmail.com>
Date: Thu, 20 Sep 2012 13:28:52 -0600
From: "J.V."
To: users@tomcat.apache.org
Subject: need help: how to Tomcat self signed cert?

I am generating a self signed cert using OpenSSL with the following command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out ca.crt

I accept all the defaults when prompted except for 'Common Name' and enter my IP address there. This generates ca.crt.

I then export this to a ca.p12 with:

openssl pkcs12 -export -in ca.crt -inkey privateKey.key -out ca.p12

I then copy this file to $TOMCAT_HOME/conf/a.keystore.

Then I run this command:

openssl pkcs12 -in ca.p12 -out ca.pem -clcerts -nokeys -nodes

and copy this to $TOMCAT_HOME/conf/ca.pem. Before doing this, I remove some junk at the top of the file before -----BEGIN CERTIFICATE-----.

I then modify my server.xml, open port 8443 and point to the a.keystore file. This seems to work OK.

However, when I generate a.keystore and ca.pem using BouncyCastle, the certs do not seem to work, but I have all the same settings. When generating in pure Java, I am required to install the JCE to generate the keys. I am not sure why openssl does not require some download or license to generate the RSA keys and why it lets me generate with a key size of 2048 without some sort of extension (openssl must have some export controls, correct?).

My first question is:

1) Why does the first method (using openssl) work? Would I not need to apply JCE to my local jdk/jre when running Tomcat for the certs to work?

2) What is wrong with generating the keys in Java? I am essentially following this: http://blog.thilinamb.com/2010/01/how-to-generate-self-signed.html except there is no keystore to initially load, so I skipped that part.

Any help on generating a self signed cert in Java that would mirror the openssl generation would be greatly appreciated.

J.V.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
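The openssl steps from the post above, reproduced non-interactively as an added example (these are not J.V.'s commands) and followed by the checks a practitioner would run on the resulting keystore before pointing server.xml at it. The IP address, file names and passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: run the self-signed cert
# workflow non-interactively, then verify what landed in the PKCS12
# keystore. The IP, file names and passphrase below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CN="192.0.2.10"        # constructed example IP (documentation range)
PASS="changeit"        # constructed keystore passphrase

gen_selfsigned() {
    # -nodes (not -notes) leaves the private key unencrypted; -subj replaces
    # the interactive prompts. An IP in the CN alone is not enough for modern
    # clients: they match the address against the subjectAltName extension.
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$WORK/privateKey.key" -out "$WORK/ca.crt" \
        -subj "/CN=$CN" -addext "subjectAltName=IP:$CN" 2>/dev/null
}

export_p12() {
    # Tomcat can read this file directly as a PKCS12 keystore.
    openssl pkcs12 -export -in "$WORK/ca.crt" -inkey "$WORK/privateKey.key" \
        -name tomcat -passout "pass:$PASS" -out "$WORK/a.keystore"
}

clean_pem() {
    # Piping through 'openssl x509' drops the "Bag Attributes" header that
    # 'pkcs12 -clcerts' prints, so no manual trimming of the PEM is needed.
    openssl pkcs12 -in "$WORK/a.keystore" -clcerts -nokeys -passin "pass:$PASS" \
        | openssl x509 -out "$WORK/ca.pem"
}

# Checks a practitioner would run before pointing server.xml at the keystore.
keystore_cn() {
    openssl pkcs12 -in "$WORK/a.keystore" -clcerts -nokeys -passin "pass:$PASS" \
        | openssl x509 -noout -subject | sed 's/.*CN *= *//'
}
cert_key_bits() {
    openssl x509 -in "$WORK/ca.pem" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
pem_first_line() { head -n 1 "$WORK/ca.pem"; }

gen_selfsigned && export_p12 && clean_pem
echo "keystore CN=$(keystore_cn), key=$(cert_key_bits) bits, pem starts: $(pem_first_line)"
```

Requires OpenSSL 1.1.1 or newer for -addext; set WORK to keep the generated files somewhere other than a temporary directory.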