tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Using a P7B certificate file
Date Wed, 11 Sep 2013 12:22:13 GMT

James,

On 9/10/13 6:50 PM, James H. H. Lampert wrote:
> On 9/10/13 2:19 PM, Christopher Schultz wrote:
>> "P7B" is otherwise known as a PKCS#7 file and usually contains a 
>> certificate. Does the file contain *only* a certificate, or does
>> it also contain the key that was used to generate the CSR? If you
>> have the cert but not the key, you won't be able to use it for
>> serving HTTPS.
>> 
>> Let's start with what you've actually got. You said you have a
>> file. What's in the file?
> 
> Well, from what little I'd read, "A P7B file only contains
> certificates and chain certificates, not the private key." (from 
> <https://www.sslshopper.com/ssl-converter.html>)
> 
> Is there a way it *can* contain the private key as well?
> 
> At any rate, it contains the typical unintelligible block of
> characters between "BEGIN PKCS7" and "END PKCS7" marks, 98 lines of
> 64 characters and a 99th line of 4 characters, approximately 6kb. I
> did a bit of futzing around with it, found I could use "keychain
> access" on my Mac to import it into an empty "keychain" file for
> inspection, and I found that it appears to contain a root
> certificate, an intermediate certificate, and the signed SSL
> certificate. Looking at it with the corresponding utility on my
> WinDoze box gives the same result. Unless you know of something
> else that can inspect a P7B file, I'm guessing that it's just a
> reply to a CSR, waiting to be installed in the originating
> keystore.

You could use OpenSSL to inspect it, but I suspect it would give you
the same result.

Okay, great: you have a chain of certificates and could, with a bit of
effort, convert that into a Java keystore or a PEM-encoded file for
use with OpenSSL (and httpd, tcnative, etc.).

Without the private key, though, you aren't going to get very far. Go
back to the client and tell them that you need that, too.

-chris
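
The OpenSSL inspection mentioned in the reply above, as an added example that is not part of the original message: it lists the certificates in a PEM-encoded P7B and checks whether a given private key belongs to any of them. All file names and the example.test subjects are constructed, and the two self-signed certificates only stand in for a real CA chain.

```shell
#!/bin/sh
# Added example. File names and the "example.test" subjects are constructed.

# List subject/issuer of every certificate in a PEM-encoded P7B.
p7b_list() { openssl pkcs7 -in "$1" -print_certs -noout; }

# Number of certificates carried in the P7B.
p7b_cert_count() { openssl pkcs7 -in "$1" -print_certs | grep -c 'BEGIN CERTIFICATE'; }

# Exit 0 if private key $1 matches the public key of any certificate in P7B $2,
# 1 if none matches, 2 if the key cannot be read.
p7b_has_cert_for_key() {
    want=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    dir=$(mktemp -d) || return 2
    # Split the bundle into one PEM file per certificate.
    openssl pkcs7 -in "$2" -print_certs 2>/dev/null |
        awk -v d="$dir" '/BEGIN CERTIFICATE/ { n++ } n { print > (d "/c" n ".pem") }'
    rc=1
    for c in "$dir"/c*.pem; do
        [ -f "$c" ] || continue
        got=$(openssl x509 -in "$c" -noout -pubkey 2>/dev/null) || continue
        if [ "$got" = "$want" ]; then rc=0; fi
    done
    rm -rf "$dir"
    return "$rc"
}

# Build constructed test material in directory $1:
# leaf.key, ca.key, other.key (unrelated) and bundle.p7b (two certificates).
make_demo_files() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=leaf.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ca.example.test" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null &&
    openssl crl2pkcs7 -nocrl -certfile "$d/ca.pem" -certfile "$d/leaf.pem" \
        -out "$d/bundle.p7b"
}

demo=$(mktemp -d) && make_demo_files "$demo" && {
    p7b_list "$demo/bundle.p7b"
    echo "certificates: $(p7b_cert_count "$demo/bundle.p7b")"
    p7b_has_cert_for_key "$demo/leaf.key" "$demo/bundle.p7b" && echo "leaf.key: matches"
    p7b_has_cert_for_key "$demo/other.key" "$demo/bundle.p7b" || echo "other.key: no match"
}
rm -rf "$demo"
```

The key check compares public keys only, so it works whatever order the certificates appear in inside the bundle.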
