tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Using a P7B certificate file
Date Fri, 13 Sep 2013 21:33:56 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

James,

On 9/13/13 5:29 PM, James H. H. Lampert wrote:
> On 9/11/13 5:22 AM, Christopher Schultz wrote:
>> Okay, great: you have a chain of certificates and could, with a
>> bit of effort, convert that into a Java keystore or a PEM-encoded
>> file for use with OpenSSL (and httpd, tcnative, etc.).
>> 
>> Without the private key, though, you aren't going to get very
>> far. Go back to the client and tell them that you need that,
>> too.
> 
> FINALLY!
> 
> (And this is why we discourage our customers from building their
> own keystores: there's enough chance of screwing it up if I do it,
> and I've done it a few times; unless the customer has a Tomcat
> expert on staff, they're going to be as lost as I was the first
> time.)

Well, one could argue that the server key really is the key to the
kingdom, so exercising a certain amount of caution about sharing it
around is appropriate in general. It sounds like this wasn't a
security consideration, though, but basic incompetence on their part.

> We got the customer to send us the originating keystore (on the
> second try!), and the non-default password for it, and I managed to
> marry it to the signed certificate in the P7B file, and get it
> installed (screwing up the syntax of server.xml, the first time I
> tried to adjust it from our choice of keystore name and alias to
> their choices and their non-default password), and finally managed
> to get it to come up.
> 
> Thanks, Mr. Schultz, et al. You were more helpful than you might
> realize.

Uh.. sure! I suspect I just confirmed something that you already knew:
you didn't have everything you needed to do the job you were asked to do.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSM4TEAAoJEBzwKT+lPKRYjG0QAKfXB9F9VjpKZJkCmrnbaq3w
EVtvlDPtiA5fEgOETgAXbrMhyb78SFvBg2rGVvjpZ9uGLebahI7tjQgRX1pAWDfA
1V4BmSX86kx49TWEYi11rsC+KzxGbVZBidj8C0iVIdW7msNfPdW6PXpO8u4T9v86
CQkY2TxVQ91pNadWOddzgnWuEfXmgFHhsYinLiyOMQVGKTAGckTeV3BLH06YkTM3
wZVe231zDluQXm1NtPXS0ReCiugGOIeKvptnxWL2VnnXj0reh8FieniW2+zZ+7F6
k15Xu53Gc2Mu3N1DH80JM2kkMygJBAxDVPXrKcvuZ+JUL9kuwBMcOCQf+TrnZrIk
R+9qK1SY5tGR4cNZpM2O6A2v9ixrOrNYBGpYfB3RrqV7XQPrtCZbvoaL8Ai+6TKN
Jpqyu9STxsbMLaxo/9uDKwo1SCINW99vOG0eKFXrfC1+S2HJdhTot/SvzTqrN660
mP0TOgS5XPjJeCgt54LYRsMcIllSHIteFU1YyPpVPJbGkYQSB20j5p2wLOljpk4X
oPyV+XcxzT/AyAKQGQ1lFiw8NmkIMUvS6xzbYDeQU2RojJWQaSR23eMPYG6XyRGN
nLe74doyrtArcRQiiWskkltJiTCgl+Ow+H7lEurql2OogVI7iTg4WGo7VmXIecF5
D/zOFGVBzTw1Brzs7Xex
=n+rP
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message