From Ognjen Blagojevic <ognjen.d.blagoje...@gmail.com>
Subject Re: Secure Tomcat With SSL
Date Mon, 28 Oct 2013 20:41:50 GMT
Chris,
Leo,

On 28.10.2013 18:23, Leo Donahue - OETX wrote:
>> I've been having some trouble lately converting keys and certs from OpenSSL
>> format into Java's JKS format. I follow all of the magical incantations I can find
>> online to convert key+cert into a Java keystore but I get no love. Is there a
>> decent guide anywhere for how to do this?
>
>  From my book of spells.
>
> Used this to configure SSL in Apache httpd for subversion edge.
>
> openssl pkcs12 -export -in C:/server.crt -inkey C:/server.key -name svnedge -out C:/server.p12
>
> keytool -importkeystore -srckeystore C:/server.p12 -srcstoretype PKCS12 -destkeystore C:/svnedge.jks

During the TLS handshake, the server may respond with a complete certificate chain 
(the server certificate with all intermediate certificates) or with an 
incomplete certificate chain (e.g. the server certificate without any/some 
intermediate certificates). Most servers, around 88% of them, deliver the 
full certificate chain, according to research mentioned here [1].

A complete certificate chain is recognized as valid by every client 
that implements TLS (assuming that the root CA certificate is in the client 
keystore). An incomplete certificate chain may be recognized as valid by 
some TLS clients (e.g. Internet Explorer), using information from the 
X.509v3 extension called Authority Information Access (AIA), or using 
previously validated certificate chains. Some clients will not recognize an 
incomplete certificate chain as valid (e.g. openssl or Apache 
HTTPCommons Client). Even the same client may sometimes recognize 
incomplete certificate chains as valid and sometimes as invalid, thanks 
to caching of intermediate certificates. Therefore, it is best practice 
to always deliver the complete certificate chain to the client.

Having the root CA certificate in the chain is unnecessary, as it wastes 
your bandwidth during the TLS handshake (your client already has the root CA 
certificate in its own keystore).

Assuming that the intermediate certificates (intermediates.pem), server 
certificate (server.pem) and private key (server.key) are all in PEM 
format, you need to add the option -certfile to the command Leo provided:

openssl pkcs12 -export -out keystore.p12 -name myserver -in server.pem -inkey server.key -certfile intermediates.pem


Verify the contents of the p12 keystore with:

openssl pkcs12 -in keystore.p12 -nokeys

You should verify that the certificate chain is complete (up to, but 
not including, the root CA certificate).

Now you may use that keystore for the BIO and NIO connectors:

keystoreFile="keystore.p12" keyAlias="myserver" keystoreType="pkcs12"

Or you may convert it to JKS keystore as Leo suggests.

-Ognjen

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=399324#c72
