tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Gainty <mgai...@hotmail.com>
Subject RE: Secure Tomcat With SSL
Date Tue, 29 Oct 2013 00:55:21 GMT
For over a year I've been looking for a tool to show the RFC 822 name and the PEM

 

Thanks craig!
Martin 

  



> Date: Mon, 28 Oct 2013 16:43:53 -0400
> Subject: Re: Secure Tomcat With SSL
> From: craig.taylor@drivedominion.com
> To: users@tomcat.apache.org
> 
> This tool has saved me a few times over:
> http://sourceforge.net/projects/portecle/
> 
> 
> On Mon, Oct 28, 2013 at 4:41 PM, Ognjen Blagojevic <
> ognjen.d.blagojevic@gmail.com> wrote:
> 
> > Chris,
> > Leo,
> >
> > On 28.10.2013 18:23, Leo Donahue - OETX wrote:
> >
> >> I've been having some trouble lately converting keys and certs from
> >>> OpenSSL
> >>> format into Java's JKS format. I follow all of the magical incantations
> >>> I can find
> >>> online to convert key+cert into a Java keystore but I get no love. Is
> >>> there a
> >>> decent guide anywhere for how to do this?
> >>>
> >>
> >> From my book of spells.
> >>
> >> Used this to configure SSL in Apache httpd for subversion edge.
> >>
> >> openssl pkcs12 -export -in C:/server.crt -inkey C:/server.key -name
> >> svnedge -out C:/server.p12
> >>
> >> keytool -importkeystore -srckeystore C:/server.p12 -srcstoretype PKCS12
> >> -destkeystore C:/svnedge.jks
> >>
> >
> > During TLS handshake, server may respond with complete certificate chain
> > (server certificate with all intermediate certificates) or with incomplete
> > certificate chain (e.g. server certificate, without any/some intermediate
> > certificates). Most servers, around 88% of them, deliver full certificate
> > chain, according to research mentioned here [1].
> >
> > Complete certificate chain is being recognized as valid by every client
> > that implements TLS (assuming that root CA certificate is in the client
> > keystore). Incomplete certificate chain may be recognized as valid by some
> > TLS clients (e.g. Internet Explorer), using information from X.509v3
> > extension called Authority Information Access (AIA), or using previously
> > validated certificate chains. Some clients will not recognize incomplete
> > certificate chain as valid (e.g. openssl or Apache HTTPCommons Client).
> > Even the same client may sometimes recognize incomplete certificate chains
> > as valid and sometimes as invalid, thanks to caching of intermediate
> > certificates. Therefore, it is best practice always to deliver complete
> > certificate chain to the client.
> >
> > Having root CA certificate in the chain is unnecessary, as it wastes your
> > bandwidth during TLS handshake (your client already have root CA
> > certificate in its own keystore).
> >
> > Assuming that intermediate certificates (intermediates.pem), server
> > certificate (server.pem) and private key (server.key) are all in PEM
> > format, you need to add option -certfile to command Leo provided:
> >
> > openssl pkcs12 -export -out keystore.p12 -name myserver -in server.pem
> > -inkey server.key -certfile intermediates.pem
> >
> >
> > Verify that the contents of the p12 keystore with:
> >
> > openssl pkcs12 -in keystore.p12 -nokeys
> >
> > You should verify that the certificate chain is complete (up to, but
> > without root CA certificate).
> >
> > Now, you may use that keystore for BIO and NIO connectors:
> >
> > keystoreFile="keystore.p12" keyAlias="myserver" keystoreType="pkcs12"
> >
> > Or you may convert it to JKS keystore as Leo suggests.
> >
> > -Ognjen
> >
> > [1] https://bugzilla.mozilla.org/**show_bug.cgi?id=399324#c72<https://bugzilla.mozilla.org/show_bug.cgi?id=399324#c72>
> >
> > ------------------------------**------------------------------**---------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.**apache.org<users-unsubscribe@tomcat.apache.org>
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
 		 	   		  
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message