tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Craig Taylor <craig.tay...@drivedominion.com>
Subject Re: Secure Tomcat With SSL
Date Mon, 28 Oct 2013 20:43:53 GMT
This tool has saved me a few times over:
http://sourceforge.net/projects/portecle/


On Mon, Oct 28, 2013 at 4:41 PM, Ognjen Blagojevic <
ognjen.d.blagojevic@gmail.com> wrote:

> Chris,
> Leo,
>
> On 28.10.2013 18:23, Leo Donahue - OETX wrote:
>
>> I've been having some trouble lately converting keys and certs from
>>> OpenSSL
>>> format into Java's JKS format. I follow all of the magical incantations
>>> I can find
>>> online to convert key+cert into a Java keystore but I get no love. Is
>>> there a
>>> decent guide anywhere for how to do this?
>>>
>>
>>  From my book of spells.
>>
>> Used this to configure SSL in Apache httpd for subversion edge.
>>
>> openssl pkcs12 -export -in C:/server.crt -inkey C:/server.key -name
>> svnedge -out C:/server.p12
>>
>> keytool -importkeystore -srckeystore C:/server.p12 -srcstoretype PKCS12
>> -destkeystore C:/svnedge.jks
>>
>
> During TLS handshake, server may respond with complete certificate chain
> (server certificate with all intermediate certificates) or with incomplete
> certificate chain (e.g. server certificate, without any/some intermediate
> certificates). Most servers, around 88% of them, deliver full certificate
> chain, according to research mentioned here [1].
>
> Complete certificate chain is being recognized as valid by every client
> that implements TLS (assuming that root CA certificate is in the client
> keystore). Incomplete certificate chain may be recognized as valid by some
> TLS clients (e.g. Internet Explorer), using information from X.509v3
> extension called Authority Information Access (AIA), or using previously
> validated certificate chains. Some clients will not recognize incomplete
> certificate chain as valid (e.g. openssl or Apache HTTPCommons Client).
> Even the same client may sometimes recognize incomplete certificate chains
> as valid and sometimes as invalid, thanks to caching of intermediate
> certificates. Therefore, it is best practice always to deliver complete
> certificate chain to the client.
>
> Having root CA certificate in the chain is unnecessary, as it wastes your
> bandwidth during TLS handshake (your client already have root CA
> certificate in its own keystore).
>
> Assuming that intermediate certificates (intermediates.pem), server
> certificate (server.pem) and private key (server.key) are all in PEM
> format, you need to add option -certfile to command Leo provided:
>
> openssl pkcs12 -export -out keystore.p12 -name myserver -in server.pem
> -inkey server.key -certfile intermediates.pem
>
>
> Verify that the contents of the p12 keystore with:
>
> openssl pkcs12 -in keystore.p12 -nokeys
>
> You should verify that the certificate chain is complete (up to, but
> without root CA certificate).
>
> Now, you may use that keystore for BIO and NIO connectors:
>
> keystoreFile="keystore.p12" keyAlias="myserver" keystoreType="pkcs12"
>
> Or you may convert it to JKS keystore as Leo suggests.
>
> -Ognjen
>
> [1] https://bugzilla.mozilla.org/**show_bug.cgi?id=399324#c72<https://bugzilla.mozilla.org/show_bug.cgi?id=399324#c72>
>
> ------------------------------**------------------------------**---------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.**apache.org<users-unsubscribe@tomcat.apache.org>
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message