tomcat-users mailing list archives

From Craig Taylor <>
Subject Re: Secure Tomcat With SSL
Date Mon, 28 Oct 2013 20:43:53 GMT
This tool has saved me a few times over:

On Mon, Oct 28, 2013 at 4:41 PM, Ognjen Blagojevic <> wrote:

> Chris,
> Leo,
> On 28.10.2013 18:23, Leo Donahue - OETX wrote:
>>> I've been having some trouble lately converting keys and certs from
>>> OpenSSL
>>> format into Java's JKS format. I follow all of the magical incantations
>>> I can find
>>> online to convert key+cert into a Java keystore but I get no love. Is
>>> there a
>>> decent guide anywhere for how to do this?
>> From my book of spells.
>> Used this to configure SSL in Apache httpd for subversion edge.
>> openssl pkcs12 -export -in C:/server.crt -inkey C:/server.key -name
>> svnedge -out C:/server.p12
>> keytool -importkeystore -srckeystore C:/server.p12 -srcstoretype PKCS12
>> -destkeystore C:/svnedge.jks
> During the TLS handshake, the server may respond with a complete certificate
> chain (server certificate with all intermediate certificates) or with an
> incomplete certificate chain (e.g. server certificate, without any/some
> intermediate certificates). Most servers, around 88% of them, deliver the
> full certificate chain, according to research mentioned here [1].
> A complete certificate chain is recognized as valid by every client that
> implements TLS (assuming that the root CA certificate is in the client
> keystore). An incomplete certificate chain may be recognized as valid by some
> TLS clients (e.g. Internet Explorer), using information from the X.509v3
> extension called Authority Information Access (AIA), or using previously
> validated certificate chains. Some clients will not recognize an incomplete
> certificate chain as valid (e.g. openssl or Apache HTTPCommons Client).
> Even the same client may sometimes recognize incomplete certificate chains
> as valid and sometimes as invalid, thanks to caching of intermediate
> certificates. Therefore, it is best practice always to deliver the complete
> certificate chain to the client.
> Having the root CA certificate in the chain is unnecessary, as it wastes your
> bandwidth during the TLS handshake (your client already has the root CA
> certificate in its own keystore).
> Assuming that the intermediate certificates (intermediates.pem), server
> certificate (server.pem) and private key (server.key) are all in PEM
> format, you need to add the option -certfile to the command Leo provided:
> openssl pkcs12 -export -out keystore.p12 -name myserver -in server.pem
> -inkey server.key -certfile intermediates.pem
> Verify the contents of the p12 keystore with:
> openssl pkcs12 -in keystore.p12 -nokeys
> You should verify that the certificate chain is complete (up to, but
> without, the root CA certificate).
> Now, you may use that keystore for BIO and NIO connectors:
> keystoreFile="keystore.p12" keyAlias="myserver" keystoreType="pkcs12"
> Or you may convert it to JKS keystore as Leo suggests.
> -Ognjen
> [1] show_bug.cgi?id=399324#c72
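Added example, not code from the thread and not Tomcat's or OpenSSL's own: a POSIX shell script that generates a throwaway root/intermediate/server PKI, runs the pkcs12 export from the post with and without -certfile, and then performs the check Ognjen asks for: can a client that trusts only the root CA build a chain from what the keystore actually contains, and is the root itself (needlessly) bundled? It assumes an openssl binary (1.1.1 or later) on PATH; the names (myserver.example, Example Root CA), the password changeit and all file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: build the PKCS#12 keystore the way the
# post describes and check that its certificate chain is complete (up to, but
# without, the root CA). Every key, name and password here is constructed.
set -e

WORK=$(mktemp -d)
PASS=changeit   # constructed keystore password

# Minimal OpenSSL config: an extension section for CA certs and one for the server.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:myserver.example
EOF

# Throwaway three-tier PKI: root CA -> intermediate CA -> server certificate.
make_test_pki() (
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem -days 30 \
    -config pki.cnf -subj "/CN=Example Root CA" -extensions ca_ext 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -config pki.cnf -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 \
    -extfile pki.cnf -extensions ca_ext -out intermediates.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -config pki.cnf -subj "/CN=myserver.example" 2>/dev/null
  openssl x509 -req -in server.csr -CA intermediates.pem -CAkey int.key -CAcreateserial \
    -days 30 -extfile pki.cnf -extensions server_ext -out server.pem 2>/dev/null
)

# build_p12 OUT [CERTFILE]: the export command from the thread. Without -certfile
# the keystore holds only the server certificate, i.e. an incomplete chain.
build_p12() {
  if [ -n "$2" ]; then
    openssl pkcs12 -export -out "$1" -name myserver -in "$WORK/server.pem" \
      -inkey "$WORK/server.key" -certfile "$2" -passout "pass:$PASS"
  else
    openssl pkcs12 -export -out "$1" -name myserver -in "$WORK/server.pem" \
      -inkey "$WORK/server.key" -passout "pass:$PASS"
  fi
}

# check_chain P12 ROOT: 0 = chain complete and root not bundled, 1 = chain incomplete,
# 2 = the root CA itself is in the keystore (wasted handshake bytes).
check_chain() {
  d=$(mktemp -d)
  # -clcerts selects the certificate paired with the private key (the leaf),
  # -cacerts everything that came in through -certfile.
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$PASS" 2>/dev/null \
    | openssl x509 -out "$d/leaf.pem"
  openssl pkcs12 -in "$1" -nokeys -cacerts -passin "pass:$PASS" 2>/dev/null > "$d/extra.pem"
  # Split the extra certs one per file and flag any self-signed one as a root.
  awk -v dir="$d" '/-----BEGIN CERT/ {n = n + 1; f = dir "/ca" n ".crt"} f {print > f}
                   /-----END CERT/ {close(f); f = ""}' "$d/extra.pem"
  for c in "$d"/ca*.crt; do
    [ -f "$c" ] || continue
    s=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject=//')
    i=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer=//')
    [ "$s" != "$i" ] || return 2
  done
  # What a client that trusts only the root sees: the leaf plus whatever the
  # keystore bundles as untrusted intermediates. Missing intermediates fail here.
  if grep -q 'BEGIN CERT' "$d/extra.pem"; then
    openssl verify -CAfile "$2" -untrusted "$d/extra.pem" "$d/leaf.pem" >/dev/null 2>&1 || return 1
  else
    openssl verify -CAfile "$2" "$d/leaf.pem" >/dev/null 2>&1 || return 1
  fi
}

make_test_pki
build_p12 "$WORK/incomplete.p12"
build_p12 "$WORK/complete.p12" "$WORK/intermediates.pem"
cat "$WORK/intermediates.pem" "$WORK/root.pem" > "$WORK/intermediates_plus_root.pem"
build_p12 "$WORK/with_root.p12" "$WORK/intermediates_plus_root.pem"

for ks in incomplete complete with_root; do
  rc=0; check_chain "$WORK/$ks.p12" "$WORK/root.pem" || rc=$?
  case $rc in
    0) echo "$ks.p12: chain complete, root not bundled (what you want)" ;;
    1) echo "$ks.p12: chain incomplete; openssl-style clients will reject it" ;;
    2) echo "$ks.p12: root CA bundled; drop it from -certfile" ;;
  esac
done
```

The check deliberately hands openssl verify only the root as trusted and only the keystore's own -certfile contents as untrusted, so it sees exactly what a strict client with no AIA fetching and no intermediate cache would see; the same three keystores can be fed to Tomcat with keystoreType="pkcs12" as in the post, but only the one reported as complete behaves the same for every client.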
