tomcat-users mailing list archives

From Kernel freak <kernelfr...@gmail.com>
Subject Re: Deploying .ca-bundle file & .crt file as SSL certificates
Date Wed, 26 Nov 2014 17:00:53 GMT
On Wed, Nov 26, 2014 at 5:33 PM, Christopher Schultz <chris@christopherschultz.net> wrote:

>
> To whom it may concern,
>
> On 11/26/14 9:03 AM, Kernel freak wrote:
> > After arguing with the admins for all this time, I finally have the
> > few files ready. I have the following files :
> >
> > keystore.p12
>
> That should contain your key. Can you confirm that with a 'keytool -list'?
>
> > server.crt
>
> Is this the certificate that was signed by the CA?
>
Yes, this is the certificate signed by the CA, but it's a server certificate; the
domain certificate is below.

>
> > ssl-cert-snakeoil.key
>
> Uh, oh. That looks like one of OpenSSL's built-in CAs that are used
> for documentation and instructional purposes. I hope this isn't being
> used for anything at all.
>
> > domainname.com.ca-bundle
>
> This should be the bundle of certificates for your domain, which may
> include intermediate certificates. Are you using your own internal CA
> or something?
>
> > domainname.com.crt
>
> Which certificate is this?
>
This is the SSL certificate which has to be deployed.

>
> > domainname.com.csr
>
> Is this the CSR that you generated yourself?
>
No, this is also provided by the hosting guys.

>
> > domainname.com.key
>
> Weird. Okay, I would expect domainname.com.key to have the key that
> was used to generate domainname.com.csr, and that domainname.com.crt
> is a signed version of that CSR. That should be all you need... I'm
> not sure what all the other stuff is.
>
> > vsftpd.pem.
>
> What is this?
>
> > I did the following as Christoph said:
> >
> > root@domainname:/etc/ssl/private# openssl pkcs12 -export -in
> > server.crt -inkey ssl-cert-snakeoil.key -certfile
> > domainname.com.crt -out keystore.p12 -chain  (pressed enter here)
> > unable to load certificates  // This is the error.
>
> I think you might want to do this:
>
> $ openssl pkcs12 -export -in domainname.com.crt \
>                          -inkey domainname.com.key \
>                          -certfile domainname.com.ca-bundle \
>                          -out keystore.p12 -chain
>
> $ keytool -importkeystore -srckeystore keystore.p12 \
>           -srcstoretype pkcs12 \
>           -destkeystore keystore.jks
>
> You are supposed to be able to use PKCS12 keystores directly with
> Tomcat, but IIRC it's a pain and a bit more finicky than with just a
> "normal" JKS-format keystore.
>
> > If i just plain import the .crt file like this :
> >
> > keytool -import -alias tomcat -file domainname.com.crt -keystore
> > /root/.keystore
>
> A couple of things:
>
> 1. Don't run as root. Not for anything. Not even to run keytool.
> 2. Don't store your keystore under /root/.keystore, or you'll (likely)
> have to run Tomcat as root. You can put your keystore anywhere you
> want and point Tomcat to it explicitly.
> 3. If you import a certificate into a keystore and there is nothing
> else in it (the keystore), then you can't perform a handshake because
> the key is required for secure communication.
>
> > Then firefox gives me this error :
> >
> > An error occurred during a connection to domainname.com:8443.
> > Cannot communicate securely with peer: no common encryption
> > algorithm(s). (Error code: ssl_error_no_cypher_overlap)
> >
> > The page you are trying to view cannot be shown because the
> > authenticity of the received data could not be verified. Please
> > contact the website owners to inform them of this problem.
>
> The no_cipher_overlap error is likely to be incorrect... the real
> problem is that the server can't decrypt the client's handshake
> because the key is unavailable.
>
> I think you might need to get some help with this from someone else at
> your organization... someone who is a bit more versed in PKI and
> configuring TLS for web servers.
>

I have told you what key is for what. Can you give me the updated commands,
please? Unfortunately there is no one here who knows this.

>
> - -chris
>
> > On Tue, Nov 25, 2014 at 10:24 PM, Christopher Schultz <chris@christopherschultz.net> wrote:
> >
> > To whom it may concern,
> >
> > On 11/25/14 3:32 AM, Kernel freak wrote:
> >>>> I don't have the server.key and server.crt. I have root
> >>>> access to server, I can generate my own if necessary. I only
> >>>> have .crt and .ca-bundle file. Can you tell me what to do.
> >>>> Thank you very much for your help.
> >
> > If you don't have the server's key but you have the server's
> > certificate, then you must start all over again because the key is
> > half of a paired key.
> >
> > Did you generate the CSR yourself? With what key did you generate
> > that CSR? If someone else generated the CSR, go ask them where the
> > key is that they used.
> >
> > If you have lost the key then you must redo the whole process,
> > starting with generating a new key and CSR, then get the CSR
> > signed. Then, import the signed certificate back into the same
> > keystore. Then, configure Tomcat to use that keystore.
> >
> > The instructions on the Tomcat users' guide are fairly
> > straightforward even if they don't explain the intricacies of
> > public key infrastructure -- that's outside the scope of the users'
> > guide.
> >
> > Thanks, -chris
> >
> >>>> On Mon, Nov 24, 2014 at 7:48 PM, Christopher Schultz <chris@christopherschultz.net> wrote:
> >>>>
> >>>> Niranjan,
> >>>>
> >>>> On 11/24/14 10:51 AM, Niranjan Babu Bommu wrote:
> >>>>>>> I think you have to create a keystore from the cert;
> >>>>>>> please follow these instructions and let me know.
> >>>>>>>
> >>>>>>> Create store with temporary key inside:
> >>>>>>>
> >>>>>>> keytool -genkey -alias temp -keystore yourkeystore.jks -storepass Hello1
> >>>>>>>
> >>>>>>> Then delete the existing entry:
> >>>>>>>
> >>>>>>> keytool -delete -alias temp -keystore yourkeystore.jks -storepass Hello1
> >>>>>>>
> >>>>>>> Now you've got an empty store. You can check that it's empty:
> >>>>>>>
> >>>>>>> keytool -list -keystore yourkeystore.jks -storepass Hello1
> >>>>>>>
> >>>>>>> Then import your certificate to the store:
> >>>>>>>
> >>>>>>> keytool -import -alias <alias name> -file cert_file.crt -keypass keypass \
> >>>>>>>         -keystore yourkeystore.jks -storepass Hello1
> >>>>
> >>>> Nope: the existing key *and* cert need to be imported
> >>>> simultaneously into the keystore. If the OP already has a
> >>>> cert, he's already got a key, too.
> >>>>
> >>>> The problem is that you probably started with OpenSSL to
> >>>> generate your keys and stuff. Here is the proper procedure to
> >>>> import your key, certificate, and CA bundle into a Java
> >>>> keystore.
> >>>>
> >>>> You'll need these files:
> >>>>
> >>>> server.key (this is your server's secret key)
> >>>> server.crt (this is your server's certificate, signed by the CA)
> >>>> ca.crt     (this is your CA's certificate)
> >>>>
> >>>> Here is the incantation:
> >>>>
> >>>> $ openssl pkcs12 -export -in server.crt -inkey server.key \
> >>>>       -certfile ca.crt -out keystore.p12 -chain
> >>>>
> >>>> $ $JAVA_HOME/bin/keytool -importkeystore -srckeystore keystore.p12 \
> >>>>       -srcstoretype pkcs12 \
> >>>>       -destkeystore keystore.jks
> >>>>
> >>>> Now, use keystore.jks in Tomcat's server.xml.
> >>>>
> >>>> If you already had created your key and cert request using
> >>>> Java's 'keytool', then you can instead just import the signed
> >>>> certificate into your keystore:
> >>>>
> >>>> $ $JAVA_HOME/bin/keytool -importcert -file server.crt \
> >>>>       -keystore keystore.jks \
> >>>>       -alias [alias]
> >>>>
> >>>> If you used an alias to create the certificate signing
> >>>> request (CSR), then use the same alias in the above command.
> >>>>
> >>>> -chris
> >>>>>
> >>>>> ---------------------------------------------------------------------
> >>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>
> >
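Added example (my own script, not code from any message in this thread): it turns the procedure Christopher Schultz describes into steps that each verify themselves, which is what the OP's situation calls for. First it proves that a private key actually belongs to the signed certificate (the check that catches pairing ssl-cert-snakeoil.key with domainname.com.crt), then it builds the PKCS#12 from key + certificate + CA bundle, confirms the result really contains a private key (a certificate-only keystore is exactly the "cannot perform a handshake" case above), and finally converts to JKS for Tomcat when keytool is available. The file names are those from the thread; the alias "tomcat", the password "changeit", the Tomcat connector paths and the throwaway CA generated by make_fixture are my assumptions, not material from the original posts.

```sh
#!/bin/sh
# Added example, not code from the thread. File names follow the thread; the
# "tomcat" alias, the "changeit" password and the toy PKI below are assumptions.

# key_matches_cert KEY CERT: succeed only if CERT's public key was derived from KEY.
# Compares the SubjectPublicKeyInfo extracted from both files; a PKCS#12 built
# from a mismatched pair will never complete a TLS handshake.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# build_keystore KEY CERT BUNDLE OUT.p12 PASSWORD
# -certfile appends the intermediate/root certs from the bundle so the server
# sends a full chain. -chain is deliberately omitted: it verifies the chain
# against OpenSSL's trust store and fails for a CA that is not installed there.
build_keystore() {
    key_matches_cert "$1" "$2" || { echo "refusing: $1 does not match $2" >&2; return 1; }
    openssl pkcs12 -export -in "$2" -inkey "$1" -certfile "$3" \
        -name tomcat -out "$4" -passout "pass:$5" 2>/dev/null || return 1
    chmod 600 "$4"   # the keystore holds the private key: owner-only, not root's
}

# p12_private_key_count FILE PASSWORD: number of private keys inside the PKCS#12.
# 0 means the "imported only the .crt" mistake from the thread.
p12_private_key_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -c 'BEGIN .*PRIVATE KEY'
}

# to_jks P12 JKS PASSWORD: the keytool conversion from the thread, non-interactive,
# followed by the check that the JKS has a PrivateKeyEntry (not just a trusted cert).
to_jks() {
    keytool -importkeystore -srckeystore "$1" -srcstoretype pkcs12 \
        -srcstorepass "$3" -destkeystore "$2" -deststoretype jks \
        -deststorepass "$3" -noprompt >/dev/null 2>&1 || return 1
    chmod 600 "$2"
    keytool -list -keystore "$2" -storepass "$3" 2>/dev/null | grep -q PrivateKeyEntry
}

# make_fixture DIR: constructed toy PKI mirroring the files named in the thread.
# Not real material: a throwaway CA, a server key/CSR/cert signed by it, and an
# unrelated "snakeoil" key that must be rejected.
make_fixture() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Toy CA' \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=domainname.com' \
        -keyout "$d/domainname.com.key" -out "$d/domainname.com.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/domainname.com.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/domainname.com.crt" 2>/dev/null || return 1
    cp "$d/ca.crt" "$d/domainname.com.ca-bundle"
    openssl genrsa -out "$d/ssl-cert-snakeoil.key" 2048 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_fixture "$d" || { echo "fixture generation failed" >&2; return 1; }
    if key_matches_cert "$d/ssl-cert-snakeoil.key" "$d/domainname.com.crt"; then
        echo "unexpected: snakeoil key matched the domain certificate"; return 1
    fi
    echo "snakeoil key correctly rejected for domainname.com.crt"
    build_keystore "$d/domainname.com.key" "$d/domainname.com.crt" \
        "$d/domainname.com.ca-bundle" "$d/keystore.p12" changeit || return 1
    echo "keystore.p12 private keys: $(p12_private_key_count "$d/keystore.p12" changeit)"
    if command -v keytool >/dev/null 2>&1; then
        to_jks "$d/keystore.p12" "$d/keystore.jks" changeit && echo "keystore.jks has a PrivateKeyEntry"
    fi
    # Tomcat 7/8 JSSE connector (paths and alias assumed). Run Tomcat as an
    # unprivileged user that owns the keystore, never as root.
    cat <<'EOF'
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/opt/tomcat/conf/keystore.jks" keystorePass="changeit"
           keyAlias="tomcat" sslProtocol="TLS" />
EOF
    rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh keystore.sh demo` to exercise the whole flow against the generated fixture; in real use call key_matches_cert on the hosting provider's domainname.com.key and domainname.com.crt first, and only if that succeeds go on to build_keystore and to_jks. The keystore password and alias here are assumptions; whatever you choose, the same values go into keystorePass and keyAlias on the Connector.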
