tomcat-users mailing list archives

From Kernel freak <kernelfr...@gmail.com>
Subject Re: Deploying .ca-bundle file & .crt file as SSL certificates
Date Tue, 25 Nov 2014 08:32:21 GMT
Hello Christopher,

I don't have the server.key and server.crt. I have root access to the server, I
can generate my own if necessary. I only have a .crt and a .ca-bundle file. Can
you tell me what to do? Thank you very much for your help.

On Mon, Nov 24, 2014 at 7:48 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Niranjan,
>
> On 11/24/14 10:51 AM, Niranjan Babu Bommu wrote:
> > I think you have to create a keystore from the cert, please follow
> > these instructions and let me know.
> >
> > Create store with temporary key inside:
> >
> > keytool -genkey -alias <alias name> -keystore yourkeystore.jks -storepass Hello1
> >
> > Then delete existing entry:
> >
> > keytool -delete -alias temp -keystore yourkeystore.jks -storepass Hello1
> >
> > Now you've got an empty store. You can check that it's empty:
> >
> > keytool -list -keystore yourkeystore.jks -storepass Hello1
> >
> > Then import your certificate to the store:
> >
> > keytool -import -alias <alias name> -file cert_file.crt -keypass keypass -keystore yourkeystore.jks -storepass Hello1
>
> Nope: the existing key *and* cert need to be imported simultaneously
> into the keystore. If the OP already has a cert, he's already got a
> key, too.
>
> The problem is that you probably started with OpenSSL to generate your
> keys and stuff. Here is the proper procedure to import your key,
> certificate, and CA bundle into a Java keystore.
>
> You'll need these files:
>
> server.key (this is your server's secret key)
> server.crt (this is your server's certificate, signed by the CA)
> ca.crt (this is your CA's certificate)
>
> Here is the incantation:
>
> $ openssl pkcs12 -export -in server.crt -inkey server.key \
>    -certfile ca.crt -out keystore.p12 -chain
>
> $ $JAVA_HOME/bin/keytool -importkeystore -srckeystore keystore.p12 \
>                          -srcstoretype pkcs12 \
>                          -destkeystore keystore.jks
>
> Now, use keystore.jks in Tomcat's server.xml.
>
> If you already had created your key and cert request using Java's
> 'keytool', then you can instead just import the signed certificate
> into your keystore:
>
> $ $JAVA_HOME/bin/keytool -importcert -file server.crt \
>                          -keystore keystore.jks \
>                          -alias [alias]
>
> If you used an alias to create the certificate signing request (CSR),
> then use the same alias in the above command.
>
> -chris
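The following is an added example, not part of the thread and not code from any poster or from the Tomcat project. It checks what each PEM file actually contains and whether a private key belongs to the certificate before running the `openssl pkcs12` and `keytool -importkeystore` commands quoted above. The function names are hypothetical, and it assumes the `.ca-bundle` file holds the full CA chain including the root.

```shell
#!/bin/sh
# Added example: pre-flight checks before building keystore.p12 for Tomcat.
# Function names are illustrative; they do not come from the thread.

# Count PEM blocks with the given label in a file (e.g. CERTIFICATE).
pem_count() {  # $1 = file, $2 = label
    grep -c -- "^-----BEGIN $2-----" "$1" || true
}

# True if the file holds any PEM private key (RSA, EC, PKCS#8, encrypted).
has_private_key() {  # $1 = file
    grep -q -- '^-----BEGIN .*PRIVATE KEY-----' "$1"
}

# 0 if the key's public half equals the certificate's public key,
# 1 if they differ, 2 if either file cannot be parsed.
key_matches_cert() {  # $1 = private key, $2 = certificate
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$kpub" = "$cpub" ]
}

# Refuse to package a mismatched pair, check the certificate against the
# bundle (assumed to include the root), then run the export from the thread
# with the .ca-bundle supplied as the CA certificate file.
build_p12() {  # $1 = key, $2 = cert, $3 = CA bundle, $4 = output .p12
    [ "$(pem_count "$2" CERTIFICATE)" -ge 1 ] ||
        { echo "no certificate in $2" >&2; return 1; }
    key_matches_cert "$1" "$2" ||
        { echo "key does not match $2" >&2; return 1; }
    openssl verify -CAfile "$3" "$2" >&2 || return 1
    openssl pkcs12 -export -in "$2" -inkey "$1" -certfile "$3" \
        -out "$4" -chain
}

# Usage: sh script.sh server.key server.crt server.ca-bundle
if [ "$#" -eq 3 ]; then
    build_p12 "$1" "$2" "$3" keystore.p12 &&
    "$JAVA_HOME/bin/keytool" -importkeystore -srckeystore keystore.p12 \
        -srcstoretype pkcs12 -destkeystore keystore.jks
fi
```

If `key_matches_cert` reports a mismatch, the key on hand is not the one the certificate signing request was generated from, and the resulting keystore would not work for that certificate.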