tomcat-users mailing list archives

From Kernel freak <kernelfr...@gmail.com>
Subject Re: Deploying .ca-bundle file & .crt file as SSL certificates
Date Wed, 26 Nov 2014 14:03:51 GMT
Hello,

After arguing with the admins for all this time, I finally have the few
files ready. I have the following files:

keystore.p12, server.crt, ssl-cert-snakeoil.key, domainname.com.ca-bundle,
domainname.com.crt, domainname.com.csr, domainname.com.key, vsftpd.pem.

I did the following as Christoph said:

root@domainname:/etc/ssl/private# openssl pkcs12 -export -in server.crt \
    -inkey ssl-cert-snakeoil.key -certfile domainname.com.crt -out keystore.p12 -chain
(pressed enter here)
unable to load certificates   // This is the error.

If I just plain import the .crt file like this:

keytool -import -alias tomcat -file domainname.com.crt -keystore /root/.keystore

then Firefox gives me this error:

An error occurred during a connection to domainname.com:8443. Cannot
communicate securely with peer: no common encryption algorithm(s). (Error
code: ssl_error_no_cypher_overlap)

    The page you are trying to view cannot be shown because the
authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.
On Tue, Nov 25, 2014 at 10:24 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> To whom it may concern,
>
> On 11/25/14 3:32 AM, Kernel freak wrote:
> > I don't have the server.key and server.crt. I have root access to
> > server, I can generate my own if necessary. I only have .crt and
> > .ca-bundle file. Can you tell me what to do. Thank you very much
> > for your help.
>
> If you don't have the server's key but you have the server's
> certificate, then you must start all over again because the key is
> half of a paired key.
>
> Did you generate the CSR yourself? With what key did you generate that
> CSR? If someone else generated the CSR, go ask them where the key is
> that they used.
>
> If you have lost the key then you must redo the whole process,
> starting with generating a new key and CSR, then get the CSR signed.
> Then, import the signed certificate back into the same keystore. Then,
> configure Tomcat to use that keystore.
>
> The instructions on the Tomcat users' guide are fairly straightforward
> even if they don't explain the intricacies of public key
> infrastructure -- that's outside the scope of the users' guide.
>
> Thanks,
> - -chris
>
> > On Mon, Nov 24, 2014 at 7:48 PM, Christopher Schultz <
> > chris@christopherschultz.net> wrote:
> >
> > Niranjan,
> >
> > On 11/24/14 10:51 AM, Niranjan Babu Bommu wrote:
> >>>> I think you have to create a keystore from the cert, please
> >>>> follow these instructions and let me know.
> >>>>
> >>>> Create store with temporary key inside:
> >>>>
> >>>> keytool -genkey -alias <alias name> -keystore yourkeystore.jks -storepass Hello1
> >>>>
> >>>> Then delete existing entry:
> >>>>
> >>>> keytool -delete -alias temp -keystore yourkeystore.jks -storepass Hello1
> >>>>
> >>>> Now you've got an empty store. You can check that it's empty:
> >>>>
> >>>> keytool -list -keystore yourkeystore.jks -storepass Hello1
> >>>>
> >>>> Then import your certificate to the store:
> >>>>
> >>>> keytool -import -alias <alias name> -file cert_file.crt -keypass keypass -keystore yourkeystore.jks -storepass Hello1
> >
> > Nope: the existing key *and* cert need to be imported
> > simultaneously into the keystore. If the OP already has a cert,
> > he's already got a key, too.
> >
> > The problem is that you probably started with OpenSSL to generate
> > your keys and stuff. Here is the proper procedure to import your
> > key, certificate, and CA bundle into a Java keystore.
> >
> > You'll need these files:
> >
> > server.key (this is your server's secret key)
> > server.crt (this is your server's certificate, signed by the CA)
> > ca.crt (this is your CA's certificate)
> >
> > Here is the incantation:
> >
> > $ openssl pkcs12 -export -in server.crt -inkey server.key \
> >     -certfile ca.crt -out keystore.p12 -chain
> >
> > $ $JAVA_HOME/bin/keytool -importkeystore -srckeystore keystore.p12 \
> >     -srcstoretype pkcs12 \
> >     -destkeystore keystore.jks
> >
> > Now, use keystore.jks in Tomcat's server.xml.
> >
> > If you already had created your key and cert request using Java's
> > 'keytool', then you can instead just import the signed certificate
> > into your keystore:
> >
> > $ $JAVA_HOME/bin/keytool -importcert -file server.crt \
> >     -keystore keystore.jks \
> >     -alias [alias]
> >
> > If you used an alias to create the certificate signing request
> > (CSR), then use the same alias in the above command.
> >
> > -chris

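The openssl-to-keytool procedure from Chris's reply, as an added script that is not from the thread. It adds the two checks the attempts in this thread skipped: that the private key is really the other half of the certificate's key pair (a mismatched key such as ssl-cert-snakeoil.key will not pair with domainname.com.crt), and that the finished keystore holds a PrivateKeyEntry rather than only a trustedCertEntry, which is what a bare `keytool -import` of a .crt produces and why Tomcat has no key to negotiate a cipher with. It assumes openssl and keytool are on PATH; file names, alias and password are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Follows the openssl -> keytool
# procedure described in the reply, with sanity checks before and after.
# Assumes openssl and keytool on PATH; all names and the password are placeholders.
set -eu

# Returns 0 when KEY is the private half of the public key inside CERT.
# Comparing the PEM-encoded public keys works for RSA and EC keys alike.
key_matches_cert() {
  key=$1; cert=$2
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when keystore STORE (password PASS) holds at least one PrivateKeyEntry.
# A store that only lists trustedCertEntry has no key for Tomcat to serve with.
has_private_key_entry() {
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -q PrivateKeyEntry
}

# Build STORE.p12 and STORE.jks from KEY, CERT and the CA bundle CA.
build_keystore() {
  key=$1; cert=$2; ca=$3; store=$4; alias=$5; pass=$6
  if ! key_matches_cert "$key" "$cert"; then
    echo "error: $key is not the private key for $cert; use the key the CSR was generated with" >&2
    return 1
  fi
  # -chain needs the bundle to reach a root the local openssl trusts, as in the reply.
  openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$ca" -chain \
    -name "$alias" -out "$store.p12" -passout "pass:$pass"
  keytool -importkeystore -srckeystore "$store.p12" -srcstoretype pkcs12 \
    -srcstorepass "$pass" -destkeystore "$store.jks" -deststorepass "$pass"
  has_private_key_entry "$store.jks" "$pass"
}

# Usage: ./build-keystore.sh domainname.com.key domainname.com.crt \
#            domainname.com.ca-bundle keystore tomcat changeit
if [ "$#" -eq 6 ]; then
  build_keystore "$@"
fi
```

Point Tomcat's server.xml at keystore.jks with the same alias and password once the final check passes.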