tomcat-users mailing list archives

From Adam Pease <ape...@articulatesoftware.com>
Subject Re: installing certificates
Date Thu, 12 Oct 2017 00:48:14 GMT
Hi Chris and all,
   I was able to get my system running based on the instructions at
https://community.letsencrypt.org/t/configuring-lets-encrypt-with-tomcat-6-x-and-7-x/32416 .
I clarified them a little and put them into the context of installing my
open source project at
https://github.com/ontologyportal/sigmakee/blob/master/Security.txt

all the best,
Adam


On 10/09/2017 03:13 PM, Adam Pease wrote:
> Hi Chris,
>    Many thanks for the quick response!  There's a lot of new terminology 
> (to me) to all this and it's quite confusing I'm afraid.
> 
>    I tried Let's Encrypt just now but since I'm running Tomcat sites 
> either I'm not doing it right, or it doesn't know how to verify domains 
> when they don't answer on port 80.  So I get "The server could not 
> connect to the client to verify the domain :: Timeout"
>    Following the process at "gethttpsforfree.com" resulted in two long 
> hex keys: one titled "Signed Certificate" and one titled "Intermediate 
> Certificate".  I'm not sure what a "server certificate" is.  Is that a 
> public/private key pair that I generated at the beginning of this 
> process with
> 
> openssl genrsa 4096 > account.key
> 
> or what I did at the beginning of the tomcat instructions
> 
> $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
> 
> But that generates a .keystore file which is already a parameter to the 
> failing command.
> 
> I really appreciate your help.
> 
> all the best,
> Adam
> 
> On 10/09/2017 02:00 PM, Christopher Schultz wrote:
>>
>> Adam,
>>
>> On 10/9/17 4:24 PM, Adam Pease wrote:
>>> Hi, I'm running Tomcat 8.5.23 on an AWS Ubuntu Linux 16.04 LTS
>>> installation.  I'm trying to follow the instructions at
>>> https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html to get
>>> HTTPS running under tomcat.
>>
>> Version mismatch. You want this guide:
>> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html
>>
>>> My site runs with a self-signed certificate.  Now I'm trying to
>>> install a proper certificate from https://gethttpsforfree.com/
>> Try Let's Encrypt. I know nothing about "gethttpsforfree.com", but
>> I've personally done Let's Encrypt.
>>
>>> After the rather lengthy process to generate the "Signed
>>> Certificate" and "Intermediate Certificate" it appears I'm ready to
>>> follow the instructions under the heading "Importing the
>>> Certificate".
>>
>> BTW, LE is a single command to get a signed certificate.
>>
>>> My first question is whether there is a difference between the
>>> certificates mentioned in
>>>
>>> - "import a so called Chain Certificate or Root Certificate into
>>> your keystore"
>>>
>>> and
>>>
>>> - "After that you can proceed with importing your Certificate."
>>
>> You have a "server certificate" -- that's yours, and represents you.
>> There is (usually) another certificate, called the "chain" or
>> "intermediate" certificate, which represents the Certificate Authority
>> who signed your certificate.
>>
>> When your server performs a TLS handshake with the client, it needs to
>> present a "certificate chain" which includes your server certificate
>> (the "leaf") and any certificates required to link the server cert to
>> a root certificate which is stored within the client and already
>> trusted (e.g. VeriSign, DigiCert, etc.). So your server needs to have
>> multiple certificates available to send, and only one "belongs" to you.
>>
>>> I was able to execute the command:
>>>
>>> keytool -import -alias root -keystore <your_keystore_filename>
>>> -trustcacerts -file <filename_of_the_chain_certificate>
>>>
>>> using a single file that has the "Signed Certificate" and
>>> "Intermediate Certificate" from gethttpsforfree.  But then I get an
>>> error from the next command
>>>
>>> ~$ keytool -import -alias tomcat -keystore .keystore -file chained.pem
>>> Enter keystore password:
>>> keytool error: java.lang.Exception: Certificate reply does not contain public key for <tomcat>
>>
>> Which file is which? Looks like you imported the chain twice.
>>
>>> When I run
>>>
>>> ~$ keytool -list -v
>>>
>>> I see (in part)
>>>
>>> Alias name: tomcat
>>> Creation date: Oct 9, 2017
>>> Entry type: PrivateKeyEntry
>>> Certificate chain length: 1
>>> Certificate[1]:
>>> Owner: CN=Adam Pease
>>>
>>> I'm very new to certificates.  Could someone point me in the right
>>> direction?
>>
>> Java keystores are a nightmare... it's not your fault. ;)
>>
>> It looks like you didn't successfully import the CA's
>> root/intermediate certificate. Can you reply with some more specifics?
>> What files do you have from the CA, what keystore(s) do you have, and
>> what are the exact commands you are running? You've left out some
>> important details from your post above.
>>
>> Here's what I have in my "Java Keystore Cheat Sheet":
>>
>> Create your server key and self-signed cert:
>>> $ keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 4096
>>> -alias ${HOSTNAME} -keystore ${HOSTNAME}.jks
>>
>> Now, export your CSR:
>>
>>> $ keytool -certreq -sigalg SHA256withRSA -keystore ${HOSTNAME}.jks
>>>
>> Use that CSR to get your cert signed.
>>
>> Now, import the signed cert back into your keystore, starting with the
>> root and/or intermediate cert and finishing with your server's cert:
>>
>>> $ keytool -import -alias [Authority.CA] -trustcacerts -file
>>> [authority's CA cert] -keystore ${HOSTNAME}.jks
>>
>> (^^^^^ if necessary)
>>
>>> $ keytool -import -alias [Authority.intermediate] -trustcacerts
>>> -file [authority's intermediate cert] -keystore ${HOSTNAME}.jks
>>>
>>> $ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt -keystore
>>> ${HOSTNAME}.jks
>>
>> Hope that helps,
>> - -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
> 

-- 
-------------------
Adam Pease
http://www.ontologyportal.org
http://www.adampease.org
@apease_ontology on Twitter
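The cheat sheet quoted above imports the CA and intermediate certificates under their own aliases and only the server certificate under the alias that holds the private key; keytool's "Certificate reply does not contain public key for <tomcat>" is its complaint when the file given for the key alias does not carry the certificate for that key. The following stdlib-only Python, added here and not part of the thread or of Tomcat, splits a PEM bundle such as the combined "Signed Certificate" plus "Intermediate Certificate" file into its certificates and labels which one is the leaf, so each can be imported under the right alias; the leaf/intermediate/root labels are derived only from issuer/subject links within the file, and the certificates used in the test are constructed, not real CA data.

```python
# Added example (not from the thread); stdlib only, no real CA data involved.
import base64
import re

_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_bundle_to_ders(text):
    """DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(b.split())) for b in _PEM_CERT.findall(text)]

def der_to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

def _tlv(buf, pos):
    """Decode one DER tag/length header -> (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    while start < end:                       # walk the elements of a SEQUENCE/SET body
        tag, cs, ce = _tlv(buf, start)
        yield tag, buf[start:ce], cs, ce     # (tag, raw TLV, content bounds)
        start = ce

def cert_names(der):
    """(issuer, subject) of an X.509 certificate as raw DER Name encodings (RFC 5280 4.1)."""
    _, cs, _ = _tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, ts, te = _tlv(der, cs)                # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:                 # optional EXPLICIT [0] version comes first
        fields = fields[1:]
    return fields[2][1], fields[4][1]        # serial, sigAlg, issuer, validity, subject, ...

def common_name(name_der):
    """The CN attribute (OID 2.5.4.3) of a DER Name, or '' if there is none."""
    _, s, e = _tlv(name_der, 0)
    for _, _, rs, rend in _children(name_der, s, e):        # Name ::= SEQUENCE OF RDN
        for _, _, vs, ve in _children(name_der, rs, rend):  # RDN ::= SET OF AttributeTypeAndValue
            oid, val = list(_children(name_der, vs, ve))
            if name_der[oid[2]:oid[3]] == b"\x55\x04\x03":
                return name_der[val[2]:val[3]].decode("utf-8", "replace")
    return ""

def classify_bundle(text):
    """Label each cert 'leaf', 'intermediate' or 'root' from who issued whom within the file."""
    names = [cert_names(d) for d in pem_bundle_to_ders(text)]
    issuers = {issuer for issuer, _ in names}
    return [(common_name(subj), "root" if subj == iss else "intermediate" if subj in issuers else "leaf")
            for iss, subj in names]
```

A bundle that shows two certificates, one of them "leaf", is the chain file: only the leaf belongs under the key's alias, the rest under their own aliases with -trustcacerts.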


