tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: JKS certificate for Tomcat client authentication
Date Fri, 23 Feb 2018 20:52:35 GMT

Igor,

On 2/23/18 4:45 AM, Igor Cicimov wrote:
> Hi all,
> 
> I have the following setup in the tomcat default file on
> Ubuntu-14.04:
> 
> JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=/opt/encompass/keystore/keystore.jks"
> JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/opt/encompass/keystore/truststore.jks"
> 
> The keystore.jks holds a dozen SSL keys our app uses to
> authenticate to various web services. One of these certificates
> expired and I used openssl to create a new private key (key.pem) and
> CSR, that the other side signed and sent back (cert.pem). Then I
> concatenated the certificate and the private key into a single file:
> 
> $ cat cert.pem key.pem > cert2.pem
> 
> and imported the file into the existing keystore using keytool:
> 
> $ keytool -delete -alias client-cert -keystore keystore.jks -storepass xxxx
> $ keytool -import -alias client-cert -file cert2.pem -keystore keystore.jks -storepass xxxx
> 
> The signing root CA and the intermediate certificate already exist
> in the truststore.jks keystore.
> 
> Does this procedure sound sane? Is there a better (or maybe proper)
> way of doing it?

Are you just sanity-checking your process for importing certs into a
JKS bundle?

Does the process result in the items you expected to be in the keystore?

I'd personally be very paranoid if the JKS file was the only place all
of those key/cert pairs were stored, because of my (bad) experience
using JKS keystores in the past. Thankfully, Oracle is finally
deprecating them and making the default keystore type PKCS12 in the
future. JKS (and its surprisingly extant cousin, JCEKS) never should
have existed.

- -chris
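The procedure Igor asks about, and Chris's suggestion to move off JKS, as an added example that is not part of the thread. Two things worth knowing when re-keying a client cert in a Java keystore: "keytool -import" is an alias of -importcert and reads certificates only, so concatenating key.pem onto cert.pem does not get the private key into the keystore (the entry ends up as a trustedCertEntry, which cannot be used for TLS client authentication); and the usual way to get a key/cert pair in is to bundle them with "openssl pkcs12 -export" and then "keytool -importkeystore". The script below does that, checks that key and certificate actually belong together, and finally converts the JKS to PKCS12. The working directory, the alias client-cert, the password "changeit" and the self-signed throwaway key/cert (standing in for the CA-signed cert.pem and key.pem from the post) are assumptions for the demo; the keytool steps are skipped when no JDK is on the PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows the PKCS#12 route for
# importing a private key + certificate into a JKS, plus the JKS -> PKCS12
# migration Chris alludes to. Alias, password and paths are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ALIAS="client-cert"
PASS="changeit"

# Constructed stand-in for key.pem / cert.pem from the post: a fresh
# 2048-bit RSA key with a one-day self-signed certificate.
make_test_keypair() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=client.example.test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Sanity check before bundling: the public key embedded in cert.pem must be
# the one derived from key.pem, otherwise the CSR was made with another key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$WORK/cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/key.pem" -pubout 2>/dev/null)
  if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Step 1: key + certificate go into one PKCS#12 bundle under the alias
# keytool will later see. Add "-certfile chain.pem" to include intermediates
# in the entry's chain.
bundle_pkcs12() {
  openssl pkcs12 -export -name "$ALIAS" \
    -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -out "$WORK/client.p12" -passout "pass:$PASS"
}

# Number of private keys in the bundle (expected: 1).
pkcs12_key_count() {
  openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
    | grep -c 'BEGIN PRIVATE KEY' || true
}

# Number of certificates in the bundle (expected: 1 here, more with -certfile).
pkcs12_cert_count() {
  openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Step 2: import the bundle into the JKS as a PrivateKeyEntry. -noprompt
# overwrites an existing entry with the same alias, so no separate
# "keytool -delete" is needed when replacing an expired entry.
import_into_jks() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH, skipping JKS import"; return 0; }
  keytool -importkeystore -noprompt \
    -srckeystore "$WORK/client.p12" -srcstoretype PKCS12 -srcstorepass "$PASS" -srcalias "$ALIAS" \
    -destkeystore "$WORK/keystore.jks" -deststoretype JKS -deststorepass "$PASS" \
    -destalias "$ALIAS" -destkeypass "$PASS"
  # Step 3: verify. The entry type must be PrivateKeyEntry; trustedCertEntry
  # means only the certificate went in and client auth will fail.
  keytool -list -v -keystore "$WORK/keystore.jks" -storepass "$PASS" -alias "$ALIAS" | grep 'Entry type'
}

# Chris's point: the whole JKS converts to PKCS12 with the same command,
# using the keystore rather than the single .p12 bundle as the source.
migrate_jks_to_pkcs12() {
  command -v keytool >/dev/null 2>&1 || return 0
  [ -f "$WORK/keystore.jks" ] || return 0
  keytool -importkeystore -noprompt \
    -srckeystore "$WORK/keystore.jks" -srcstoretype JKS -srcstorepass "$PASS" \
    -destkeystore "$WORK/keystore.p12" -deststoretype PKCS12 -deststorepass "$PASS"
}

make_test_keypair
echo "key/cert pair: $(key_matches_cert)"
bundle_pkcs12
echo "PKCS#12 holds $(pkcs12_key_count) key(s) and $(pkcs12_cert_count) certificate(s)"
import_into_jks
migrate_jks_to_pkcs12
```

A practical caveat: OpenSSL 3 encrypts the bundle with AES and PBKDF2 by default, which some older JDKs cannot parse; if keytool rejects client.p12 on such a JDK, rebuild it with "openssl pkcs12 -export -legacy ...". Once the keystore is PKCS12 it can also be inspected and backed up with openssl alone, which removes the single-point-of-failure worry about the JKS file.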
