tomcat-users mailing list archives

From Lyallex <lyal...@gmail.com>
Subject Re: renewing an ssl certificate
Date Wed, 05 Apr 2017 15:00:57 GMT
Drat ... missed the list

Martin

Thank you for your comprehensive reply ...
actually all I was asking was 'is it possible to use an existing keystore
(and therefore an existing private key) to install a new certification
chain'

In the end I created a brand new keystore, generated a new private key and
CSR, submitted the CSR to Comodo then installed the new chain when it
arrived. Then I simply switched the server (../conf/server.xml) to look at
the new keystore and it just worked. Result.

I was under the impression the certs were 'installed' in the keystore but
I don't think this is right so now I have to figure out where they are as
I'd like to remove the old ones. Every time I mess about with this SSL/TLS
stuff I age several years :-)

Thanks again

On 4 April 2017 at 22:21, Martin Gainty <mgainty@hotmail.com> wrote:

> I don't know who from the list said you could replace a valid SSL
> Certificate (that has since expired) with a self-signed but they are wrong
>
>
> you are MUCH better off by purchasing a valid Thawte/Verisign Certificate
> with public keys signed by a Certificate Authority which will be recognised by
> ALL browsers
>
>
> Mucking around with create-your-own self-signed certs will lead you to
> justifiable grief and aggravation
>
> First step is to create a CSR for X509 (named) certs embedded in pfx
>
> https://en.wikipedia.org/wiki/X.509
> X.509 - Wikipedia
> en.wikipedia.org
> In cryptography, X.509 is a standard that defines the format of public key
> certificates. X.509 certificates are used in many Internet protocols,
> including TLS/SSL ...
>
> the pfx will contain Asymmetric private/public keys:
>
> https://www.ciphercloud.com/blog/cloud-information-protection-symmetric-vs-asymmetric-encryption/
> Symmetric vs. Asymmetric Encryption | CipherCloud
> www.ciphercloud.com
> One of the basic questions in considering encryption is to understand the
> differences between symmetric and asymmetric encryption methods, and where
> to apply each ...
>
> first step is to send the CSR to your CA provider Verisign or Thawte
>
> https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=INFO227
> Certificate Signing Request (CSR) Generation Instructions ...
> knowledge.symantec.com
> To generate a CSR, you will need to create a key pair for your server.
> These two items are a digital certificate key pair and cannot be separated.
>
>
>
> yes you can create self-signed certs but CHROME stops transmission when
> they do not recognise certifying authority
> https://www.ibm.com/support/knowledgecenter/SSCP65_5.0.0/com.ibm.rational.rrdi.admin.doc/topics/t_browser_ss_cert.html
> Configuring a browser to work with self-signed certificates
> www.ibm.com
> When self-signed certificates are installed on the server, configure
> Internet Explorer or Mozilla Firefox to work with these self-signed
> certificates.
>
>
> Let me know if you need further assistance
>
> Martin
> ------------------------------
> *From:* Lyallex <lyallex@gmail.com>
> *Sent:* Tuesday, April 4, 2017 3:11 PM
> *To:* Tomcat Users List
> *Subject:* renewing an ssl certificate
>
> Tomcatters
>
> After some sterling support from this list a while ago which included
> a code change I have been successfully running
> Apache Tomcat 7.0.70 stand alone (no httpd front end) with SSL/TLS for
> a year now without problems, it just works, it never falls over
> and it has withstood some concerted attacks by all sorts of
> scallywags. Impressive.
>
> It is now time to renew my ssl certificate and I'm getting a bit jumpy.
>
> I managed to get everything working first time around following the docs at
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#General_Tips_on_Running_SSL
> Apache Tomcat 7 (7.0.76) - SSL/TLS Configuration HOW-TO
> tomcat.apache.org
> Certificates: In order to implement SSL, a web server must have an
> associated Certificate for each external interface (IP address) that
> accepts secure connections.
>
>
>
> According to my service provider (comodo) I have to submit a new
> certificate signing request which (I think) means creating a self
> signed certificate.
> Will this mess up me existing cert, it still has 10 days to go?
>
> Is the process the same as installing first time or are there some
> gotchas I need to be aware of?
>
> Thanks, nervously
> Lyallex
>
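Added example, not part of the original thread: the in-place renewal the message asks about, done with the JDK's `keytool` by generating the CSR from the existing key and importing the signed reply under the same alias. The alias `tomcat`, the file names, the password and the local "Demo CA" standing in for the commercial CA are assumptions made so the demo runs offline.

```shell
#!/bin/sh
# Constructed demo values: alias, DNs, file names and password are assumptions.
PASS=changeit

renew_demo() {
    dir=$(mktemp -d) || return 1
    ks="$dir/server.keystore"; ca="$dir/ca.keystore"

    # Existing server keystore: key pair plus its first (self-signed) cert.
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 10 \
        -dname "CN=www.example.test" -keystore "$ks" \
        -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1 || return 1

    # Local stand-in for the commercial CA, so the demo runs offline.
    keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=Demo CA" -ext bc:c=ca:true -keystore "$ca" \
        -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1 || return 1
    keytool -exportcert -rfc -alias ca -keystore "$ca" -storepass "$PASS" \
        -file "$dir/ca.crt" >/dev/null 2>&1 || return 1

    # 1. CSR from the EXISTING private key; the keystore is not modified.
    keytool -certreq -alias tomcat -keystore "$ks" -storepass "$PASS" \
        -file "$dir/server.csr" >/dev/null 2>&1 || return 1

    # 2. The CA signs the CSR (the provider does this in a real renewal).
    keytool -gencert -alias ca -keystore "$ca" -storepass "$PASS" -rfc \
        -validity 365 -infile "$dir/server.csr" -outfile "$dir/server.crt" \
        >/dev/null 2>&1 || return 1

    # 3. Trust the CA cert, then import the reply under the SAME alias.
    #    keytool rejects a reply whose public key does not match the stored
    #    private key, and on success replaces the old chain for that alias.
    keytool -importcert -noprompt -alias ca -file "$dir/ca.crt" \
        -keystore "$ks" -storepass "$PASS" >/dev/null 2>&1 || return 1
    keytool -importcert -noprompt -alias tomcat -file "$dir/server.crt" \
        -keystore "$ks" -storepass "$PASS" >/dev/null 2>&1 || return 1

    # The certificates live inside the keystore entry, next to the key.
    keytool -J-Duser.language=en -list -v -alias tomcat -keystore "$ks" \
        -storepass "$PASS" | grep -E 'Entry type|chain length|^Issuer'
    rm -rf "$dir"
}

# Run the demo only when a JDK's keytool is on the PATH.
if command -v keytool >/dev/null 2>&1; then renew_demo; fi
```

Entries that are no longer needed can be found with `keytool -list` and removed with `keytool -delete -alias <name>`.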