From: Lyallex
Date: Wed, 5 Apr 2017 16:00:57 +0100
Subject: Re: renewing an ssl certificate
To: Martin Gainty
Cc: Tomcat Users List <users@tomcat.apache.org>
List: users@tomcat.apache.org (Tomcat Users List; help: users-help@tomcat.apache.org)
Drat ... missed the list

Martin

Thank you for your comprehensive reply ... actually all I was asking was 'is it possible to use an existing keystore (and therefore an existing private key) to install a new certification chain'.

In the end I created a brand new keystore, generated a new private key and CSR, submitted the CSR to Comodo then installed the new chain when it arrived. Then I simply switched the server (../conf/server.xml) to look at the new keystore and it just worked. Result.

I was under the impression the certs were 'installed' in the keystore but I don't think this is right so now I have to figure out where they are as I'd like to remove the old ones.

Every time I mess about with this SSL/TLS stuff I age several years :-)

Thanks again

On 4 April 2017 at 22:21, Martin Gainty wrote:
> I don't know who from the list said you could replace a valid SSL
> Certificate (that has since expired)
>
> with a self-signed but they are wrong
>
> you are MUCH better off by purchasing a valid Thawte/Verisign Certificate
> with public keys signed by a Certificate Authority which will be recognised by
> ALL browsers
>
> Mucking around with create-your-own self-signed certs will lead you to
> justifiable grief and aggravation
>
> First step is to create a CSR for X509 (named) certs embedded in pfx
>
> https://en.wikipedia.org/wiki/X.509
> X.509 - Wikipedia
> en.wikipedia.org
> In cryptography, X.509 is a standard that defines the format of public key
> certificates. X.509 certificates are used in many Internet protocols,
> including TLS/SSL ...
>
> the pfx will contain Asymmetric private/public keys:
>
> https://www.ciphercloud.com/blog/cloud-information-protection-symmetric-vs-asymmetric-encryption/
> Symmetric vs. Asymmetric Encryption | CipherCloud
> www.ciphercloud.com
> One of the basic questions in considering encryption is to understand the
> differences between symmetric and asymmetric encryption methods, and where
> to apply each ...
>
> first step is to send the CSR to your CA provider Verisign or Thawte
>
> https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=INFO227
> Certificate Signing Request (CSR) Generation Instructions ...
> knowledge.symantec.com
> To generate a CSR, you will need to create a key pair for your server.
> These two items are a digital certificate key pair and cannot be separated.
>
> yes you can create self-signed certs but CHROME stops transmission when
> they do not recognise certifying authority
> https://www.ibm.com/support/knowledgecenter/SSCP65_5.0.0/com.ibm.rational.rrdi.admin.doc/topics/t_browser_ss_cert.html
> Configuring a browser to work with self-signed certificates
> www.ibm.com
> When self-signed certificates are installed on the server, configure
> Internet Explorer or Mozilla Firefox to work with these self-signed
> certificates.
>
> Let me know if you need further assistance
>
> Martin
>
> ------------------------------
> *From:* Lyallex
> *Sent:* Tuesday, April 4, 2017 3:11 PM
> *To:* Tomcat Users List
> *Subject:* renewing an ssl certificate
>
> Tomcatters
>
> After some sterling support from this list a while ago which included
> a code change I have been successfully running
> Apache Tomcat 7.0.70 stand alone (no httpd front end) with SSL/TLS for
> a year now without problems, it just works, it never falls over
> and it has withstood some concerted attacks by all sorts of
> scallywags. Impressive.
>
> It is now time to renew my ssl certificate and I'm getting a bit jumpy.
>
> I managed to get everything working first time around following the docs at
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#General_Tips_on_Running_SSL
> Apache Tomcat 7 (7.0.76) - SSL/TLS Configuration HOW-TO
> tomcat.apache.org
> Certificates: In order to implement SSL, a web server must have an
> associated Certificate for each external interface (IP address) that
> accepts secure connections.
>
> According to my service provider (comodo) I have to submit a new
> certificate signing request which (I think) means creating a self
> signed certificate.
> Will this mess up my existing cert, it still has 10 days to go?
>
> Is the process the same as installing first time or are there some
> gotchas I need to be aware of
>
> Thanks, nervously
> Lyallex
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
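The renewal the thread circles around, worked through with keytool as an added example (editor-supplied code, not something posted by Lyallex, Martin or the Tomcat project). It shows the answer to the question actually asked: a renewal CSR can be generated from the key pair already in the keystore, the CSR is a request signed with that private key rather than a self-signed certificate, importing the CA's reply under the same alias replaces the old certificate in place without a new keystore, and retired certificates are keystore entries that you find with -list and remove with -delete. Comodo is stood in for by a local keytool-generated "Example Test CA" (an assumption, so the whole exchange runs offline); the alias `tomcat`, the host `www.example.com`, the password `changeit` and the file names are demo values. It needs a JDK's keytool on the PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: renew a Tomcat TLS certificate by
# generating the CSR from the key pair that is ALREADY in the keystore, then
# importing the CA's reply under the same alias. The CA is a local stand-in
# created with keytool ("Example Test CA" is an assumption; Comodo would do
# that step). Alias, host name, password and file names are demo values.
set -eu

PW=changeit            # keystore and key password (demo value)
ALIAS=tomcat           # the keyAlias that conf/server.xml points at
HOST=www.example.com   # assumed server name, goes into the SAN

kt() { keytool "$@" >/dev/null 2>&1; }   # quiet wrapper; set -e aborts on failure

# Stand-in for the commercial CA (assumption): a self-signed CA key pair.
make_test_ca() {             # $1 = working directory
  kt -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 3650 \
     -dname "CN=Example Test CA" -ext bc=ca:true \
     -keystore "$1/ca.keystore" -storepass "$PW" -keypass "$PW"
  kt -exportcert -alias ca -rfc -file "$1/ca.pem" \
     -keystore "$1/ca.keystore" -storepass "$PW"
}

# The "existing" server keystore: one key pair under $ALIAS, which keytool
# seeds with a short-lived self-signed certificate (chain length 1).
make_existing_keystore() {   # $1 = working directory
  kt -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 10 \
     -dname "CN=$HOST" -keystore "$1/tomcat.keystore" -storepass "$PW" -keypass "$PW"
}

# Step 1: the renewal CSR. It is signed with the existing private key; it is
# not a certificate, and the entry currently served by Tomcat is untouched.
make_csr() {                 # $1 = working directory
  kt -certreq -alias "$ALIAS" -ext "san=dns:$HOST" -file "$1/$ALIAS.csr" \
     -keystore "$1/tomcat.keystore" -storepass "$PW" -keypass "$PW"
}

# Step 2: what the CA does with the CSR: issue the new leaf certificate.
ca_sign() {                  # $1 = working directory
  kt -gencert -alias ca -infile "$1/$ALIAS.csr" -outfile "$1/$ALIAS.pem" -rfc \
     -validity 365 -ext "san=dns:$HOST" \
     -ext ku=digitalSignature,keyEncipherment -ext eku=serverAuth \
     -keystore "$1/ca.keystore" -storepass "$PW" -keypass "$PW"
}

# Step 3: import the issuer as a trusted entry, then the reply under the SAME
# alias. keytool checks that the reply matches the key, builds the chain from
# the trusted entry and replaces the old certificate in place.
install_chain() {            # $1 = working directory
  kt -importcert -noprompt -alias example-test-ca -file "$1/ca.pem" \
     -keystore "$1/tomcat.keystore" -storepass "$PW"
  kt -importcert -noprompt -alias "$ALIAS" -file "$1/$ALIAS.pem" \
     -keystore "$1/tomcat.keystore" -storepass "$PW" -keypass "$PW"
}

# Checks on the entry Tomcat will serve: chain length and who issued the leaf.
chain_length() {             # $1 = working directory
  keytool -list -v -alias "$ALIAS" -keystore "$1/tomcat.keystore" -storepass "$PW" 2>/dev/null \
    | sed -n 's/^Certificate chain length: *//p'
}
leaf_issuer() {              # $1 = working directory
  keytool -list -v -alias "$ALIAS" -keystore "$1/tomcat.keystore" -storepass "$PW" 2>/dev/null \
    | sed -n 's/^Issuer: *//p' | head -n 1
}

# Housekeeping: certificates live in the keystore as entries, so old ones are
# found with -list and removed with -delete, by alias.
list_aliases() {             # $1 = keystore file
  keytool -list -keystore "$1" -storepass "$PW" 2>/dev/null \
    | grep -E 'PrivateKeyEntry|trustedCertEntry' | cut -d, -f1
}
delete_entry() {             # $1 = keystore file, $2 = alias
  kt -delete -alias "$2" -keystore "$1" -storepass "$PW"
}

renew_demo() {
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
  make_test_ca "$d"; make_existing_keystore "$d"
  echo "before: chain length $(chain_length "$d"), issuer $(leaf_issuer "$d")"
  make_csr "$d"; ca_sign "$d"; install_chain "$d"
  echo "after:  chain length $(chain_length "$d"), issuer $(leaf_issuer "$d")"
  echo "entries: $(list_aliases "$d/tomcat.keystore" | tr '\n' ' ')"
}

if command -v keytool >/dev/null 2>&1; then renew_demo; else
  echo "keytool (JDK) not on PATH; nothing run" >&2; fi
```

Everything is created under a temporary directory that is removed on exit. In Tomcat 7's conf/server.xml the connector attributes that tie the server to this are keystoreFile, keystorePass and keyAlias; because the keystore file and alias stay the same, nothing in server.xml changes after the import, and a restart of the connector is what picks up the new chain. Generating a fresh key pair at renewal, as Lyallex did, is also fine and is the right choice if the old key might ever have been exposed; in that case the retired certificate and key stay in the old keystore file, and the cleanup is to delete that file once server.xml no longer references it.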