Delivered-To: mailing list users@tomcat.apache.org
From: "Alex O'Ree"
Date: Mon, 9 Oct 2017 19:41:37 -0400
Subject: Re: installing certificates
To: Tomcat Users List

Graphical keystore tool - http://keystore-explorer.org/
It may make things easier

On Mon, Oct 9, 2017 at 6:13 PM, Adam Pease wrote:
> Hi Chris,
> Many thanks for the quick response! There's a lot of new terminology (to
> me) to all this and it's quite confusing I'm afraid.
>
> I tried Let's Encrypt just now but since I'm running Tomcat sites either
> I'm not doing it right, or it doesn't know how to verify domains when they
> don't answer on port 80. So I get "The server could not connect to the
> client to verify the domain :: Timeout"
> Following the process at "gethttpsforfree.com" resulted in two long hex
> keys: one titled "Signed Certificate" and one titled "Intermediate
> Certificate". I'm not sure what a "server certificate" is. Is that a
> public/private key pair that I generated at the beginning of this process
> with
>
>     openssl genrsa 4096 > account.key
>
> or what I did at the beginning of the tomcat instructions
>
>     $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
>
> But that generates a .keystore file which is already a parameter to the
> failing command.
>
> I really appreciate your help.
>
> all the best,
> Adam
>
>
> On 10/09/2017 02:00 PM, Christopher Schultz wrote:
>>
>> Adam,
>>
>> On 10/9/17 4:24 PM, Adam Pease wrote:
>>>
>>> Hi, I'm running Tomcat 8.5.23 on an AWS Ubuntu Linux 16.04 LTS
>>> installation. I'm trying to follow the instructions at
>>> https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html to get
>>> HTTPS running under tomcat.
>>
>> Version mismatch.
>> You want this guide:
>> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html
>>
>>> My site runs with a self-signed certificate. Now I'm trying to
>>> install a proper certificate from https://gethttpsforfree.com/
>>
>> Try Let's Encrypt. I know nothing about "gethttpsforfree.com", but
>> I've personally done Let's Encrypt.
>>
>>> After the rather lengthy process to generate the "Signed
>>> Certificate" and "Intermediate Certificate" it appears I'm ready to
>>> follow the instructions under the heading "Importing the
>>> Certificate".
>>
>> BTW, LE is a single command to get a signed certificate.
>>
>>> My first question is whether there is a difference between the
>>> certificates mentioned in
>>>
>>> - "import a so called Chain Certificate or Root Certificate into
>>>   your keystore"
>>>
>>> and
>>>
>>> - "After that you can proceed with importing your Certificate."
>>
>> You have a "server certificate" -- that's yours, and represents you.
>> There is (usually) another certificate, called the "chain" or
>> "intermediate" certificate, which represents the Certificate Authority
>> who signed your certificate.
>>
>> When your server performs a TLS handshake with the client, it needs to
>> present a "certificate chain" which includes your server certificate
>> (the "leaf") and any certificates required to link the server cert to
>> a root certificate which is stored within the client and already
>> trusted (e.g. VeriSign, DigiCert, etc.). So your server needs to have
>> multiple certificates available to send, and only one "belongs" to you.
>>
>>> I was able to execute the command:
>>>
>>>     keytool -import -alias root -keystore -trustcacerts -file
>>>
>>> using a single file that has the "Signed Certificate" and
>>> "Intermediate Certificate" from gethttpsforfree.
>>> But then I get an error from the next command
>>>
>>>     ~$ keytool -import -alias tomcat -keystore .keystore -file chained.pem
>>>     Enter keystore password:
>>>     keytool error: java.lang.Exception: Certificate reply does not contain public key for
>>
>> Which file is which? Looks like you imported the chain twice.
>>
>>> When I run
>>>
>>>     ~$ keytool -list -v
>>>
>>> I see (in part)
>>>
>>>     Alias name: tomcat
>>>     Creation date: Oct 9, 2017
>>>     Entry type: PrivateKeyEntry
>>>     Certificate chain length: 1
>>>     Certificate[1]:
>>>     Owner: CN=Adam Pease
>>>
>>> I'm very new to certificates. Could someone point me in the right
>>> direction?
>>
>> Java keystores are a nightmare... it's not your fault. ;)
>>
>> It looks like you didn't successfully import the CA's
>> root/intermediate certificate. Can you reply with some more specifics?
>> What files do you have from the CA, what keystore(s) do you have, and
>> what are the exact commands you are running? You've left out some
>> important details from your post above.
>>
>> Here's what I have in my "Java Keystore Cheat Sheet":
>>
>> Create your server key and self-signed cert:
>>
>>     $ keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 4096 \
>>           -alias ${HOSTNAME} -keystore ${HOSTNAME}.jks
>>
>> Now, export your CSR:
>>
>>     $ keytool -certreq -sigalg SHA256withRSA -alias ${HOSTNAME} \
>>           -keystore ${HOSTNAME}.jks -file ${HOSTNAME}.csr
>>
>> Use that CSR to get your cert signed.
>>
>> Now, import the signed cert back into your keystore, starting with the
>> root and/or intermediate cert and finishing with your server's cert:
>>
>>     $ keytool -import -alias [Authority.CA] -trustcacerts \
>>           -file [authority's CA cert] -keystore ${HOSTNAME}.jks
>>
>> (^^^^^ if necessary)
>>
>>     $ keytool -import -alias [Authority.intermediate] -trustcacerts \
>>           -file [authority's intermediate cert] -keystore ${HOSTNAME}.jks
>>     $ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt \
>>           -keystore ${HOSTNAME}.jks
>>
>> Hope that helps,
>> -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>
> --
> -------------------
> Adam Pease
> http://www.ontologyportal.org
> http://www.adampease.org
> @apease_ontology on Twitter
>