Re: how to reload SSL certificates without restarting Tomcat
Jerry,

On 3/11/24 14:51, Jerry Lin wrote:
> Hi Chris,
>
>> There is also this:
>> https://tomcat.apache.org/presentations.html#latest-lets-encrypt
>>
>> It's very LE-focused, but it shows you how to programmatically trigger a reload.
>
> Thanks for your presentation and script. We are using Let's Encrypt, so your material is quite relevant.

If I were to present that material today, it would be a lot shorter. In fact, I was asked last-minute to fill in for a missing speaker in Halifax and I updated that presentation a bit and made it more of a conversation with the audience. I hadn't included anything about the automatic-update feature Tomcat has added since the previous staging of that presentation and afterwards I went in and removed something like 40% of the material in the presentation.

So it's all perfectly valid, but it's even easier to use LE with Tomcat, now.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: how to reload SSL certificates without restarting Tomcat
Hi Chris,

> There is also this:
> https://tomcat.apache.org/presentations.html#latest-lets-encrypt
>
> It's very LE-focused, but it shows you how to programmatically trigger a reload.

Thanks for your presentation and script. We are using Let's Encrypt, so your material is quite relevant.

Jerry
Re: how to reload SSL certificates without restarting Tomcat
Jerry,

On 3/10/24 16:00, Jerry Lin wrote:
> Hi Chuck,
>
>> Presumably, you mean "not behind https", since "Apache" refers to the organization that develops and maintains a plethora of software products.
>
> Yes, "not behind https" (I meant not behind an Apache HTTP server)
>
>> you can configure the TLS config listener:
>> https://tomcat.apache.org/tomcat-10.1-doc/config/listeners.html#TLS_configuration_reload_listener_-_org.apache.catalina.security.TLSCertificateReloadListener
>
> Great, thanks! This is what I was looking for.

There is also this:
https://tomcat.apache.org/presentations.html#latest-lets-encrypt

It's very LE-focused, but it shows you how to programmatically trigger a reload.

Chuck's reference to the auto-reloading is even better if you don't mind the background process checking for you, instead of proactively triggering the reload.

-chris
Re: how to reload SSL certificates without restarting Tomcat
> On Mar 10, 2024, at 15:00, Jerry Lin wrote:
>
> Hi Chuck,
>
>> Presumably, you mean "not behind https", since "Apache" refers to the organization that develops and maintains a plethora of software products.

Spell checker got me - I meant "httpd", not "https".

- Chuck
Re: how to reload SSL certificates without restarting Tomcat
Hi Chuck,

> Presumably, you mean "not behind https", since "Apache" refers to the organization that develops and maintains a plethora of software products.

Yes, "not behind https" (I meant not behind an Apache HTTP server)

> you can configure the TLS config listener:
>
> https://tomcat.apache.org/tomcat-10.1-doc/config/listeners.html#TLS_configuration_reload_listener_-_org.apache.catalina.security.TLSCertificateReloadListener

Great, thanks! This is what I was looking for.

Regards,
Jerry
Re: how to reload SSL certificates without restarting Tomcat
> On Mar 10, 2024, at 12:39, Jerry Lin wrote:
>
> For those of us with a publicly accessible instance of Tomcat (e.g. not behind Apache), is there a good way of having a renewed SSL/HTTPS certificate take effect without restarting Tomcat?

Presumably, you mean "not behind https", since "Apache" refers to the organization that develops and maintains a plethora of software products.

If you're running on a supported version of Tomcat (you didn't tell us what level you're using), you can configure the TLS config listener:

https://tomcat.apache.org/tomcat-10.1-doc/config/listeners.html#TLS_configuration_reload_listener_-_org.apache.catalina.security.TLSCertificateReloadListener
https://tomcat.apache.org/tomcat-9.0-doc/config/listeners.html#TLS_configuration_reload_listener_-_org.apache.catalina.security.TLSCertificateReloadListener
https://tomcat.apache.org/tomcat-8.5-doc/config/listeners.html#TLS_configuration_reload_listener_-_org.apache.catalina.security.TLSCertificateReloadListener

- Chuck
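As an added example (mine, not from the thread and not the script from the presentation Chris links), here is the "proactively triggering the reload" side of this in shell, written as a post-renewal hook: it compares the SHA-256 fingerprint of the certificate Tomcat is actually serving with the renewed one on disk, and only when they differ asks the connector's ProtocolHandler MBean to run reloadSslHostConfigs through the Manager webapp's JMX proxy, then checks again. The listener Chuck links covers the other approach: a line such as `<Listener className="org.apache.catalina.security.TLSCertificateReloadListener" checkPeriod="86400" daysBefore="14"/>` in server.xml makes Tomcat itself check on its own schedule (checkPeriod, in seconds) and reload when the loaded certificate is within daysBefore days of expiry, so it picks up a renewal some time after it happens rather than the moment the hook runs. The PEM path, host, port, SNI name, the Manager URL and the credentials below are assumptions; the hook needs openssl and curl, and a Manager user in the manager-jmx role.

```shell
#!/bin/sh
# Added example, not from the thread or from the presentation Chris links:
# post-renewal hook that makes Tomcat pick up a renewed certificate without a
# restart and confirms that it did. Assumed (none of this is in the thread):
# the PEM path, host/port/SNI name, the Manager webapp at MANAGER_URL with a
# user in the "manager-jmx" role, and openssl + curl on the box.
set -u

CERT_FILE="${CERT_FILE:-/etc/letsencrypt/live/example.test/fullchain.pem}"
TLS_HOST="${TLS_HOST:-127.0.0.1}"
TLS_PORT="${TLS_PORT:-8443}"
SNI_NAME="${SNI_NAME:-example.test}"
MANAGER_URL="${MANAGER_URL:-http://127.0.0.1:8080/manager/jmxproxy/}"
MANAGER_USER="${MANAGER_USER:-jmxadmin}"
MANAGER_PASS="${MANAGER_PASS:-change-me}"

# SHA-256 fingerprint of the first certificate in a PEM file, label stripped
# ("AB:CD:..."), so the two sources below compare as plain strings.
cert_fingerprint_file() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate a live endpoint presents for
# the given SNI name (s_client prints the leaf first; x509 reads that one).
cert_fingerprint_served() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Exit 0 when the certificate in $1 expires within $2 days: the same test the
# TLSCertificateReloadListener's daysBefore setting applies on its own schedule.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Ask the connector's ProtocolHandler MBean to re-read every SSLHostConfig.
# ObjectName: Catalina:type=ProtocolHandler,port=<port> (plus ,address="..."
# when the connector sets an address); operation: reloadSslHostConfigs.
trigger_reload() {
    curl -fsS -u "$MANAGER_USER:$MANAGER_PASS" \
        "${MANAGER_URL}?invoke=Catalina%3Atype%3DProtocolHandler%2Cport%3D${TLS_PORT}&op=reloadSslHostConfigs"
}

main() {
    on_disk=$(cert_fingerprint_file "$CERT_FILE")
    served=$(cert_fingerprint_served "$TLS_HOST" "$TLS_PORT" "$SNI_NAME")
    if [ -z "$on_disk" ] || [ -z "$served" ]; then
        echo "could not read the on-disk or the served certificate" >&2
        return 2
    fi
    if [ "$on_disk" = "$served" ]; then
        echo "already serving the certificate from $CERT_FILE ($served)"
        return 0
    fi
    echo "serving $served but $CERT_FILE is $on_disk; asking Tomcat to reload"
    trigger_reload || { echo "reload request failed" >&2; return 1; }
    sleep 2
    served=$(cert_fingerprint_served "$TLS_HOST" "$TLS_PORT" "$SNI_NAME")
    if [ "$on_disk" != "$served" ]; then
        echo "still serving $served after reload; check catalina.out" >&2
        return 1
    fi
    echo "reload confirmed: now serving $served"
}

# Run the hook only when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Wire it up as the certbot deploy hook (or whatever your ACME client runs after a successful renewal) so the reload happens right after the new files land; comparing fingerprints instead of blindly reloading keeps the hook idempotent and gives you a clear failure when Tomcat is still serving the old certificate afterwards.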
Re: how to reload SSL certificates without restarting Tomcat
I would have several parallel productive instances, and renew them in sequence to always be online -> no connection with the customer will be interrupted.

Best
Alex

-----Original Message-----
From: Jerry Lin
Sent: Sunday, 10 March 2024 18:40
To: users@tomcat.apache.org
Subject: how to reload SSL certificates without restarting Tomcat

Hello,

For those of us with a publicly accessible instance of Tomcat (e.g. not behind Apache), is there a good way of having a renewed SSL/HTTPS certificate take effect without restarting Tomcat?

Thank you,
Jerry
how to reload SSL certificates without restarting Tomcat
Hello,

For those of us with a publicly accessible instance of Tomcat (e.g. not behind Apache), is there a good way of having a renewed SSL/HTTPS certificate take effect without restarting Tomcat?

Thank you,
Jerry
Re: SSL Certificates and Tomcat 8.5.11
Laurie,

On 5/17/18 11:33 AM, Laurie Miller-Cook wrote:
> I am very new to Tomcat so please bear with me.

Welcome.

> I currently have a Thawte certificate that is installed within IIS for our domain that is all managed by Rackspace.
>
> I now have a new server set-up with Tomcat 8.5.11 installed and have created a keystore.
>
> I have been supplied by Rackspace the following text files: a Certificate, Private Key and CA Bundle.

You should start over. If Rackspace supplied the private key, then you have no control over your own security. You should generate your own private key on a server you control and trust.

> So my question is, with the three text files from Rackspace can I import these (in what order) into the Keystore to get SSL working with our Domain or do I need something totally different.
>
> Just as a sub-note we need to have the SSL certificate for the domain working on both IIS and Tomcat.

It is very difficult to import a private key into a Java keystore. You usually have to go through a PKCS12 file, first, and OpenSSL is the best tool IMO to manipulate those. JKS files are fortunately being abandoned and PKCS12 files are directly-readable by Java, so it's a one-step operation if you have OpenSSL handy:

openssl pkcs12 -export -in server.crt -inkey server.key -certfile intermediate.crt -out keystore.p12 -chain

Now, you can configure your Tomcat to use keystore.p12 as the keystore, and use whatever password you gave to OpenSSL when writing the PKCS12 file.

I'd still highly recommend that you start over from scratch with your own private key, though. Generate a key, certificate signing request (CSR), and send the CSR to Thawte. Once they sign it, import any intermediate certs into your keystore first (top-most first) then your server's signed certificate into your keystore and use the result with Tomcat.
-chris
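An added example (mine, not Chris's command or Tomcat's own tooling) that turns the three PEM files Laurie was given into the PKCS12 keystore Chris describes, with the two checks worth running before the export: that the private key really belongs to the certificate (a mismatch is the usual reason for a keystore Tomcat loads happily but that then fails every handshake), and that the certificate chains to the supplied CA bundle. File names, the alias tomcat, port 8443 and the password variable are assumptions.

```shell
#!/bin/sh
# Added example, not Chris's command and not Tomcat's own tooling: build the
# PKCS12 keystore from a PEM certificate, private key and CA bundle, after
# checking that the key belongs to the certificate and that the certificate
# chains to the bundle. File names, the alias "tomcat", port 8443 and the
# password variable are assumptions.
set -u

KEYSTORE_PASS="${KEYSTORE_PASS:-change-me}"

# Does the private key match the certificate? Compare the SubjectPublicKeyInfo
# each one carries; openssl prints both as identical PEM blocks when they match.
key_matches_cert() {  # $1 = certificate PEM, $2 = private key PEM
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then return 0; fi
    return 1
}

# Does the certificate chain to the supplied CA bundle (intermediates + root)?
chain_verifies() {  # $1 = certificate PEM, $2 = CA bundle PEM
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Export key + certificate + chain into one PKCS12 file under one alias.
# -chain pulls the issuer chain out of the -CAfile bundle into the keystore.
build_pkcs12() {  # $1 = cert, $2 = key, $3 = CA bundle, $4 = out.p12, $5 = password
    openssl pkcs12 -export -in "$1" -inkey "$2" -CAfile "$3" -chain -name tomcat \
        -out "$4" -passout "pass:$5" >/dev/null 2>&1
}

# How many certificates ended up in the keystore (leaf + chain)?
pkcs12_cert_count() {  # $1 = .p12, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true
}

# Is there a private key in the keystore at all?
pkcs12_has_key() {  # $1 = .p12, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

main() {  # $1 = cert, $2 = key, $3 = CA bundle, $4 = output keystore
    key_matches_cert "$1" "$2" || { echo "$2 is not the private key for $1" >&2; return 1; }
    chain_verifies "$1" "$3"   || { echo "$1 does not chain to $3" >&2; return 1; }
    build_pkcs12 "$1" "$2" "$3" "$4" "$KEYSTORE_PASS" || { echo "PKCS12 export failed" >&2; return 1; }
    echo "wrote $4 holding $(pkcs12_cert_count "$4" "$KEYSTORE_PASS") certificate(s)"
    # Matching Tomcat 8.5+ configuration; the password is taken from a system
    # property (e.g. set in catalina.properties) instead of sitting in server.xml.
    cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="$4" certificateKeystorePassword="\${keystore.password}"
                 certificateKeystoreType="PKCS12" certificateKeyAlias="tomcat" />
  </SSLHostConfig>
</Connector>
EOF
}

if [ $# -eq 4 ]; then
    main "$@"
fi
```

Two practical notes. OpenSSL 3 writes PKCS12 files with AES and PBKDF2 by default; if an older JDK refuses to open the result, re-run the export with the -legacy option to get the 3DES/RC2 encryption older Java releases expect. And on Tomcat 8.5 and later the keystore step is optional for the JSSE connector too: an SSLHostConfig Certificate element with certificateFile, certificateKeyFile and certificateChainFile pointing at the PEM files works directly, which is presumably what the other reply in this thread meant by not using a keystore. Neither note changes Chris's main point: a private key someone else generated is one you should replace.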
Re: SSL Certificates and Tomcat 8.5.11
Hi Laurie,

This is what I do. I don't use a keystore. I use this within the SSLHostConfig section.

> On May 17, 2018, at 11:33 AM, Laurie Miller-Cook wrote:
>
> Hi there,
>
> I am very new to Tomcat so please bear with me.
>
> I currently have a Thawte certificate that is installed within IIS for our domain that is all managed by Rackspace.
>
> I now have a new server set-up with Tomcat 8.5.11 installed and have created a keystore.
>
> I have been supplied by Rackspace the following text files: a Certificate, Private Key and CA Bundle.
>
> So my question is, with the three text files from Rackspace can I import these (in what order) into the Keystore to get SSL working with our Domain or do I need something totally different.
>
> Just as a sub-note we need to have the SSL certificate for the domain working on both IIS and Tomcat.
>
> Best regards
>
> Laurie
SSL Certificates and Tomcat 8.5.11
Hi there,

I am very new to Tomcat so please bear with me.

I currently have a Thawte certificate that is installed within IIS for our domain that is all managed by Rackspace.

I now have a new server set-up with Tomcat 8.5.11 installed and have created a keystore.

I have been supplied by Rackspace the following text files: a Certificate, Private Key and CA Bundle.

So my question is, with the three text files from Rackspace can I import these (in what order) into the Keystore to get SSL working with our Domain or do I need something totally different.

Just as a sub-note we need to have the SSL certificate for the domain working on both IIS and Tomcat.

Best regards

Laurie
Re: Tomcat8 - How to configure ssl certificates for both https and two-way authentication
On 09/08/17 12:24, Senthil Kumar wrote:
> Mark,
>
> Tomcat version is 8.0.39.
>
> I have to use both server certificate (.pfx) and service certificate as keystore. Do I need to convert PFX format certificate to JKS format. How to configure more than one private certificate in keystore.

The setenv.sh settings shouldn't interfere with the Tomcat connector but to be sure I suggest the following:
- comment out the setenv.sh settings
- start Tomcat
- test https on port 443 and report any errors including those in the logs

Once port 443 is working then uncomment the settings in setenv and check port 443 still works.

Mark

> Senthil
>
> On Wed, Aug 9, 2017 at 1:39 AM, Mark Thomas <ma...@apache.org> wrote:
>> On 08/08/17 21:03, dsenthil...@gmail.com wrote:
>>> Hello,
>>>
>>> I have configured ssl certificates for the below requirements:
>>>
>>> 1. Tomcat server certificate configuration in 'server.xml' file to run tomcat server on port 443 and https
>>>
>>> <Connector port="443" minSpareThreads="25"
>>>            maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
>>>            acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
>>>            sslProtocol="TLSv1.2" ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256"
>>>            keystoreFile="Tomcat.HostName.pfx" keystorePass="password"
>>>            keystoreType="PKCS12" />
>>>
>>> 2. Service certificate configuration in 'setenv.sh' file for the two-way ssl authentication for the connection to MQ / Soap service servers.
>>>
>>> export JAVA_OPTS='-Djavax.net.ssl.keyStore=ServiceCertificate.p12 -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=clienttruststore.jks -Djavax.net.ssl.trustStorePassword=changeit'
>>>
>>> But it looks like the service certificate configured (for the two-way ssl handshake with MQ and Soap service servers) in the 'setenv.sh' file is overwriting the tomcat server ssl configuration configured in 'server.xml' and subsequently the tomcat server is down for https and port 443.
>>>
>>> Can someone recommend a suitable tomcat config to fix this issue. The tomcat config should support both https (port 443) and two-way ssl handshake with other servers.
>>
>> Tomcat version?
Re: Tomcat8 - How to configure ssl certificates for both https and two-way authentication
Mark,

Tomcat version is 8.0.39.

I have to use both server certificate (.pfx) and service certificate as keystore. Do I need to convert PFX format certificate to JKS format. How to configure more than one private certificate in keystore.

Senthil

On Wed, Aug 9, 2017 at 1:39 AM, Mark Thomas <ma...@apache.org> wrote:
> On 08/08/17 21:03, dsenthil...@gmail.com wrote:
>> Hello,
>>
>> I have configured ssl certificates for the below requirements:
>>
>> 1. Tomcat server certificate configuration in 'server.xml' file to run tomcat server on port 443 and https
>>
>> <Connector port="443" minSpareThreads="25"
>>            maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
>>            acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
>>            sslProtocol="TLSv1.2" ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256"
>>            keystoreFile="Tomcat.HostName.pfx" keystorePass="password"
>>            keystoreType="PKCS12" />
>>
>> 2. Service certificate configuration in 'setenv.sh' file for the two-way ssl authentication for the connection to MQ / Soap service servers.
>>
>> export JAVA_OPTS='-Djavax.net.ssl.keyStore=ServiceCertificate.p12 -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=clienttruststore.jks -Djavax.net.ssl.trustStorePassword=changeit'
>>
>> But it looks like the service certificate configured (for the two-way ssl handshake with MQ and Soap service servers) in the 'setenv.sh' file is overwriting the tomcat server ssl configuration configured in 'server.xml' and subsequently the tomcat server is down for https and port 443.
>>
>> Can someone recommend a suitable tomcat config to fix this issue. The tomcat config should support both https (port 443) and two-way ssl handshake with other servers.
>
> Tomcat version?
Re: Tomcat8 - How to configure ssl certificates for both https and two-way authentication
Senthil,

On 8/8/17 4:03 PM, dsenthil...@gmail.com wrote:
> Hello,
>
> I have configured ssl certificates for the below requirements:
>
> 1. Tomcat server certificate configuration in 'server.xml' file to run tomcat server on port 443 and https
>
> <Connector port="443" minSpareThreads="25"
>            maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
>            acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
>            sslProtocol="TLSv1.2" ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256"
>            keystoreFile="Tomcat.HostName.pfx" keystorePass="password"
>            keystoreType="PKCS12" />
>
> 2. Service certificate configuration in 'setenv.sh' file for the two-way ssl authentication for the connection to MQ / Soap service servers.
>
> export JAVA_OPTS='-Djavax.net.ssl.keyStore=ServiceCertificate.p12 -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=clienttruststore.jks -Djavax.net.ssl.trustStorePassword=changeit'
>
> But it looks like the service certificate configured (for the two-way ssl handshake with MQ and Soap service servers) in the 'setenv.sh' file is overwriting the tomcat server ssl configuration configured in 'server.xml' and subsequently the tomcat server is down for https and port 443.
>
> Can someone recommend a suitable tomcat config to fix this issue. The tomcat config should support both https (port 443) and two-way ssl handshake with other servers.

Regardless of the actual problem and solution, here, I would always highly recommend that you use explicit configuration for your truststore as well as your keystore. Using system properties is very heavy-handed and ends up applying the same trust store to a whole variety of components, not just the <Connector>.

-chris
Re: Tomcat8 - How to configure ssl certificates for both https and two-way authentication
On 08/08/17 21:03, dsenthil...@gmail.com wrote:
> Hello,
>
> I have configured ssl certificates for the below requirements:
>
> 1. Tomcat server certificate configuration in 'server.xml' file to run tomcat server on port 443 and https
>
> <Connector port="443" minSpareThreads="25"
>            maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
>            acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
>            sslProtocol="TLSv1.2" ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256"
>            keystoreFile="Tomcat.HostName.pfx" keystorePass="password"
>            keystoreType="PKCS12" />
>
> 2. Service certificate configuration in 'setenv.sh' file for the two-way ssl authentication for the connection to MQ / Soap service servers.
>
> export JAVA_OPTS='-Djavax.net.ssl.keyStore=ServiceCertificate.p12 -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=clienttruststore.jks -Djavax.net.ssl.trustStorePassword=changeit'
>
> But it looks like the service certificate configured (for the two-way ssl handshake with MQ and Soap service servers) in the 'setenv.sh' file is overwriting the tomcat server ssl configuration configured in 'server.xml' and subsequently the tomcat server is down for https and port 443.
>
> Can someone recommend a suitable tomcat config to fix this issue. The tomcat config should support both https (port 443) and two-way ssl handshake with other servers.

Tomcat version?
Tomcat8 - How to configure ssl certificates for both https and two-way authentication
Hello,

I have configured ssl certificates for the below requirements:

1. Tomcat server certificate configuration in 'server.xml' file to run tomcat server on port 443 and https

<Connector port="443" minSpareThreads="25"
           maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
           sslProtocol="TLSv1.2" ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256"
           keystoreFile="Tomcat.HostName.pfx" keystorePass="password"
           keystoreType="PKCS12" />

2. Service certificate configuration in 'setenv.sh' file for the two-way ssl authentication for the connection to MQ / Soap service servers.

export JAVA_OPTS='-Djavax.net.ssl.keyStore=ServiceCertificate.p12 -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=clienttruststore.jks -Djavax.net.ssl.trustStorePassword=changeit'

But it looks like the service certificate configured (for the two-way ssl handshake with MQ and Soap service servers) in the 'setenv.sh' file is overwriting the tomcat server ssl configuration configured in 'server.xml' and subsequently the tomcat server is down for https and port 443.

Can someone recommend a suitable tomcat config to fix this issue. The tomcat config should support both https (port 443) and two-way ssl handshake with other servers.

Thanks,
Senthil
Re: Need help to install GoDaddy's SSL certificates on Tomcat 8.0.32 (Amazon Linux)
here's the tutorial:
https://fr.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239

use the sha2 root and intermediate, and for the last one use my_certificate.

here's the repo:
https://certs.godaddy.com/repository/

On 04/06/2016 00:18, Hardibo Pierre-Jean wrote:
> gdig2.crt is the intermediate
> my_certificate must be the last to configure
> so i think the bundle may be the root.
>
> On 04/06/2016 00:13, Conor Skyler wrote:
>> Hello Pierre,
>>
>> Yes, I contacted the technical support at GoDaddy and they basically told me that I'm on my own and that I should find someone that knows how to handle the configuration -- that's all the aid they gave me.
>>
>> I think that there are two separate problems here.
>>
>> First one, the mismatch between the files I receive zipped and the ones referred to on the website when it reads:
>>
>> "The file names for your root and intermediate certificates depend on your signature algorithm.
>> - SHA-1 root certificate: gd_class2_root.crt
>> - SHA-2 root certificate: gdroot-g2.crt
>> - SHA-1 intermediate certificate: gd.intermediate.crt
>> - SHA-2 intermediate certificate: gdig2.crt
>> - (*Java 6/7 only*) SHA-2 Root Certificate: gdroot-g2_cross.crt"
>>
>> But the files I get when I unzip the downloaded archive are:
>> my_certificate.crt
>> gd_bundle-g2-g1.crt
>> gdig2.crt
>>
>> So the first thing here is that I don't know how to use them when following the instructions stated on the site (the only one I can identify is my_certificate.crt).
>>
>> With the second issue my guess is that it might be related to the KeyStore file not holding the private key: I wasn't given the original tomcat.keystore file (following the example on GoDaddy's website) so here I'm starting from scratch, generating a new KeyStore. What I have though is a PEM file from the person who, I presume, made the .csr request file; is there a way to add it to the KeyStore file I create when following the instructions on GoDaddy's site?
>>
>> Thank you very much for stepping in!
>> -Conor
>>
>> On Fri, Jun 3, 2016 at 6:09 PM, Hardibo Pierre-Jean wrote:
>>> it's all here, no?
>>> https://fr.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239
>>>
>>> On 03/06/2016 22:37, Conor Skyler wrote:
>>>> Hi again,
>>>>
>>>> At this point I don't know what else to try: I have carefully gone through the process stated at GoDaddy's website once again, trying different combinations with the certificates (as the instructions provided by GoDaddy don't match the certificates you download), but the result was the same as before: it didn't work.
>>>>
>>>> Early today I found this post on StackOverflow:
>>>> http://stackoverflow.com/questions/24269293/how-to-import-godaddy-certificates-in-tomcat-given-gd-bundle-g2-g1-crt-gdig2-cr
>>>> which somehow brought some hope to me as the title states literally the issue I'm having:
>>>> 'http://stackoverflow.com/questions/24269293/how-to-import-godaddy-certificates-in-tomcat-given-gd-bundle-g2-g1-crt-gdig2-crt'
>>>>
>>>> Sadly after trying everything shown there and reading tons of stuff I still can't make the KeyStore work with my Tomcat server.
>>>>
>>>> Any help will be greatly appreciated.
>>>> -Conor
>>>>
>>>> On Wed, Jun 1, 2016 at 6:12 PM, Conor Skyler wrote:
>>>>> Hi Daniel,
>>>>>
>>>>> Thank you very much for stepping in, I'm processing a new set of certificates that I hope to try tomorrow.
>>>>>
>>>>> Warm regards,
>>>>> -Conor
>>>>>
>>>>> On Tue, May 31, 2016 at 8:41 AM, Daniel Mikusa wrote:
>>>>>> On Mon, May 30, 2016 at 11:26 PM, Conor Skyler wrote:
>>>>>>> Hello list,
>>>>>>>
>>>>>>> I'm trying to install the certificates I bought from GoDaddy into my Tomcat server, however so far I've been unsuccessful in achieving this.
>>>>>>>
>>>>>>> My system specs are:
>>>>>>> OS: Amazon Linux (fully updated)
>>>>>>> Tomcat version: 8.0.32, installed from the repos
>>>>>>> Java version: $ java -version
>>>>>>> openjdk version "1.8.0_91"
>>>>>>> OpenJDK Runtime Environment (build 1.8.0_91-b14)
>>>>>>> OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)
>>>>>>>
>>>>>>> To install the certificates I followed this tutorial from GoDaddy website:
>>>>>>> https://ar.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239
>>>>>>> which explains how to create a KeyStore and configure the <Connector> in the server.xml file.
>>>>>>
>>>>>> Follow these instructions.
>>>>>>
>>>>>>> Now, judging from the official Tomcat documentation in https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html it's stated that I first need to convert the .crt files provided by GoDaddy to PKCS12 format -- I wonder then why the instructions in GoDaddy's website state otherwise!
>>>>>>
>>>>>> There's more than one way to do this. If you started out by following the GoDaddy instructions to generate your CSR, then continue to follow them to import your signed certificate.
>>>>>>
>>>>>>> But then I read this piece of documentation that left me completely bewildered:
>>>>>>> To import an existing certificate signed by your own CA into a PKCS12 keystore using OpenSSL you would execute a command like:
>>>>>>>
>>>>>>> openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out mycert.p12 -name tomcat
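An added example (mine, not from the thread and not GoDaddy's instructions): a shell helper that tells the files in GoDaddy's zip apart by their contents instead of by the file names the instructions expect, splits a bundle into single certificates, and lists them in the order keytool needs (root, then intermediates, then the signed server certificate under the alias of the existing key pair). It also makes the point behind Conor's second problem concrete: the signed certificate can only be installed into the keystore that holds the private key the CSR was generated from, so a keystore created from scratch afterwards will never pair with my_certificate.crt, and a .csr file cannot supply the key either, since a CSR contains only the public key. Keystore path, alias and password are assumptions; the file names are the ones quoted in the thread; the keytool calls are not exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread or from GoDaddy's instructions: identify
# each certificate file by its contents (root / intermediate / leaf), split a
# bundle into single certificates, and import everything into the keystore in
# the order keytool needs. The keystore must be the one the CSR was generated
# from: that is where the private key lives, and a keystore created afterwards
# has nothing for the signed certificate to pair with. Keystore path, alias and
# password are assumptions; the file names are the ones quoted in the thread.
set -u

KEYSTORE="${KEYSTORE:-tomcat.keystore}"
KEY_ALIAS="${KEY_ALIAS:-tomcat}"
STOREPASS="${STOREPASS:-change-me}"

# Classify the first certificate in a PEM file:
#   root          self-signed (subject == issuer)
#   intermediate  CA:TRUE but signed by someone else
#   leaf          everything else (the server certificate)
cert_role() {  # $1 = PEM file
    subject=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer=//')
    [ -n "$subject" ] || return 1
    is_ca=$(openssl x509 -in "$1" -noout -text 2>/dev/null | grep -c 'CA:TRUE' || true)
    if [ "$subject" = "$issuer" ]; then
        echo root
    elif [ "$is_ca" -gt 0 ]; then
        echo intermediate
    else
        echo leaf
    fi
}

# Number of certificates in a file (CA "bundles" usually carry more than one).
cert_count() {  # $1 = PEM file
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Split a multi-certificate PEM into $2-1.pem, $2-2.pem, ... in file order.
split_bundle() {  # $1 = bundle PEM, $2 = output prefix
    awk -v p="$2" '/BEGIN CERTIFICATE/ { n++ } n > 0 { print > (p "-" n ".pem") }' "$1"
}

# Print the given single-certificate files in import order: root first, then
# intermediates, then the leaf.
import_order() {  # $@ = single-certificate PEM files
    for role in root intermediate leaf; do
        for f in "$@"; do
            if [ "$(cert_role "$f")" = "$role" ]; then
                echo "$f"
            fi
        done
    done
}

# keytool import (not exercised offline): CA certificates go in as trusted
# entries under their own aliases; the last file, the signed server certificate,
# goes in under the alias of the existing key pair so keytool installs it as the
# CA's reply to that key's CSR.
import_into_keystore() {  # $@ = PEM files in import order
    i=0
    for f in "$@"; do
        i=$((i + 1))
        if [ "$i" -eq $# ]; then
            keytool -importcert -noprompt -keystore "$KEYSTORE" -storepass "$STOREPASS" \
                -alias "$KEY_ALIAS" -file "$f" || return 1
        else
            keytool -importcert -noprompt -trustcacerts -keystore "$KEYSTORE" -storepass "$STOREPASS" \
                -alias "ca$i" -file "$f" || return 1
        fi
    done
}

# Usage: sh this.sh my_certificate.crt gd_bundle-g2-g1.crt gdig2.crt
if [ $# -gt 0 ]; then
    for f in "$@"; do
        printf '%-13s %s (%s certificate(s))\n' "$(cert_role "$f")" "$f" "$(cert_count "$f")"
    done
    echo "Import order (split any file with more than one certificate using split_bundle first):"
    import_order "$@"
fi
```

The keytool output tells you whether the keystore is the right one: importing the server certificate under the key alias should end with "Certificate reply was installed in keystore"; if keytool instead adds it as a trusted certificate entry, or complains that the alias already exists, the keystore has no private key matching that certificate and the only fix is to generate a new key pair and CSR in a keystore you keep.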
Re: Need help to install GoDaddy's SSL certificates on Tomcat 8.0.32 (Amazon Linux)
gdig2.crt is the intermediate
my_certificate must be the last to configure
so i think the bundle may be the root.

On 04/06/2016 00:13, Conor Skyler wrote:
> Hello Pierre,
>
> Yes, I contacted the technical support at GoDaddy and they basically told me that I'm on my own and that I should find someone that knows how to handle the configuration -- that's all the aid they gave me.
>
> I think that there are two separate problems here.
>
> First one, the mismatch between the files I receive zipped and the ones referred to on the website when it reads:
>
> "The file names for your root and intermediate certificates depend on your signature algorithm.
> - SHA-1 root certificate: gd_class2_root.crt
> - SHA-2 root certificate: gdroot-g2.crt
> - SHA-1 intermediate certificate: gd.intermediate.crt
> - SHA-2 intermediate certificate: gdig2.crt
> - (*Java 6/7 only*) SHA-2 Root Certificate: gdroot-g2_cross.crt"
>
> But the files I get when I unzip the downloaded archive are:
> my_certificate.crt
> gd_bundle-g2-g1.crt
> gdig2.crt
>
> So the first thing here is that I don't know how to use them when following the instructions stated on the site (the only one I can identify is my_certificate.crt).
>
> With the second issue my guess is that it might be related to the KeyStore file not holding the private key: I wasn't given the original tomcat.keystore file (following the example on GoDaddy's website) so here I'm starting from scratch, generating a new KeyStore. What I have though is a PEM file from the person who, I presume, made the .csr request file; is there a way to add it to the KeyStore file I create when following the instructions on GoDaddy's site?
>
> Thank you very much for stepping in!
> -Conor
>
> On Fri, Jun 3, 2016 at 6:09 PM, Hardibo Pierre-Jean wrote:
>> it's all here, no?
>> https://fr.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239
>>
>> On 03/06/2016 22:37, Conor Skyler wrote:
>>> Hi again,
>>>
>>> At this point I don't know what else to try: I have carefully gone through the process stated at GoDaddy's website once again, trying different combinations with the certificates (as the instructions provided by GoDaddy don't match the certificates you download), but the result was the same as before: it didn't work.
>>>
>>> Early today I found this post on StackOverflow:
>>> http://stackoverflow.com/questions/24269293/how-to-import-godaddy-certificates-in-tomcat-given-gd-bundle-g2-g1-crt-gdig2-cr
>>> which somehow brought some hope to me as the title states literally the issue I'm having:
>>> 'http://stackoverflow.com/questions/24269293/how-to-import-godaddy-certificates-in-tomcat-given-gd-bundle-g2-g1-crt-gdig2-crt'
>>>
>>> Sadly after trying everything shown there and reading tons of stuff I still can't make the KeyStore work with my Tomcat server.
>>>
>>> Any help will be greatly appreciated.
>>> -Conor
>>>
>>> On Wed, Jun 1, 2016 at 6:12 PM, Conor Skyler wrote:
>>>> Hi Daniel,
>>>>
>>>> Thank you very much for stepping in, I'm processing a new set of certificates that I hope to try tomorrow.
>>>>
>>>> Warm regards,
>>>> -Conor
>>>>
>>>> On Tue, May 31, 2016 at 8:41 AM, Daniel Mikusa wrote:
>>>>> On Mon, May 30, 2016 at 11:26 PM, Conor Skyler wrote:
>>>>>> Hello list,
>>>>>>
>>>>>> I'm trying to install the certificates I bought from GoDaddy into my Tomcat server, however so far I've been unsuccessful in achieving this.
>>>>>>
>>>>>> My system specs are:
>>>>>> OS: Amazon Linux (fully updated)
>>>>>> Tomcat version: 8.0.32, installed from the repos
>>>>>> Java version: $ java -version
>>>>>> openjdk version "1.8.0_91"
>>>>>> OpenJDK Runtime Environment (build 1.8.0_91-b14)
>>>>>> OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)
>>>>>>
>>>>>> To install the certificates I followed this tutorial from GoDaddy website:
>>>>>> https://ar.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239
>>>>>> which explains how to create a KeyStore and configure the <Connector> in the server.xml file.
>>>>>
>>>>> Follow these instructions.
>>>>>
>>>>>> Now, judging from the official Tomcat documentation in https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html it's stated that I first need to convert the .crt files provided by GoDaddy to PKCS12 format -- I wonder then why the instructions in GoDaddy's website state otherwise!
>>>>>
>>>>> There's more than one way to do this. If you started out by following the GoDaddy instructions to generate your CSR, then continue to follow them to import your signed certificate.
>>>>>
>>>>>> But then I read this piece of documentation that left me completely bewildered:
>>>>>> To import an existing certificate signed by your own CA into a PKCS12 keystore using OpenSSL you would execute a command like:
>>>>>>
>>>>>> openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out mycert.p12 -name tomcat -CAfile myCA.crt -caname root -chain
>>>>>>
>>>>>> In this example there's a reference to a 'mykey.key' file that I don't have a clue how to obtain or where it comes from, since when I download the certificates provided by GoDaddy, there's no such .key file: I can download several different types of
Re: Need help to install GoDaddy's SSL certificates on Tomcat 8.0.32 (Amazon Linux)
Hello Pierre,

Yes, I contacted the technical support at GoDaddy and they basically told me that I'm on my own and that I should find someone that knows how to handle the configuration -- that's all the aid they gave me.

I think that there are two separate problems here.

The first one is the mismatch between the files I receive zipped and the ones referred to on the website when it reads:

"The file names for your root and intermediate certificates depend on your signature algorithm.
- SHA-1 root certificate: gd_class2_root.crt
- SHA-2 root certificate: gdroot-g2.crt
- SHA-1 intermediate certificate: gd.intermediate.crt
- SHA-2 intermediate certificate: gdig2.crt
- (*Java 6/7 only*) SHA-2 Root Certificate: gdroot-g2_cross.crt"

But the files I get when I unzip the downloaded archive are:
my_certificate.crt
gd_bundle-g2-g1.crt
gdig2.crt

So the first thing here is that I don't know how to use them when following the instructions stated on the site (the only one I can identify is my_certificate.crt).

With the second issue my guess is that it might be related to the KeyStore file not holding the private key: I wasn't given the original tomcat.keystore file (following the example on GoDaddy's website), so here I'm starting from scratch, generating a new KeyStore. What I have though is a PEM file from the person I presume made the .csr request file; is there a way to add it to the KeyStore file I create when following the instructions on GoDaddy's site?

Thank you very much for stepping in!
-Conor

On Fri, Jun 3, 2016 at 6:09 PM, Hardibo Pierre-Jean wrote:
> there's all here no ?
>
> https://fr.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239
>
> On 03/06/2016 22:37, Conor Skyler wrote:
Re: Need help to install GoDaddy's SSL certificates on Tomcat 8.0.32 (Amazon Linux)
there's all here no ?

https://fr.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239

On 03/06/2016 22:37, Conor Skyler wrote:

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Need help to install GoDaddy's SSL certificates on Tomcat 8.0.32 (Amazon Linux)
godaddy didn't give you instructions ?

On 03/06/2016 22:37, Conor Skyler wrote:
Re: Need help to install GoDaddy's SSL certificates on Tomcat 8.0.32 (Amazon Linux)
Hi again,

At this point I don't know what else to try: I have carefully gone through the process stated on GoDaddy's website once again, trying different combinations with the certificates (as the instructions provided by GoDaddy don't match the certificates you download), but the result was the same as before: it didn't work.

Early today I found this post on StackOverflow:
http://stackoverflow.com/questions/24269293/how-to-import-godaddy-certificates-in-tomcat-given-gd-bundle-g2-g1-crt-gdig2-crt
which somehow brought some hope to me, as the title states literally the issue I'm having.

Sadly, after trying everything that's shown there and reading tons of stuff, I still can't make the KeyStore work with my Tomcat server.

Any help will be greatly appreciated.
-Conor

On Wed, Jun 1, 2016 at 6:12 PM, Conor Skyler wrote:
> Hi Daniel,
>
> Thank you very much for stepping in, I'm processing a new set of certificates that I hope to try tomorrow.
>
> Warm regards,
> -Conor
>
> On Tue, May 31, 2016 at 8:41 AM, Daniel Mikusa wrote:
Re: Need help to install GoDaddy's SSL certificates on Tomcat 8.0.32 (Amazon Linux)
Hi Daniel,

Thank you very much for stepping in, I'm processing a new set of certificates that I hope to try tomorrow.

Warm regards,
-Conor

On Tue, May 31, 2016 at 8:41 AM, Daniel Mikusa wrote:
Re: using SSLHostConfig on tomcat 9 in order to get 2 SSL certificates
Hardibo,

On 6/1/16 9:48 AM, Hardibo Pierre-Jean wrote:
> Hello, when I add the second, or I put only the second (tomcat2), the browser doesn't reach the website but doesn't stop with an error message.

If you connect with openssl s_client, can you see what certificate is presented with the server handshake? Depending upon your version of OpenSSL, it may or may not support the -servername option, which is the way to trigger the use of SNI.

-chris

> On 31/05/2016 18:52, Christopher Schultz wrote:
>> Hardibo,
>>
>> On 5/31/16 10:33 AM, Hardibo Pierre-Jean wrote:
>>> Hello, I made two StartSSL certificates because I could only add 5 domains at once.
>>
>> ??!
>>
>>> When I use SSLHostConfig for the domains of the first certificate all is working, but when I try to add other domains (2nd certificate) the websites are no longer accessible; there's little documentation about that and no tutorial, so I am blocked. Here is my connector (server.xml):
>>>
>>> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true">
>>
>> You'll also want to set secure="true" and scheme="https" on your <Connector>. This might be the only thing you are missing.
>>
>> http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig
>>
>>> <SSLHostConfig ...>
>>>   <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat" certificateKeystorePassword="" type="RSA"/>
>>> </SSLHostConfig>
>>> <SSLHostConfig hostName="www.tagdirectory.net">
>>>   <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat" certificateKeystorePassword="" type="RSA"/>
>>> </SSLHostConfig>
>>> <SSLHostConfig hostName="www.xn--kzako-bsa.com">
>>>   <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat" certificateKeystorePassword="" type="RSA"/>
>>> </SSLHostConfig>
>>> <SSLHostConfig hostName="www.xn--tltravail-b4ab.com">
>>>   <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat" certificateKeystorePassword="" type="RSA"/>
>>> </SSLHostConfig>
>>> <SSLHostConfig hostName="www.xn--changedeliens-9gb.com">
>>>   <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat" certificateKeystorePassword="" type="RSA"/>
>>> </SSLHostConfig>
>>> <SSLHostConfig hostName="en.tagdirectory.net">
>>>   <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2" certificateKeystorePassword="" type="RSA"/>
>>> </SSLHostConfig>
>>> <SSLHostConfig hostName="www.retrogeekzone.com">
>>>   <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2" certificateKeystorePassword="" type="RSA"/>
>>> </SSLHostConfig>
>>> <SSLHostConfig hostName="en.retrogeekzone.com">
>>>   <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2" certificateKeystorePassword="" type="RSA"/>
>>> </SSLHostConfig>
>>> <SSLHostConfig hostName="www.troc-livres-informatique.com">
>>>   <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2" certificateKeystorePassword="" type="RSA"/>
>>> </SSLHostConfig>
>>> </Connector>
>>
>> Those all look okay to me. What are you using to test? With a single <SSLHostConfig> can you establish a connection? When you add the second <SSLHostConfig>, how do things change?
>>
>> -chris
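Chris's suggestion above, worked into a small script (an added example, not code from the thread): for each hostName configured in an <SSLHostConfig>, ask the server for its certificate with that SNI name and check that the subjectAltName it returns actually covers the name. The host, port and the sample SAN block are assumptions; the network probe is shown but only the parsing and wildcard matching are exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): probe a Tomcat connector with SNI and
# check that the certificate it presents actually covers the requested name.
# Host/port and the names used below are assumptions; run it against your own
# server with the hostName values from each <SSLHostConfig>.

# Prints the DNS names from the certificate the server presents when the
# client sends $3 as SNI (needs an OpenSSL with -servername and -ext,
# i.e. 1.1.1 or newer).
presented_dns_names() {   # host port servername
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
        openssl x509 -noout -ext subjectAltName |
        san_dns_names
}

# Reads an `openssl x509 -noout -ext subjectAltName` block on stdin and
# prints one DNS name per line; other SAN types (IP, email) are dropped.
san_dns_names() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Reads DNS names (one per line) on stdin; returns 0 if $1 is covered either
# exactly or by a single-label wildcard (*.example.net covers www.example.net
# but neither example.net nor a.b.example.net), which is how browsers match.
host_covered() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    parent=${want#*.}
    while IFS= read -r name; do
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        [ "$name" = "$want" ] && return 0
        case "$name" in
            \*.*)
                [ "$parent" != "$want" ] && [ "${name#\*.}" = "$parent" ] && return 0
                ;;
        esac
    done
    return 1
}

# One verdict line per hostName: "OK name" or "MISMATCH name". Returns
# non-zero if any name is not covered, so it can gate a deployment.
check_sni_names() {   # host port name...
    host=$1; port=$2; shift 2
    rc=0
    for name in "$@"; do
        if presented_dns_names "$host" "$port" "$name" | host_covered "$name"; then
            echo "OK $name"
        else
            echo "MISMATCH $name"; rc=1
        fi
    done
    return $rc
}

# Usage (not run here):
#   check_sni_names localhost 8443 www.example.net en.example.net
```

A MISMATCH for the names that belong to the second keystore, while the first keystore's names pass, is exactly the symptom to bring back to the list.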
Re: using SSLHostConfig on tomcat 9 in order to get 2 SSL certificates
Hello, when I add the second, or I put only the second (tomcat2), the browser doesn't reach the website but doesn't stop with an error message.

On 31/05/2016 18:52, Christopher Schultz wrote:
Re: using SSLHostConfig on tomcat 9 in order to get 2 SSL certificates
Hardibo,

On 5/31/16 10:33 AM, Hardibo Pierre-Jean wrote:
> Hello, I made two StartSSL certificates because I could only add 5 domains at once.

??!

> When I use SSLHostConfig for the domains of the first certificate all is working, but when I try to add other domains (2nd certificate) the websites are no longer accessible; there's little documentation about that and no tutorial, so I am blocked. Here is my connector (server.xml):
>
> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true">

You'll also want to set secure="true" and scheme="https" on your <Connector>. This might be the only thing you are missing.

http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig

> <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat" certificateKeystorePassword="" type="RSA"/>
> <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat" certificateKeystorePassword="" type="RSA"/>
> <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat" certificateKeystorePassword="" type="RSA"/>
> <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat" certificateKeystorePassword="" type="RSA"/>
> <Certificate ... certificateKeystorePassword="" type="RSA"/>
> <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2" certificateKeystorePassword="" type="RSA"/>
> <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2" certificateKeystorePassword="" type="RSA"/>
> <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2" certificateKeystorePassword="" type="RSA"/>
> <Certificate ... certificateKeystorePassword="" type="RSA"/>

Those all look okay to me. What are you using to test? With a single <SSLHostConfig> can you establish a connection? When you add the second <SSLHostConfig>, how do things change?

-chris
using SSLHostConfig on tomcat 9 in order to get 2 SSL certificates
Hello, I made two StartSSL certificates because I could only add 5 domains at once.

When I use SSLHostConfig for the domains of the first certificate all is working, but when I try to add other domains (2nd certificate) the websites are no longer accessible; there's little documentation about that and no tutorial, so I am blocked. Here is my connector (server.xml):

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true">

Thanks for your help !
Re: Need help to install GoDaddy's SSL certificates on Tomcat 8.0.32 (Amazon Linux)
On Mon, May 30, 2016 at 11:26 PM, Conor Skyler wrote:
> Hello list,
>
> I'm trying to install the certificates I bought from GoDaddy into my Tomcat server, however so far I've been unsuccessful in achieving this.
>
> My system specs are:
> OS: Amazon Linux (fully updated)
> Tomcat version: 8.0.32, installed from the repos
> Java version: $ java -version
> openjdk version "1.8.0_91"
> OpenJDK Runtime Environment (build 1.8.0_91-b14)
> OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)
>
> To install the certificates I followed this tutorial from GoDaddy's website:
> https://ar.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239
> which explains how to create a KeyStore and configure the <Connector> in the server.xml file.

Follow these instructions.

> Now, judging from the official Tomcat documentation in https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html it's stated that I first need to convert the .crt files provided by GoDaddy to PKCS12 format -- I wonder then why the instructions on GoDaddy's website state otherwise!

There's more than one way to do this. If you started out by following the GoDaddy instructions to generate your CSR, then continue to follow them to import your signed certificate.

> But then I read this piece of documentation that left me completely bewildered:
> To import an existing certificate signed by your own CA into a PKCS12 keystore using OpenSSL you would execute a command like:
>
> openssl pkcs12 -export -in mycert.crt -inkey mykey.key
>         -out mycert.p12 -name tomcat -CAfile myCA.crt
>         -caname root -chain
>
> In this example there's a reference to a 'mykey.key' file that I don't have a clue how to obtain or where it comes from, since when I download the certificates provided by GoDaddy there's no such .key file: I can download several different types of certificates in .crt format but there isn't any .key file to download.

This has to do with the way that you generated the CSR. The GoDaddy instructions have you using keytool and a keystore. In this case, your private key will exist in the keystore, so you won't have a .key file and that's OK.

> I tried contacting their support and well, they weren't any helpful at all; they pointed me to the repository where all the certificates are stored and told me to 'find someone that knows how to handle them' -- thanks for nothing :(
>
> Finally I want to say that I have Tomcat running smoothly on port 8080, I even configured an administrator user to access the status page, which works perfectly; my problem is that I just can't find how to properly install and configure SSL.

Follow the GoDaddy instructions. They should work. If you get stuck on a specific step, let us know.

Dan

> What I'm not sure of though is what part or steps I'm missing; I believe this has to be much simpler than it's been so far for me, but seriously I can't wrap my mind around it.
>
> Thank you very much for taking the time to read this n00b's help scream.
>
> Best regards,
> -Conor
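Dan's point above (when keytool generated the CSR, the private key already lives in the keystore) and Conor's later question about a keystore that does not hold the private key, as an added shell example that is not code from the thread: both import paths side by side, plus a check of `keytool -list -v` output that tells a PrivateKeyEntry from a certificate-only entry. The keystore name, alias, password and the sample listing are assumptions; the file names are the ones named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): the two ways discussed in the thread to
# get a GoDaddy-signed certificate into a Tomcat keystore, plus a check for the
# failure mode raised later (a keystore holding certificates but no private
# key). Keystore name, alias and password are assumptions.
KEYSTORE=${KEYSTORE:-tomcat.keystore}
ALIAS=${ALIAS:-tomcat}            # must equal the alias used to generate the CSR
STOREPASS=${STOREPASS:-changeit}  # assumption: replace with the real password

# Path A: the CSR came from keytool, so the private key is already in the
# keystore under $ALIAS. Import the intermediate first, then the signed
# certificate under the SAME alias so keytool attaches it to that key pair
# (a different alias would create a trustedCertEntry instead).
import_with_keytool() {
    keytool -importcert -trustcacerts -alias gdig2 -file gdig2.crt \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -noprompt
    keytool -importcert -alias "$ALIAS" -file my_certificate.crt \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -noprompt
}

# Path B: the private key exists as a PEM file (from whoever generated the
# CSR with openssl). Bundle key, certificate and the GoDaddy chain into one
# PKCS12 file, which Tomcat reads directly with keystoreType="PKCS12".
build_pkcs12_from_pem() {   # keyfile (e.g. mykey.key)
    openssl pkcs12 -export -in my_certificate.crt -inkey "$1" \
        -certfile gd_bundle-g2-g1.crt -name "$ALIAS" \
        -out tomcat.p12 -passout "pass:$STOREPASS"
}

# Check: reads `keytool -list -v -keystore ...` output on stdin and prints
# "<entry type> <chain length>" for alias $1. Returns 0 only for a
# PrivateKeyEntry; a trustedCertEntry means the certificate was imported
# without its key, and Tomcat refuses to start the connector on such an alias.
keystore_entry_status() {   # alias
    awk -v want="$1" '
        $1 == "Alias" && $2 == "name:"                { cur = $3 }
        cur == want && $1 == "Entry" && $2 == "type:"  { type = $3 }
        cur == want && /^Certificate chain length:/    { len = $4 }
        END {
            if (type == "") { print "MISSING 0"; exit 1 }
            print type, (len == "" ? 1 : len)
            if (type == "PrivateKeyEntry") exit 0
            exit 1
        }'
}

# Usage (not run here):
#   keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" \
#       | keystore_entry_status "$ALIAS"
```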
Need help to install GoDaddy's SSL certificates on Tomcat 8.0.32 (Amazon Linux)
Hello list,

I'm trying to install the certificates I bought from GoDaddy into my Tomcat server, however so far I've been unsuccessful in achieving this.

My system specs are:
OS: Amazon Linux (fully updated)
Tomcat version: 8.0.32, installed from the repos
Java version:
$ java -version
openjdk version "1.8.0_91"
OpenJDK Runtime Environment (build 1.8.0_91-b14)
OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)

To install the certificates I followed this tutorial from GoDaddy website: https://ar.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239 which explains how to create a KeyStore and configure the in the server.xml file.

Now, judging from the official Tomcat documentation in https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html it's stated that I first need to convert the .crt files provided by GoDaddy to PKCS12 format -- I wonder then why the instructions in GoDaddy's website state otherwise!

But then I read this piece of documentation that left me completely bewildered:

To import an existing certificate signed by your own CA into a PKCS12 keystore using OpenSSL you would execute a command like:

openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out mycert.p12 -name tomcat -CAfile myCA.crt -caname root -chain

In this example there's a reference to a 'mykey.key' file that I don't have a clue how to obtain or where it comes from, since when I download the certificates provided by GoDaddy, there's no such .key file: I can download several different types of certificates in .crt format but there isn't any .key file to download.

I tried contacting their support and well, they weren't any helpful at all, they pointed me to the repository where all the certificates are stored and told me to 'find someone that knows how to handle them' -- thanks for nothing :(

Finally I want to say that I have Tomcat running smoothly at port 8080, I even configured an administrator user to access the status page which works perfectly, my problem is that I just can't find how to properly install and configure the SSL.

What I'm not sure though is what part or steps I'm missing, I believe this has to be much simpler than it's been so far for me but seriously I can't wrap my mind around it.

Thank you very much for taking the time to read this n00b's help scream.

Best regards,
-Conor
TC9: Configuring ProtocolHandler SSL certificates (SSLHostConfig) via JMX
Hi,

I am very new to JMX so maybe I miss an important piece that prevents me from configuring SSL certificates in ProtocolHandler via JMX.

I just implemented modification of the aliases property on Host via JMX which seems to work fine. I would like to set SSL certificates for some of those aliases via JMX as well. I found out that ProtocolHandler has methods findSslHostConfigs() for retrieval of existing SSL configurations and addSslHostConfig() for adding a new SSLHostConfig instance.

My web application is built on Apache Felix and consists of OSGi bundles. I have no idea how to (and if ever I should) import the tomcat-coyote "bundle" so that I could create a new instance of SSLHostConfig to be able to add it to the ProtocolHandler. I suppose there might also be issues with incompatible classes, different classloaders etc. so it does not sound like a good solution anyway.

In my opinion a clean way would be to provide a factory for creation of new instances of SSLHostConfig (maybe just a createSslHostConfig() or newSslHostConfig() method on ProtocolHandler?) so these could be instantiated by Tomcat code and classloader, configured (via reflection) and added to the ProtocolHandler.

Or is there another way to do this?

Thanks for any help.

Miroslav

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Updating SSL certificates
On 19/02/2016 15:23, Christopher Schultz wrote:
> Mark,
>
> On 2/18/16 5:15 PM, Mark Thomas wrote:
>> On 18/02/2016 22:03, James H. H. Lampert wrote:
>>> Out of morbid curiosity, is there a way to make a certificate update take effect without restarting Tomcat?
>>
>> Sort of.
>>
>> Set bindOnInit on the connector to false.
>>
>> Modify the config via JMX.
>>
>> Then you should be able to use JMX to call stop() followed by start() on the TLS connector which should re-initialise the TLS settings from the in-memory config.
>
> Theoretically, this should also allow re-loading of a CRL, right?

In theory yes. But this is entirely untested and based solely on code inspection. There will also be a small gap where requests could get rejected.

Mark

> I keep meaning to write an auto-reloading CRL component for Tomcat, but I haven't gotten around to doing it, yet. :(
>
> -chris
Re: Updating SSL certificates
Mark,

On 2/18/16 5:15 PM, Mark Thomas wrote:
> On 18/02/2016 22:03, James H. H. Lampert wrote:
>> Out of morbid curiosity, is there a way to make a certificate update take effect without restarting Tomcat?
>
> Sort of.
>
> Set bindOnInit on the connector to false.
>
> Modify the config via JMX.
>
> Then you should be able to use JMX to call stop() followed by start() on the TLS connector which should re-initialise the TLS settings from the in-memory config.

Theoretically, this should also allow re-loading of a CRL, right?

I keep meaning to write an auto-reloading CRL component for Tomcat, but I haven't gotten around to doing it, yet. :(

-chris
Re: Updating SSL certificates
On 18/02/2016 22:03, James H. H. Lampert wrote:
> Out of morbid curiosity, is there a way to make a certificate update take effect without restarting Tomcat?

Sort of.

Set bindOnInit on the connector to false.

Modify the config via JMX.

Then you should be able to use JMX to call stop() followed by start() on the TLS connector which should re-initialise the TLS settings from the in-memory config.

Mark
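Mark's procedure (bindOnInit="false" on the connector, then stop() followed by start() on the TLS connector over JMX), and the JMX route to the ProtocolHandler that Miroslav's "TC9" post asks about, as one added example that is not part of either thread. Instead of a JMX client it drives the operations through the Manager application's jmxproxy servlet with curl, so it can run from the same shell that installs the renewed certificate. The manager URL, the credentials and the connector port are placeholders; the Catalina:type=Connector and Catalina:type=ProtocolHandler object names are Tomcat's standard ones, and the user needs the manager-jmx role.

```shell
#!/bin/sh
# Added example (not from the thread): bounce a TLS connector through the
# Manager app's jmxproxy servlet so it re-initialises its TLS settings.
# Assumes the connector was configured with bindOnInit="false", e.g.
#   <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
#              bindOnInit="false" SSLEnabled="true" scheme="https" secure="true"
#              keystoreFile="conf/keystore.jks" keystorePass="changeit" />
# URL, user and password below are placeholders for this example.

MANAGER_URL="${MANAGER_URL:-http://localhost:8080/manager/jmxproxy/}"
MANAGER_USER="${MANAGER_USER:-jmxuser}"      # placeholder, needs role manager-jmx
MANAGER_PASS="${MANAGER_PASS:-changeme}"     # placeholder

# Percent-encode the characters that occur in a Tomcat ObjectName.
urlencode_objectname() {
    printf '%s' "$1" | sed -e 's/:/%3A/g' -e 's/=/%3D/g' -e 's/,/%2C/g'
}

# Build the jmxproxy query string that invokes an MBean operation.
# $1 = ObjectName, $2 = operation name, $3 = comma-separated params (optional)
build_invoke_query() {
    printf 'invoke=%s&op=%s&ps=%s' "$(urlencode_objectname "$1")" "$2" "${3:-}"
}

# Invoke one operation; jmxproxy answers with a line starting "OK - ..." on
# success and "FAIL - ..." otherwise, so anything but OK is an error here.
jmx_invoke() {
    resp=$(curl -s -u "$MANAGER_USER:$MANAGER_PASS" \
        "${MANAGER_URL}?$(build_invoke_query "$1" "$2" "$3")") || return 1
    printf '%s\n' "$resp"
    case "$resp" in
        OK*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Mark's sequence: stop() then start() on the connector MBean. Between the
# two calls the port is closed, so clients are refused for a moment.
reload_tls_connector() {   # $1 = connector port, default 8443
    mbean="Catalina:type=Connector,port=${1:-8443}"
    jmx_invoke "$mbean" stop  || return 1
    jmx_invoke "$mbean" start || return 1
}

# Tomcat 8.5 and later: the ProtocolHandler MBean exposes
# reloadSslHostConfigs(), which re-reads every SSLHostConfig's keystore
# without closing the port (no request gap).
reload_ssl_host_configs() {   # $1 = connector port, default 8443
    jmx_invoke "Catalina:type=ProtocolHandler,port=${1:-8443}" reloadSslHostConfigs
}

# Uncomment to run against a live Tomcat after the keystore has been replaced:
# reload_tls_connector 8443
```

The stop()/start() path is what Tomcat 8.0 offers; it works only because the connector keeps its TLS settings in memory and re-reads the keystore when it binds again. On 8.5 and later prefer reload_ssl_host_configs, which swaps certificates in place and avoids the rejected-request window Mark mentions.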
Updating SSL certificates
Out of morbid curiosity, is there a way to make a certificate update take effect without restarting Tomcat?

--
JHHL
RE: Multiple SSL certificates on one Instance
-----Original Message-----
From: Rory Kelly [mailto:rory.ke...@fernsoftware.com]
Sent: Monday, March 16, 2015 7:53 AM
To: Tomcat Users List
Subject: Multiple SSL certificates on one Instance

Hey guys,

I’ve a bad feeling what I’m trying to do is impossible, and I’m going to have to implement a different solution. Been hunting for an answer, but couldn’t find anything definite.

I’m running Tomcat 8.0.18, Java 1.7.0_75-b13, Ubuntu 14.04. I have multiple sites running on Virtual Hosts on the instance.

For a bit of background, I am intending on creating a 2-server load balanced system using nginx as a balancer on virtual servers (Best I can do, given our hosting/not possible to move away from it)

I need each site to be protected by its own SSL certificate, provided by the client for each site.

Can I actually have multiple SSL certs with Tomcat Virtual Hosts, or am I going to have to go learn nginx/httpd and provide it that way?

Thanks,
Rory

Rory -

The guys have all given some hints that this is probably coming, but not yet here. The rest of the answer depends on your ultimate requirements.

If you require that all the hosts are truly virtual, i.e. they all listen to the same IP-port combo, then it's definitely easier/better to terminate the SSL on your NGINX load-balancer, which presumably already has the needed support. There are some minor adjustments on the Tomcat connector config, but they are adequately explained in the Tomcat docs. Plus terminating on the load-balancer will save some processing cycles in Tomcat.

If you have the ability to assign multiple IP-port combos, then there's really only 1 way to do it on the Tomcat side: Create a unique Service tree for each host. This tree will have its own Engine, Connector, Valve, Host, etc. entries, basically everything you might need that can't be put at the Global level. Be sure to specify both an HTTP and HTTPS connector so that TRANSPORT GUARANTEE will function properly.

Trying to do it all inside one Service tree is just asking for trouble. If you go back in the archives a year or so, I think I posted a sample server.xml implementing the above.

Jeff
Re: Multiple SSL certificates on one Instance
Stefan,

On 3/16/15 5:03 PM, Stefan Frei wrote:
> 2 points:
>
> configure the reverse proxy is simpler.

s/simpler/possible/

> tomcat may be harder to troubleshoot issues.

Tomcat can't even do SNI at this point.

> i would take the proxy to do that, in fact we use squid rev-proxy to solve exactly the same problem.

It's nice not to have to introduce a reverse proxy unless it's actually necessary. Tomcat should really support SNI.

-chris

> 2015-03-16 14:16 GMT+01:00 Mark Thomas ma...@apache.org:
>> On 16/03/2015 12:53, Rory Kelly wrote:
>>> Hey guys,
>>>
>>> I’ve a bad feeling what I’m trying to do is impossible, and I’m going to have to implement a different solution. Been hunting for an answer, but couldn’t find anything definite.
>>>
>>> I’m running Tomcat 8.0.18, Java 1.7.0_75-b13, Ubuntu 14.04. I have multiple sites running on Virtual Hosts on the instance.
>>>
>>> For a bit of background, I am intending on creating a 2-server load balanced system using nginx as a balancer on virtual servers (Best I can do, given our hosting/not possible to move away from it)
>>>
>>> I need each site to be protected by its own SSL certificate, provided by the client for each site.
>>>
>>> Can I actually have multiple SSL certs with Tomcat Virtual Hosts, or am I going to have to go learn nginx/httpd and provide it that way?
>>
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=57108
>>
>> Mark
>>
>>> Thanks,
>>> Rory
Re: Multiple SSL certificates on one Instance
On 16/03/2015 12:53, Rory Kelly wrote:
> Hey guys,
>
> I’ve a bad feeling what I’m trying to do is impossible, and I’m going to have to implement a different solution. Been hunting for an answer, but couldn’t find anything definite.
>
> I’m running Tomcat 8.0.18, Java 1.7.0_75-b13, Ubuntu 14.04. I have multiple sites running on Virtual Hosts on the instance.
>
> For a bit of background, I am intending on creating a 2-server load balanced system using nginx as a balancer on virtual servers (Best I can do, given our hosting/not possible to move away from it)
>
> I need each site to be protected by its own SSL certificate, provided by the client for each site.
>
> Can I actually have multiple SSL certs with Tomcat Virtual Hosts, or am I going to have to go learn nginx/httpd and provide it that way?

https://bz.apache.org/bugzilla/show_bug.cgi?id=57108

Mark

> Thanks,
> Rory
Multiple SSL certificates on one Instance
Hey guys,

I’ve a bad feeling what I’m trying to do is impossible, and I’m going to have to implement a different solution. Been hunting for an answer, but couldn’t find anything definite.

I’m running Tomcat 8.0.18, Java 1.7.0_75-b13, Ubuntu 14.04. I have multiple sites running on Virtual Hosts on the instance.

For a bit of background, I am intending on creating a 2-server load balanced system using nginx as a balancer on virtual servers (Best I can do, given our hosting/not possible to move away from it)

I need each site to be protected by its own SSL certificate, provided by the client for each site.

Can I actually have multiple SSL certs with Tomcat Virtual Hosts, or am I going to have to go learn nginx/httpd and provide it that way?

Thanks,
Rory
Re: Multiple SSL certificates on one Instance
hi

2 points:

configure the reverse proxy is simpler.
tomcat may be harder to troubleshoot issues.

i would take the proxy to do that, in fact we use squid rev-proxy to solve exactly the same problem.

Regards
Stefan

2015-03-16 14:16 GMT+01:00 Mark Thomas ma...@apache.org:
> On 16/03/2015 12:53, Rory Kelly wrote:
>> Hey guys,
>>
>> I’ve a bad feeling what I’m trying to do is impossible, and I’m going to have to implement a different solution. Been hunting for an answer, but couldn’t find anything definite.
>>
>> I’m running Tomcat 8.0.18, Java 1.7.0_75-b13, Ubuntu 14.04. I have multiple sites running on Virtual Hosts on the instance.
>>
>> For a bit of background, I am intending on creating a 2-server load balanced system using nginx as a balancer on virtual servers (Best I can do, given our hosting/not possible to move away from it)
>>
>> I need each site to be protected by its own SSL certificate, provided by the client for each site.
>>
>> Can I actually have multiple SSL certs with Tomcat Virtual Hosts, or am I going to have to go learn nginx/httpd and provide it that way?
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=57108
>
> Mark
>
>> Thanks,
>> Rory
Re: Deploying .ca-bundle file .crt file as SSL certificates
On Wed, Nov 26, 2014 at 7:21 PM, Christopher Schultz ch...@christopherschultz.net wrote:
> To whom it may concern,
>
> On 11/26/14 12:00 PM, Kernel freak wrote:
>> On Wed, Nov 26, 2014 at 5:33 PM, Christopher Schultz ch...@christopherschultz.net wrote:
>>> To whom it may concern,
>>>
>>> On 11/26/14 9:03 AM, Kernel freak wrote:
>>>> After arguing with the admins for all this time, I finally have the few files ready. I have the following files :
>>>>
>>>> keystore.p12
>>>
>>> That should contain your key. Can you confirm that with a 'keytool -list'?
>>>
>>>> server.crt
>>>
>>> Is this the certificate that was signed by the CA?
>>
>> Yes, this is certificate signed by CA, but its a server certificate, the domain certificate is below.

This server.crt is provided by the hosting guys. I told them I will need a certificate for the server on which my domain is hosted, and i got this file.

> I have no idea what a domain certificate is. A cert is a cert, and it's signed by another cert all the way up to a root cert, known as a CA who has widespread trust.

Hi, Domain certificate is the one which I want to deploy. It is the one provided by CA authority.

>>>> ssl-cert-snakeoil.key
>>>
>>> Uh, oh. That looks like one of OpenSSL's built-in CAs that are used for documentation and instructional purposes. I hope this isn't being used for anything at all.
>>>
>>>> domainname.com.ca-bundle
>>>
>>> This should be the bundle of certificates for your domain, which may include intermediate certificates. Are you using your own internal CA or something?
>>>
>>>> domainname.com.crt
>>>
>>> Which certificate is this?
>>
>> This is the SSL certificate which has to be deployed.
>>
>>>> domainname.com.csr
>>>
>>> Is this the CSR that you generated yourself?
>>
>> No, this is also provided by hosting guys
>
> So, did your hosting guys generate everything for you, then? It's customary to create your own key and CSR and then merely have the CA sign the CSR which results in your certificate. You import your certificate and, if necessary, any intermediate certificates your clients will require to form a trust chain from your server's cert up to the root that the client trusts.

Hosting guys only generated the server.crt, and domainname.crt was provided by trusted authority. Can you tell me why the commands you provided/same on apache user guide are not working, showing me the error that unable to load certificates?

Thank you for your patience.
Re: Deploying .ca-bundle file .crt file as SSL certificates
Hello,

After arguing with the admins for all this time, I finally have the few files ready. I have the following files : keystore.p12, server.crt, ssl-cert-snakeoil.key, domainname.com.ca-bundle, domainname.com.crt, domainname.com.csr, domainname.com.key, vsftpd.pem.

I did the following as Christoph said:

root@domainname:/etc/ssl/private# openssl pkcs12 -export -in server.crt -inkey ssl-cert-snakeoil.key -certfile domainname.com.crt -out keystore.p12 -chain
(pressed enter here)
unable to load certificates // This is the error.

If i just plain import the .crt file like this :

keytool -import -alias tomcat -file domainname.com.crt -keystore /root/.keystore

Then firefox gives me this error :

An error occurred during a connection to domainname.com:8443. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.

On Tue, Nov 25, 2014 at 10:24 PM, Christopher Schultz ch...@christopherschultz.net wrote:
> To whom it may concern,
>
> On 11/25/14 3:32 AM, Kernel freak wrote:
>> I don't have the server.key and server.crt. I have root access to server, I can generate my own if necessary. I only have .crt and .ca-bundle file. Can you tell me what to do. Thank you very much for your help.
>
> If you don't have the server's key but you have the server's certificate, then you must start all over again because the key is half of a paired key.
>
> Did you generate the CSR yourself? With what key did you generate that CSR? If someone else generated the CSR, go ask them where the key is that they used.
>
> If you have lost the key then you must redo the whole process, starting with generating a new key and CSR, then get the CSR signed. Then, import the signed certificate back into the same keystore. Then, configure Tomcat to use that keystore.
>
> The instructions on the Tomcat users' guide are fairly straightforward even if they don't explain the intricacies of public key infrastructure -- that's outside the scope of the users' guide.
>
> Thanks,
> -chris
>
>> On Mon, Nov 24, 2014 at 7:48 PM, Christopher Schultz ch...@christopherschultz.net wrote:
>>> Niranjan,
>>>
>>> On 11/24/14 10:51 AM, Niranjan Babu Bommu wrote:
>>>> I think you have to create a keystore from the cert, please follow these instructions and let me know.
>>>>
>>>> Create store with temporary key inside:
>>>> keytool -genkey -alias <alias-name> -keystore yourkeystore.jks -storepass Hello1
>>>>
>>>> Then delete existing entry:
>>>> keytool -delete -alias temp -keystore yourkeystore.jks -storepass Hello1
>>>>
>>>> Now you've got empty store. You can check that it's empty:
>>>> keytool -list -keystore yourkeystore.jks -storepass Hello1
>>>>
>>>> Then import your certificate to the store:
>>>> keytool -import -alias <alias-name> -file cert_file.crt -keypass <keypass> -keystore yourkeystore.jks -storepass Hello1
>>>
>>> Nope: the existing key *and* cert need to be imported simultaneously into the keystore. If the OP already has a cert, he's already got a key, too.
>>>
>>> The problem is that you probably started with OpenSSL to generate your keys and stuff. Here is the proper procedure to import your key, certificate, and CA bundle into a Java keystore.
>>>
>>> You'll need these files:
>>>
>>> server.key (this is your server's secret key)
>>> server.crt (this is your server's certificate, signed by the CA)
>>> ca.crt (this is your CA's certificate)
>>>
>>> Here is the incantation:
>>>
>>> $ openssl pkcs12 -export -in server.crt -inkey server.key \
>>>     -certfile ca.crt -out keystore.p12 -chain
>>> $ $JAVA_HOME/bin/keytool -importkeystore -srckeystore keystore.p12 \
>>>     -srcstoretype pkcs12 \
>>>     -destkeystore keystore.jks
>>>
>>> Now, use keystore.jks in Tomcat's server.xml.
>>>
>>> If you already had created your key and cert request using Java's 'keytool', then you can instead just import the signed certificate into your keystore:
>>>
>>> $ $JAVA_HOME/bin/keytool -importcert -file server.crt \
>>>     -keystore keystore.jks \
>>>     -alias [alias]
>>>
>>> If you used an alias to create the certificate signing request (CSR), then use the same alias in the above command.
>>>
>>> -chris
Re: Deploying .ca-bundle file .crt file as SSL certificates
To whom it may concern,

On 11/26/14 9:03 AM, Kernel freak wrote:
> After arguing with the admins for all this time, I finally have the few files ready. I have the following files :
>
> keystore.p12

That should contain your key. Can you confirm that with a 'keytool -list'?

> server.crt

Is this the certificate that was signed by the CA?

> ssl-cert-snakeoil.key

Uh, oh. That looks like one of OpenSSL's built-in CAs that are used for documentation and instructional purposes. I hope this isn't being used for anything at all.

> domainname.com.ca-bundle

This should be the bundle of certificates for your domain, which may include intermediate certificates. Are you using your own internal CA or something?

> domainname.com.crt

Which certificate is this?

> domainname.com.csr

Is this the CSR that you generated yourself?

> domainname.com.key

Weird. Okay, I would expect domainname.com.key to have the key that was used to generate domainname.com.csr, and that domainname.com.crt is a signed version of that CSR. That should be all you need... I'm not sure what all the other stuff is.

> vsftpd.pem.

What is this?

> I did the following as Christoph said:
>
> root@domainname:/etc/ssl/private# openssl pkcs12 -export -in server.crt -inkey ssl-cert-snakeoil.key -certfile domainname.com.crt -out keystore.p12 -chain
> (pressed enter here)
> unable to load certificates // This is the error.

I think you might want to do this:

$ openssl pkcs12 -export -in domainname.com.crt \
    -inkey domainname.com.key \
    -certfile domainname.com.ca-bundle \
    -out keystore.p12 -chain
$ keytool -importkeystore -srckeystore keystore.p12 \
    -srcstoretype pkcs12 \
    -destkeystore keystore.jks

You are supposed to be able to use PKCS12 keystores directly with Tomcat, but IIRC it's a pain and a bit more finicky than with just a normal JKS-format keystore.

> If i just plain import the .crt file like this :
>
> keytool -import -alias tomcat -file domainname.com.crt -keystore /root/.keystore

A couple of things:

1. Don't run as root. Not for anything. Not even to run keytool.

2. Don't store your keystore under /root/.keystore, or you'll (likely) have to run Tomcat as root. You can put your keystore anywhere you want and point Tomcat to it explicitly.

3. If you import a certificate into a keystore and there is nothing else in it (the keystore), then you can't perform a handshake because the key is required for secure communication.

> Then firefox gives me this error :
>
> An error occurred during a connection to domainname.com:8443. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.

The no_cipher_overlap error is likely to be incorrect... the real problem is that the server can't decrypt the client's handshake because the key is unavailable.

I think you might need to get some help with this from someone else at your organization... someone who is a bit more versed in PKI and configuring TLS for web servers.

-chris

> On Tue, Nov 25, 2014 at 10:24 PM, Christopher Schultz ch...@christopherschultz.net wrote:
>> To whom it may concern,
>>
>> On 11/25/14 3:32 AM, Kernel freak wrote:
>>> I don't have the server.key and server.crt. I have root access to server, I can generate my own if necessary. I only have .crt and .ca-bundle file. Can you tell me what to do. Thank you very much for your help.
>>
>> If you don't have the server's key but you have the server's certificate, then you must start all over again because the key is half of a paired key.
>>
>> Did you generate the CSR yourself? With what key did you generate that CSR? If someone else generated the CSR, go ask them where the key is that they used.
>>
>> If you have lost the key then you must redo the whole process, starting with generating a new key and CSR, then get the CSR signed. Then, import the signed certificate back into the same keystore. Then, configure Tomcat to use that keystore.
>>
>> The instructions on the Tomcat users' guide are fairly straightforward even if they don't explain the intricacies of public key infrastructure -- that's outside the scope of the users' guide.
>>
>> Thanks,
>> -chris
>>
>>> On Mon, Nov 24, 2014 at 7:48 PM, Christopher Schultz ch...@christopherschultz.net wrote:
>>>> Niranjan,
>>>>
>>>> On 11/24/14 10:51 AM, Niranjan Babu Bommu wrote:
>>>>> I think you have to create a keystore from the cert, please follow these instructions and let me know.
>>>>>
>>>>> Create store with temporary key inside:
>>>>> keytool -genkey -alias <alias-name> -keystore yourkeystore.jks -storepass Hello1
>>>>>
>>>>> Then delete existing entry:
>>>>> keytool -delete -alias temp -keystore yourkeystore.jks -storepass Hello1
>>>>>
>>>>> Now you've got empty
Re: Deploying .ca-bundle file .crt file as SSL certificates
On Wed, Nov 26, 2014 at 5:33 PM, Christopher Schultz ch...@christopherschultz.net wrote:
> To whom it may concern,
>
> On 11/26/14 9:03 AM, Kernel freak wrote:
>> After arguing with the admins for all this time, I finally have the few files ready. I have the following files :
>>
>> keystore.p12
>
> That should contain your key. Can you confirm that with a 'keytool -list'?
>
>> server.crt
>
> Is this the certificate that was signed by the CA?

Yes, this is certificate signed by CA, but its a server certificate, the domain certificate is below.

>> ssl-cert-snakeoil.key
>
> Uh, oh. That looks like one of OpenSSL's built-in CAs that are used for documentation and instructional purposes. I hope this isn't being used for anything at all.
>
>> domainname.com.ca-bundle
>
> This should be the bundle of certificates for your domain, which may include intermediate certificates. Are you using your own internal CA or something?
>
>> domainname.com.crt
>
> Which certificate is this?

This is the SSL certificate which has to be deployed.

>> domainname.com.csr
>
> Is this the CSR that you generated yourself?

No, this is also provided by hosting guys

>> domainname.com.key
>
> Weird. Okay, I would expect domainname.com.key to have the key that was used to generate domainname.com.csr, and that domainname.com.crt is a signed version of that CSR. That should be all you need... I'm not sure what all the other stuff is.
>
>> vsftpd.pem.
>
> What is this?
>
>> I did the following as Christoph said:
>>
>> root@domainname:/etc/ssl/private# openssl pkcs12 -export -in server.crt -inkey ssl-cert-snakeoil.key -certfile domainname.com.crt -out keystore.p12 -chain
>> (pressed enter here)
>> unable to load certificates // This is the error.
>
> I think you might want to do this:
>
> $ openssl pkcs12 -export -in domainname.com.crt \
>     -inkey domainname.com.key \
>     -certfile domainname.com.ca-bundle \
>     -out keystore.p12 -chain
> $ keytool -importkeystore -srckeystore keystore.p12 \
>     -srcstoretype pkcs12 \
>     -destkeystore keystore.jks
>
> You are supposed to be able to use PKCS12 keystores directly with Tomcat, but IIRC it's a pain and a bit more finicky than with just a normal JKS-format keystore.
>
>> If i just plain import the .crt file like this :
>>
>> keytool -import -alias tomcat -file domainname.com.crt -keystore /root/.keystore
>
> A couple of things:
>
> 1. Don't run as root. Not for anything. Not even to run keytool.
>
> 2. Don't store your keystore under /root/.keystore, or you'll (likely) have to run Tomcat as root. You can put your keystore anywhere you want and point Tomcat to it explicitly.
>
> 3. If you import a certificate into a keystore and there is nothing else in it (the keystore), then you can't perform a handshake because the key is required for secure communication.
>
>> Then firefox gives me this error :
>>
>> An error occurred during a connection to domainname.com:8443. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
>
> The no_cipher_overlap error is likely to be incorrect... the real problem is that the server can't decrypt the client's handshake because the key is unavailable.
>
> I think you might need to get some help with this from someone else at your organization... someone who is a bit more versed in PKI and configuring TLS for web servers.

I have told you what key is for what, can you give me the updated commands please, unfortunately there is no one here who knows this.

> -chris
>
>> On Tue, Nov 25, 2014 at 10:24 PM, Christopher Schultz ch...@christopherschultz.net wrote:
>>> To whom it may concern,
>>>
>>> On 11/25/14 3:32 AM, Kernel freak wrote:
>>>> I don't have the server.key and server.crt. I have root access to server, I can generate my own if necessary. I only have .crt and .ca-bundle file. Can you tell me what to do. Thank you very much for your help.
>>>
>>> If you don't have the server's key but you have the server's certificate, then you must start all over again because the key is half of a paired key.
>>>
>>> Did you generate the CSR yourself? With what key did you generate that CSR? If someone else generated the CSR, go ask them where the key is that they used.
>>>
>>> If you have lost the key then you must redo the whole process, starting with generating a new key and CSR, then get the CSR signed. Then, import the signed certificate back into the same keystore. Then, configure Tomcat to use that keystore.
>>>
>>> The instructions on the Tomcat users' guide are fairly straightforward even if they don't explain the intricacies of public key infrastructure -- that's outside the scope of the users' guide.
>>>
>>> Thanks,
>>> -chris
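The openssl pkcs12 step Chris gives in this thread (the "incantation" in his first reply and the corrected command above), as an added, self-contained example that is not the list's own commands. It generates a throwaway CA, server key and CA-signed certificate so it runs offline, checks that the private key actually belongs to the certificate before bundling (Chris's corrected command pairs domainname.com.key with domainname.com.crt; the check here catches a key and certificate that do not belong together before openssl's less helpful error), and then confirms the resulting PKCS12 holds both the key and the certificate chain, which is what a handshake needs. It requires the openssl CLI; the temp directory, "Test CA" and site.example are constructed placeholders, and the export password is a sample value.

```shell
#!/bin/sh
# Added example (not the thread's own commands): build a test PKI, verify the
# key/certificate pairing, then bundle key + chain into a PKCS12 keystore.
# Requires openssl. All names and passwords below are placeholders.

WORK="${WORK:-$(mktemp -d)}"

# Constructed test material: CA key/cert, server key, CSR, CA-signed server
# cert, plus an unrelated key that plays the role of a mismatched .key file.
make_test_pki() {
    ( cd "$WORK" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test CA" \
          -keyout ca.key -out ca.crt 2>/dev/null &&
      openssl req -newkey rsa:2048 -nodes -subj "/CN=site.example" \
          -keyout server.key -out server.csr 2>/dev/null &&
      openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
          -days 365 -out server.crt 2>/dev/null &&
      openssl genrsa -out unrelated.key 2048 2>/dev/null )
}

# Return 0 only if the private key and the certificate carry the same public
# key (the "half of a paired key" Chris describes).  $1 = key, $2 = cert
key_matches_cert() {
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -in "$2" -noout 2>/dev/null || return 1
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Bundle key + cert + CA bundle into PKCS12 under alias "tomcat"; refuse a
# mismatched pair up front.  $1 key, $2 cert, $3 CA bundle, $4 output, $5 password
make_pkcs12() {
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    openssl pkcs12 -export -in "$2" -inkey "$1" -certfile "$3" \
        -name tomcat -out "$4" -passout "pass:$5" 2>/dev/null
}

# Count certificates / private keys inside the PKCS12: both must be present,
# because a certificate-only keystore cannot complete a TLS handshake.
p12_cert_count() {   # $1 = p12 file, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
p12_key_count() {    # $1 = p12 file, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -c 'BEGIN.*PRIVATE KEY'
}
```

After make_pkcs12 succeeds, either convert with Chris's keytool -importkeystore line into a JKS file, or point the Connector at the .p12 directly with keystoreType="PKCS12". Run make_test_pki, then make_pkcs12 "$WORK/server.key" "$WORK/server.crt" "$WORK/ca.crt" "$WORK/keystore.p12" changeit, and p12_cert_count / p12_key_count should report 2 and 1 respectively.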
Re: Deploying .ca-bundle file .crt file as SSL certificates
To whom it may concern,

On 11/26/14 12:00 PM, Kernel freak wrote:
> On Wed, Nov 26, 2014 at 5:33 PM, Christopher Schultz
> ch...@christopherschultz.net wrote:
> > To whom it may concern,
> >
> > On 11/26/14 9:03 AM, Kernel freak wrote:
> > > After arguing with the admins for all this time, I finally have the
> > > few files ready. I have the following files:
> > >
> > > keystore.p12
> >
> > That should contain your key. Can you confirm that with a 'keytool -list'?
> >
> > > server.crt
> >
> > Is this the certificate that was signed by the CA?
>
> Yes, this is the certificate signed by the CA, but it's a server
> certificate; the domain certificate is below.

I have no idea what a "domain certificate" is. A cert is a cert, and it's
signed by another cert all the way up to a root cert, known as a CA who has
widespread trust.

> > > ssl-cert-snakeoil.key
> >
> > Uh, oh. That looks like one of OpenSSL's built-in CAs that are used for
> > documentation and instructional purposes. I hope this isn't being used
> > for anything at all.
> >
> > > domainname.com.ca-bundle
> >
> > This should be the bundle of certificates for your domain, which may
> > include intermediate certificates. Are you using your own internal CA or
> > something?
> >
> > > domainname.com.crt
> >
> > Which certificate is this?
>
> This is the SSL certificate which has to be deployed.
>
> > > domainname.com.csr
> >
> > Is this the CSR that you generated yourself?
>
> No, this is also provided by the hosting guys.

So, did your hosting guys generate everything for you, then?

It's customary to create your own key and CSR and then merely have the CA
sign the CSR, which results in your certificate. You import your certificate
and, if necessary, any intermediate certificates your clients will require to
form a trust chain from your server's cert up to the root that the client
trusts.

> > > domainname.com.key
> >
> > Weird. Okay, I would expect domainname.com.key to have the key that was
> > used to generate domainname.com.csr, and that domainname.com.crt is a
> > signed version of that CSR. That should be all you need... I'm not sure
> > what all the other stuff is.
> >
> > > vsftpd.pem
> >
> > What is this?
>
> I did the following as Christopher said:
>
>   root@domainname:/etc/ssl/private# openssl pkcs12 -export -in server.crt \
>       -inkey ssl-cert-snakeoil.key -certfile domainname.com.crt \
>       -out keystore.p12 -chain
>   (pressed enter here)
>   unable to load certificates    // This is the error.

I think you might want to do this:

  $ openssl pkcs12 -export -in domainname.com.crt \
        -inkey domainname.com.key \
        -certfile domainname.com.ca-bundle \
        -out keystore.p12 -chain
  $ keytool -importkeystore -srckeystore keystore.p12 \
        -srcstoretype pkcs12 \
        -destkeystore keystore.jks

You are supposed to be able to use PKCS12 keystores directly with Tomcat, but
IIRC it's a pain and a bit more finicky than with just a normal JKS-format
keystore.

> If I just import the .crt file like this:
>
>   keytool -import -alias tomcat -file domainname.com.crt -keystore /root/.keystore

A couple of things:

1. Don't run as root. Not for anything. Not even to run keytool.

2. Don't store your keystore under /root/.keystore, or you'll (likely) have
   to run Tomcat as root. You can put your keystore anywhere you want and
   point Tomcat to it explicitly.

3. If you import a certificate into a keystore and there is nothing else in
   it (the keystore), then you can't perform a handshake because the key is
   required for secure communication.

> Then Firefox gives me this error:
>
>   An error occurred during a connection to domainname.com:8443.
>   Cannot communicate securely with peer: no common encryption algorithm(s).
>   (Error code: ssl_error_no_cypher_overlap)
>   The page you are trying to view cannot be shown because the authenticity
>   of the received data could not be verified. Please contact the website
>   owners to inform them of this problem.

The no_cipher_overlap error is likely to be incorrect... the real problem is
that the server can't decrypt the client's handshake because the key is
unavailable.

> > I think you might need to get some help with this from someone else at
> > your organization... someone who is a bit more versed in PKI and
> > configuring TLS for web servers.
>
> I have told you what key is for what, can you give me the updated commands
> please, unfortunately there is no one here who knows this.

I can't understand something on your behalf: you have to understand it
yourself. Once you understand what is going on, these commands will make
sense and you should be able to execute them without guessing. If you can't
figure it out, hire someone who already knows.

The only weird part about Java keystores is the use of an alias which allows
you to pack a keystore full of all kinds of goodies and then refer to
specific items by their names (I don't know why CN isn't a good enough
identifier, but I guess keystore wonks thought it would be a good idea). It's
not a bad idea to give every item in your keystore (key, certificate, etc.)
an alias so
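Added example, not from the thread and not Tomcat's own code: a small Java checker that opens the keystore produced by the openssl pkcs12 / keytool -importkeystore steps and reports what Tomcat's JSSE connector would find in it. It flags the case diagnosed above (an entry that is only a trusted certificate with no private key, so no handshake can complete), a key that does not open with the supplied password, and a chain that does not link up through the .ca-bundle intermediates. The class name KeystoreCheck and the command-line arguments (keystore path, type, password) are my own choices.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/*
 * KeystoreCheck (added example, not part of the thread or of Tomcat):
 * open a keystore and report whether a TLS server could actually use it.
 *
 *   java KeystoreCheck keystore.p12 PKCS12 changeit
 *   java KeystoreCheck keystore.jks JKS    changeit
 */
public class KeystoreCheck {

    /** Returns true if at least one entry has a readable private key and a linking chain. */
    public static boolean check(KeyStore ks, char[] password) throws Exception {
        boolean usable = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                // This is what 'keytool -import -file domainname.com.crt' alone produces:
                // a trustedCertEntry. Without the private key no handshake can complete.
                System.out.println(alias + ": trustedCertEntry only, no private key (unusable for serving TLS)");
                continue;
            }
            try {
                // Tomcat uses keystorePass for the key as well unless keyPass is set.
                ks.getKey(alias, password);
            } catch (UnrecoverableKeyException e) {
                System.out.println(alias + ": key entry present but not readable with this password");
                continue;
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                System.out.println(alias + ": private key without a certificate (import cert and key together)");
                continue;
            }
            boolean ok = true;
            for (int i = 0; i < chain.length; i++) {
                X509Certificate cert = (X509Certificate) chain[i];
                System.out.printf("%s[%d] subject=%s%n        issuer=%s%n        expires=%s%n",
                        alias, i, cert.getSubjectX500Principal(),
                        cert.getIssuerX500Principal(), cert.getNotAfter());
                try {
                    cert.checkValidity();
                } catch (Exception e) {
                    System.out.println("  not currently valid: " + e.getMessage());
                    ok = false;
                }
                if (i + 1 < chain.length) {
                    // Each certificate must be signed by the next one in the chain.
                    X509Certificate issuer = (X509Certificate) chain[i + 1];
                    try {
                        cert.verify(issuer.getPublicKey());
                    } catch (Exception e) {
                        System.out.println("  chain break: not signed by " + issuer.getSubjectX500Principal());
                        ok = false;
                    }
                }
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
            if (chain.length == 1 && !selfSigned) {
                // The server will send the leaf alone; clients that do not already hold the
                // intermediate cannot build a path (unless the CA signed the leaf directly).
                System.out.println("  leaf only: intermediates from the .ca-bundle were not imported"
                        + " (-certfile <bundle> -chain)");
            }
            usable |= ok;
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java KeystoreCheck <keystore> <PKCS12|JKS> <password>");
            System.exit(2);
        }
        char[] password = args[2].toCharArray();
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        System.exit(check(ks, password) ? 0 : 1);
    }
}
```

Exit status 0 means at least one entry is usable by the connector; run it against keystore.p12 before and after the keytool -importkeystore step to confirm nothing was lost in conversion.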
Re: Deploying .ca-bundle file .crt file as SSL certificates
Hello Christopher,

I don't have the server.key and server.crt. I have root access to the server;
I can generate my own if necessary. I only have the .crt and .ca-bundle
files. Can you tell me what to do? Thank you very much for your help.

On Mon, Nov 24, 2014 at 7:48 PM, Christopher Schultz
ch...@christopherschultz.net wrote:
> Nope: the existing key *and* cert need to be imported simultaneously into
> the keystore. If the OP already has a cert, he's already got a key, too.
>
> The problem is that you probably started with OpenSSL to generate your
> keys and stuff. Here is the proper procedure to import your key,
> certificate, and CA bundle into a Java keystore.
>
> You'll need these files:
>
>   server.key (this is your server's secret key)
>   server.crt (this is your server's certificate, signed by the CA)
>   ca.crt     (this is your CA's certificate)
>
> Here is the incantation:
>
>   $ openssl pkcs12 -export -in server.crt -inkey server.key \
>         -certfile ca.crt -out keystore.p12 -chain
>   $ $JAVA_HOME/bin/keytool -importkeystore -srckeystore keystore.p12 \
>         -srcstoretype pkcs12 \
>         -destkeystore keystore.jks
>
> Now, use keystore.jks in Tomcat's server.xml.
>
> If you had already created your key and cert request using Java's
> 'keytool', then you can instead just import the signed certificate into
> your keystore:
>
>   $ $JAVA_HOME/bin/keytool -importcert -file server.crt \
>         -keystore keystore.jks \
>         -alias [alias]
>
> If you used an alias to create the certificate signing request (CSR), then
> use the same alias in the above command.
>
> -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Deploying .ca-bundle file .crt file as SSL certificates
To whom it may concern,

On 11/25/14 3:32 AM, Kernel freak wrote:
> I don't have the server.key and server.crt. I have root access to the
> server; I can generate my own if necessary. I only have the .crt and
> .ca-bundle files. Can you tell me what to do? Thank you very much for
> your help.

If you don't have the server's key but you have the server's certificate,
then you must start all over again because the key is half of a paired key.

Did you generate the CSR yourself? With what key did you generate that CSR?
If someone else generated the CSR, go ask them where the key is that they
used.

If you have lost the key then you must redo the whole process, starting with
generating a new key and CSR, then get the CSR signed. Then, import the
signed certificate back into the same keystore. Then, configure Tomcat to use
that keystore. The instructions in the Tomcat users' guide are fairly
straightforward even if they don't explain the intricacies of public key
infrastructure -- that's outside the scope of the users' guide.

Thanks,
-chris
Deploying .ca-bundle file .crt file as SSL certificates
Hello friends,

I am using Apache Tomcat and I would like to deploy a Spring-MVC application
which I am working on. In it, via Spring-Security, I have specified to use
https, which requires installing the SSL certificate on the server. I am
running a Debian Wheezy server, and I have certificate files with the
extensions .crt and .ca-bundle. Unfortunately I cannot find any resources
which mention where and how to install these files. What I found was that
these files are meant for a web server. Is that correct? If yes, can I use
them to deploy these 2 files? Kindly let me know.

Also, if anyone can help me with one more problem I have posted on
StackOverflow:
http://stackoverflow.com/questions/27106983/configuring-apache-tomcat-to-start-webapp-by-default

Regards,
Kernel
Re: Deploying .ca-bundle file .crt file as SSL certificates
Hi Kernel,

I think you have to create a keystore from the cert, please follow these
instructions and let me know.

Create a store with a temporary key inside:

  keytool -genkey -alias temp -keystore yourkeystore.jks -storepass Hello1

Then delete the existing entry:

  keytool -delete -alias temp -keystore yourkeystore.jks -storepass Hello1

Now you've got an empty store. You can check that it's empty:

  keytool -list -keystore yourkeystore.jks -storepass Hello1

Then import your certificate into the store:

  keytool -import -alias <alias name> -file cert_file.crt -keypass <keypass> \
      -keystore yourkeystore.jks -storepass Hello1

Thanks
Niranjan

On Mon, Nov 24, 2014 at 10:13 AM, Kernel freak kernelfr...@gmail.com wrote:
> Hello friends,
>
> I am using Apache Tomcat and I would like to deploy a Spring-MVC
> application which I am working on. In it, via Spring-Security, I have
> specified to use https, which requires installing the SSL certificate on
> the server. I am running a Debian Wheezy server, and I have certificate
> files with the extensions .crt and .ca-bundle. Unfortunately I cannot find
> any resources which mention where and how to install these files. What I
> found was that these files are meant for a web server. Is that correct? If
> yes, can I use them to deploy these 2 files? Kindly let me know.
>
> Also, if anyone can help me with one more problem I have posted on
> StackOverflow:
> http://stackoverflow.com/questions/27106983/configuring-apache-tomcat-to-start-webapp-by-default
>
> Regards,
> Kernel

--
Thanks
Niranjan
+1 781.956.6900
Re: Deploying .ca-bundle file .crt file as SSL certificates
Thank you, and what about the CA-Bundle file? Did you get a chance to look at
the question I posted on Stackoverflow, mentioned in the original question?

On Mon, Nov 24, 2014 at 4:51 PM, Niranjan Babu Bommu
niranjan.bo...@gmail.com wrote:
> Hi Kernel,
>
> I think you have to create a keystore from the cert, please follow these
> instructions and let me know.
>
> Create a store with a temporary key inside:
>
>   keytool -genkey -alias temp -keystore yourkeystore.jks -storepass Hello1
>
> Then delete the existing entry:
>
>   keytool -delete -alias temp -keystore yourkeystore.jks -storepass Hello1
>
> Now you've got an empty store. You can check that it's empty:
>
>   keytool -list -keystore yourkeystore.jks -storepass Hello1
>
> Then import your certificate into the store:
>
>   keytool -import -alias <alias name> -file cert_file.crt -keypass <keypass> \
>       -keystore yourkeystore.jks -storepass Hello1
>
> Thanks
> Niranjan
Re: Deploying .ca-bundle file .crt file as SSL certificates
Sorry, I did not notice that.

- Import a root or intermediate CA certificate into an existing Java keystore:

  keytool -import -trustcacerts -alias root -file ca.crt -keystore yourkeystore.jks

On Mon, Nov 24, 2014 at 11:02 AM, Kernel freak kernelfr...@gmail.com wrote:
> Thank you, and what about the CA-Bundle file? Did you get a chance to look
> at the question I posted on Stackoverflow, mentioned in the original
> question?

--
Thanks
Niranjan
+1 781.956.6900
Re: Deploying .ca-bundle file .crt file as SSL certificates
I have added the certificate. I modified the server.xml code to add the
following lines:

  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="/root/.keystore"
             keystorepass="password for keystore" />

Now when I open the application, it redirects to https, but it says "unable
to connect, your connection to this website may not be encrypted". What am I
doing wrong?

On Mon, Nov 24, 2014 at 5:20 PM, Niranjan Babu Bommu
niranjan.bo...@gmail.com wrote:
> Sorry, I did not notice that.
>
> - Import a root or intermediate CA certificate into an existing Java
>   keystore:
>
>   keytool -import -trustcacerts -alias root -file ca.crt -keystore yourkeystore.jks
Re: Deploying .ca-bundle file .crt file as SSL certificates
Are you able to see the 8443 port listening?

  nc -z ipaddress 8443

On Mon, Nov 24, 2014 at 11:25 AM, Kernel freak kernelfr...@gmail.com wrote:
> I have added the certificate. I modified the server.xml code to add the
> following lines:
>
>   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>              maxThreads="150" scheme="https" secure="true"
>              clientAuth="false" sslProtocol="TLS"
>              keystoreFile="/root/.keystore"
>              keystorepass="password for keystore" />
>
> Now when I open the application, it redirects to https, but it says
> "unable to connect, your connection to this website may not be encrypted".
> What am I doing wrong?

--
Thanks
Niranjan
+1 781.956.6900
Re: Deploying .ca-bundle file .crt file as SSL certificates
It works for me with this conf.

  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             address="IPADDRESS" executor="THREADNAME"
             scheme="https" secure="true"
             keystoreFile="PATH of keystore file" keystorePass="PASSWRD"
             sslProtocol="TLSv1" />

On Mon, Nov 24, 2014 at 11:27 AM, Niranjan Babu Bommu
niranjan.bo...@gmail.com wrote:
> Are you able to see the 8443 port listening?
>
>   nc -z ipaddress 8443

--
Thanks
Niranjan
+1 781.956.6900
Re: Deploying .ca-bundle file .crt file as SSL certificates
Niranjan,

On 11/24/14 10:51 AM, Niranjan Babu Bommu wrote:
> I think you have to create a keystore from the cert, please follow these
> instructions and let me know.
>
> Create a store with a temporary key inside:
>
>   keytool -genkey -alias temp -keystore yourkeystore.jks -storepass Hello1
>
> Then delete the existing entry:
>
>   keytool -delete -alias temp -keystore yourkeystore.jks -storepass Hello1
>
> Now you've got an empty store. You can check that it's empty:
>
>   keytool -list -keystore yourkeystore.jks -storepass Hello1
>
> Then import your certificate into the store:
>
>   keytool -import -alias <alias name> -file cert_file.crt -keypass <keypass> \
>       -keystore yourkeystore.jks -storepass Hello1

Nope: the existing key *and* cert need to be imported simultaneously into the
keystore. If the OP already has a cert, he's already got a key, too.

The problem is that you probably started with OpenSSL to generate your keys
and stuff. Here is the proper procedure to import your key, certificate, and
CA bundle into a Java keystore.

You'll need these files:

  server.key (this is your server's secret key)
  server.crt (this is your server's certificate, signed by the CA)
  ca.crt     (this is your CA's certificate)

Here is the incantation:

  $ openssl pkcs12 -export -in server.crt -inkey server.key \
        -certfile ca.crt -out keystore.p12 -chain
  $ $JAVA_HOME/bin/keytool -importkeystore -srckeystore keystore.p12 \
        -srcstoretype pkcs12 \
        -destkeystore keystore.jks

Now, use keystore.jks in Tomcat's server.xml.

If you had already created your key and cert request using Java's 'keytool',
then you can instead just import the signed certificate into your keystore:

  $ $JAVA_HOME/bin/keytool -importcert -file server.crt \
        -keystore keystore.jks \
        -alias [alias]

If you used an alias to create the certificate signing request (CSR), then
use the same alias in the above command.

-chris
RE: SSL Certificates
Thanks Chris!

I want to get the public/private keys from WebSphere and import them into
Tomcat. We have WebSphere certificates (signed by Verisign) valid until 2015
and we want to use the same in Tomcat.

When I create a keystore (keytool -genkey -alias tomcat -keyalg RSA -keystore
/opt/tomcat/SSL/tomcat.keystore), a keystore is getting created. But I'm
unable to import the certificates into it.

Is there any document or documentation which might be helpful? Could you
please let me know?

Thanks.

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Monday, March 31, 2014 2:58 PM
To: Tomcat Users List
Subject: Re: SSL Certificates

Nithun,

On 3/31/14, 10:19 AM, Bomma, Nithun wrote:
> Hello,
>
> We are using WebSphere v6.1 for SSO and we are moving to ForgeRock, and it
> uses Apache Tomcat (v7.0.37).
>
> We are trying to import the certificates (Verisign) including the chain
> certificates from WebSphere to Tomcat. Have any of you done this before?
> If yes, could you help us out?

Websphere probably should be using Java keystores. You should just be able to
use the same keystore, although something might need to be re-named or
something.

Save yourself a huge headache and use Portecle:
http://portecle.sourceforge.net/

You should be able to take your server key and issued certificate and create
a new Java Keystore to use with the BIO or NIO connectors. If you are using
APR, then you will have to export your key and certificate to individual
files and configure them appropriately.

Hope that helps,
-chris
Re: SSL Certificates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Nithun, On 4/1/14, 4:02 PM, Bomma, Nithun wrote: I want to get public private keys from WebSphere and import into Tomcat. We have WebSphere certificates (Signed by Verisign) until 2015 and we want to use the same in tomcat. Where are the keys, now? Are they in a keystore? If so, open that keystore and export the key and certificate. Then, import them into another keystore for use with Tomcat. When I create a keystore (keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/tomcat/SSL/tomcat.keystore), a keystore is getting created. But I'm unable to import the certificates into it. You don't want to use genkey because that will create a new key. You already have a key. You want to import from an existing keystore into a new one. Is there any document or documentation which might be helpful? Could you please let me know? Did you try Googling for export websphere certificate into tomcat? We don't exactly document that procedure in the Tomcat documentation. You can probably go back to VeriSign and ask for the certificate again, then import that into your keystore. As for the server key, you're going to have to get that from wherever Websphere keeps it. 
-chris
SSL Certificates
Hello,

We are using WebSphere v6.1 for SSO and we are moving to ForgeRock, which uses Apache Tomcat (v7.0.37). We are trying to import the certificates (Verisign), including the chain certificates, from WebSphere to Tomcat. Have any of you done this before? If yes, could you help us out?

Thanks,
Nithun
Re: SSL Certificates
On Mon, Mar 31, 2014 at 7:19 AM, Bomma, Nithun nithun.bo...@amtrak.com wrote:
> Hello,
>
> We are using WebSphere v6.1 for SSO and we are moving to ForgeRock, which uses Apache Tomcat (v7.0.37). We are trying to import the certificates (Verisign), including the chain certificates, from WebSphere to Tomcat. Have any of you done this before? If yes, could you help us out?
>
> Thanks,
> Nithun

It's all right here: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Installing_a_Certificate_from_a_Certificate_Authority

Where do you need help specifically?
RE: SSL Certificates
Thanks Leo!

I don't want to create a new CSR, since the certificate with WebSphere exists until 2015. I just want to export the certificate with its chain from WebSphere and import it into Tomcat directly. Any thoughts?

Thanks,
Nithun Bomma
WebSphere Administrator
Amtrak - Information Technology (Operations)
AIM: nithunbomma
EMAIL: nithun.bo...@amtrak.com
Desk: 215-349-2065; ATS: 728-2065; Cell: 215-704-4981

-----Original Message-----
From: Leo Donahue [mailto:donahu...@gmail.com]
Sent: Monday, March 31, 2014 10:39 AM
To: Tomcat Users List
Subject: Re: SSL Certificates

> It's all right here: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Installing_a_Certificate_from_a_Certificate_Authority
>
> Where do you need help specifically?
Re: SSL Certificates
Hi,

If your certificate need not be changed, then you need not create a new Certificate Signing Request (CSR) to get a new certificate, but only do the "Importing the Certificate" part of the description: import the chain certificate, then your existing certificate.

Wolfgang

2014-03-31 16:45 GMT+02:00 Bomma, Nithun nithun.bo...@amtrak.com:
> Thanks Leo!
>
> I don't want to create a new CSR, since the certificate with WebSphere exists until 2015. I just want to export the certificate with its chain from WebSphere and import it into Tomcat directly. Any thoughts?
Re: SSL Certificates
On 3/31/14 10:32 AM, Blume Wolfgang wrote:
> If your certificate need not be changed, then you need not create a new Certificate Signing Request (CSR) to get a new certificate, but only do the "Importing the Certificate" part of the description: import the chain certificate, then your existing certificate.

Of course, that presupposes that you can export the certificate in a format that Tomcat can use.

If we're talking WebSphere on an AS/400, it probably uses DCM. And if we're talking Tomcat on an AS/400, the only option I'm aware of is a Java keystore. And if there's a way to get from the former to the latter, I wouldn't mind knowing about it myself: we've had customers jump the gun and generate DCM-compatible certificates, not knowing that Tomcat didn't use them.

--
JHHL
Re: SSL Certificates
Nithun,

On 3/31/14, 10:19 AM, Bomma, Nithun wrote:
> We are using WebSphere v6.1 for SSO and we are moving to ForgeRock, which uses Apache Tomcat (v7.0.37). We are trying to import the certificates (Verisign), including the chain certificates, from WebSphere to Tomcat. Have any of you done this before? If yes, could you help us out?

WebSphere probably should be using Java keystores. You should just be able to use the same keystore, although something might need to be re-named or something.

Save yourself a huge headache and use Portecle: http://portecle.sourceforge.net/

You should be able to take your server key and issued certificate and create a new Java Keystore to use with the BIO or NIO connectors. If you are using APR, then you will have to export your key and certificate to individual files and configure them appropriately.

Hope that helps,

-chris
Re: SSL certificates
Hi James,

Thanks a lot. I followed your steps, but it seems I am getting a different error, as if the signed certificate is not DNS based. The original self-signed certificate worked fine in DNS-based format for keytool when I imported it into the client keystore. Below I created the self-signed cert and the CSR for signing:

keytool -genkey -keyalg RSA -alias tomcat -keystore ${prefix}_keystore_dns.jks -storepass $storepw -keysize 1024 -ext san=dns:$host $setup$machine
keytool -certreq -keyalg RSA -alias tomcat -file certreq${prefix}_dns.csr -keystore ${prefix}_keystore_dns.jks $storepw

The $host has been set to mhoodws.ril.local. I suppose that during certreq I do not have to use -ext san=dns:$host.

Below are the keystore entries after I imported as per your instructions.

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

mhoodws.ril.local, Jan 17, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): 1E:C9:5E:FB:2F:6A:0B:27:BA:36:14:76:8B:5A:48:F7:4D:02:60:73
root, Jan 17, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): 42:38:43:DA:10:D5:E2:C9:20:69:6B:9D:98:4D:9D:B6:38:88:44:CE
tomcat, Dec 25, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): E0:58:FD:D8:0B:9E:FE:B5:9B:37:71:3E:00:59:2B:24:EC:27:C6:15

The catalina.out complains with an SSL handshake error stating "No name matching mhoodws.ril.local found". I have defined that mhoodws.ril.local entry in /etc/hosts too. Could it be that the signing step done by the CA also needs to do a DNS entry like I did?

Regards,
Miten.

On Thu, Jan 16, 2014 at 10:37 PM, James H. H. Lampert jam...@touchtonecorp.com wrote:
> On 1/16/14 9:01 AM, Miten Mehta wrote:
>> 1) I create a jks using a self-signed certificate using keytool.
>> 2) I generate a CSR from that keystore/certificate.
>> 3) I get it signed by the CA, who gives me a root certificate and a signed certificate.
>
> So far, so good.
>
>> 4) I need to delete the existing certificate from the keystore and then import the root and signed one?
>
> NO! ABSOLUTELY NOT! You import the signed certificate into THE SAME KEYSTORE, UNDER THE SAME ALIAS, *ON TOP OF* THE UNSIGNED CERTIFICATE! Not only will it not complain; it is the ONLY way to apply the CSR reply.
>
> --
> James H. H. Lampert
> Touchtone Corporation
Re: SSL certificates
Miten,

On 17.1.2014 14:33, Miten Mehta wrote:
> The catalina.out complains with an SSL handshake error stating "No name matching mhoodws.ril.local found".

For security reasons, a CA shouldn't sign any certificate containing an internal server name (either as CN, or subjectAltName):

  As of July 1, 2012, all CAs were required to notify customers applying for internal name certificates that the use of such certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016.

https://cabforum.org/internal-names/

So, I guess your CA removed subjectAltName while signing the certificate, and also failed to notify you about the removal.

-Ognjen
Re: SSL certificates
What's the alternative to using subjectAltName? I thought it was flexible to make the certificate portable across our development environments. Should I use the IP (internal) instead?

- Miten.

On Jan 17, 2014 7:31 PM, Ognjen Blagojevic ognjen.d.blagoje...@gmail.com wrote:
> For security reasons, a CA shouldn't sign any certificate containing an internal server name (either as CN, or subjectAltName).
>
> So, I guess your CA removed subjectAltName while signing the certificate, and also failed to notify you about the removal.
Re: SSL certificates
If I remove the internal /etc/hosts lookup entry, should it resolve, or do you mean the CA just dropped subjectAltName even though I included it?

- miten

On Jan 17, 2014 7:31 PM, Ognjen Blagojevic ognjen.d.blagoje...@gmail.com wrote:
> So, I guess your CA removed subjectAltName while signing the certificate, and also failed to notify you about the removal.
Re: SSL certificates
Hi Ognjen,

Reading the PDF link you provided, it seems that I should use IP-based certificates, and for each different IP which needs a certificate I will have to request one. I should use -ext san=ip:$ip instead of -ext san=dns:$host. Then the CA will not drop the details.

Regards,
Miten.

On Fri, Jan 17, 2014 at 7:30 PM, Ognjen Blagojevic ognjen.d.blagoje...@gmail.com wrote:
> So, I guess your CA removed subjectAltName while signing the certificate, and also failed to notify you about the removal.
Re: SSL certificates
At this point, if you haven't already done so, I would strongly suggest getting your CA's tech support in on this.

Of course, your latest posts also beg the question of why you would be spending good money on a signed SSL certificate for an internal web site, or why you'd be using an internal URL for a web site that's visible to the outside, but I don't know your exact situation, so I'm certainly not denying that you have a reason.

--
JHHL
Re: SSL certificates
On 17.1.2014 19:14, James H. H. Lampert wrote:
> At this point, if you haven't already done so, I would strongly suggest getting your CA's tech support in on this.

+1

Reserved IP addresses and internal server names are not unique on the Internet, so certificates for them may be reused in different places, which is a security problem. Imagine you get a certificate for IP 192.168.0.1 or for the internal server name server.local, or worse, a wildcard certificate *.local. That certificate may be reused on any local network that uses that same IP address or server name, e.g. for a man-in-the-middle attack. The user of such a network will hardly notice that the certificate is from a completely different network. Therefore I believe that it is reasonable for any CA to treat internal server names and reserved IP addresses as two faces of the same problem.

However, on second reading I noticed that the Baseline Requirements say that CAs shall sign the certificate with either or both of them, but that the certificate must expire before 1 November 2015. So check your CSR expiration date and, as James recommends, your CA's policy on that matter.

-Ognjen
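The check behind the "No name matching mhoodws.ril.local found" error in this thread, as an added example that is not part of the list discussion: a POSIX shell helper that lists the DNS names in a certificate's subjectAltName and tests whether they cover the host Tomcat serves, so a CA reply that came back without the SAN that was requested is caught before it goes into the keystore. It assumes an openssl binary of version 1.1.1 or newer on the PATH (for `x509 -ext`); the host names are constructed samples, and the wildcard rule is the usual one of a single leftmost wildcard label covering exactly one label.

```shell
#!/bin/sh
# Added example (not from the list thread): confirm that a certificate's
# subjectAltName covers the host Tomcat serves before importing it.
# Assumes openssl 1.1.1+ for `x509 -ext`. Host names are constructed samples.

# Print the DNS names in the certificate's subjectAltName, one per line
# (nothing if the extension is absent, e.g. a CA stripped it from the reply).
cert_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Match one certificate name against a host (case-insensitive): exact match,
# or a wildcard only in the leftmost label covering exactly one label, so
# "*.ril.local" matches "mhoodws.ril.local" but not "a.b.ril.local" or "ril.local".
name_matches() {
    pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        '*.'*)
            suffix=${pat#\*}          # ".ril.local"
            rest=${host#*.}           # host minus its first label
            [ "$rest" != "$host" ] && [ ".$rest" = "$suffix" ]
            ;;
        *)
            [ "$pat" = "$host" ]
            ;;
    esac
}

# Exit 0 when some SAN DNS entry in certificate $1 covers host $2; otherwise
# report what the certificate does carry (to stderr) and exit 1. An empty SAN
# here is what a client reports as "No name matching <host> found".
# Runs in a subshell so `set -f` (no globbing of "*.example" names) stays local.
cert_covers_host() (
    set -f
    names=$(cert_dns_names "$1")
    for n in $names; do
        name_matches "$n" "$2" && exit 0
    done
    echo "no subjectAltName DNS entry in $1 matches $2; present: ${names:-(none)}" >&2
    exit 1
)
```

Run `cert_covers_host reply.cer mhoodws.ril.local` on the CA's reply before importing it; if it prints "present: (none)", the SAN was dropped at signing time, and the resulting keystore will produce exactly the handshake error quoted above no matter how the import is done.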
SSL certificates
Hi,

I am trying to understand SSL for Tomcat using http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html.

1) I create a jks using a self-signed certificate using keytool.
2) I generate a CSR from that keystore/certificate.
3) I get it signed by the CA, who gives me a root certificate and a signed certificate.
4) I need to delete the existing certificate from the keystore and then import the root and signed one?

The docs do not mention deleting the existing certificate; then if I import it for the same alias, won't it complain? Do I need to keep the existing certificate and import the new one under a new alias? Will the existing one become redundant?

Regards,
Miten
Re: SSL certificates
On 1/16/14 9:01 AM, Miten Mehta wrote:
> Hi,
>
> I am trying to understand SSL for Tomcat using http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html.
>
> 1) I create a jks using a self-signed certificate using keytool.
> 2) I generate a CSR from that keystore/certificate.
> 3) I get it signed by the CA, who gives me a root certificate and a signed certificate.

So far, so good.

> 4) I need to delete the existing certificate from the keystore and then import the root and signed one?

NO! ABSOLUTELY NOT! You import the signed certificate into THE SAME KEYSTORE, UNDER THE SAME ALIAS, *ON TOP OF* THE UNSIGNED CERTIFICATE! Not only will it not complain; it is the ONLY way to apply the CSR reply.

--
James H. H. Lampert
Touchtone Corporation
Re: SSL certificates
Hi,

Adding more clarification for ease below.

1) create keystore.jks with self-signed cert (alias tomcat).
2) generate old.csr and send for signing to CA
3) get back new.cer (signed certificate) and root.cer (root certificate)
4) delete existing cert from keystore.jks (alias tomcat)
5) import root cert (alias root)
6) import new cert (alias tomcat)

From server.xml, now in the connector entry for SSL use alias tomcat to refer to it. Earlier, when there was only tomcat (no root), the alias might not have been needed, but now since there are two certs we need the alias.

Regards,
Miten.
Re: SSL certificates
Hi,

Step #4 is not correct; if you delete the existing certificate you would have lost everything. Please follow the instruction given by James H. H. Lampert.

Thanks,
Ike

From: Miten Mehta indiami...@gmail.com
To: users@tomcat.apache.org
Date: 01/16/2014 11:09 AM
Subject: Re: SSL certificates

> 1) create keystore.jks with self-signed cert (alias tomcat).
> 2) generate old.csr and send for signing to CA
> 3) get back new.cer (signed certificate) and root.cer (root certificate)
> 4) delete existing cert from keystore.jks (alias tomcat)
> 5) import root cert (alias root)
> 6) import new cert (alias tomcat)
Re: SSL certificates
> Will the existing one become redundant?

NO, the SIGNED certificate will, at least in effect, be MERGED with the original certificate. Deleting the original certificate from the keystore before importing the signed one will render the signed certificate WORTHLESS.

--
James H. H. Lampert
Re: SSL certificates
Miten,

On 1/16/14, 12:09 PM, Miten Mehta wrote:
> Hi,
>
> Adding more clarification for ease below.
>
> 1) create keystore.jks with self-signed cert (alias tomcat).

Why are you self-signing a certificate if you are going to get it signed by a CA?

> 2) generate old.csr and send for signing to CA
> 3) get back new.cer (signed certificate) and root.cer (root certificate)
> 4) delete existing cert from keystore.jks (alias tomcat)
> 5) import root cert (alias root)
> 6) import new cert (alias tomcat)

You should be able to create a server key, then a CSR. I happen to hate keytool (and Java key stores in general) so I avoid it whenever possible, but I'd be surprised if you couldn't create a CSR without creating a self-signed certificate in the process.

-chris
Re: SSL certificates
On 1/16/14 1:49 PM, Christopher Schultz wrote:
> Why are you self-signing a certificate if you are going to get it signed by a CA?

A newly-created keypair in a Java keystore is, by definition, a self-signed certificate. And you can't create a CSR without having a keypair from which to create it.

One suggestion: If you haven't done this dozens of times, or don't do it several times a year, or haven't done it for a particular CA, MAKE AT LEAST ONE BACKUP COPY OF YOUR KEYSTORE BEFORE YOU SUBMIT YOUR CSR TO THE CA! That way (and I've been there a number of times), if you screw up your keystore while trying to install the signed certificate, you can try again. You really don't want to pay the fee to the CA, and then find out you've screwed up something that you have no way of unscrewing.

Also: if by any chance you're running Tomcat on an AS/400, you want to do this whole process on something else entirely, and then FTP your keystore into place on the 400. Keytool does NOT work well on AS/400s, and I haven't the slightest idea why.

--
James H. H. Lampert
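The round trip James describes (key pair and self-signed entry, CSR, CA reply imported under the same alias), with his backup step, as an added example that is neither the list's nor the Tomcat project's code. It uses keytool only; a throwaway keytool-generated CA signs the CSR in place of a real CA, and the host name, aliases and password are constructed sample values. The `keystore_summary` helper reads `keytool -list -v` output (English locale assumed) and prints one line per entry with its type and chain length, which is how to tell a reply that landed on the key entry (PrivateKeyEntry, chain length 2) from one that was imported beside it as a separate trustedCertEntry.

```shell
#!/bin/sh
# Added example (not from the list thread): the keytool round trip discussed
# above, with a backup before the CSR is submitted and the CA reply imported
# under the SAME alias as the key pair. A throwaway keytool CA stands in for
# the real CA; HOST, the aliases and STOREPASS are constructed sample values.

STOREPASS=changeit
HOST=mhoodws.example

# Summarise `keytool -list -v` output (English locale) read from stdin as
# "<alias> <entry type> <chain length>", one line per entry. A reply that was
# applied correctly shows as "tomcat PrivateKeyEntry 2"; one imported under a
# new alias shows up as an extra trustedCertEntry while "tomcat" stays at 1.
keystore_summary() {
    awk '/^Alias name:/               { alias = $3 }
         /^Entry type:/               { type = $3 }
         /^Certificate chain length:/ { print alias, type, $4 }
         /^Certificate fingerprint/ && type == "trustedCertEntry" {
             print alias, type, 1; type = ""
         }'
}

# Stand-in CA: a self-signed CA key pair plus its exported root certificate.
make_test_ca() {
    keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -dname 'CN=Throwaway Test CA' \
        -ext bc:c -validity 30 -keystore ca.jks -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -exportcert -alias ca -rfc -file root.cer -keystore ca.jks -storepass "$STOREPASS"
}

# Steps 1-2: key pair (keytool wraps it in a self-signed certificate) and CSR.
# The keystore is copied aside first: it holds the only copy of the private
# key that the CA's reply will match.
make_csr() {
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -dname "CN=$HOST" \
        -ext "san=dns:$HOST" -validity 30 -keystore keystore.jks \
        -storepass "$STOREPASS" -keypass "$STOREPASS"
    cp keystore.jks "keystore.jks.bak-$(date +%Y%m%d)"
    keytool -certreq -alias tomcat -file tomcat.csr -keystore keystore.jks -storepass "$STOREPASS"
}

# Step 3, done by the CA: sign the CSR (the SAN has to be carried over here).
sign_csr() {
    keytool -gencert -alias ca -infile tomcat.csr -outfile tomcat.cer -rfc \
        -ext "san=dns:$HOST" -validity 30 -keystore ca.jks -storepass "$STOREPASS"
}

# Steps 5-6: the root under its own alias, then the reply on top of the
# existing "tomcat" entry. Nothing is deleted; keytool swaps the self-signed
# certificate for the CA-signed chain and keeps the private key.
install_reply() {
    keytool -importcert -noprompt -alias root -file root.cer -keystore keystore.jks -storepass "$STOREPASS"
    keytool -importcert -noprompt -alias tomcat -file tomcat.cer -keystore keystore.jks -storepass "$STOREPASS"
}

# Whole round trip in a scratch directory (subshell, so the caller's cwd and
# options are untouched). Prints the summary; exit 0 only when "tomcat" is a
# PrivateKeyEntry with a two-certificate chain.
csr_round_trip() (
    set -e
    cd "$(mktemp -d)"
    make_test_ca >/dev/null 2>&1
    make_csr >/dev/null 2>&1
    sign_csr >/dev/null 2>&1
    install_reply >/dev/null 2>&1
    keytool -list -v -keystore keystore.jks -storepass "$STOREPASS" 2>/dev/null \
        | keystore_summary | tee summary.txt
    grep -q '^tomcat PrivateKeyEntry 2$' summary.txt
)
```

Against a real CA, `sign_csr` is replaced by submitting `tomcat.csr` and saving the reply as `tomcat.cer`; everything else stays the same, and `keystore_summary` applied to the production keystore is the check to run before restarting Tomcat.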
Re: SSL certificates
James,

On 1/16/14, 5:04 PM, James H. H. Lampert wrote:
> On 1/16/14 1:49 PM, Christopher Schultz wrote:
>> Why are you self-signing a certificate if you are going to get it signed by a CA?
>
> A newly-created keypair in a Java keystore is, by definition, a self-signed certificate.

That's probably one of the reasons I'm continually confused by using keytool... generating an RSA key pair should never require the creation of a certificate. *shrugs*

> And you can't create a CSR without having a keypair from which to create it.

That is always true. But you don't need a certificate to create a CSR.

-chris
Re: SSL certificates
Christopher Schultz wrote:
> That is always true. But you don't need a certificate to create a CSR.

*shrug* If Keytool and the Java Keystore format even recognize any difference between the concepts of keypair and self-signed certificate, it would be news to me. *shrug*

Speaking as one who regularly installs (and secures) Tomcat on AS/400s (in fact, that's the only platform I can recall EVER personally installing it on, because I have colleagues who know how to do it on other platforms): the messes people can make for themselves by misunderstanding the subtleties of Keytool are nothing, compared to the mess people can make for themselves trying to use IBM's Digital Certificate Manager to secure Tomcat on their 400s (hint: DCM and Tomcat are completely incompatible with each other).

--
JHHL
Re: SSL certificates
James,

On 1/16/14, 6:18 PM, James H. H. Lampert wrote:
> The messes people can make for themselves by misunderstanding the subtleties of Keytool are nothing, compared to the mess people can make for themselves trying to use IBM's Digital Certificate Manager to secure Tomcat on their 400s (hint: DCM and Tomcat are completely incompatible with each other).

:) Give me OpenSSL any day of the week. ;)

-chris
Re: SSL certificates
Christopher Schultz wrote:
> :) Give me OpenSSL any day of the week. ;)

Dunno. Can't recall ever having any experience with it at all. Just DCM (for securing IBM-proprietary servers, like their Secured Telnet [NOT ssh] server and their various proprietary web-serving products), and Keytool (for securing Tomcat, and [if I remember right] for prepping jar-signing keys).

--
JHHL
RE: Error configuring tomcat with ssl certificates
Thanks Brijesh,

The certificate that I am using is an RSA-based certificate. I tried listing the RSA-based ciphers in the server.xml, however it still gave me the same error.

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/tmp/.keystore" keystorePass="changeit"
           enableLookups="false"
           ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"
           clientAuth="false" sslProtocol="TLS" />

Any idea what else could be going wrong?

Thanks,
Siddhi

-----Original Message-----
From: Brijesh Deo [mailto:b...@sonicwall.com]
Sent: Wednesday, March 06, 2013 12:25 PM
To: Tomcat Users List
Subject: RE: Error configuring tomcat with ssl certificates

> -----Original Message-----
> From: Siddhi Borkar [mailto:siddhi_bor...@persistent.co.in]
> Sent: 06 March 2013 12:15
> To: users@tomcat.apache.org
> Subject: Error configuring tomcat with ssl certificates
>
>> Hi,
>>
>> I need help configuring Tomcat 6 with SSL certificates. I have been provided with the following: cacert.pem, prvkey.key and sslcert.crt. I tried the following steps:
>>
>> 1) Generated a keystore using the Java keytool and the certificate file using the following command:
>>    keytool -import -trustcacerts -alias tomcatcert -file sslcert.crt -keystore keystore
>> 2) Added the .pem file to the keystore:
>>    keytool -import -trustcacerts -alias root -file cacert.pem -keystore keystore
>> 3) Start the Tomcat server.
>> 4) After starting the server, the following error was seen in the logs.
>>
>> Mar 4, 2013 10:52:22 PM org.apache.coyote.http11.Http11Protocol start
>> SEVERE: Error starting endpoint
>> java.io.IOException: jsse.invalid_ssl_conf
>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:755)
>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:460)
>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
>>     at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
>>     at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
>>     at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
>>     at org.apache.catalina.connector.Connector.start(Connector.java:1107)
>>     at org.apache.catalina.core.StandardService.start(StandardService.java:531)
>>     at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>>     at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:616)
>>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
>> Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
>>     at sun.security.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:327)
>>     at sun.security.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:272)
>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:751)
>>     ... 15 more
>>
>> Can someone help on this?
>>
>> Thanks
>
> Siddhi,
>
> You might want to check your ciphers attribute value in the Connector definition in the server.xml file. Generally, the list of ciphers that you include here is based upon the type of your certificate. If you have an RSA-based certificate, you need to list RSA-based ciphers (ones with _RSA in the cipher suite name), and similarly for a DSA-based certificate you should have the corresponding cipher suites (ones with _DSS in the cipher suite names). Maybe you have this mismatched and that is the problem.
>
> The other way round would be to generate or use a certificate based upon the cipher suites that you want or that are supported in your ciphers attribute value.
>
> Brijesh Deo
> Dell | SonicWALL
Re: Error configuring tomcat with ssl certificates
Siddhi,

On 6.3.2013 10:41, Siddhi Borkar wrote:
> The certificate that I am using is an RSA based certificate. I tried listing the RSA based ciphers in the server.xml, however it still gave me the same error.
>
>     <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                keystoreFile="/tmp/.keystore" keystorePass="changeit"
>                enableLookups="false"
>                ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"
>                clientAuth="false" sslProtocol="TLS" />
>
> Any idea what else could be going wrong?

You didn't import your private key into the Java keystore.

Use openssl to create a PKCS#12 keystore containing your private key (prvkey.key), your certificate (sslcert.crt) and the certificate chain (cacert.pem). Then, import the PKCS#12 keystore into the Java keystore using keytool.

Verify the Java keystore with:

    keytool -list -keystore /tmp/.keystore -v

You should see one PrivateKeyEntry, with a certificate chain to a trusted CA.

-Ognjen
RE: Error configuring tomcat with ssl certificates
-----Original Message-----
From: Siddhi Borkar [mailto:siddhi_bor...@persistent.co.in]
Sent: 06 March 2013 15:12
To: Tomcat Users List
Subject: RE: Error configuring tomcat with ssl certificates

Thanks Brijesh,

The certificate that I am using is an RSA based certificate. I tried listing the RSA based ciphers in the server.xml, however it still gave me the same error.

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="/tmp/.keystore" keystorePass="changeit"
               enableLookups="false"
               ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"
               clientAuth="false" sslProtocol="TLS" />

Any idea what else could be going wrong?

Thanks,
Siddhi

Hi Siddhi,

You can check your keystore type. If it is not JKS, then you need to specify the keyStoreType also in the connector definition.

-Brijesh

-----Original Message-----
From: Brijesh Deo [mailto:b...@sonicwall.com]
Sent: Wednesday, March 06, 2013 12:25 PM
To: Tomcat Users List
Subject: RE: Error configuring tomcat with ssl certificates

-----Original Message-----
From: Siddhi Borkar [mailto:siddhi_bor...@persistent.co.in]
Sent: 06 March 2013 12:15
To: users@tomcat.apache.org
Subject: Error configuring tomcat with ssl certificates

Hi,

I need help configuring tomcat 6 with ssl certificates. I have been provided with the following:

    cacert.pem
    prvkey.key
    sslcert.crt

I tried the following steps:

1) Generated a keystore using java keytool and the certificate file using the following command.

    keytool -import -trustcacerts -alias tomcatcert -file sslcert.crt -keystore keystore

2) Added the .pem file to the keystore

    keytool -import -trustcacerts -alias root -file cacert.pem -keystore keystore

3) Start the tomcat server

4) After starting the server, the following error was seen in the logs.

    Mar 4, 2013 10:52:22 PM org.apache.coyote.http11.Http11Protocol start
    SEVERE: Error starting endpoint
    java.io.IOException: jsse.invalid_ssl_conf
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:755)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:460)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
        at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
        at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
        at org.apache.catalina.connector.Connector.start(Connector.java:1107)
        at org.apache.catalina.core.StandardService.start(StandardService.java:531)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
    Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at sun.security.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:327)
        at sun.security.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:272)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:751)
        ... 15 more

Can someone help on this?

Thanks

Siddhi,

You might want to check your ciphers attribute value in the Connector definition in the server.xml file. Generally, the list of ciphers that you include here is based upon the type of your certificate. If you have an RSA based certificate, you need to enlist RSA based ciphers (ones with _RSA in the cipher suite name) and similarly for a DSA based certificate you should have the corresponding cipher suites (ones with _DSS in the cipher suite names). Maybe you have this mismatched and that is the problem. The other way round would be to generate or use a certificate based upon the cipher suites that you want or that are supported in your ciphers attribute value.

Brijesh Deo
Dell | SonicWALL
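The procedure Ognjen describes (private key, leaf certificate and CA chain bundled with openssl into a PKCS#12 store, then optionally converted to JKS with keytool and checked with keytool -list), together with Brijesh's point that a keystore that is not JKS needs keystoreType set on the Connector, as an added shell example that is not part of the original thread. It generates its own throwaway CA and server certificate as constructed stand-ins for cacert.pem, prvkey.key and sslcert.crt; the working directory, the alias "tomcat" and the password changeit are assumptions, and the JKS step is skipped when no keytool is on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread: bundle key + cert + chain into PKCS#12 as
# Ognjen suggests, then verify what the store contains before Tomcat sees it.
set -eu
WORK="${WORK:-$(mktemp -d)}"     # assumption: scratch directory for the files
PASS="${PASS:-changeit}"         # assumption: keystore password from server.xml

# Constructed test material standing in for the three files Siddhi was given:
# cacert.pem (CA), prvkey.key (server private key), sslcert.crt (server cert).
make_test_material() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$dir/ca.key" -out "$dir/cacert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=tomcat.example" \
    -keyout "$dir/prvkey.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/cacert.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/sslcert.crt" 2>/dev/null
}

# Step 1: key + certificate + chain become ONE PKCS#12 entry under alias "tomcat".
# "keytool -import" alone only creates trusted-certificate entries, which is why
# the private key was missing from the original keystore.
make_p12() {
  dir="$1"
  openssl pkcs12 -export -name tomcat -inkey "$dir/prvkey.key" -in "$dir/sslcert.crt" \
    -certfile "$dir/cacert.pem" -passout "pass:$PASS" -out "$dir/keystore.p12"
}

# What the store holds: expect exactly one private key and two certificates (leaf + CA).
p12_key_count()  { openssl pkcs12 -in "$1" -passin "pass:$PASS" -nodes 2>/dev/null | grep -c 'BEGIN.*PRIVATE KEY'; }
p12_cert_count() { openssl pkcs12 -in "$1" -passin "pass:$PASS" -nodes 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }

# Step 2 (optional): convert to JKS and confirm a PrivateKeyEntry with keytool -list -v.
# Skipped when no JDK is installed; Tomcat can load the .p12 directly instead with
#   keystoreFile="/tmp/keystore.p12" keystoreType="PKCS12" keystorePass="changeit"
import_to_jks() {
  dir="$1"
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found; use keystoreType=\"PKCS12\"" >&2; return 0; }
  keytool -importkeystore -srckeystore "$dir/keystore.p12" -srcstoretype PKCS12 -srcstorepass "$PASS" \
    -destkeystore "$dir/keystore.jks" -deststoretype JKS -deststorepass "$PASS" -noprompt \
    || { echo "keytool could not read the PKCS#12 (old JDK?); re-export with openssl pkcs12 -legacy" >&2; return 0; }
  keytool -list -v -keystore "$dir/keystore.jks" -storepass "$PASS" | grep -q 'PrivateKeyEntry'
}

make_test_material "$WORK"
make_p12 "$WORK"
import_to_jks "$WORK"
echo "keys=$(p12_key_count "$WORK/keystore.p12") certs=$(p12_cert_count "$WORK/keystore.p12")"
```

The two counts are the check worth automating: a store with zero private keys is exactly the state that produces "No available certificate or key corresponds to the SSL cipher suites which are enabled", whatever the ciphers attribute says. OpenSSL 3 writes PKCS#12 files with AES and PBKDF2, which JDKs older than 8u301 and 11.0.12 cannot open; add -legacy to the export for those.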
RE: Error configuring tomcat with ssl certificates
Thanks a lot Ognjen,

The solution you provided worked very well.

-----Original Message-----
From: Ognjen Blagojevic [mailto:ognjen.d.blagoje...@gmail.com]
Sent: Wednesday, March 06, 2013 3:31 PM
To: Tomcat Users List
Subject: Re: Error configuring tomcat with ssl certificates

Siddhi,

On 6.3.2013 10:41, Siddhi Borkar wrote:
> The certificate that I am using is an RSA based certificate. I tried listing the RSA based ciphers in the server.xml, however it still gave me the same error.
>
>     <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                keystoreFile="/tmp/.keystore" keystorePass="changeit"
>                enableLookups="false"
>                ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"
>                clientAuth="false" sslProtocol="TLS" />
>
> Any idea what else could be going wrong?

You didn't import your private key into the Java keystore.

Use openssl to create a PKCS#12 keystore containing your private key (prvkey.key), your certificate (sslcert.crt) and the certificate chain (cacert.pem). Then, import the PKCS#12 keystore into the Java keystore using keytool.

Verify the Java keystore with:

    keytool -list -keystore /tmp/.keystore -v

You should see one PrivateKeyEntry, with a certificate chain to a trusted CA.

-Ognjen
Error configuring tomcat with ssl certificates
Hi,

I need help configuring tomcat 6 with ssl certificates. I have been provided with the following:

    cacert.pem
    prvkey.key
    sslcert.crt

I tried the following steps:

1) Generated a keystore using java keytool and the certificate file using the following command.

    keytool -import -trustcacerts -alias tomcatcert -file sslcert.crt -keystore keystore

2) Added the .pem file to the keystore

    keytool -import -trustcacerts -alias root -file cacert.pem -keystore keystore

3) Start the tomcat server

4) After starting the server, the following error was seen in the logs.

    Mar 4, 2013 10:52:22 PM org.apache.coyote.http11.Http11Protocol start
    SEVERE: Error starting endpoint
    java.io.IOException: jsse.invalid_ssl_conf
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:755)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:460)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
        at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
        at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
        at org.apache.catalina.connector.Connector.start(Connector.java:1107)
        at org.apache.catalina.core.StandardService.start(StandardService.java:531)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
    Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at sun.security.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:327)
        at sun.security.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:272)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:751)
        ... 15 more

Can someone help on this?

Thanks
RE: Error configuring tomcat with ssl certificates
-----Original Message-----
From: Siddhi Borkar [mailto:siddhi_bor...@persistent.co.in]
Sent: 06 March 2013 12:15
To: users@tomcat.apache.org
Subject: Error configuring tomcat with ssl certificates

Hi,

I need help configuring tomcat 6 with ssl certificates. I have been provided with the following:

    cacert.pem
    prvkey.key
    sslcert.crt

I tried the following steps:

1) Generated a keystore using java keytool and the certificate file using the following command.

    keytool -import -trustcacerts -alias tomcatcert -file sslcert.crt -keystore keystore

2) Added the .pem file to the keystore

    keytool -import -trustcacerts -alias root -file cacert.pem -keystore keystore

3) Start the tomcat server

4) After starting the server, the following error was seen in the logs.

    Mar 4, 2013 10:52:22 PM org.apache.coyote.http11.Http11Protocol start
    SEVERE: Error starting endpoint
    java.io.IOException: jsse.invalid_ssl_conf
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:755)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:460)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
        at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
        at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
        at org.apache.catalina.connector.Connector.start(Connector.java:1107)
        at org.apache.catalina.core.StandardService.start(StandardService.java:531)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
    Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at sun.security.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:327)
        at sun.security.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:272)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:751)
        ... 15 more

Can someone help on this?

Thanks

Siddhi,

You might want to check your ciphers attribute value in the Connector definition in the server.xml file. Generally, the list of ciphers that you include here is based upon the type of your certificate. If you have an RSA based certificate, you need to enlist RSA based ciphers (ones with _RSA in the cipher suite name) and similarly for a DSA based certificate you should have the corresponding cipher suites (ones with _DSS in the cipher suite names). Maybe you have this mismatched and that is the problem. The other way round would be to generate or use a certificate based upon the cipher suites that you want or that are supported in your ciphers attribute value.

Brijesh Deo
Dell | SonicWALL
Re: Web app calls JMS over SSL - certificates
I am using ActiveMQ and its activemq.xml file has a section where the keystore and truststore point to those files. So I assume that means that there is a way to set these at runtime. Still leaves me with the question of whether I can set these at runtime from my app on Tomcat.

On Mon, Feb 6, 2012 at 11:50 PM, Pid * p...@pidster.com wrote:
> On 6 Feb 2012, at 23:10, Peter Kleczka pklec...@gmail.com wrote:
>> Hello
>>
>> I have a web app on Tomcat 6.0.24. The app needs to call a JMS app on another server over SSL. I installed the keystore/truststore files in $CatalinaHome/conf/certs and set VM arguments so that the JVM knows where to find the certs.
>>
>> The server administrator says that I should encapsulate these certs within the WAR file and that we should not have to set the VM arguments. The documentation that I have read so far seems to only discuss how to set up SSL on Tomcat.
>>
>> Is there a way that Tomcat or my web app can automatically load the certs without setting VM arguments?
>
> How are you configuring JMS now? Which JMS provider/lib are you using?
>
> p
>
>> Thanks kindly in advance.
RE: Web app calls JMS over SSL - certificates
> From: Peter Kleczka [mailto:pklec...@gmail.com]
> Subject: Re: Web app calls JMS over SSL - certificates
>
> I am using ActiveMQ and its activemq.xml file has a section where the keystore and truststore point to those files. So I assume that means that there is a way to set these at runtime.

That would be a topic for the ActiveMQ group; nothing to do with Tomcat.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Web app calls JMS over SSL - certificates
Chuck

Thanks, but my question really does have to do with Tomcat. The ActiveMQ is actually on another server and my application hosted on Tomcat needs to pull messages off of ActiveMQ over SSL. What I would like to do is tell my application where my keystore files are located rather than load them through the JVM. Another list member asked me how the message broker loads its keystore files, perhaps as a general hint to how I might load them from my web app.

My Tomcat specific question then is, will the Tomcat container let me do that from the app level, and if not, can I configure it on the Tomcat server other than setting the keystore properties in the JVM VM startup parameters.

On Tue, Feb 7, 2012 at 9:10 AM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
>> From: Peter Kleczka [mailto:pklec...@gmail.com]
>> Subject: Re: Web app calls JMS over SSL - certificates
>>
>> I am using ActiveMQ and its activemq.xml file has a section where the keystore and truststore point to those files. So I assume that means that there is a way to set these at runtime.
>
> That would be a topic for the ActiveMQ group; nothing to do with Tomcat.
>
> - Chuck
RE: Web app calls JMS over SSL - certificates
> From: Peter Kleczka [mailto:pklec...@gmail.com]
> Subject: Re: Web app calls JMS over SSL - certificates
>
> What I would like to do is tell my application where my keystore files are located rather than load them through the JVM.

So what stops you from doing that? There are numerous ways to communicate configuration information to a webapp; read the servlet spec and the Tomcat doc for the Context element.

> My Tomcat specific question then is, will the Tomcat container let me do that from the app level

Let you do what, exactly? You have too many potential antecedents of "that" to figure out what you're referring to.

- Chuck
Re: Web app calls JMS over SSL - certificates
On 6 Feb 2012, at 23:10, Peter Kleczka pklec...@gmail.com wrote:
> Hello
>
> I have a web app on Tomcat 6.0.24. The app needs to call a JMS app on another server over SSL. I installed the keystore/truststore files in $CatalinaHome/conf/certs and set VM arguments so that the JVM knows where to find the certs.
>
> The server administrator says that I should encapsulate these certs within the WAR file and that we should not have to set the VM arguments. The documentation that I have read so far seems to only discuss how to set up SSL on Tomcat.
>
> Is there a way that Tomcat or my web app can automatically load the certs without setting VM arguments?

How are you configuring JMS now? Which JMS provider/lib are you using?

p

> Thanks kindly in advance.
Re: Generating SSL certificates
On 12/08/2011 02:26, Darryl Lewis wrote:
> Our certificates are about to expire and I need to generate new ones for tomcat. I'm using keytool, but getting a strange error.

Please start an entirely new thread, rather than replying to an existing email and just editing the subject body (which is called thread hijacking).

p
Generating SSL certificates
Our certificates are about to expire and I need to generate new ones for tomcat. I'm using keytool, but getting a strange error.

    [root]# keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore keystore
    Enter keystore password:
    keytool error: java.lang.Exception: Key pair not generated, alias <tomcat> already exists

ok, fair enough, so I try and delete it and I get this:

    [root]# keytool -delete -alias tomcat
    keytool error: java.io.EOFException

Failing being able to do it in keytool, is it possible to delete the entire keychain and start from scratch? If so how?

Thanks.
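One detail worth noticing in the commands above: the -genkey call names "-keystore keystore" in the current directory, but the -delete call names no keystore at all, and keytool then falls back to its default of $HOME/.keystore, a different file. An EOFException from keytool commonly means the file it opened is empty or truncated rather than a keystore. As an added shell example that is not part of the original post, the following classifies a keystore file from its leading bytes before handing it to keytool, and wraps -delete so that the keystore is always named explicitly. The sample files are constructed (a file carrying only the JKS magic and an empty file); the alias "tomcat" and the password are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a keystore file before keytool
# touches it, and never let keytool fall back to the default $HOME/.keystore.
set -eu

# Classify a keystore file by its first bytes:
#   JKS -> magic 0xFEEDFEED, JCEKS -> 0xCECECECE, PKCS#12 -> DER SEQUENCE (0x30 ...).
# An empty or truncated file is what typically produces keytool's EOFException.
keystore_kind() {
  f="$1"
  [ -e "$f" ] || { echo "missing"; return 0; }
  [ -s "$f" ] || { echo "empty"; return 0; }
  magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
  case "$magic" in
    feedfeed) echo "JKS" ;;
    cececece) echo "JCEKS" ;;
    30*)      echo "PKCS12" ;;
    *)        echo "unknown" ;;
  esac
}

# Delete ALIAS from an explicitly named keystore; refuse to run keytool against a
# file that is not recognisably a keystore, so the error message stays meaningful.
delete_alias() {
  ks="$1"; alias="$2"; pass="$3"
  kind=$(keystore_kind "$ks")
  case "$kind" in
    JKS|JCEKS|PKCS12)
      keytool -delete -alias "$alias" -keystore "$ks" -storepass "$pass" ;;
    *)
      echo "refusing to run keytool: $ks is $kind" >&2
      return 1 ;;
  esac
}

# Constructed sample files: the JKS magic alone, and an empty keystore.
WORK="${WORK:-$(mktemp -d)}"
printf '\376\355\376\355' > "$WORK/fake.jks"
: > "$WORK/empty.keystore"

for f in "$WORK/fake.jks" "$WORK/empty.keystore" "$WORK/does-not-exist"; do
  echo "$f: $(keystore_kind "$f")"
done
delete_alias "$WORK/empty.keystore" tomcat changeit || echo "delete refused as expected"
```

If the store really is unrecoverable, deleting the file named by -keystore and re-running -genkey with the same -keystore argument is the "start from scratch" the poster asks about; the JVM's own cacerts file is a separate store and is not affected.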
AW: Multiple SSL certificates on same server
Hi

> I'm not using XP, but a Unix server OS, and my domains are radically different - so the wildcard cert won't work either. sigh

This is not about the OS the tomcat is running on, but about the OS the client browser is using...

There are certificates with multiple names (even radically different ones) however, they will work for you.

Regards,
Steffen
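A single certificate covering two unrelated names, as Steffen describes, as an added shell example that is not part of the original thread: it builds a certificate whose subjectAltName lists both hostnames and then checks, with openssl's own hostname matching, which names the certificate is accepted for. The hostnames domain1.example and domain2.example, the file names and the self-signing are constructed assumptions; for a real deployment the same config file drives the CSR that goes to the CA.

```shell
#!/bin/sh
# Added example, not from the thread: one certificate for two radically different
# domains via subjectAltName, verified with openssl x509 -checkhost.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch directory

# openssl request config listing every hostname the certificate must cover.
# The CN is kept for very old clients; modern clients only consult the SAN list.
write_san_config() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = san
prompt             = no
[dn]
CN = domain1.example
[san]
subjectAltName = DNS:domain1.example, DNS:domain2.example
EOF
}

# Self-signed here for demonstration. For a CA-issued multi-name certificate,
# replace "-x509 -out san.crt" with "-out san.csr" and submit the CSR to the CA.
make_san_cert() {
  dir="$1"
  write_san_config "$dir/san.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/san.cnf" \
    -keyout "$dir/san.key" -out "$dir/san.crt" 2>/dev/null
}

# Returns 0 when openssl's hostname matching accepts NAME for the certificate,
# the same decision a browser makes against the host it connected to.
cert_covers() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

make_san_cert "$WORK"
for name in domain1.example domain2.example other.example; do
  if cert_covers "$WORK/san.crt" "$name"; then
    echo "$name: covered"
  else
    echo "$name: NOT covered"
  fi
done
```

The resulting san.key and san.crt go into one PKCS#12 keystore for the single Connector, so Jason's observation that the certificate is sent before the Host header arrives stops mattering: whichever name the client used, it is in the certificate. Tomcat 8.5 and later also support SNI through multiple SSLHostConfig elements on one Connector, which allows a separate certificate per hostname, but the multi-name certificate still works for clients that do not send SNI.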
RE: Multiple SSL certificates on same server
Good Morning Richard

david is right

each keystore is bound to one certificate
each cert will work on only one IP, one domain and one set of credentials (the same credentials used for the keystore)

you may want to consider domain2 aliasing (to the working SSL connector on domain1) ..your hosting provider can help
e.g.
http://support.hostgator.com/articles/plesk/how-to-setup-a-domain-alias-windows-dedicated

HTH
Martin Gainty
__
Waiver and confidentiality note (given in German and French):
This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorized forwarding or copying is not permitted. This message serves only the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept liability for the content.

> Date: Tue, 9 Mar 2010 08:38:40 -0500
> From: d...@cornell.edu
> To: users@tomcat.apache.org
> Subject: Re: Multiple SSL certificates on same server
>
> On 3/8/2010 6:46 PM, Richard Huntrods wrote:
>> Does anyone know if it is possible, or has anyone done this:
>>
>> I have two applications running on a single server. The applications use different domains and URLs, so the single Tomcat instance can easily tell them apart. (Note: this part is currently working just fine).
>>
>> https://domain1/application1
>> https://domain2/application2
>>
>> Again, both domains point to the same static IP, and yes, it is possible for someone to access either application from either domain. Normally, that is not an issue with the clients.
>>
>> However, I currently have only one SSL certificate on the server - this is for domain1. So if you use domain1 to access application1, it's all fine. The security cert comes up green and all that. BUT - if you try and access application2 via domain2, you get the red security cert (wrong domain / server name).
>>
>> I would like to purchase a second certificate for the second domain, and am wondering if this can be done, and how one would tell Tomcat (in server.xml) to acknowledge the second certificate.
>>
>> Currently the stuff in server.xml looks like this:
>>
>>     <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>                maxThreads="150" enableLookups="false"
>>                scheme="https" secure="true"
>>                keystoreFile="./keys/.keystore" keystorePass="myPassword"
>>                clientAuth="false" sslProtocol="TLS" />
>>
>> I have a bad feeling it's not possible, but wanted to ask anyway.
>>
>> Thanks in advance.
>>
>> -R
>
> Seems like you should be able to get another certificate and have two Connector elements, each configured with a different ssl cert (diff. keystore?). Each will also have to have an address attribute to bind it to a specific IP. I've never actually ever messed with SSL on tomcat so you may want to look at the tomcat docs and howtos on the subject.
>
> --David
Re: Multiple SSL certificates on same server
On 3/8/2010 6:46 PM, Richard Huntrods wrote:
> Does anyone know if it is possible, or has anyone done this:
>
> I have two applications running on a single server. The applications use different domains and URLs, so the single Tomcat instance can easily tell them apart. (Note: this part is currently working just fine).
>
> https://domain1/application1
> https://domain2/application2
>
> Again, both domains point to the same static IP, and yes, it is possible for someone to access either application from either domain. Normally, that is not an issue with the clients.
>
> However, I currently have only one SSL certificate on the server - this is for domain1. So if you use domain1 to access application1, it's all fine. The security cert comes up green and all that. BUT - if you try and access application2 via domain2, you get the red security cert (wrong domain / server name).
>
> I would like to purchase a second certificate for the second domain, and am wondering if this can be done, and how one would tell Tomcat (in server.xml) to acknowledge the second certificate.
>
> Currently the stuff in server.xml looks like this:
>
>     <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" enableLookups="false"
>                scheme="https" secure="true"
>                keystoreFile="./keys/.keystore" keystorePass="myPassword"
>                clientAuth="false" sslProtocol="TLS" />
>
> I have a bad feeling it's not possible, but wanted to ask anyway.
>
> Thanks in advance.
>
> -R

Seems like you should be able to get another certificate and have two Connector elements, each configured with a different ssl cert (diff. keystore?). Each will also have to have an address attribute to bind it to a specific IP. I've never actually ever messed with SSL on tomcat so you may want to look at the tomcat docs and howtos on the subject.

--David
RE: Multiple SSL certificates on same server
On 03/08/2010 06:46 PM, Richard Huntrods wrote:
> Does anyone know if it is possible, or has anyone done this:
>
> I have two applications running on a single server. The applications use different domains and URLs, so the single Tomcat instance can easily tell them apart. (Note: this part is currently working just fine).
>
> https://domain1/application1
> https://domain2/application2
>
> Again, both domains point to the same static IP, and yes, it is possible for someone to access either application from either domain. Normally, that is not an issue with the clients.
>
> However, I currently have only one SSL certificate on the server - this is for domain1. So if you use domain1 to access application1, it's all fine. The security cert comes up green and all that. BUT - if you try and access application2 via domain2, you get the red security cert (wrong domain / server name).
>
> I would like to purchase a second certificate for the second domain, and am wondering if this can be done, and how one would tell Tomcat (in server.xml) to acknowledge the second certificate.
>
> Currently the stuff in server.xml looks like this:
>
>     <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" enableLookups="false"
>                scheme="https" secure="true"
>                keystoreFile="./keys/.keystore" keystorePass="myPassword"
>                clientAuth="false" sslProtocol="TLS" />
>
> I have a bad feeling it's not possible, but wanted to ask anyway.
>
> Thanks in advance.
>
> -R

~~~
No. The certificate is sent and SSL negotiated prior to the server receiving the Host header.
~~~

Richard,

It's possible. It doesn't appear that Tomcat or Java(SUN) support RFC 3546 just yet (for Server Name Indication) even though Apache httpd does. However Windows XP users of IE will not be able to take advantage of SNI at this time anyway (to further rain on your parade). Vista and greater do make use of SNI though. Gotta wait for XP to die I guess. :-P

End result: Multi-Domain Certificate, separate ports, separate IPs or a load balancer that distributes the load to an internal IP based on FQDN, to which you could then use X amount of different SSL certs. (This last bit may be a wee bit complicated)

Hope this helps

~~
Hi,

Here's an idea for you: You can use a wildcard when generating your certificate, like *.domain.com, assuming your servers use the same domain.com.

Regards,
Leon Kolchinsky
~~~

Thanks to all of you for your replies. I fear that Jason is correct for my case. I'm not using XP, but a Unix server OS, and my domains are radically different - so the wildcard cert won't work either. sigh

Cheers,
-R
Multiple SSL certificates on same server
Does anyone know if it is possible, or has anyone done this:

I have two applications running on a single server. The applications use different domains and URLs, so the single Tomcat instance can easily tell them apart. (Note: this part is currently working just fine).

https://domain1/application1
https://domain2/application2

Again, both domains point to the same static IP, and yes, it is possible for someone to access either application from either domain. Normally, that is not an issue with the clients.

However, I currently have only one SSL certificate on the server - this is for domain1. So if you use domain1 to access application1, it's all fine. The security cert comes up green and all that. BUT - if you try and access application2 via domain2, you get the red security cert (wrong domain / server name).

I would like to purchase a second certificate for the second domain, and am wondering if this can be done, and how one would tell Tomcat (in server.xml) to acknowledge the second certificate.

Currently the stuff in server.xml looks like this:

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" enableLookups="false"
               scheme="https" secure="true"
               keystoreFile="./keys/.keystore" keystorePass="myPassword"
               clientAuth="false" sslProtocol="TLS" />

I have a bad feeling it's not possible, but wanted to ask anyway.

Thanks in advance.

-R
RE: Multiple SSL certificates on same server
-----Original Message-----
From: Richard Huntrods [mailto:huntr...@nucleus.com]
Sent: Monday, March 08, 2010 18:46
To: users@tomcat.apache.org
Subject: Multiple SSL certificates on same server

> Does anyone know if it is possible, or has anyone done this: I have two applications running on a single server. The applications use different domains and URLs, so the single Tomcat instance can easily tell them apart. (Note: this part is currently working just fine.)
>
> https://domain1/application1
> https://domain2/application2

No. The certificate is sent and SSL negotiated prior to the server receiving the Host header.

> Again, both domains point to the same static IP, and yes, it is possible for someone to access either application from either domain. Normally, that is not an issue with the clients.
>
> However, I currently have only one SSL certificate on the server - this is for domain1. So if you use domain1 to access application1, it's all fine. The security cert comes up green and all that. BUT - if you try and access application2 via domain2, you get the red security cert (wrong domain / server name).
>
> I would like to purchase a second certificate for the second domain, and am wondering if this can be done, and how one would tell Tomcat (in server.xml) to acknowledge the second certificate.
>
> Currently the stuff in server.xml looks like this:
>
>     <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" enableLookups="false"
>                scheme="https" secure="true"
>                keystoreFile="./keys/.keystore" keystorePass="myPassword"
>                clientAuth="false" sslProtocol="TLS" />
>
> I have a bad feeling it's not possible, but wanted to ask anyway.
>
> Thanks in advance.
>
> -R

--
Jason Pyeron                 PD Inc. http://www.pdinc.us
Principal Consultant         10 West 24th Street #100
+1 (443) 269-1555 x333       Baltimore, Maryland 21218

This message is copyright PD Inc, subject to license 20080407P00.
Re: Multiple SSL certificates on same server
On 03/08/2010 06:46 PM, Richard Huntrods wrote:
> Does anyone know if it is possible, or has anyone done this: I have two applications running on a single server. The applications use different domains and URLs, so the single Tomcat instance can easily tell them apart. (Note: this part is currently working just fine.)
>
> https://domain1/application1
> https://domain2/application2
>
> Again, both domains point to the same static IP, and yes, it is possible for someone to access either application from either domain. Normally, that is not an issue with the clients.
>
> However, I currently have only one SSL certificate on the server - this is for domain1. So if you use domain1 to access application1, it's all fine. The security cert comes up green and all that. BUT - if you try and access application2 via domain2, you get the red security cert (wrong domain / server name).
>
> I would like to purchase a second certificate for the second domain, and am wondering if this can be done, and how one would tell Tomcat (in server.xml) to acknowledge the second certificate.
>
> Currently the stuff in server.xml looks like this:
>
>     <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" enableLookups="false"
>                scheme="https" secure="true"
>                keystoreFile="./keys/.keystore" keystorePass="myPassword"
>                clientAuth="false" sslProtocol="TLS" />
>
> I have a bad feeling it's not possible, but wanted to ask anyway.
>
> Thanks in advance.
>
> -R

Richard,

It's possible. It doesn't appear that Tomcat or Java (SUN) support RFC 3546 just yet (for Server Name Indication) even though Apache httpd does. However, Windows XP users of IE will not be able to take advantage of SNI at this time anyway (to further rain on your parade). Vista and greater do make use of SNI though. Gotta wait for XP to die I guess. :-P

End result: Multi-Domain Certificate, separate ports, separate IPs or a load balancer that distributes the load to an internal IP based on FQDN, to which you could then use X amount of different SSL certs. (This last bit may be a wee bit complicated)

Hope this helps
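An added example, not code from this thread or from Tomcat, showing the mechanism behind the two answers above. Jason's point stands: the HTTP Host header arrives only after the handshake, so it cannot drive certificate selection. What SNI (RFC 3546, now RFC 6066) does is put the hostname into the cleartext ClientHello, which reaches the server before it has to send any certificate. Tomcat 8.5 and later support this with one <SSLHostConfig hostName="..."> per domain inside the Connector; the entry named "_default_" serves clients that send no SNI at all, which is exactly the "red certificate for domain2" situation the original post describes. The Python below embeds such a server.xml fragment (the hostnames domain2.example, the keystore paths under keys/ and the password "changeit" are made up for the example), parses it into a hostName-to-keystore map, builds a ClientHello with and without the SNI extension, extracts server_name from it, and picks the keystore the way an SNI-aware server would:

```python
import struct
import xml.etree.ElementTree as ET

# Constructed server.xml fragment in the Tomcat 8.5+ SSLHostConfig style (not
# the poster's config): one <SSLHostConfig> per hostName plus "_default_".
SERVER_XML = """\
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true">
  <SSLHostConfig hostName="_default_">
    <Certificate certificateKeystoreFile="keys/domain1.jks"
                 certificateKeystorePassword="changeit" type="RSA"/>
  </SSLHostConfig>
  <SSLHostConfig hostName="domain2.example">
    <Certificate certificateKeystoreFile="keys/domain2.jks"
                 certificateKeystorePassword="changeit" type="RSA"/>
  </SSLHostConfig>
</Connector>
"""

def keystores_by_host(server_xml):
    """Map each SSLHostConfig hostName (lower-cased) to its keystore file."""
    out = {}
    for cfg in ET.fromstring(server_xml).iter("SSLHostConfig"):
        cert = cfg.find("Certificate")
        out[cfg.get("hostName").lower()] = cert.get("certificateKeystoreFile")
    return out

def build_client_hello(server_name=None, extensions=True):
    """Minimal TLS ClientHello record (constructed input); server_name=None omits
    SNI, extensions=False models a legacy hello with no extensions block."""
    body = b"\x03\x03" + b"\x11" * 32                  # client_version + fixed random
    body += b"\x00"                                    # empty session_id
    suites = b"\x13\x01\xc0\x2f"
    body += struct.pack("!H", len(suites)) + suites    # cipher_suites
    body += b"\x01\x00"                                # compression_methods: null
    if extensions:
        ext = b""
        if server_name is not None:
            host = server_name.encode("idna")
            entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
            lst = struct.pack("!H", len(entry)) + entry
            ext += struct.pack("!HH", 0x0000, len(lst)) + lst     # server_name extension
        groups = b"\x00\x02\x00\x1d"                              # supported_groups: x25519
        ext += struct.pack("!HH", 0x000a, len(groups)) + groups   # unrelated ext, must be skipped
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def _u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]

def extract_sni(record):
    """Return the SNI host_name from a ClientHello record, or None if the client
    sent none. Only the cleartext hello is needed: it precedes any certificate."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    ch_len = int.from_bytes(hs[1:4], "big")
    ch = hs[4:4 + ch_len]
    if len(ch) != ch_len or ch_len < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                       # skip client_version and random
    pos += 1 + ch[pos]                 # session_id
    pos += 2 + _u16(ch, pos)           # cipher_suites
    pos += 1 + ch[pos]                 # compression_methods
    if pos >= len(ch):
        return None                    # no extensions block at all
    end = pos + 2 + _u16(ch, pos)
    pos += 2
    if end > len(ch):
        raise ValueError("extensions overrun ClientHello")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", ch[pos:pos + 4])
        data = ch[pos + 4:pos + 4 + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension")
        pos += 4 + ext_len
        if ext_type != 0x0000:
            continue
        list_end, lp = 2 + _u16(data, 0), 2
        while lp + 3 <= list_end:
            name_type, name_len = data[lp], _u16(data, lp + 1)
            name = data[lp + 3:lp + 3 + name_len]
            lp += 3 + name_len
            if name_type == 0:         # host_name; RFC 6066: compare case-insensitively
                return name.decode("ascii").lower()
    return None

def select_keystore(record, keystores, default_host="_default_"):
    """Server-side choice made before ServerHello/Certificate: keystore for the
    SNI name if configured, else the default host config."""
    name = extract_sni(record)
    if name is not None and name in keystores:
        return keystores[name]
    return keystores[default_host]

if __name__ == "__main__":
    ks = keystores_by_host(SERVER_XML)
    for name in ("domain2.example", "domain1.example", None):
        print(name, "->", select_keystore(build_client_hello(name), ks))
```

A hello naming domain2.example selects keys/domain2.jks; a hello with an unknown name or with no SNI extension (what an XP-era client would send) falls back to keys/domain1.jks, the "_default_" entry, which is the wrong-certificate outcome described in the question. The parser length-checks every nested vector because the ClientHello is attacker-controlled cleartext read before any authentication has happened.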