Re: how to reload SSL certificates without restarting Tomcat

2024-03-11 Thread Christopher Schultz

Jerry,

On 3/11/24 14:51, Jerry Lin wrote:

> Hi Chris,
>
>> There is also this:
>>
>> https://tomcat.apache.org/presentations.html#latest-lets-encrypt
>>
>> It's very LE-focused, but it shows you how to programmatically trigger a
>> reload.
>
> Thanks for your presentation and script. We are using Let's Encrypt, so
> your material is quite relevant.


If I were to present that material today, it would be a lot shorter. In
fact, I was asked last-minute to fill in for a missing speaker in
Halifax and I updated that presentation a bit and made it more of a
conversation with the audience.


I hadn't included anything about the automatic-update feature Tomcat has 
added since the previous staging of that presentation and afterwards I 
went in and removed something like 40% of the material in the presentation.


So it's all perfectly valid, but it's even easier to use LE with Tomcat, 
now.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: how to reload SSL certificates without restarting Tomcat

2024-03-11 Thread Jerry Lin
Hi Chris,

> There is also this:
> https://tomcat.apache.org/presentations.html#latest-lets-encrypt
>
> It's very LE-focused, but it shows you how to programmatically trigger a
> reload.
>

Thanks for your presentation and script. We are using Let's Encrypt, so
your material is quite relevant.

Jerry


Re: how to reload SSL certificates without restarting Tomcat

2024-03-11 Thread Christopher Schultz

Jerry,

On 3/10/24 16:00, Jerry Lin wrote:

> Hi Chuck,
>
>> Presumably, you mean “not behind https”, since “Apache” refers to the
>> organization that develops and maintains a plethora of software products.
>
> Yes, “not behind https” (I meant not behind an Apache HTTP server)
>
>> you can configure the TLS config listener:
>>
>> https://tomcat.apache.org/tomcat-10.1-doc/config/listeners.html#TLS_configuration_reload_listener_-_org.apache.catalina.security.TLSCertificateReloadListener
>
> Great, thanks! This is what I was looking for.


There is also this:
https://tomcat.apache.org/presentations.html#latest-lets-encrypt

It's very LE-focused, but it shows you how to programmatically trigger a 
reload.


Chuck's reference to the auto-reloading is even better if you don't mind 
the background process checking for you, instead of 
proactively-triggering the reload.


-chris




Re: how to reload SSL certificates without restarting Tomcat

2024-03-10 Thread Chuck Caldarale


> On Mar 10, 2024, at 15:00, Jerry Lin  wrote:
> 
> Hi Chuck,
> 
> Presumably, you mean “not behind https", since “Apache” refers to the
>> organization that develops and maintains a plethora of software products.
>> 
> 

Spell checker got me - I meant “httpd”, not “https”.

  - Chuck





Re: how to reload SSL certificates without restarting Tomcat

2024-03-10 Thread Jerry Lin
Hi Chuck,

> Presumably, you mean “not behind https”, since “Apache” refers to the
> organization that develops and maintains a plethora of software products.
>

Yes, “not behind https" (I meant not behind an Apache HTTP server)


> you can configure the TLS config listener:
>
>
> https://tomcat.apache.org/tomcat-10.1-doc/config/listeners.html#TLS_configuration_reload_listener_-_org.apache.catalina.security.TLSCertificateReloadListener


Great, thanks! This is what I was looking for.

Regards,
Jerry


Re: how to reload SSL certificates without restarting Tomcat

2024-03-10 Thread Chuck Caldarale

> On Mar 10, 2024, at 12:39, Jerry Lin  wrote:
> 
> For those of us with a publicly accessible instance of Tomcat (e.g. not
> behind Apache), is there a good way of having a renewed SSL/HTTPS
> certificate take effect without restarting Tomcat?

Presumably, you mean “not behind https", since “Apache” refers to the 
organization that develops and maintains a plethora of software products.

If you’re running on a supported version of Tomcat (you didn’t tell us what 
level you’re using), you can configure the TLS config listener:

https://tomcat.apache.org/tomcat-10.1-doc/config/listeners.html#TLS_configuration_reload_listener_-_org.apache.catalina.security.TLSCertificateReloadListener

https://tomcat.apache.org/tomcat-9.0-doc/config/listeners.html#TLS_configuration_reload_listener_-_org.apache.catalina.security.TLSCertificateReloadListener

https://tomcat.apache.org/tomcat-8.5-doc/config/listeners.html#TLS_configuration_reload_listener_-_org.apache.catalina.security.TLSCertificateReloadListener


  - Chuck



Re: how to reload SSL certificates without restarting Tomcat

2024-03-10 Thread a.grubner
I would run several parallel production instances and renew them in sequence
so as to always stay online -> no connection with the customer will be interrupted.

Best
Alex

-Original Message-
From: Jerry Lin
Sent: Sunday, 10 March 2024 18:40
To: users@tomcat.apache.org
Subject: how to reload SSL certificates without restarting Tomcat

Hello,

For those of us with a publicly accessible instance of Tomcat (e.g. not behind 
Apache), is there a good way of having a renewed SSL/HTTPS certificate take 
effect without restarting Tomcat?

Thank you,
Jerry





how to reload SSL certificates without restarting Tomcat

2024-03-10 Thread Jerry Lin
Hello,

For those of us with a publicly accessible instance of Tomcat (e.g. not
behind Apache), is there a good way of having a renewed SSL/HTTPS
certificate take effect without restarting Tomcat?

Thank you,
Jerry


Re: SSL Certificates and Tomcat 8.5.11

2018-05-17 Thread Christopher Schultz

Laurie,

On 5/17/18 11:33 AM, Laurie Miller-Cook wrote:
> I am very new to Tomcat so please bear with me.

Welcome.

> I currently have a Thawte certificate that is installed within IIS 
> for our domain that is all managed by Rackspace.
> 
> I now have a new server set-up with Tomcat 8.5.11 installed and
> have created a keystore.
> 
> I have been supplied by Rackspace the following text a
> Certificate, Private Key and CA Bundle.

You should start over. If Rackspace supplied the private key, then you
have no control over your own security. You should generate your own
private key on a server you control and trust.

> So my question is, with the three text files from Rackspace can I 
> import these (in what order) into the Keystore to get SSL working 
> with our Domain or do I need something totally different.
> 
> Just as a sub-note we need to have the SSL certificate for the
> domain working on both IIS and Tomcat.

It is very difficult to import a private key into a Java keystore. You
usually have to go through a PKCS12 file, first, and OpenSSL is the
best tool IMO to manipulate those. JKS files are fortunately being
abandoned and PKCS12 files are directly-readable by Java, so it's a
one-step operation if you have OpenSSL handy:

openssl pkcs12 -export -in server.crt -inkey server.key -certfile
intermediate.crt -out keystore.p12 -chain

Now, you can configure your Tomcat to use keystore.p12 as the
keystore, and use whatever password you gave to OpenSSL when writing
the PKCS12 file.

I'd still highly recommend that you start over from scratch with
your own private key, though. Generate a key, certificate signing
request (CSR), and send the CSR to Thawte. Once they sign it, import
any intermediate certs into your keystore first (top-most first) then
your server's signed certificate into your keystore and use the result
with Tomcat.

- -chris


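Added example (not code from this thread or from the Tomcat project) that pulls together Chris's one-step PKCS12 export above and Chuck's pointer to the TLSCertificateReloadListener earlier on the page: it builds a throwaway test PKI so it runs offline, creates the keystore from a private key generated locally, checks that key, certificate and chain agree before Tomcat ever sees the file, and emits the matching server.xml fragment. All file names, the alias "tomcat" and the password "changeit" are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Tomcat): build and verify a PKCS12
# keystore for a Tomcat connector. The CA below is a constructed test PKI so the
# script runs offline; file names, alias and password are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed test PKI (root -> intermediate -> server). In real use only the
# server key and CSR are produced here; root and intermediate come from the CA.
make_test_pki() {
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
    -subj "/CN=Example Test Root" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/intermediate.key" \
    -out "$d/intermediate.csr" -subj "/CN=Example Test Intermediate" 2>/dev/null
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null
  # The server's private key is generated on the server itself; a key handed
  # over by a hosting provider has already been outside your control.
  openssl req -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" \
    -subj "/CN=tomcat.example.test" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.crt" \
    -CAkey "$d/intermediate.key" -CAcreateserial -days 2 -out "$d/server.crt" 2>/dev/null
}

# Does the private key belong to the certificate? A mismatch is the usual cause
# of a keystore that imports cleanly but then fails every TLS handshake.
check_key_matches_cert() {
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
  key_pub="$(openssl pkey -in "$2" -pubout)"
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Does the server certificate chain to the root through the intermediate?
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null
}

# One-step PKCS12 export: leaf + key + intermediate under the alias "tomcat".
export_pkcs12() {
  d="$1"; pass="$2"
  openssl pkcs12 -export -in "$d/server.crt" -inkey "$d/server.key" \
    -certfile "$d/intermediate.crt" -name tomcat \
    -out "$d/keystore.p12" -passout "pass:$pass"
}

# How many certificates ended up in the keystore (expect leaf + intermediate).
count_p12_certs() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# server.xml fragment: keystore (and, for client auth, truststore) set explicitly
# on the SSLHostConfig instead of javax.net.ssl.* system properties, plus the
# reload listener so a renewed keystore is picked up without a restart
# (checkPeriod is in seconds; daysBefore is the expiry window that triggers it).
render_server_xml() {
  cat <<EOF
<Listener className="org.apache.catalina.security.TLSCertificateReloadListener"
          checkPeriod="86400" daysBefore="30" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true">
  <!-- add truststoreFile/truststorePassword here for client auth -->
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="$1"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="changeit"
                 certificateKeyAlias="tomcat" />
  </SSLHostConfig>
</Connector>
EOF
}

make_test_pki "$WORK"
export_pkcs12 "$WORK" changeit
check_key_matches_cert "$WORK/server.crt" "$WORK/server.key"
verify_chain "$WORK/root.crt" "$WORK/intermediate.crt" "$WORK/server.crt"
render_server_xml "$WORK/keystore.p12" > "$WORK/tls-fragment.xml"
echo "keystore $WORK/keystore.p12 holds $(count_p12_certs "$WORK/keystore.p12" changeit) certificates"
```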


Re: SSL Certificates and Tomcat 8.5.11

2018-05-17 Thread Pierre Chiu
Hi Laurie,

This is what I do. I don't use keystore.

I use this within SSLHostConfig section.





> On May 17, 2018, at 11:33 AM, Laurie Miller-Cook 
>  wrote:
> 
> Hi there,
> 
> I am very new to Tomcat so please bear with me.
> 
> I currently have a Thawte certificate that is installed within IIS for our 
> domain that is all managed by Rackspace.
> 
> I now have a new server set-up with Tomcat 8.5.11 installed and have created 
> a keystore.
> 
> I have been supplied by Rackspace the following text a Certificate, Private 
> Key and CA Bundle.
> 
> So my question is, with the three text files from Rackspace can I import 
> these (in what order) into the Keystore to get SSL working with our Domain or 
> do I need something totally different.
> 
> Just as a sub-note we need to have the SSL certificate for the domain working 
> on both IIS and Tomcat.
> 
> Best regards
> 
> Laurie





SSL Certificates and Tomcat 8.5.11

2018-05-17 Thread Laurie Miller-Cook
Hi there,

I am very new to Tomcat so please bear with me.

I currently have a Thawte certificate that is installed within IIS for our 
domain that is all managed by Rackspace.

I now have a new server set-up with Tomcat 8.5.11 installed and have created a 
keystore.

I have been supplied by Rackspace the following text a Certificate, Private Key 
and CA Bundle.

So my question is, with the three text files from Rackspace can I import these 
(in what order) into the Keystore to get SSL working with our Domain or do I 
need something totally different.

Just as a sub-note we need to have the SSL certificate for the domain working 
on both IIS and Tomcat.

Best regards

Laurie


Re: Tomcat8 - How to configure ssl certificates for both https and two-way authentication

2017-08-09 Thread Mark Thomas
On 09/08/17 12:24, Senthil Kumar wrote:
> Mark,
> 
> Tomcat version is 8.0.39.
> 
> I have to use both server certificate (.pfx) and service certificate as
> keystore. Do I need to convert the PFX format certificate to JKS format? How do I
> configure more than one private certificate in the keystore?

The setenv.sh settings shouldn't interfere with the Tomcat connector but
to be sure I suggest the following:

- comment out the setenv.sh settings
- start Tomcat
- test https on port 443 and report any errors, including those in the
  logs

Once port 443 is working then uncomment the settings in setenv and check
port 443 still works.

Mark

> 
> Senthil
> 
> On Wed, Aug 9, 2017 at 1:39 AM, Mark Thomas <ma...@apache.org> wrote:
> 
>> On 08/08/17 21:03, dsenthil...@gmail.com wrote:
>>>
>>>> Hello,
>>>>
>>>> I have configured ssl certificates for below requirements:
>>>>
>>>> 1. Tomcat server certificate configuration in 'server.xml' file to run
>> tomcat server on port 443 and https
>>>>
>>>>  > minSpareThreads="25"
>>>>maxSpareThreads="75" enableLookups="false"
>> disableUploadTimeout="true"
>>>>acceptCount="100" scheme="https" secure="true"
>> SSLEnabled="true" clientAuth="false"
>>>>sslProtocol="TLSv1.2" 
>>>> ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256"
>> keystoreFile="Tomcat.HostName.pfx" keystorePass="password"
>>>>keystoreType="PKCS12" />
>>>>
>>>> 2. Service certificate configuration in 'setenv.sh' file for the
>> two-way ssl authentication for the connection to MQ / Soap service servers.
>>>>
>>>> export JAVA_OPTS='-Djavax.net.ssl.keyStore=ServiceCertificate.p12
>> -Djavax.net.ssl.keyStorePassword=password 
>> -Djavax.net.ssl.trustStore=clienttruststore.jks
>> -Djavax.net.ssl.trustStorePassword=changeit'
>>>>
>>>>
>>>> But It looks like the service certificate configured (for the two-way
>> ssl handshake with MQ and Soap service servers) in 'setenv.sh' file is
>> overwriting the tomcat server ssl configuration configured in 'server.xml'
>> and subsequently tomcat server is down for https and port 443.
>>>>
>>>> Can someone recommend suitable tomcat config to fix this issue. The
>> tomcat config should support both https (port 443) and two-ways ssl
>> handshake with other servers.
>>
>> Tomcat version?
>>
>>
>>
>>
> 





Re: Tomcat8 - How to configure ssl certificates for both https and two-way authentication

2017-08-09 Thread Senthil Kumar
Mark,

Tomcat version is 8.0.39.

I have to use both the server certificate (.pfx) and the service certificate as
keystore. Do I need to convert the PFX format certificate to JKS format? How do I
configure more than one private certificate in the keystore?

Senthil

On Wed, Aug 9, 2017 at 1:39 AM, Mark Thomas <ma...@apache.org> wrote:

> On 08/08/17 21:03, dsenthil...@gmail.com wrote:
> >
> >> Hello,
> >>
> >> I have configured ssl certificates for below requirements:
> >>
> >> 1. Tomcat server certificate configuration in 'server.xml' file to run
> tomcat server on port 443 and https
> >>
> >>   minSpareThreads="25"
> >>maxSpareThreads="75" enableLookups="false"
> disableUploadTimeout="true"
> >>acceptCount="100" scheme="https" secure="true"
> SSLEnabled="true" clientAuth="false"
> >>sslProtocol="TLSv1.2" 
> >> ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256"
> keystoreFile="Tomcat.HostName.pfx" keystorePass="password"
> >>keystoreType="PKCS12" />
> >>
> >> 2. Service certificate configuration in 'setenv.sh' file for the
> two-way ssl authentication for the connection to MQ / Soap service servers.
> >>
> >> export JAVA_OPTS='-Djavax.net.ssl.keyStore=ServiceCertificate.p12
> -Djavax.net.ssl.keyStorePassword=password 
> -Djavax.net.ssl.trustStore=clienttruststore.jks
> -Djavax.net.ssl.trustStorePassword=changeit'
> >>
> >>
> >> But It looks like the service certificate configured (for the two-way
> ssl handshake with MQ and Soap service servers) in 'setenv.sh' file is
> overwriting the tomcat server ssl configuration configured in 'server.xml'
> and subsequently tomcat server is down for https and port 443.
> >>
> >> Can someone recommend suitable tomcat config to fix this issue. The
> tomcat config should support both https (port 443) and two-ways ssl
> handshake with other servers.
>
> Tomcat version?
>
>
>
>


Re: Tomcat8 - How to configure ssl certificates for both https and two-way authentication

2017-08-08 Thread Christopher Schultz

Senthil,

On 8/8/17 4:03 PM, dsenthil...@gmail.com wrote:
> 
>> Hello,
>> 
>> I have configured ssl certificates for below requirements:
>> 
>> 1. Tomcat server certificate configuration in 'server.xml' file
>> to run tomcat server on port 443 and https
>> 
>> > minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
>> disableUploadTimeout="true" acceptCount="100" scheme="https"
>> secure="true" SSLEnabled="true" clientAuth="false" 
>> sslProtocol="TLSv1.2" ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256"
>> keystoreFile="Tomcat.HostName.pfx" keystorePass="password" 
>> keystoreType="PKCS12" />
>> 
>> 2. Service certificate configuration in 'setenv.sh' file for the
>> two-way ssl authentication for the connection to MQ / Soap
>> service servers.
>> 
>> export JAVA_OPTS='-Djavax.net.ssl.keyStore=ServiceCertificate.p12
>> -Djavax.net.ssl.keyStorePassword=password
>> -Djavax.net.ssl.trustStore=clienttruststore.jks
>> -Djavax.net.ssl.trustStorePassword=changeit'
>> 
>> 
>> But It looks like the service certificate configured (for the
>> two-way ssl handshake with MQ and Soap service servers) in
>> 'setenv.sh' file is overwriting the tomcat server ssl
>> configuration configured in 'server.xml' and subsequently tomcat
>> server is down for https and port 443.
>> 
>> Can someone recommend suitable tomcat config to fix this issue.
>> The tomcat config should support both https (port 443) and
>> two-ways ssl handshake with other servers.

Regardless of the actual problem and solution, here, I would always
highly recommend that you use explicit configuration for your
 for your truststore as well as our keystore. Using system
properties is very heavy-handed and ends up applying the same trust
store to a whole variety of components, not just the .

- -chris




Re: Tomcat8 - How to configure ssl certificates for both https and two-way authentication

2017-08-08 Thread Mark Thomas
On 08/08/17 21:03, dsenthil...@gmail.com wrote:
> 
>> Hello,
>>
>> I have configured ssl certificates for below requirements:
>>
>> 1. Tomcat server certificate configuration in 'server.xml' file to run 
>> tomcat server on port 443 and https
>>
>>  > minSpareThreads="25"
>>maxSpareThreads="75" enableLookups="false" 
>> disableUploadTimeout="true"
>>acceptCount="100" scheme="https" secure="true" 
>> SSLEnabled="true" clientAuth="false"
>>sslProtocol="TLSv1.2" 
>> ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256" keystoreFile="Tomcat.HostName.pfx" 
>> keystorePass="password"
>>keystoreType="PKCS12" />
>>
>> 2. Service certificate configuration in 'setenv.sh' file for the two-way ssl 
>> authentication for the connection to MQ / Soap service servers.
>>
>> export JAVA_OPTS='-Djavax.net.ssl.keyStore=ServiceCertificate.p12 
>> -Djavax.net.ssl.keyStorePassword=password 
>> -Djavax.net.ssl.trustStore=clienttruststore.jks 
>> -Djavax.net.ssl.trustStorePassword=changeit'
>>
>>
>> But It looks like the service certificate configured (for the two-way ssl 
>> handshake with MQ and Soap service servers) in 'setenv.sh' file is 
>> overwriting the tomcat server ssl configuration configured in 'server.xml' 
>> and subsequently tomcat server is down for https and port 443.
>>
>> Can someone recommend suitable tomcat config to fix this issue. The tomcat 
>> config should support both https (port 443) and two-ways ssl handshake with 
>> other servers.

Tomcat version?





Tomcat8 - How to configure ssl certificates for both https and two-way authentication

2017-08-08 Thread dsenthil . in

> Hello,
> 
> I have configured ssl certificates for below requirements:
> 
> 1. Tomcat server certificate configuration in 'server.xml' file to run tomcat 
> server on port 443 and https
> 
>   minSpareThreads="25"
>maxSpareThreads="75" enableLookups="false" 
> disableUploadTimeout="true"
>acceptCount="100" scheme="https" secure="true" 
> SSLEnabled="true" clientAuth="false"
>sslProtocol="TLSv1.2" 
> ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256" keystoreFile="Tomcat.HostName.pfx" 
> keystorePass="password"
>keystoreType="PKCS12" />
> 
> 2. Service certificate configuration in 'setenv.sh' file for the two-way ssl 
> authentication for the connection to MQ / Soap service servers.
> 
> export JAVA_OPTS='-Djavax.net.ssl.keyStore=ServiceCertificate.p12 
> -Djavax.net.ssl.keyStorePassword=password 
> -Djavax.net.ssl.trustStore=clienttruststore.jks 
> -Djavax.net.ssl.trustStorePassword=changeit'
> 
> 
> But It looks like the service certificate configured (for the two-way ssl 
> handshake with MQ and Soap service servers) in 'setenv.sh' file is 
> overwriting the tomcat server ssl configuration configured in 'server.xml' 
> and subsequently tomcat server is down for https and port 443.
> 
> Can someone recommend suitable tomcat config to fix this issue. The tomcat 
> config should support both https (port 443) and two-ways ssl handshake with 
> other servers.
> 
> Thanks,
> Senthil
>  




Re: Need help to install GoDaddy's SSL certificates on Tomcat 8.0.32 (Amazon Linux)

2016-06-03 Thread Hardibo Pierre-Jean

here's the tutorial:
https://fr.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239
Use the SHA-2 root and intermediate, and for the last one use my_certificate.
Here's the repo:

https://certs.godaddy.com/repository/

Re: Need help to install GoDaddy's SSL certificates on Tomcat 8.0.32 (Amazon Linux)

2016-06-03 Thread Hardibo Pierre-Jean

gdig2.crt is the intermediate; my_certificate must be the last to configure, so I
think the bundle may be the root.



On 04/06/2016 00:13, Conor Skyler wrote:

Hello Pierre,

Yes, I contacted the technical support at GoDaddy and then basically told
me that I'm on my own and that I should find someone that knows how to
handle the configuration -- that's all the aid they gave me.

I think that there are two separate problems here.
First one, the mismatch between the files I receive zipped and the ones
referred to on the website when it reads:

"The file names for your root and intermediate certificates depend on your
signature algorithm.

- SHA-1 root certificate: gd_class2_root.crt
- SHA-2 root certificate: gdroot-g2.crt
- SHA-1 intermediate certificate: gd.intermediate.crt
- SHA-2 intermediate certificate: gdig2.crt
- (*Java 6/7 only*) SHA-2 Root Certificate: gdroot-g2_cross.crt"

But the files I get when I unzip the downloaded archive are:

my_certificate.crt
gd_bundle-g2-g1.crt
gdig2.crt

So the first thing here is that I don't know how to use them when following the
instructions stated on the site (the only one I can identify is
my_certificate.crt).

With the second issue my guess is that it might be related to the KeyStore
file not holding the private key:
I wasn't given the original tomcat.keystore file (following the example on
GoDaddy's website) so here I'm starting from scratch, generating a new
KeyStore.
What I have though is a PEM file from the person I presume the .csr request
file; is there a way to add it to the KeyStore file I create when following
the instructions on GoDaddy's site?

Thank you very much for stepping in!
-Conor



On Fri, Jun 3, 2016 at 6:09 PM, Hardibo Pierre-Jean 
wrote:


it's all here, no?

https://fr.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239

On 03/06/2016 22:37, Conor Skyler wrote:


Hi again,

At this point I don't know what else to try: I have carefully gone through the
process stated at GoDaddy's website once again trying different
combinations with the certificates (as the instructions provided by GoDaddy
don't match the certificates you download) but the result was the same
as before, it didn't work.

Early today I found this post in StackOverflow:

http://stackoverflow.com/questions/24269293/how-to-import-godaddy-certificates-in-tomcat-given-gd-bundle-g2-g1-crt-gdig2-cr
which somehow brought some hope to me as the title states literally the
issue I'm having: '

http://stackoverflow.com/questions/24269293/how-to-import-godaddy-certificates-in-tomcat-given-gd-bundle-g2-g1-crt-gdig2-crt
'

Sadly after trying everything what's shown there and reading tons of stuff
I still can't make the KeyStore work with my Tomcat server.

Any help will be greatly appreciated.
-Conor



On Wed, Jun 1, 2016 at 6:12 PM, Conor Skyler 
wrote:

Hi Daniel,

Thank you very much for stepping in, I’m processing a new set of
certificates that I hope to try tomorrow.

Warm regards,
-Conor


On Tue, May 31, 2016 at 8:41 AM, Daniel Mikusa 
wrote:

On Mon, May 30, 2016 at 11:26 PM, Conor Skyler 

wrote:

Hello list,

I'm trying to install the certificates I bought from GoDaddy into my Tomcat
server, however so far I've been unsuccessful to achieve this.

My system specs are:
OS: Amazon Linux (fully updated)
Tomcat version: 8.0.32, installed from the repos
Java version: $ java -version
openjdk version "1.8.0_91"
OpenJDK Runtime Environment (build 1.8.0_91-b14)
OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)

To install the certificates I followed this tutorial from GoDaddy
website:

https://ar.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239

which explains how to create a KeyStore and configure the
in the server.xml file.

Follow these instructions.


Now, judging from the official Tomcat documentation in
https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html it's stated
that I first need to convert the .crt files provided by GoDaddy to PKCS12
format -- I wonder then why the instructions in GoDaddy's website state
otherwise!

There's more than one way to do this.  If you started out by following
the GoDaddy instructions to generate your CSR, then continue to follow them
to import your signed certificate.


But then I read this piece of documentation that left me completely

bewildered:
To import an existing certificate signed by your own CA into a PKCS12
keystore using OpenSSL you would execute a command like:

openssl pkcs12 -export -in mycert.crt -inkey mykey.key
 -out mycert.p12 -name tomcat -CAfile myCA.crt
 -caname root -chain

In this example there's a reference to a 'mykey.key' file that I don't
have a clue how to obtain it or from where it comes since when I
download the certificates provided by GoDaddy, there's no such .key
file: I can download several different types of 

Re: Need help to install GoDaddy's SSL certificates on Tomcat 8.0.32 (Amazon Linux)

2016-06-03 Thread Conor Skyler
Hello Pierre,

Yes, I contacted the technical support at GoDaddy and then basically told
me that I'm on my own and that I should find someone that knows how to
handle the configuration -- that's all the aid they gave me.

I think that there are two separate problems here.
First one, the mismatch between the files I receive zipped and the ones
referred to on the website when it reads:

"The file names for your root and intermediate certificates depend on your
signature algorithm.

   - SHA-1 root certificate: gd_class2_root.crt
   - SHA-2 root certificate: gdroot-g2.crt
   - SHA-1 intermediate certificate: gd.intermediate.crt
   - SHA-2 intermediate certificate: gdig2.crt
   - (*Java 6/7 only*) SHA-2 Root Certificate: gdroot-g2_cross.crt"

But the files I get when I unzip the downloaded archive are:

my_certificate.crt
gd_bundle-g2-g1.crt
gdig2.crt

So the first thing here is that I don't know how to use them when following the
instructions stated on the site (the only one I can identify is
my_certificate.crt).

With the second issue my guess is that it might be related to the KeyStore
file not holding the private key:
I wasn't given the original tomcat.keystore file (following the example on
GoDaddy's website) so here I'm starting from scratch, generating a new
KeyStore.
What I have though is a PEM file from the person I presume the .csr request
file; is there a way to add it to the KeyStore file I create when following
the instructions on GoDaddy's site?

Thank you very much for stepping in!
-Conor



On Fri, Jun 3, 2016 at 6:09 PM, Hardibo Pierre-Jean
wrote:

> It's all here, no?
>
> https://fr.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239
>
> On 03/06/2016 22:37, Conor Skyler wrote:
>
>> Hi again,
>>
>> At this point I don't know what else to try: I have carefully gone through the
>> process stated at GoDaddy's website once again, trying different
>> combinations with the certificates (as the instructions provided by
>> GoDaddy don't match the certificates you download), but the result was the same
>> as before: it didn't work.
>>
>> Early today I found this post on StackOverflow, which somehow brought some
>> hope to me as the title states literally the issue I'm having:
>> http://stackoverflow.com/questions/24269293/how-to-import-godaddy-certificates-in-tomcat-given-gd-bundle-g2-g1-crt-gdig2-crt
>>
>> Sadly, after trying everything shown there and reading tons of stuff
>> I still can't make the KeyStore work with my Tomcat server.
>>
>> Any help will be greatly appreciated.
>> -Conor
>>
>>
>> On Wed, Jun 1, 2016 at 6:12 PM, Conor Skyler
>> wrote:
>>
>>> Hi Daniel,
>>>
>>> Thank you very much for stepping in, I'm processing a new set of
>>> certificates that I hope to try tomorrow.
>>>
>>> Warm regards,
>>> -Conor
>>>
>>>
>>> On Tue, May 31, 2016 at 8:41 AM, Daniel Mikusa
>>> wrote:
>>>
>>>> On Mon, May 30, 2016 at 11:26 PM, Conor Skyler
>>>> wrote:
>>>>
>>>>> Hello list,
>>>>>
>>>>> I'm trying to install the certificates I bought from GoDaddy into my Tomcat
>>>>> server, however so far I've been unsuccessful to achieve this.
>>>>>
>>>>> My system specs are:
>>>>> OS: Amazon Linux (fully updated)
>>>>> Tomcat version: 8.0.32, installed from the repos
>>>>> Java version: $ java -version
>>>>> openjdk version "1.8.0_91"
>>>>> OpenJDK Runtime Environment (build 1.8.0_91-b14)
>>>>> OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)
>>>>>
>>>>> To install the certificates I followed this tutorial from GoDaddy's website:
>>>>> https://ar.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239
>>>>> which explains how to create a KeyStore and configure the <Connector> in
>>>>> the server.xml file.
>>>>
>>>> Follow these instructions.
>>>>
>>>>> Now, judging from the official Tomcat documentation in
>>>>> https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html it's stated that I
>>>>> first need to convert the .crt files provided by GoDaddy to PKCS12 format --
>>>>> I wonder then why the instructions on GoDaddy's website state something else!
>>>>
>>>> There's more than one way to do this.  If you started out by following the
>>>> GoDaddy instructions to generate your CSR, then continue to follow them to
>>>> import your signed certificate.
>>>>
>>>>> But then I read this piece of documentation that left me completely
>>>>> bewildered:
>>>>> To import an existing certificate signed by your own CA into a PKCS12
>>>>> keystore using OpenSSL you would execute a command like:
>>>>>
>>>>> openssl pkcs12 -export -in mycert.crt -inkey mykey.key
>>>>>    -out mycert.p12 -name tomcat -CAfile myCA.crt

Re: Need help to install GoDaddy's SSL certificates on Tomcat 8.0.32 (Amazon Linux)

2016-06-03 Thread Hardibo Pierre-Jean

It's all here, no?
https://fr.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239

On 03/06/2016 22:37, Conor Skyler wrote:

> Hi again,
>
> At this point I don't know what else to try: I have carefully gone through the
> process stated at GoDaddy's website once again, trying different
> combinations with the certificates (as the instructions provided by GoDaddy
> don't match the certificates you download), but the result was the same
> as before: it didn't work.
>
> Early today I found this post on StackOverflow, which somehow brought some
> hope to me as the title states literally the issue I'm having:
> http://stackoverflow.com/questions/24269293/how-to-import-godaddy-certificates-in-tomcat-given-gd-bundle-g2-g1-crt-gdig2-crt
>
> Sadly, after trying everything shown there and reading tons of stuff
> I still can't make the KeyStore work with my Tomcat server.
>
> Any help will be greatly appreciated.
> -Conor



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Need help to install GoDaddy's SSL certificates on Tomcat 8.0.32 (Amazon Linux)

2016-06-03 Thread Hardibo Pierre-Jean

GoDaddy didn't give you instructions?

On 03/06/2016 22:37, Conor Skyler wrote:

> Hi again,
>
> At this point I don't know what else to try: I have carefully gone through the
> process stated at GoDaddy's website once again, trying different
> combinations with the certificates (as the instructions provided by GoDaddy
> don't match the certificates you download), but the result was the same
> as before: it didn't work.
>
> Early today I found this post on StackOverflow, which somehow brought some
> hope to me as the title states literally the issue I'm having:
> http://stackoverflow.com/questions/24269293/how-to-import-godaddy-certificates-in-tomcat-given-gd-bundle-g2-g1-crt-gdig2-crt
>
> Sadly, after trying everything shown there and reading tons of stuff
> I still can't make the KeyStore work with my Tomcat server.
>
> Any help will be greatly appreciated.
> -Conor






Re: Need help to install GoDaddy's SSL certificates on Tomcat 8.0.32 (Amazon Linux)

2016-06-03 Thread Conor Skyler
Hi again,

At this point I don't know what else to try: I have carefully gone through the
process stated at GoDaddy's website once again, trying different
combinations with the certificates (as the instructions provided by GoDaddy
don't match the certificates you download), but the result was the same
as before: it didn't work.

Early today I found this post on StackOverflow, which somehow brought some
hope to me as the title states literally the issue I'm having:
http://stackoverflow.com/questions/24269293/how-to-import-godaddy-certificates-in-tomcat-given-gd-bundle-g2-g1-crt-gdig2-crt

Sadly, after trying everything shown there and reading tons of stuff
I still can't make the KeyStore work with my Tomcat server.

Any help will be greatly appreciated.
-Conor



On Wed, Jun 1, 2016 at 6:12 PM, Conor Skyler  wrote:

> Hi Daniel,
>
> Thank you very much for stepping in, I’m processing a new set of
> certificates that I hope to try tomorrow.
>
> Warm regards,
> -Conor
>
>
> On Tue, May 31, 2016 at 8:41 AM, Daniel Mikusa  wrote:
>
>> On Mon, May 30, 2016 at 11:26 PM, Conor Skyler 
>> wrote:
>>
>> > Hello list,
>> >
>> > I'm trying to install the certificates I bought from GoDaddy into my
>> Tomcat
>> > server, however so far I've been unsuccessful to achieve this.
>> >
>> > My system specs are:
>> > OS: Amazon Linux (fully updated)
>> > Tomcat version: 8.0.32, installed from the repos
>> > Java version: $ java -version
>> > openjdk version "1.8.0_91"
>> > OpenJDK Runtime Environment (build 1.8.0_91-b14)
>> > OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)
>> >
>> > To install the certificates I followed this tutorial from GoDaddy
>> website:
>> >
>> >
>> https://ar.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239
>> > which explains how to create a KeyStore and configure the <Connector> in
>> > the server.xml file.
>> >
>>
>> Follow these instructions.
>>
>>
>> >
>> > Now, judging from the official Tomcat documentation in
>> > https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html it's stated
>> that I
>> > first need to convert the .crt files provided by GoDaddy to PKCS12
>> format --
>> > I wonder then why the instructions on GoDaddy's website state something
>> else!
>> >
>>
>> There's more than one way to do this.  If you started out by following the
>> GoDaddy instructions to generate your CSR, then continue to follow them to
>> import your signed certificate.
>>
>>
>> >
>> > But then I read this piece of documentation that left me completely
>> > bewildered:
>> > To import an existing certificate signed by your own CA into a PKCS12
>> > keystore using OpenSSL you would execute a command like:
>> >
>> > openssl pkcs12 -export -in mycert.crt -inkey mykey.key
>> >-out mycert.p12 -name tomcat -CAfile myCA.crt
>> >-caname root -chain
>> >
>> > In this example there's a reference to a 'mykey.key' file that I don't
>> > have a clue how to obtain or where it comes from, since when I
>> > download the certificates provided by GoDaddy, there's no such .key
>> > file: I can download several different types of certificates in .crt
>> > format but there isn't any .key file to download.
>> >
>>
>> This has to do with the way that you generated the CSR.  The GoDaddy
>> instructions have you using keytool and a keystore.  In this case, your
>> private key will exist in the keystore, so you won't have a .key file and
>> that's OK.
>>
>>
>> >
>> > I tried contacting their support and well, they weren't helpful at
>> > all, they pointed me to the repository where all the certificates are
>> > stored and told me to 'find someone that knows how to handle them' --
>> > thanks for nothing :(
>> >
>> > Finally I want to say that I have Tomcat running smooth at port 8080,
>> > I even configured an administrator user to access the status page
>> > which works perfectly, my problem is that I just can't find how to
>> > properly install and configure the SSL.
>> >
>>
>> Follow the GoDaddy instructions.  They should work.  If you get stuck on a
>> specific step, let us know.
>>
>> Dan
>>
>>
>> >
>> > What I'm not sure though is what part or steps I'm missing, I believe
>> > this has to be much simpler than it's been so far for me but
>> > seriously I can't wrap my mind around it.
>> >
>> > Thank you very much for taking the time to read this n00b's help scream.
>> >
>> > Best regards,
>> > -Conor
>> >
>>
>
>


Re: Need help to install GoDaddy's SSL certificates on Tomcat 8.0.32 (Amazon Linux)

2016-06-01 Thread Conor Skyler
Hi Daniel,

Thank you very much for stepping in, I’m processing a new set of
certificates that I hope to try tomorrow.

Warm regards,
-Conor


On Tue, May 31, 2016 at 8:41 AM, Daniel Mikusa  wrote:

> On Mon, May 30, 2016 at 11:26 PM, Conor Skyler 
> wrote:
>
> > Hello list,
> >
> > I'm trying to install the certificates I bought from GoDaddy into my
> Tomcat
> > server, however so far I've been unsuccessful to achieve this.
> >
> > My system specs are:
> > OS: Amazon Linux (fully updated)
> > Tomcat version: 8.0.32, installed from the repos
> > Java version: $ java -version
> > openjdk version "1.8.0_91"
> > OpenJDK Runtime Environment (build 1.8.0_91-b14)
> > OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)
> >
> > To install the certificates I followed this tutorial from GoDaddy
> website:
> >
> >
> https://ar.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239
> > which explains how to create a KeyStore and configure the <Connector> in
> > the server.xml file.
> >
>
> Follow these instructions.
>
>
> >
> > Now, judging from the official Tomcat documentation in
> > https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html it's stated
> that I
> > first need to convert the .crt files provided by GoDaddy to PKCS12 format
> --
> > I wonder then why the instructions on GoDaddy's website state something
> else!
> >
>
> There's more than one way to do this.  If you started out by following the
> GoDaddy instructions to generate your CSR, then continue to follow them to
> import your signed certificate.
>
>
> >
> > But then I read this piece of documentation that left me completely
> > bewildered:
> > To import an existing certificate signed by your own CA into a PKCS12
> > keystore using OpenSSL you would execute a command like:
> >
> > openssl pkcs12 -export -in mycert.crt -inkey mykey.key
> >-out mycert.p12 -name tomcat -CAfile myCA.crt
> >-caname root -chain
> >
> > In this example there's a reference to a 'mykey.key' file that I don't
> > have a clue how to obtain or where it comes from, since when I
> > download the certificates provided by GoDaddy, there's no such .key
> > file: I can download several different types of certificates in .crt
> > format but there isn't any .key file to download.
> >
>
> This has to do with the way that you generated the CSR.  The GoDaddy
> instructions have you using keytool and a keystore.  In this case, your
> private key will exist in the keystore, so you won't have a .key file and
> that's OK.
>
>
> >
> > I tried contacting their support and well, they weren't helpful at
> > all, they pointed me to the repository where all the certificates are
> > stored and told me to 'find someone that knows how to handle them' --
> > thanks for nothing :(
> >
> > Finally I want to say that I have Tomcat running smooth at port 8080,
> > I even configured an administrator user to access the status page
> > which works perfectly, my problem is that I just can't find how to
> > properly install and configure the SSL.
> >
>
> Follow the GoDaddy instructions.  They should work.  If you get stuck on a
> specific step, let us know.
>
> Dan
>
>
> >
> > What I'm not sure though is what part or steps I'm missing, I believe
> > this has to be much simpler than it's been so far for me but
> > seriously I can't wrap my mind around it.
> >
> > Thank you very much for taking the time to read this n00b's help scream.
> >
> > Best regards,
> > -Conor
> >
>


Re: using SSLHostConfig on tomcat 9 in order to get 2 SSL certificates

2016-06-01 Thread Christopher Schultz

Hardibo,

On 6/1/16 9:48 AM, Hardibo Pierre-Jean wrote:
> Hello, when I add the second, or put only the second (tomcat2), the
> browser doesn't reach the website but doesn't stop with an error
> message.

If you connect with openssl s_client, can you see what certificate is
presented with the server handshake?

Depending upon your version of OpenSSL, it may or may not support the
-servername option, which is the way to trigger the use of SNI.

-chris

> On 31/05/2016 18:52, Christopher Schultz wrote:
>
>> Hardibo,
>>
>> On 5/31/16 10:33 AM, Hardibo Pierre-Jean wrote:
>>
>>> Hello, I made two StartSSL certificates because I could only add 5
>>> domains at once.
>>
>> ??!
>>
>>> When I use SSLHostConfig for the domains of the first certificate
>>> everything works, but when I try to add the other domains (second
>>> certificate) the websites are no longer accessible; there is little
>>> documentation about this and no tutorial, so I am stuck. Here is my
>>> connector (server.xml):
>>>
>>> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>            maxThreads="150" SSLEnabled="true" >
>>
>> You'll also want to set secure="true" and scheme="https" on your
>> <Connector>. This might be the only thing you are missing.
>>
>> http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig
>>
>>>   <SSLHostConfig> <!-- hostName attribute lost in the archived message -->
>>>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
>>>                  certificateKeystorePassword="" type="RSA"/>
>>>   </SSLHostConfig>
>>>   <SSLHostConfig hostName="www.tagdirectory.net">
>>>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
>>>                  certificateKeystorePassword="" type="RSA"/>
>>>   </SSLHostConfig>
>>>   <SSLHostConfig hostName="www.xn--kzako-bsa.com">
>>>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
>>>                  certificateKeystorePassword="" type="RSA"/>
>>>   </SSLHostConfig>
>>>   <SSLHostConfig hostName="www.xn--tltravail-b4ab.com">
>>>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
>>>                  certificateKeystorePassword="" type="RSA"/>
>>>   </SSLHostConfig>
>>>   <SSLHostConfig hostName="www.xn--changedeliens-9gb.com">
>>>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
>>>                  certificateKeystorePassword="" type="RSA"/>
>>>   </SSLHostConfig>
>>>   <SSLHostConfig hostName="en.tagdirectory.net">
>>>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
>>>                  certificateKeystorePassword="" type="RSA"/>
>>>   </SSLHostConfig>
>>>   <SSLHostConfig hostName="www.retrogeekzone.com">
>>>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
>>>                  certificateKeystorePassword="" type="RSA"/>
>>>   </SSLHostConfig>
>>>   <SSLHostConfig hostName="en.retrogeekzone.com">
>>>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
>>>                  certificateKeystorePassword="" type="RSA"/>
>>>   </SSLHostConfig>
>>>   <SSLHostConfig hostName="www.troc-livres-informatique.com">
>>>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
>>>                  certificateKeystorePassword="" type="RSA"/>
>>>   </SSLHostConfig>
>>> </Connector>
>>
>> Those all look okay to me. What are you using to test? With a single
>> <SSLHostConfig> can you establish a connection? When you add the
>> second <SSLHostConfig>, how do things change?
>>
>> -chris
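The check Chris describes, written out as an added example that is not part of the thread: a shell function that performs the handshake with a chosen SNI name and reports which certificate came back, plus a self-contained demo against a local `openssl s_server` standing in for a Tomcat with two SSLHostConfigs. OpenSSL 1.1.1 or later is assumed; the names default.test, second.test and other.test are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the thread: the check Chris suggests, in script form.
# Assumes OpenSSL 1.1.1 or later on PATH (s_client -servername; s_server -cert2/-key2).

# sni_leaf_cn HOST PORT SERVERNAME
# Handshake with HOST:PORT sending SERVERNAME in the SNI extension and print the
# CN of the leaf certificate the server chose. With several <SSLHostConfig>
# elements, Tomcat should answer each hostName with that host's certificate and
# fall back to the default SSLHostConfig for names it does not know.
sni_leaf_cn() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Self-contained demo standing in for a Tomcat with two SSLHostConfigs: a local
# s_server serves a "default.test" certificate by default and a "second.test"
# certificate only when the client sends that SNI name. Both certificates and
# all three names are constructed here. Returns 0 when a matching and a
# non-matching name both produce the expected certificate.
demo_sni_selection() {
    dir=$(mktemp -d) || return 1
    port=$(( 20000 + $$ % 20000 ))
    for cn in default second; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn.test" \
            -keyout "$dir/$cn.key" -out "$dir/$cn.pem" >/dev/null 2>&1 || return 1
    done
    openssl s_server -accept "$port" -quiet \
        -cert "$dir/default.pem" -key "$dir/default.key" \
        -servername second.test -cert2 "$dir/second.pem" -key2 "$dir/second.key" \
        >/dev/null 2>&1 &
    srv=$!
    i=0                                   # wait up to ~5 s for the listener
    while [ "$i" -lt 50 ]; do
        openssl s_client -connect "127.0.0.1:$port" </dev/null >/dev/null 2>&1 && break
        i=$((i + 1)); sleep 0.1
    done
    matched=$(sni_leaf_cn 127.0.0.1 "$port" second.test)
    unmatched=$(sni_leaf_cn 127.0.0.1 "$port" other.test)
    kill "$srv" 2>/dev/null; wait "$srv" 2>/dev/null || true
    rm -rf "$dir"
    printf 'SNI second.test -> %s\nSNI other.test  -> %s\n' "$matched" "$unmatched"
    [ "$matched" = "second.test" ] && [ "$unmatched" = "default.test" ]
}

# Against a real server:  sni_leaf_cn www.tagdirectory.net 443 www.tagdirectory.net
# Run the local demo:     sh sni_check.sh demo
if [ "${1:-}" = demo ]; then demo_sni_selection; fi
```

Run `sni_leaf_cn` once per hostName in server.xml: a name that comes back with the default certificate instead of its own is the one whose SSLHostConfig is not being selected. The -servername flag is what sends SNI; without it, or on an OpenSSL too old to have it, every probe shows the default certificate regardless of how Tomcat is configured.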



Re: using SSLHostConfig on tomcat 9 in order to get 2 SSL certificates

2016-06-01 Thread Hardibo Pierre-Jean
Hello, when I add the second, or put only the second (tomcat2), the browser
doesn't reach the website but doesn't stop with an error message.



On 31/05/2016 18:52, Christopher Schultz wrote:

> Hardibo,
>
> On 5/31/16 10:33 AM, Hardibo Pierre-Jean wrote:
>
>> Hello, I made two StartSSL certificates because I could only add 5
>> domains at once.
>
> ??!
>
>> When I use SSLHostConfig for the domains of the first certificate
>> everything works, but when I try to add the other domains (second
>> certificate) the websites are no longer accessible; there is little
>> documentation about this and no tutorial, so I am stuck. Here is
>> my connector (server.xml):
>>
>> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>>            maxThreads="150" SSLEnabled="true" >
>
> You'll also want to set secure="true" and scheme="https" on your
> <Connector>. This might be the only thing you are missing.
>
> http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig
>
>>   <SSLHostConfig> <!-- hostName attribute lost in the archived message -->
>>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
>>                  certificateKeystorePassword="" type="RSA"/>
>>   </SSLHostConfig>
>>   <SSLHostConfig hostName="www.tagdirectory.net">
>>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
>>                  certificateKeystorePassword="" type="RSA"/>
>>   </SSLHostConfig>
>>   <SSLHostConfig hostName="www.xn--kzako-bsa.com">
>>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
>>                  certificateKeystorePassword="" type="RSA"/>
>>   </SSLHostConfig>
>>   <SSLHostConfig hostName="www.xn--tltravail-b4ab.com">
>>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
>>                  certificateKeystorePassword="" type="RSA"/>
>>   </SSLHostConfig>
>>   <SSLHostConfig hostName="www.xn--changedeliens-9gb.com">
>>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
>>                  certificateKeystorePassword="" type="RSA"/>
>>   </SSLHostConfig>
>>   <SSLHostConfig hostName="en.tagdirectory.net">
>>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
>>                  certificateKeystorePassword="" type="RSA"/>
>>   </SSLHostConfig>
>>   <SSLHostConfig hostName="www.retrogeekzone.com">
>>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
>>                  certificateKeystorePassword="" type="RSA"/>
>>   </SSLHostConfig>
>>   <SSLHostConfig hostName="en.retrogeekzone.com">
>>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
>>                  certificateKeystorePassword="" type="RSA"/>
>>   </SSLHostConfig>
>>   <SSLHostConfig hostName="www.troc-livres-informatique.com">
>>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
>>                  certificateKeystorePassword="" type="RSA"/>
>>   </SSLHostConfig>
>> </Connector>
>
> Those all look okay to me. What are you using to test? With a single
> <SSLHostConfig> can you establish a connection? When you add the
> second <SSLHostConfig>, how do things change?
>
> -chris



Re: using SSLHostConfig on tomcat 9 in order to get 2 SSL certificates

2016-05-31 Thread Christopher Schultz

Hardibo,

On 5/31/16 10:33 AM, Hardibo Pierre-Jean wrote:
> Hello, I made two StartSSL certificates because I could only add
> 5 domains at once.

??!

> When I use SSLHostConfig for the domains of the first certificate
> everything works, but when I try to add the other domains (second
> certificate) the websites are no longer accessible; there is little
> documentation about this and no tutorial, so I am stuck. Here is
> my connector (server.xml):
>
> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>            maxThreads="150" SSLEnabled="true" >

You'll also want to set secure="true" and scheme="https" on your
<Connector>. This might be the only thing you are missing.

http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig

>   <SSLHostConfig> <!-- hostName attribute lost in the archived message -->
>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
>                  certificateKeystorePassword="" type="RSA"/>
>   </SSLHostConfig>
>   <SSLHostConfig hostName="www.tagdirectory.net">
>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
>                  certificateKeystorePassword="" type="RSA"/>
>   </SSLHostConfig>
>   <SSLHostConfig hostName="www.xn--kzako-bsa.com">
>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
>                  certificateKeystorePassword="" type="RSA"/>
>   </SSLHostConfig>
>   <SSLHostConfig hostName="www.xn--tltravail-b4ab.com">
>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
>                  certificateKeystorePassword="" type="RSA"/>
>   </SSLHostConfig>
>   <SSLHostConfig hostName="www.xn--changedeliens-9gb.com">
>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
>                  certificateKeystorePassword="" type="RSA"/>
>   </SSLHostConfig>
>   <SSLHostConfig hostName="en.tagdirectory.net">
>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
>                  certificateKeystorePassword="" type="RSA"/>
>   </SSLHostConfig>
>   <SSLHostConfig hostName="www.retrogeekzone.com">
>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
>                  certificateKeystorePassword="" type="RSA"/>
>   </SSLHostConfig>
>   <SSLHostConfig hostName="en.retrogeekzone.com">
>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
>                  certificateKeystorePassword="" type="RSA"/>
>   </SSLHostConfig>
>   <SSLHostConfig hostName="www.troc-livres-informatique.com">
>     <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
>                  certificateKeystorePassword="" type="RSA"/>
>   </SSLHostConfig>
> </Connector>

Those all look okay to me. What are you using to test? With a single
<SSLHostConfig> can you establish a connection? When you add the
second <SSLHostConfig>, how do things change?

-chris



using SSLHostConfig on tomcat 9 in order to get 2 SSL certificates

2016-05-31 Thread Hardibo Pierre-Jean
Hello, I made two StartSSL certificates because I could only add 5
domains at once.
When I use SSLHostConfig for the domains of the first certificate
everything works, but when I try to add the other domains (second
certificate) the websites are no longer accessible; there is little
documentation about this and no tutorial, so I am stuck.

Here is my connector (server.xml):

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" >
  <SSLHostConfig> <!-- hostName attribute lost in the archived message -->
    <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
                 certificateKeystorePassword="" type="RSA"/>
  </SSLHostConfig>
  <SSLHostConfig hostName="www.tagdirectory.net">
    <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
                 certificateKeystorePassword="" type="RSA"/>
  </SSLHostConfig>
  <SSLHostConfig hostName="www.xn--kzako-bsa.com">
    <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
                 certificateKeystorePassword="" type="RSA"/>
  </SSLHostConfig>
  <SSLHostConfig hostName="www.xn--tltravail-b4ab.com">
    <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
                 certificateKeystorePassword="" type="RSA"/>
  </SSLHostConfig>
  <SSLHostConfig hostName="www.xn--changedeliens-9gb.com">
    <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
                 certificateKeystorePassword="" type="RSA"/>
  </SSLHostConfig>
  <SSLHostConfig hostName="en.tagdirectory.net">
    <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
                 certificateKeystorePassword="" type="RSA"/>
  </SSLHostConfig>
  <SSLHostConfig hostName="www.retrogeekzone.com">
    <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
                 certificateKeystorePassword="" type="RSA"/>
  </SSLHostConfig>
  <SSLHostConfig hostName="en.retrogeekzone.com">
    <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
                 certificateKeystorePassword="" type="RSA"/>
  </SSLHostConfig>
  <SSLHostConfig hostName="www.troc-livres-informatique.com">
    <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
                 certificateKeystorePassword="" type="RSA"/>
  </SSLHostConfig>
</Connector>

Thanks for your help!





Re: Need help to install GoDaddy's SSL certificates on Tomcat 8.0.32 (Amazon Linux)

2016-05-31 Thread Daniel Mikusa
On Mon, May 30, 2016 at 11:26 PM, Conor Skyler 
wrote:

> Hello list,
>
> I'm trying to install the certificates I bought from GoDaddy into my Tomcat
> server, however so far I've been unsuccessful to achieve this.
>
> My system specs are:
> OS: Amazon Linux (fully updated)
> Tomcat version: 8.0.32, installed from the repos
> Java version: $ java -version
> openjdk version "1.8.0_91"
> OpenJDK Runtime Environment (build 1.8.0_91-b14)
> OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)
>
> To install the certificates I followed this tutorial from GoDaddy website:
>
> https://ar.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239
> which explains how to create a KeyStore and configure the <Connector> in
> the server.xml file.
>

Follow these instructions.


>
> Now, judging from the official Tomcat documentation in
> https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html it's stated that I
> first need to convert the .crt files provided by GoDaddy to PKCS12 format --
> I wonder then why the instructions on GoDaddy's website state something else!
>

There's more than one way to do this.  If you started out by following the
GoDaddy instructions to generate your CSR, then continue to follow them to
import your signed certificate.


>
> But then I read this piece of documentation that left me completely
> bewildered:
> To import an existing certificate signed by your own CA into a PKCS12
> keystore using OpenSSL you would execute a command like:
>
> openssl pkcs12 -export -in mycert.crt -inkey mykey.key
>-out mycert.p12 -name tomcat -CAfile myCA.crt
>-caname root -chain
>
> In this example there's a reference to a 'mykey.key' file that I don't
> have a clue how to obtain or where it comes from, since when I
> download the certificates provided by GoDaddy, there's no such .key
> file: I can download several different types of certificates in .crt
> format but there isn't any .key file to download.
>

This has to do with the way that you generated the CSR.  The GoDaddy
instructions have you using keytool and a keystore.  In this case, your
private key will exist in the keystore, so you won't have a .key file and
that's OK.


>
> I tried contacting their support and well, they weren't helpful at
> all, they pointed me to the repository where all the certificates are
> stored and told me to 'find someone that knows how to handle them' --
> thanks for nothing :(
>
> Finally I want to say that I have Tomcat running smooth at port 8080,
> I even configured an administrator user to access the status page
> which works perfectly, my problem is that I just can't find how to
> properly install and configure the SSL.
>

Follow the GoDaddy instructions.  They should work.  If you get stuck on a
specific step, let us know.

Dan


>
> What I'm not sure though is what part or steps I'm missing, I believe
> this has to be much simpler than it's been so far for me but
> seriously I can't wrap my mind around it.
>
> Thank you very much for taking the time to read this n00b's help scream.
>
> Best regards,
> -Conor
>


Need help to install GoDaddy's SSL certificates on Tomcat 8.0.32 (Amazon Linux)

2016-05-30 Thread Conor Skyler
Hello list,

I'm trying to install the certificates I bought from GoDaddy into my Tomcat
server, however so far I've been unsuccessful to achieve this.

My system specs are:
OS: Amazon Linux (fully updated)
Tomcat version: 8.0.32, installed from the repos
Java version: $ java -version
openjdk version "1.8.0_91"
OpenJDK Runtime Environment (build 1.8.0_91-b14)
OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)

To install the certificates I followed this tutorial from GoDaddy website:
https://ar.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239
which explains how to create a KeyStore and configure the <Connector> in
the server.xml file.

Now, judging from the official Tomcat documentation in
https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html it's stated that I
first need to convert the .crt files provided by GoDaddy to PKCS12 format --
I wonder then why the instructions on GoDaddy's website say something else!

But then I read this piece of documentation that left me completely
bewildered:
To import an existing certificate signed by your own CA into a PKCS12
keystore using OpenSSL you would execute a command like:

openssl pkcs12 -export -in mycert.crt -inkey mykey.key
   -out mycert.p12 -name tomcat -CAfile myCA.crt
   -caname root -chain

In this example there's a reference to a 'mykey.key' file that I don't
have a clue how to obtain it or from where it comes since when I
download the certificates provided by GoDaddy, there's no such .key
file: I can download several different types of certificates in .crt
format but there isn't any .key file to download.

I tried contacting their support and well, they weren't any helpful at
all, they pointed me to the repository where all the certificates are
stored and told me to 'find someone that knows how to handle them' --
thanks for nothing :(

Finally I want to say that I have Tomcat running smooth at port 8080,
I even configured an administrator user to access the status page
which works perfectly, my problem is that I just can't find how to
properly install and configure the SSL.

What I'm not sure though is what part or steps I'm missing. I believe
this has to be much simpler than it's been so far for me, but
seriously I can't wrap my mind around it.

Thank you very much for taking the time to read this n00b's help scream.

Best regards,
-Conor


TC9: Configuring ProtocolHandler SSL certificates (SSLHostConfig) via JMX

2016-04-14 Thread Miroslav Šulc
Hi,

I am very new to JMX so maybe I miss an important piece that prevents me
from configuring SSL certificates in ProtocolHandler via JMX.

I just implemented modification of the aliases property on Host via JMX,
which seems to work fine. I would like to set SSL certificates for some of
those aliases via JMX as well. I found out that ProtocolHandler has
methods findSslHostConfigs() for retrieval of existing SSL
configurations and addSslHostConfig() for adding a new SSLHostConfig instance.

My web application is built on Apache Felix and consists of OSGi
bundles. I have no idea how to (and if ever I should) import
tomcat-coyote "bundle" so that I could create new instance of
SSLHostConfig to be able to add it to the ProtocolHandler. I suppose
there might also be issues with incompatible classes, different
classloaders etc so it does not sound like a good solution anyway. In my
opinion a clean way would be to provide a factory for creation of new
instances of SSLHostConfig (maybe just createSslHostConfig() or
newSslHostConfig() method on ProtocolHandler?) so these could be
instantiated by Tomcat code and classloader, configured (via reflection)
and added to the ProtocolHandler.

Or is there another way to do this?

Thanks for any help.

Miroslav

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Updating SSL certificates

2016-02-19 Thread Mark Thomas
On 19/02/2016 15:23, Christopher Schultz wrote:
> Mark,
> 
> On 2/18/16 5:15 PM, Mark Thomas wrote:
>> On 18/02/2016 22:03, James H. H. Lampert wrote:
>>> Out of morbid curiosity, is there a way to make a certificate
>>> update take effect without restarting Tomcat?
> 
>> Sort of.
> 
>> Set bindOnInit on the connector to false.
> 
>> Modify the config via JMX.
> 
>> Then you should be able to use JMX to call stop() followed by
>> start() on the TLS connector which should re-initialise the TLS
>> settings from the in-memory config.
> 
> Theoretically, this should also allow re-loading of a CRL, right?

In theory yes. But this is entirely untested and based solely on code
inspection.

There will also be a small gap where requests could get rejected.

Mark


> 
> I keep meaning to write an auto-reloading CRL component for Tomcat,
> but I haven't gotten around to doing it, yet. :(
> 
> -chris
> 



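An added example (not from the thread and not Tomcat's own code) of driving the steps Mark lists from outside the JVM with a plain JMX client. Everything about names is an assumption to confirm in jconsole against your build: Tomcat started with -Dcom.sun.management.jmxremote.port=9010 plus a password file (and SSL, or bound to localhost only, since write access to JMX is code execution on the server); the TLS connector on port 8443 with bindOnInit="false", which moves bind()/unbind(), and with them the creation of the SSL context, into start()/stop(); the connector MBean Catalina:type=Connector,port=8443 exposing a keystoreFile attribute and stop/start operations (Tomcat 8.0); and, on later 8.5/9 builds, the Catalina:type=ProtocolHandler,port=8443 MBean exposing reloadSslHostConfigs, which re-reads the configured key and certificate files without touching the listening socket. If the connector sets address="...", both object names also carry address="...".

```java
import java.util.HashMap;
import java.util.Map;
import javax.management.Attribute;
import javax.management.MBeanOperationInfo;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Added example, not Tomcat code. Usage: java TlsReload [host] [new keystore path]
 * MBean names, attribute and operation names are assumptions; check them in jconsole.
 */
public class TlsReload {

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";
        String keystore = args.length > 1 ? args[1] : null; // null: keep the configured path
        int tlsPort = 8443;                                  // assumed TLS connector port

        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://" + host + ":9010/jmxrmi");
        Map<String, Object> env = new HashMap<>();
        // Credentials from jmxremote.password; the password comes from the
        // environment so it does not land in shell history or the process list.
        env.put(JMXConnector.CREDENTIALS,
                new String[] { "tomcat-reload", System.getenv("JMX_PASSWORD") });

        try (JMXConnector jmxc = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection mbs = jmxc.getMBeanServerConnection();
            ObjectName handler = new ObjectName("Catalina:type=ProtocolHandler,port=" + tlsPort);
            ObjectName connector = new ObjectName("Catalina:type=Connector,port=" + tlsPort);

            if (mbs.isRegistered(handler) && hasOperation(mbs, handler, "reloadSslHostConfigs")) {
                // Later 8.5/9 builds: re-read key/cert files in place, socket stays open,
                // so there is no window of rejected requests.
                mbs.invoke(handler, "reloadSslHostConfigs", null, null);
                System.out.println("reloadSslHostConfigs invoked on " + handler);
            } else {
                // Tomcat 8.0: change the in-memory config first, then bounce the
                // connector. Requests arriving between stop() and start() are refused,
                // so drain this node at the load balancer before running this.
                if (keystore != null) {
                    mbs.setAttribute(connector, new Attribute("keystoreFile", keystore));
                }
                mbs.invoke(connector, "stop", null, null);
                mbs.invoke(connector, "start", null, null);
                System.out.println("connector " + connector + " restarted");
            }
        }
    }

    // True if the MBean advertises a no-arg operation with this name.
    private static boolean hasOperation(MBeanServerConnection mbs, ObjectName name, String op)
            throws Exception {
        for (MBeanOperationInfo info : mbs.getMBeanInfo(name).getOperations()) {
            if (info.getName().equals(op) && info.getSignature().length == 0) {
                return true;
            }
        }
        return false;
    }
}
```

Either branch leaves the in-memory config and the on-disk server.xml out of sync if you only changed the attribute over JMX, so also edit server.xml, or the old keystore comes back at the next full restart.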


Re: Updating SSL certificates

2016-02-19 Thread Christopher Schultz

Mark,

On 2/18/16 5:15 PM, Mark Thomas wrote:
> On 18/02/2016 22:03, James H. H. Lampert wrote:
>> Out of morbid curiosity, is there a way to make a certificate
>> update take effect without restarting Tomcat?
> 
> Sort of.
> 
> Set bindOnInit on the connector to false.
> 
> Modify the config via JMX.
> 
> Then you should be able to use JMX to call stop() followed by
> start() on the TLS connector which should re-initialise the TLS
> settings from the in-memory config.

Theoretically, this should also allow re-loading of a CRL, right?

I keep meaning to write an auto-reloading CRL component for Tomcat,
but I haven't gotten around to doing it, yet. :(

-chris




Re: Updating SSL certificates

2016-02-18 Thread Mark Thomas
On 18/02/2016 22:03, James H. H. Lampert wrote:
> Out of morbid curiosity, is there a way to make a certificate update
> take effect without restarting Tomcat?

Sort of.

Set bindOnInit on the connector to false.

Modify the config via JMX.

Then you should be able to use JMX to call stop() followed by start() on
the TLS connector which should re-initialise the TLS settings from the
in-memory config.

Mark





Updating SSL certificates

2016-02-18 Thread James H. H. Lampert
Out of morbid curiosity, is there a way to make a certificate update 
take effect without restarting Tomcat?


--
JHHL




RE: Multiple SSL certificates on one Instance

2015-03-17 Thread Jeffrey Janner
> -Original Message-
> From: Rory Kelly [mailto:rory.ke...@fernsoftware.com]
> Sent: Monday, March 16, 2015 7:53 AM
> To: Tomcat Users List
> Subject: Multiple SSL certificates on one Instance
>
> Hey guys,
>
> I’ve a bad feeling what I’m trying to do is impossible, and I’m going to
> have to implement a different solution. Been hunting for an answer, but
> couldn’t find anything definite.
>
> I’m running Tomcat 8.0.18,
> Java 1.7.0_75-b13,
> Ubuntu 14.04.
>
> I have multiple sites running on Virtual Hosts on the instance. For a bit
> of background, I am intending on creating a 2-server load balanced system
> using nginx as a balancer on virtual servers (Best I can do, given our
> hosting/not possible to move away from it)
>
> I need each site to be protected by its own SSL certificate, provided by
> the client for each site.
>
> Can I actually have multiple SSL certs with Tomcat Virtual Hosts, or am I
> going to have to go learn nginx/httpd and provide it that way?
>
> Thanks,
>
> Rory
Rory -
The guys have all given some hints that this is probably coming, but not yet 
here. The rest of the answers depends on your ultimate requirements.
If you require that all the hosts are truly virtual, i.e. they all listen to 
the same IP-port combo, then it's definitely easier/better to terminate the SSL 
on your NGINX load-balancer, which presumably already has the needed support. 
There are some minor adjustments on the Tomcat connector config, but they are 
adequately explained in the Tomcat docs. Plus terminating on the load-balancer 
will save some processing cycles in Tomcat.
If you have the ability to assign multiple IP-port combo, then there's really 
only 1 way to do it on the Tomcat side: Create a unique Service tree for each 
host.  This tree will have its own Engine, Connector, Valve, Host, etc. 
entries, basically everything you might need that can't be put at the Global 
level. Be sure to specify both an HTTP and HTTPS connector so that TRANSPORT 
GUARANTEE will function properly.  Trying to do it all inside one Service 
tree is just asking for trouble.
If you go back in the archives a year or so, I think I posted a sample 
server.xml implementing the above.
Jeff


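A server.xml skeleton for the layout Jeff describes, as an added example (it is not the sample he mentions posting): one Service per site, each bound to its own IP, with both an HTTP and an HTTPS connector so redirectPort and CONFIDENTIAL transport guarantees work. Tomcat 8.0.x connector attributes are used. The IPs are RFC 5737 documentation addresses; the hostnames, paths and ${...} password properties (resolved from catalina.properties or -D system properties, which keeps the passwords out of server.xml) are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. Tomcat 8.0.x syntax. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Site A. Everything below <Server> is duplicated per site; nothing that
       lives under a Service (Engine, Realm, Valves, Executor) is shared. -->
  <Service name="site-a">
    <Connector address="192.0.2.10" port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector address="192.0.2.10" port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" maxThreads="150"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
               keystoreFile="${catalina.base}/conf/site-a.jks"
               keystorePass="${site.a.keystore.pass}"
               keyAlias="tomcat" clientAuth="false" />
    <Engine name="site-a" defaultHost="a.example.com">
      <Host name="a.example.com" appBase="webapps-a"
            unpackWARs="true" autoDeploy="false" />
    </Engine>
  </Service>

  <!-- Site B: same shape, its own IP, keystore, Engine name and appBase. -->
  <Service name="site-b">
    <Connector address="192.0.2.11" port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector address="192.0.2.11" port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" maxThreads="150"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
               keystoreFile="${catalina.base}/conf/site-b.jks"
               keystorePass="${site.b.keystore.pass}"
               keyAlias="tomcat" clientAuth="false" />
    <Engine name="site-b" defaultHost="b.example.com">
      <Host name="b.example.com" appBase="webapps-b"
            unpackWARs="true" autoDeploy="false" />
    </Engine>
  </Service>

</Server>
```

The example keeps 8080/8443 and assumes the nginx balancer in front forwards to them; binding 80/443 directly needs root or a capability. Engine names must be unique because they are part of the JMX object names, and each Engine needs its own Realm if the sites authenticate users.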


Re: Multiple SSL certificates on one Instance

2015-03-17 Thread Christopher Schultz

Stefan,

On 3/16/15 5:03 PM, Stefan Frei wrote:
> 2 points:
>
> configuring the reverse proxy is simpler.

s/simpler/possible/

> tomcat may be harder to troubleshoot.

Tomcat can't even do SNI at this point.

> i would use the proxy to do that, in fact we use a squid reverse proxy
> to solve exactly the same problem.

It's nice not to have to introduce a reverse proxy unless it's
actually necessary. Tomcat should really support SNI.

-chris

> 2015-03-16 14:16 GMT+01:00 Mark Thomas ma...@apache.org:
>> On 16/03/2015 12:53, Rory Kelly wrote:
>>> Hey guys,
>>>
>>> I’ve a bad feeling what I’m trying to do is impossible, and I’m
>>> going to have to implement a different solution. Been hunting
>>> for an answer, but couldn’t find anything definite.
>>>
>>> I’m running Tomcat 8.0.18,
>>> Java 1.7.0_75-b13,
>>> Ubuntu 14.04.
>>>
>>> I have multiple sites running on Virtual Hosts on the instance.
>>> For a bit of background, I am intending on creating a 2-server
>>> load balanced system using nginx as a balancer on virtual
>>> servers (Best I can do, given our hosting/not possible to move
>>> away from it)
>>>
>>> I need each site to be protected by its own SSL certificate,
>>> provided by the client for each site.
>>>
>>> Can I actually have multiple SSL certs with Tomcat Virtual
>>> Hosts, or am I going to have to go learn nginx/httpd and
>>> provide it that way?
>>
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=57108
>>
>> Mark
>>
>>> Thanks,
>>>
>>> Rory


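The piece Chris and Mark say is missing arrived in Tomcat 8.5: SNI support, with one SSLHostConfig per hostname under a single connector, so a reverse proxy is no longer needed just to serve several certificates from one IP and port. The configuration below is an added example (not from the thread); hostnames, paths and ${...} password properties are placeholders, and the Host names under the Engine must match the hostName values.

```xml
<!-- Added example, not from the thread. Tomcat 8.5+ / 9 / 10 syntax:
     the certificate is chosen by the server name the client sends in the
     TLS handshake (SNI); one Connector, one SSLHostConfig per site. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" maxThreads="150"
           defaultSSLHostConfigName="a.example.com">

  <!-- Served when the client asks for a.example.com, and to clients that send
       no SNI or an unknown name, because it is the default above. -->
  <SSLHostConfig hostName="a.example.com" protocols="TLSv1.2+TLSv1.3">
    <Certificate certificateKeystoreFile="${catalina.base}/conf/site-a.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="${site.a.keystore.pass}"
                 certificateKeyAlias="tomcat" type="RSA" />
  </SSLHostConfig>

  <!-- Served only when the client asks for b.example.com. -->
  <SSLHostConfig hostName="b.example.com" protocols="TLSv1.2+TLSv1.3">
    <Certificate certificateKeystoreFile="${catalina.base}/conf/site-b.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="${site.b.keystore.pass}"
                 certificateKeyAlias="tomcat" type="RSA" />
  </SSLHostConfig>
</Connector>
```

hostName also accepts wildcards such as *.example.com. Because an unknown or absent SNI name falls back to the default entry, a scanner hitting the bare IP sees site A's certificate and hostname; SNI selects a certificate, it is not access control. TLSv1.3 needs Java 11+ or tomcat-native; on Java 8 use protocols="TLSv1.2".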


Re: Multiple SSL certificates on one Instance

2015-03-16 Thread Mark Thomas
On 16/03/2015 12:53, Rory Kelly wrote:
> Hey guys,
>
> I’ve a bad feeling what I’m trying to do is impossible, and I’m going to
> have to implement a different solution. Been hunting for an answer, but
> couldn’t find anything definite.
>
> I’m running Tomcat 8.0.18,
> Java 1.7.0_75-b13,
> Ubuntu 14.04.
>
> I have multiple sites running on Virtual Hosts on the instance. For a bit
> of background, I am intending on creating a 2-server load balanced system
> using nginx as a balancer on virtual servers (Best I can do, given our
> hosting/not possible to move away from it)
>
> I need each site to be protected by its own SSL certificate, provided by
> the client for each site.
>
> Can I actually have multiple SSL certs with Tomcat Virtual Hosts, or am I
> going to have to go learn nginx/httpd and provide it that way?

https://bz.apache.org/bugzilla/show_bug.cgi?id=57108

Mark

> Thanks,
>
> Rory





Multiple SSL certificates on one Instance

2015-03-16 Thread Rory Kelly
Hey guys,

I’ve a bad feeling what I’m trying to do is impossible, and I’m going to
have to implement a different solution. Been hunting for an answer, but
couldn’t find anything definite.

I’m running Tomcat 8.0.18,
Java 1.7.0_75-b13,
Ubuntu 14.04.

I have multiple sites running on Virtual Hosts on the instance. For a bit
of background, I am intending on creating a 2-server load balanced system
using nginx as a balancer on virtual servers (Best I can do, given our
hosting/not possible to move away from it)

I need each site to be protected by its own SSL certificate, provided by
the client for each site.

Can I actually have multiple SSL certs with Tomcat Virtual Hosts, or am I
going to have to go learn nginx/httpd and provide it that way?

Thanks,

Rory


Re: Multiple SSL certificates on one Instance

2015-03-16 Thread Stefan Frei
Hi,

2 points:

Configuring the reverse proxy is simpler.
Tomcat may be harder to troubleshoot.

I would use the proxy to do that; in fact we use a squid reverse proxy to
solve exactly the same problem.

Regards

Stefan

2015-03-16 14:16 GMT+01:00 Mark Thomas ma...@apache.org:
> On 16/03/2015 12:53, Rory Kelly wrote:
>> Hey guys,
>>
>> I’ve a bad feeling what I’m trying to do is impossible, and I’m going to
>> have to implement a different solution. Been hunting for an answer, but
>> couldn’t find anything definite.
>>
>> I’m running Tomcat 8.0.18,
>> Java 1.7.0_75-b13,
>> Ubuntu 14.04.
>>
>> I have multiple sites running on Virtual Hosts on the instance. For a bit
>> of background, I am intending on creating a 2-server load balanced system
>> using nginx as a balancer on virtual servers (Best I can do, given our
>> hosting/not possible to move away from it)
>>
>> I need each site to be protected by its own SSL certificate, provided by
>> the client for each site.
>>
>> Can I actually have multiple SSL certs with Tomcat Virtual Hosts, or am I
>> going to have to go learn nginx/httpd and provide it that way?
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=57108
>
> Mark
>
>> Thanks,
>>
>> Rory





Re: Deploying .ca-bundle file .crt file as SSL certificates

2014-11-27 Thread Kernel freak
On Wed, Nov 26, 2014 at 7:21 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:

> To whom it may concern,
>
> On 11/26/14 12:00 PM, Kernel freak wrote:
>> On Wed, Nov 26, 2014 at 5:33 PM, Christopher Schultz
>> ch...@christopherschultz.net wrote:
>>
>>> To whom it may concern,
>>>
>>> On 11/26/14 9:03 AM, Kernel freak wrote:
>>>> After arguing with the admins for all this time, I finally
>>>> have the few files ready. I have the following files :
>>>>
>>>> keystore.p12
>>>
>>> That should contain your key. Can you confirm that with a 'keytool
>>> -list'?
>>>
>>>> server.crt
>>>
>>> Is this the certificate that was signed by the CA?
>>
>> Yes, this is a certificate signed by the CA, but it's a
>> server certificate; the domain certificate is below.

This server.crt is provided by the hosting guys. I told them I will need a
certificate for the server on which my domain is hosted, and I got this
file.

> I have no idea what a domain certificate is. A cert is a cert, and
> it's signed by another cert all the way up to a root cert, known as a
> CA who has widespread trust.

Hi, the domain certificate is the one which I want to deploy. It is the one
provided by the CA.

>>>> ssl-cert-snakeoil.key
>>>
>>> Uh, oh. That looks like one of OpenSSL's built-in CAs that are
>>> used for documentation and instructional purposes. I hope this
>>> isn't being used for anything at all.
>>>
>>>> domainname.com.ca-bundle
>>>
>>> This should be the bundle of certificates for your domain, which
>>> may include intermediate certificates. Are you using your own
>>> internal CA or something?
>>>
>>>> domainname.com.crt
>>>
>>> Which certificate is this?
>>
>> This is the SSL certificate which has to be deployed.
>>
>>>> domainname.com.csr
>>>
>>> Is this the CSR that you generated yourself?
>>
>> No, this is also provided by the hosting guys.
>
> So, did your hosting guys generate everything for you, then? It's
> customary to create your own key and CSR and then merely have the CA
> sign the CSR which results in your certificate. You import your
> certificate and, if necessary, any intermediate certificates your
> clients will require to form a trust chain from your server's cert up
> to the root that the client trusts.

The hosting guys only generated the server.crt, and domainname.crt was
provided by the trusted authority. Can you tell me why the commands you
provided (the same as in the Apache user guide) are not working, showing me
the error "unable to load certificates"?

Thank you for your patience.


Re: Deploying .ca-bundle file .crt file as SSL certificates

2014-11-26 Thread Kernel freak
Hello,

After arguing with the admins for all this time, I finally have the few
files ready. I have the following files :

keystore.p12, server.crt, ssl-cert-snakeoil.key, domainname.com.ca-bundle,
domainname.com.crt domainname.com.csr domainname.com.key, vsftpd.pem.

I did the following as Christoph said:

root@domainname:/etc/ssl/private# openssl pkcs12 -export -in server.crt
-inkey ssl-cert-snakeoil.key -certfile domainname.com.crt -out keystore.p12
-chain  (pressed enter here)
unable to load certificates  // This is the error.

If I just plain import the .crt file like this:

keytool -import -alias tomcat -file domainname.com.crt -keystore
/root/.keystore,

Then firefox gives me this error :

An error occurred during a connection to domainname.com:8443. Cannot
communicate securely with peer: no common encryption algorithm(s). (Error
code: ssl_error_no_cypher_overlap)

The page you are trying to view cannot be shown because the
authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.





On Tue, Nov 25, 2014 at 10:24 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:

> To whom it may concern,
>
> On 11/25/14 3:32 AM, Kernel freak wrote:
>> I don't have the server.key and server.crt. I have root access to
>> server, I can generate my own if necessary. I only have .crt and
>> .ca-bundle file. Can you tell me what to do. Thank you very much
>> for your help.
>
> If you don't have the server's key but you have the server's
> certificate, then you must start all over again because the key is
> half of a paired key.
>
> Did you generate the CSR yourself? With what key did you generate that
> CSR? If someone else generated the CSR, go ask them where the key is
> that they used.
>
> If you have lost the key then you must redo the whole process,
> starting with generating a new key and CSR, then get the CSR signed.
> Then, import the signed certificate back into the same keystore. Then,
> configure Tomcat to use that keystore.
>
> The instructions on the Tomcat users' guide are fairly straightforward
> even if they don't explain the intricacies of public key
> infrastructure -- that's outside the scope of the users' guide.
>
> Thanks,
> -chris
>
>> On Mon, Nov 24, 2014 at 7:48 PM, Christopher Schultz
>> ch...@christopherschultz.net wrote:
>>
>>> Niranjan,
>>>
>>> On 11/24/14 10:51 AM, Niranjan Babu Bommu wrote:
>>>> I think you have create a keystore from the cert, please
>>>> follow these instruction and ket me know.
>>>>
>>>> Create store with temporary key inside:
>>>>
>>>> keytool -genkey -alias alias name -keystore yourkeystore.jks -storepass Hello1
>>>>
>>>> Then delete existing entry:
>>>>
>>>> keytool -delete -alias temp -keystore yourkeystore.jks -storepass Hello1
>>>>
>>>> Now you've got empty store. You can check that it's empty:
>>>>
>>>> keytool -list -keystore yourkeystore.jks -storepass Hello1
>>>>
>>>> Then import your certificate to the store:
>>>>
>>>> keytool -import -alias alias name -file cert_file.crt -keypass keypass
>>>>   -keystore yourkeystore.jks -storepass Hello1
>>>
>>> Nope: the existing key *and* cert need to be imported
>>> simultaneously into the keystore. If the OP already has a cert,
>>> he's already got a key, too.
>>>
>>> The problem is that you probably started with OpenSSL to generate
>>> your keys and stuff. Here is the proper procedure to import your
>>> key, certificate, and CA bundle into a Java keystore.
>>>
>>> You'll need these files:
>>>
>>> server.key (this is your server's secret key)
>>> server.crt (this is your server's certificate, signed by the CA)
>>> ca.crt (this is your CA's certificate)
>>>
>>> Here is the incantation:
>>>
>>> $ openssl pkcs12 -export -in server.crt -inkey server.key \
>>>   -certfile ca.crt -out keystore.p12 -chain
>>>
>>> $ $JAVA_HOME/bin/keytool -importkeystore -srckeystore keystore.p12 \
>>>   -srcstoretype pkcs12 \
>>>   -destkeystore keystore.jks
>>>
>>> Now, use keystore.jks in Tomcat's server.xml.
>>>
>>> If you already had created your key and cert request using Java's
>>> 'keytool', then you can instead just import the signed certificate
>>> into your keystore:
>>>
>>> $ $JAVA_HOME/bin/keytool -importcert -file server.crt \
>>>   -keystore keystore.jks \
>>>   -alias [alias]
>>>
>>> If you used an alias to create the certificate signing request
>>> (CSR), then use the same alias in the above command.
>>>
>>> -chris

Re: Deploying .ca-bundle file .crt file as SSL certificates

2014-11-26 Thread Christopher Schultz

To whom it may concern,

On 11/26/14 9:03 AM, Kernel freak wrote:
> After arguing with the admins for all this time, I finally have the
> few files ready. I have the following files :
>
> keystore.p12

That should contain your key. Can you confirm that with a 'keytool -list'?

> server.crt

Is this the certificate that was signed by the CA?

> ssl-cert-snakeoil.key

Uh, oh. That looks like one of OpenSSL's built-in CAs that are used
for documentation and instructional purposes. I hope this isn't being
used for anything at all.

> domainname.com.ca-bundle

This should be the bundle of certificates for your domain, which may
include intermediate certificates. Are you using your own internal CA
or something?

> domainname.com.crt

Which certificate is this?

> domainname.com.csr

Is this the CSR that you generated yourself?

> domainname.com.key

Weird. Okay, I would expect domainname.com.key to have the key that
was used to generate domainname.com.csr, and that domainname.com.crt
is a signed version of that CSR. That should be all you need... I'm
not sure what all the other stuff is.

> vsftpd.pem.

What is this?

> I did the following as Christoph said:
>
> root@domainname:/etc/ssl/private# openssl pkcs12 -export -in
> server.crt -inkey ssl-cert-snakeoil.key -certfile
> domainname.com.crt -out keystore.p12 -chain  (pressed enter here)
> unable to load certificates  // This is the error.

I think you might want to do this:

$ openssl pkcs12 -export -in domainname.com.crt \
  -inkey domainname.com.key \
  -certfile domainname.com.ca-bundle \
  -out keystore.p12 -chain

$ keytool -importkeystore -srckeystore keystore.p12 \
  -srcstoretype pkcs12 \
  -destkeystore keystore.jks

You are supposed to be able to use PKCS12 keystores directly with
Tomcat, but IIRC it's a pain and a bit more finicky than with just a
normal JKS-format keystore.

> If I just plain import the .crt file like this:
>
> keytool -import -alias tomcat -file domainname.com.crt -keystore
> /root/.keystore

A couple of things:

1. Don't run as root. Not for anything. Not even to run keytool.
2. Don't store your keystore under /root/.keystore, or you'll (likely)
have to run Tomcat as root. You can put your keystore anywhere you
want and point Tomcat to it explicitly.
3. If you import a certificate into a keystore and there is nothing
else in it (the keystore), then you can't perform a handshake because
the key is required for secure communication.

> Then firefox gives me this error :
>
> An error occurred during a connection to domainname.com:8443.
> Cannot communicate securely with peer: no common encryption
> algorithm(s). (Error code: ssl_error_no_cypher_overlap)
>
> The page you are trying to view cannot be shown because the
> authenticity of the received data could not be verified. Please
> contact the website owners to inform them of this problem.

The no_cipher_overlap error is likely to be incorrect... the real
problem is that the server can't decrypt the client's handshake
because the key is unavailable.

I think you might need to get some help with this from someone else at
your organization... someone who is a bit more versed in PKI and
configuring TLS for web servers.

-chris

> On Tue, Nov 25, 2014 at 10:24 PM, Christopher Schultz
> ch...@christopherschultz.net wrote:
>
>> To whom it may concern,
>>
>> On 11/25/14 3:32 AM, Kernel freak wrote:
>>> I don't have the server.key and server.crt. I have root
>>> access to server, I can generate my own if necessary. I only
>>> have .crt and .ca-bundle file. Can you tell me what to do.
>>> Thank you very much for your help.
>>
>> If you don't have the server's key but you have the server's
>> certificate, then you must start all over again because the key is
>> half of a paired key.
>>
>> Did you generate the CSR yourself? With what key did you generate
>> that CSR? If someone else generated the CSR, go ask them where the
>> key is that they used.
>>
>> If you have lost the key then you must redo the whole process,
>> starting with generating a new key and CSR, then get the CSR
>> signed. Then, import the signed certificate back into the same
>> keystore. Then, configure Tomcat to use that keystore.
>>
>> The instructions on the Tomcat users' guide are fairly
>> straightforward even if they don't explain the intricacies of
>> public key infrastructure -- that's outside the scope of the users'
>> guide.
>>
>> Thanks, -chris
>>
>>> On Mon, Nov 24, 2014 at 7:48 PM, Christopher Schultz
>>> ch...@christopherschultz.net wrote:
>>>
>>>> Niranjan,
>>>>
>>>> On 11/24/14 10:51 AM, Niranjan Babu Bommu wrote:
>>>>> I think you have create a keystore from the cert,
>>>>> please follow these instruction and ket me know.
>>>>>
>>>>> Create store with temporary key inside:
>>>>>
>>>>> keytool -genkey -alias alias name -keystore
>>>>> yourkeystore.jks -storepass Hello1 Then delete
>>>>> existing entry:
>>>>>
>>>>> keytool -delete -alias temp -keystore yourkeystore.jks
>>>>> -storepass Hello1 Now you've got empty

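The OpenSSL-to-keystore route from Chris's reply, as an added example that is not from the thread, with the two checks that would have caught the failures above: the private key must belong to the certificate (the snakeoil key did not, hence "unable to load certificates" once the wrong pair was handed to pkcs12), and the resulting entry must be a PrivateKeyEntry with the CA in its chain (a certificate imported on its own is what produces the no-cipher-overlap failure in Firefox). A throw-away CA, key and certificate are generated first so it runs offline; with real files, start at build_keystore. Names and the password are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: OpenSSL key + cert + CA bundle -> PKCS#12
# -> JKS, with the sanity checks a practitioner runs at each step.
# Constructed for offline use: make_test_pki stands in for the files a CA
# would hand you (domainname.com.key / .crt / .ca-bundle in the thread).
# Hostname, paths and the password are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"            # placeholder; use a real secret in production
HOST="www.example.com"     # placeholder hostname

have_tools() { command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1; }

# Constructed inputs: a throw-away CA, then a server key/CSR signed by it.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt"
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=$HOST" -keyout "$WORK/$HOST.key" -out "$WORK/$HOST.csr"
  openssl x509 -req -days 365 -in "$WORK/$HOST.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$HOST.crt"
  cp "$WORK/ca.crt" "$WORK/$HOST.ca-bundle"   # the "ca-bundle" file of the thread
}

# Check 1: the key must match the certificate. Both public keys are printed
# and compared; a mismatch means you have the wrong .key (e.g. a snakeoil key).
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/$HOST.key" -pubout)
  c=$(openssl x509 -in "$WORK/$HOST.crt" -pubkey -noout)
  [ "$k" = "$c" ]
}

# key + leaf + bundle -> PKCS#12 -> JKS. No -chain: -certfile already places
# every certificate from the bundle into the file, and Java rebuilds the chain
# from those when it loads it; -chain would instead look in the system trust
# store and fail for a private CA.
build_keystore() {
  key_matches_cert || { echo "key does not match certificate" >&2; return 1; }
  openssl pkcs12 -export -in "$WORK/$HOST.crt" -inkey "$WORK/$HOST.key" \
    -certfile "$WORK/$HOST.ca-bundle" -name tomcat \
    -out "$WORK/keystore.p12" -passout "pass:$PASS"
  keytool -importkeystore -srckeystore "$WORK/keystore.p12" -srcstoretype PKCS12 \
    -srcstorepass "$PASS" -destkeystore "$WORK/keystore.jks" -deststoretype JKS \
    -deststorepass "$PASS" -noprompt
}

# Check 2: what ended up in the stores. The PKCS#12 must carry leaf + CA, and
# the JKS entry must be a PrivateKeyEntry whose chain includes the CA.
p12_cert_count() {
  openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$PASS" -nokeys \
    | grep -c 'BEGIN CERTIFICATE'
}
entry_type() {
  keytool -list -keystore "$WORK/keystore.jks" -storetype JKS -storepass "$PASS" \
    -alias tomcat | grep -o -e PrivateKeyEntry -e trustedCertEntry | head -n1
}
chain_length() {
  keytool -list -v -keystore "$WORK/keystore.jks" -storetype JKS -storepass "$PASS" \
    -alias tomcat | sed -n 's/^Certificate chain length: //p'
}

if have_tools; then
  make_test_pki
  build_keystore
  echo "p12 certs: $(p12_cert_count), entry: $(entry_type), chain length: $(chain_length)"
else
  echo "openssl or keytool not on PATH; nothing run" >&2
fi
```

Tomcat can read the .p12 directly (keystoreType="PKCS12" on the 8.0 Connector, certificateKeystoreType on 8.5 and later), so the JKS step is only there because that is what the thread settles on. Run all of this as the account that owns the keystore, not root, and keep the file outside /root so Tomcat can read it unprivileged.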
Re: Deploying .ca-bundle file .crt file as SSL certificates

2014-11-26 Thread Kernel freak
On Wed, Nov 26, 2014 at 5:33 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:

> To whom it may concern,
>
> On 11/26/14 9:03 AM, Kernel freak wrote:
>> After arguing with the admins for all this time, I finally have the
>> few files ready. I have the following files :
>>
>> keystore.p12
>
> That should contain your key. Can you confirm that with a 'keytool -list'?
>
>> server.crt
>
> Is this the certificate that was signed by the CA?

Yes, this is a certificate signed by the CA, but it's a server certificate;
the domain certificate is below.

>> ssl-cert-snakeoil.key
>
> Uh, oh. That looks like one of OpenSSL's built-in CAs that are used
> for documentation and instructional purposes. I hope this isn't being
> used for anything at all.
>
>> domainname.com.ca-bundle
>
> This should be the bundle of certificates for your domain, which may
> include intermediate certificates. Are you using your own internal CA
> or something?
>
>> domainname.com.crt
>
> Which certificate is this?

This is the SSL certificate which has to be deployed.

>> domainname.com.csr
>
> Is this the CSR that you generated yourself?

No, this is also provided by the hosting guys.

>> domainname.com.key
>
> Weird. Okay, I would expect domainname.com.key to have the key that
> was used to generate domainname.com.csr, and that domainname.com.crt
> is a signed version of that CSR. That should be all you need... I'm
> not sure what all the other stuff is.
>
>> vsftpd.pem.
>
> What is this?
>
>> I did the following as Christoph said:
>>
>> root@domainname:/etc/ssl/private# openssl pkcs12 -export -in
>> server.crt -inkey ssl-cert-snakeoil.key -certfile
>> domainname.com.crt -out keystore.p12 -chain  (pressed enter here)
>> unable to load certificates  // This is the error.
>
> I think you might want to do this:
>
> $ openssl pkcs12 -export -in domainname.com.crt \
>   -inkey domainname.com.key \
>   -certfile domainname.com.ca-bundle \
>   -out keystore.p12 -chain
>
> $ keytool -importkeystore -srckeystore keystore.p12 \
>   -srcstoretype pkcs12 \
>   -destkeystore keystore.jks
>
> You are supposed to be able to use PKCS12 keystores directly with
> Tomcat, but IIRC it's a pain and a bit more finicky than with just a
> normal JKS-format keystore.
>
>> If I just plain import the .crt file like this:
>>
>> keytool -import -alias tomcat -file domainname.com.crt -keystore
>> /root/.keystore
>
> A couple of things:
>
> 1. Don't run as root. Not for anything. Not even to run keytool.
> 2. Don't store your keystore under /root/.keystore, or you'll (likely)
> have to run Tomcat as root. You can put your keystore anywhere you
> want and point Tomcat to it explicitly.
> 3. If you import a certificate into a keystore and there is nothing
> else in it (the keystore), then you can't perform a handshake because
> the key is required for secure communication.
>
>> Then firefox gives me this error :
>>
>> An error occurred during a connection to domainname.com:8443.
>> Cannot communicate securely with peer: no common encryption
>> algorithm(s). (Error code: ssl_error_no_cypher_overlap)
>>
>> The page you are trying to view cannot be shown because the
>> authenticity of the received data could not be verified. Please
>> contact the website owners to inform them of this problem.
>
> The no_cipher_overlap error is likely to be incorrect... the real
> problem is that the server can't decrypt the client's handshake
> because the key is unavailable.
>
> I think you might need to get some help with this from someone else at
> your organization... someone who is a bit more versed in PKI and
> configuring TLS for web servers.

I have told you what key is for what. Can you give me the updated commands,
please? Unfortunately there is no one here who knows this.

> -chris
>
>> On Tue, Nov 25, 2014 at 10:24 PM, Christopher Schultz
>> ch...@christopherschultz.net wrote:
>>
>>> To whom it may concern,
>>>
>>> On 11/25/14 3:32 AM, Kernel freak wrote:
>>>> I don't have the server.key and server.crt. I have root
>>>> access to server, I can generate my own if necessary. I only
>>>> have .crt and .ca-bundle file. Can you tell me what to do.
>>>> Thank you very much for your help.
>>>
>>> If you don't have the server's key but you have the server's
>>> certificate, then you must start all over again because the key is
>>> half of a paired key.
>>>
>>> Did you generate the CSR yourself? With what key did you generate
>>> that CSR? If someone else generated the CSR, go ask them where the
>>> key is that they used.
>>>
>>> If you have lost the key then you must redo the whole process,
>>> starting with generating a new key and CSR, then get the CSR
>>> signed. Then, import the signed certificate back into the same
>>> keystore. Then, configure Tomcat to use that keystore.
>>>
>>> The instructions on the Tomcat users' guide are fairly
>>> straightforward even if they don't explain the intricacies of
>>> public key infrastructure -- that's outside the scope of the users'
>>> guide.
>>>
>>> Thanks, -chris
 

Re: Deploying .ca-bundle file .crt file as SSL certificates

2014-11-26 Thread Christopher Schultz

To whom it may concern,

On 11/26/14 12:00 PM, Kernel freak wrote:
 On Wed, Nov 26, 2014 at 5:33 PM, Christopher Schultz  
 ch...@christopherschultz.net wrote:
 
 To whom it may concern,
 
 On 11/26/14 9:03 AM, Kernel freak wrote:
 After arguing with the admins for all this time, I finally
 have the few files ready. I have the following files :
 
 keystore.p12
 
 That should contain your key. Can you confirm that with a 'keytool
 -list'?
 
 server.crt
 
 Is this the certificate that was signed by the CA?
 
 Yes, this is the certificate signed by the CA, but it's a
 server certificate; the domain certificate is below.

I have no idea what a domain certificate is. A cert is a cert, and
it's signed by another cert all the way up to a root cert, known as a
CA who has widespread trust.

 ssl-cert-snakeoil.key
 
 Uh, oh. That looks like one of OpenSSL's built-in CAs that are
 used for documentation and instructional purposes. I hope this
 isn't being used for anything at all.
 
 domainname.com.ca-bundle
 
 This should be the bundle of certificates for your domain, which
 may include intermediate certificates. Are you using your own
 internal CA or something?
 
 domainname.com.crt
 
 Which certificate is this?
 
 This is the SSL certificate which has to be deployed.
 
 
 domainname.com.csr
 
 Is this the CSR that you generated yourself?
 
 No, this is also provided by hosting guys

So, did your hosting guys generate everything for you, then? It's
customary to create your own key and CSR and then merely have the CA
sign the CSR which results in your certificate. You import your
certificate and, if necessary, any intermediate certificates your
clients will require to form a trust chain from your server's cert up
to the root that the client trusts.

 domainname.com.key
 
 
 
 Weird. Okay, I would expect domainname.com.key to have the key
 that was used to generate domainname.com.csr, and that
 domainname.com.crt is a signed version of that CSR. That should be
 all you need... I'm not sure what all the other stuff is.
 
 vsftpd.pem.
 
 What is this?
 
 I did the following as Christoph said:
 
 root@domainname:/etc/ssl/private# openssl pkcs12 -export -in server.crt \
     -inkey ssl-cert-snakeoil.key -certfile domainname.com.crt \
     -out keystore.p12 -chain
 (pressed enter here)
 unable to load certificates   // This is the error.
 
 I think you might want to do this:
 
 $ openssl pkcs12 -export -in domainname.com.crt \
     -inkey domainname.com.key \
     -certfile domainname.com.ca-bundle \
     -out keystore.p12 -chain
 
 $ keytool -importkeystore -srckeystore keystore.p12 \
     -srcstoretype pkcs12 \
     -destkeystore keystore.jks
 
 You are supposed to be able to use PKCS12 keystores directly with 
 Tomcat, but IIRC it's a pain and a bit more finicky than with just
 a normal JKS-format keystore.
 
 If i just plain import the .crt file like this :
 
 keytool -import -alias tomcat -file domainname.com.crt
 -keystore /root/.keystore
 
 A couple of things:
 
 1. Don't run as root. Not for anything. Not even to run keytool.
 2. Don't store your keystore under /root/.keystore, or you'll
    (likely) have to run Tomcat as root. You can put your keystore
    anywhere you want and point Tomcat to it explicitly.
 3. If you import a certificate into a keystore and there is nothing
    else in it (the keystore), then you can't perform a handshake
    because the key is required for secure communication.
 
 Then firefox gives me this error :
 
 An error occurred during a connection to
 domainname.com:8443. Cannot communicate securely with peer:
 no common encryption algorithm(s). (Error code:
 ssl_error_no_cypher_overlap)
 
 The page you are trying to view cannot be shown because the 
 authenticity of the received data could not be verified.
 Please contact the website owners to inform them of this
 problem.
 
 The no_cipher_overlap error is likely to be incorrect... the real 
 problem is that the server can't decrypt the client's handshake 
 because the key is unavailable.
 
 I think you might need to get some help with this from someone else
 at your organization... someone who is a bit more versed in PKI
 and configuring TLS for web servers.
 
 
 I have told you which key is for what; can you give me the updated
 commands, please? Unfortunately there is no one here who knows
 this.

I can't understand something on your behalf: you have to understand it
yourself. Once you understand what is going on, these commands will
make sense and you should be able to execute them without guessing.

If you can't figure it out, hire someone who already knows.

The only weird part about Java keystores is the use of an alias
which allows you to pack a keystore full of all kinds of goodies and
then refer to specific items by their names (I don't know why CN isn't
a good enough identifier, but I guess keystore wonks thought it would
be a good idea). It's not a bad idea to give every item in your
keystore (key, certificate, etc.) an alias so 

Re: Deploying .ca-bundle file .crt file as SSL certificates

2014-11-25 Thread Kernel freak
Hello Christopher,

I don't have the server.key and server.crt. I have root access to the server; I
can generate my own if necessary. I only have the .crt and .ca-bundle files. Can
you tell me what to do? Thank you very much for your help.

On Mon, Nov 24, 2014 at 7:48 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Niranjan,

 On 11/24/14 10:51 AM, Niranjan Babu Bommu wrote:
  I think you have to create a keystore from the cert; please follow
  these instructions and let me know.
 
  Create store with temporary key inside:
 
  keytool -genkey -alias alias name -keystore yourkeystore.jks
  -storepass Hello1 Then delete existing entry:
 
  keytool -delete -alias temp -keystore yourkeystore.jks -storepass
  Hello1 Now you've got empty store. You can check that it's empty:
 
  keytool -list -keystore yourkeystore.jks -storepass Hello1 Then
  import your certificate to the store:
 
  keytool -import -alias alias name  -file cert_file.crt -keypass
 keypass
  -keystore yourkeystore.jks -storepass Hello1

 Nope: the existing key *and* cert need to be imported simultaneously
 into the keystore. If the OP already has a cert, he's already got a
 key, too.

 The problem is that you probably started with OpenSSL to generate your
 keys and stuff. Here is the proper procedure to import your key,
 certificate, and CA bundle into a Java keystore.

 You'll need these files:

 server.key (this is your server's secret key)
 server.crt (this is your server's certificate, signed by the CA)
 ca.crt (this is your CA's certificate)

 Here is the incantation:

 $ openssl pkcs12 -export -in server.crt -inkey server.key \
-certfile ca.crt -out keystore.p12 -chain

 $ $JAVA_HOME/bin/keytool -importkeystore -srckeystore keystore.p12 \
  -srcstoretype pkcs12 \
  -destkeystore keystore.jks

 Now, use keystore.jks in Tomcat's server.xml.

 If you already had created your key and cert request using Java's
 'keytool', then you can instead just import the signed certificate
 into your keystore:

 $ $JAVA_HOME/bin/keytool -importcert -file server.crt \
  -keystore keystore.jks \
  -alias [alias]

 If you used an alias to create the certificate signing request (CSR),
 then use the same alias in the above command.

 - -chris




Re: Deploying .ca-bundle file .crt file as SSL certificates

2014-11-25 Thread Christopher Schultz

To whom it may concern,

On 11/25/14 3:32 AM, Kernel freak wrote:
 I don't have the server.key and server.crt. I have root access to the
 server; I can generate my own if necessary. I only have the .crt and
 .ca-bundle files. Can you tell me what to do? Thank you very much
 for your help.

If you don't have the server's key but you have the server's
certificate, then you must start all over again because the key is
half of a paired key.

Did you generate the CSR yourself? With what key did you generate that
CSR? If someone else generated the CSR, go ask them where the key is
that they used.

If you have lost the key then you must redo the whole process,
starting with generating a new key and CSR, then get the CSR signed.
Then, import the signed certificate back into the same keystore. Then,
configure Tomcat to use that keystore.

The instructions on the Tomcat users' guide are fairly straightforward
even if they don't explain the intricacies of public key
infrastructure -- that's outside the scope of the users' guide.

Thanks,
- -chris




Deploying .ca-bundle file .crt file as SSL certificates

2014-11-24 Thread Kernel freak
Hello friends,

I am using apache tomcat and I would like to deploy a Spring-MVC
application which I am working on. In that, via Spring-Security I have
specified to use https which requires to install the SSL certificate on the
server.
I am running a Debian Wheezy server, and I have certificate files with
extension as .crt and .ca-bundle. Unfortunately I cannot find any resources
which mention where and how to install these files. What I found was these
files are meant for webserver. Is that correct? If yes, can I use them to
deploy these 2 files? Kindly let me know. Also if anyone can help me with
one more problem I have posted on StackOverflow  :
http://stackoverflow.com/questions/27106983/configuring-apache-tomcat-to-start-webapp-by-default

Regards,
Kernel


Re: Deploying .ca-bundle file .crt file as SSL certificates

2014-11-24 Thread Niranjan Babu Bommu
Hi Kernel,

I think you have to create a keystore from the cert; please follow these
instructions and let me know.

Create store with temporary key inside:

keytool -genkey -alias <alias name> -keystore yourkeystore.jks \
    -storepass Hello1

Then delete the existing entry:

keytool -delete -alias temp -keystore yourkeystore.jks -storepass Hello1

Now you've got an empty store. You can check that it's empty:

keytool -list -keystore yourkeystore.jks -storepass Hello1

Then import your certificate into the store:

keytool -import -alias <alias name> -file cert_file.crt -keypass <keypass> \
    -keystore yourkeystore.jks -storepass Hello1


Thanks
Niranjan




Re: Deploying .ca-bundle file .crt file as SSL certificates

2014-11-24 Thread Kernel freak
Thank you, and what about the CA-Bundle file? Did you get a chance to look
at the question I posted on Stackoverflow, mentioned in the original
question?



Re: Deploying .ca-bundle file .crt file as SSL certificates

2014-11-24 Thread Niranjan Babu Bommu
Sorry, I did not notice that.


- Import a root or intermediate CA certificate to an existing Java keystore:

  keytool -import -trustcacerts -alias root -file ca.crt -keystore yourkeystore.jks



Re: Deploying .ca-bundle file .crt file as SSL certificates

2014-11-24 Thread Kernel freak
I have added the certificate. I modified the server.xml code to add the
following lines:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="/root/.keystore" keystorepass="password for keystore" />

Now when I open the application, it redirects to https, but it says "unable
to connect, your connection to this website may not be encrypted". What am I
doing wrong?





Re: Deploying .ca-bundle file .crt file as SSL certificates

2014-11-24 Thread Niranjan Babu Bommu
Are you able to see the 8443 port listening?

nc -z ipaddress 8443



Re: Deploying .ca-bundle file .crt file as SSL certificates

2014-11-24 Thread Niranjan Babu Bommu
It works for me with this conf.

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               address="IPADDRESS"
               executor="THREADNAME" scheme="https" secure="true"
               keystoreFile="PATH of keystore file"
               keystorePass="PASSWRD"
               sslProtocol="TLSv1" />




Re: Deploying .ca-bundle file .crt file as SSL certificates

2014-11-24 Thread Christopher Schultz

Niranjan,

On 11/24/14 10:51 AM, Niranjan Babu Bommu wrote:
 I think you have to create a keystore from the cert; please follow
 these instructions and let me know.
 
 Create store with temporary key inside:
 
 keytool -genkey -alias <alias name> -keystore yourkeystore.jks \
     -storepass Hello1
 
 Then delete the existing entry:
 
 keytool -delete -alias temp -keystore yourkeystore.jks -storepass Hello1
 
 Now you've got an empty store. You can check that it's empty:
 
 keytool -list -keystore yourkeystore.jks -storepass Hello1
 
 Then import your certificate into the store:
 
 keytool -import -alias <alias name> -file cert_file.crt -keypass <keypass> \
     -keystore yourkeystore.jks -storepass Hello1

Nope: the existing key *and* cert need to be imported simultaneously
into the keystore. If the OP already has a cert, he's already got a
key, too.

The problem is that you probably started with OpenSSL to generate your
keys and stuff. Here is the proper procedure to import your key,
certificate, and CA bundle into a Java keystore.

You'll need these files:

server.key (this is your server's secret key)
server.crt (this is your server's certificate, signed by the CA)
ca.crt (this is your CA's certificate)

Here is the incantation:

$ openssl pkcs12 -export -in server.crt -inkey server.key \
   -certfile ca.crt -out keystore.p12 -chain

$ $JAVA_HOME/bin/keytool -importkeystore -srckeystore keystore.p12 \
 -srcstoretype pkcs12 \
 -destkeystore keystore.jks

Now, use keystore.jks in Tomcat's server.xml.

If you already had created your key and cert request using Java's
'keytool', then you can instead just import the signed certificate
into your keystore:

$ $JAVA_HOME/bin/keytool -importcert -file server.crt \
 -keystore keystore.jks \
 -alias [alias]

If you used an alias to create the certificate signing request (CSR),
then use the same alias in the above command.

- -chris
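The procedure above, together with the point made later in the thread that a keystore holding only a certificate (no key) cannot complete a handshake, can be checked before anything is imported into Tomcat. The following POSIX shell script is an added example, not code from the thread or from the Tomcat project. It assumes the openssl CLI is on PATH (keytool is optional and is only used by to_jks); the file names server.key, server.crt, the CA bundle and keystore.p12 are placeholders. It verifies that the private key really belongs to the certificate, that the CA bundle forms a chain for it, and that the resulting PKCS12 store contains a private-key entry under the alias tomcat; selfcheck exercises all of this on throwaway material it generates itself.

```shell
#!/bin/sh
# Added example, not from the thread or the Tomcat project. Assumes the
# openssl CLI is on PATH; keytool is optional. File names are placeholders.

# Does the private key in $1 belong to the certificate in $2?
# Both are reduced to their SubjectPublicKeyInfo PEM and compared, which
# works for RSA and EC keys alike.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Does the CA bundle in $2 (root plus intermediates) form a trust chain
# for the server certificate in $1?
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build a PKCS12 store from key $1 and certificate $2, adding the bundle
# $3 when given, writing $4 protected by password $5. The entry gets the
# friendly name "tomcat", which keytool shows as the alias. Refuses to
# build a store whose key does not match its certificate.
build_pkcs12() {
    key=$1; cert=$2; bundle=$3; out=$4; pass=$5
    key_matches_cert "$key" "$cert" || { echo "key does not match cert" >&2; return 1; }
    if [ -n "$bundle" ]; then
        chain_verifies "$cert" "$bundle" || { echo "chain does not verify" >&2; return 1; }
        set -- -certfile "$bundle"
    else
        set --
    fi
    openssl pkcs12 -export -in "$cert" -inkey "$key" "$@" -name tomcat \
        -out "$out" -passout "pass:$pass" 2>/dev/null
}

# A store that holds only certificates cannot complete a TLS handshake;
# confirm a private-key entry is present in the PKCS12 file $1 (password $2).
store_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Convert PKCS12 $1 to JKS $2 (same password $3) for Tomcat's keystoreFile.
# Returns 2 when keytool is not installed.
to_jks() {
    command -v keytool >/dev/null 2>&1 || return 2
    keytool -importkeystore -srckeystore "$1" -srcstoretype pkcs12 \
        -srcstorepass "$3" -destkeystore "$2" -deststoretype JKS \
        -deststorepass "$3" -noprompt >/dev/null 2>&1
}

# Self-check on constructed material: a throwaway self-signed certificate
# and an unrelated second key that must be rejected. Returns 0 on success.
selfcheck() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example.test \
        -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" 2>/dev/null || return 1
    key_matches_cert "$d/server.key" "$d/server.crt" || return 1
    if key_matches_cert "$d/other.key" "$d/server.crt"; then return 1; fi
    # a self-signed certificate verifies against a bundle containing itself
    chain_verifies "$d/server.crt" "$d/server.crt" || return 1
    if build_pkcs12 "$d/other.key" "$d/server.crt" "" "$d/bad.p12" changeit; then return 1; fi
    build_pkcs12 "$d/server.key" "$d/server.crt" "$d/server.crt" \
        "$d/keystore.p12" changeit || return 1
    store_has_key "$d/keystore.p12" changeit || return 1
    rm -rf "$d"
}
```

Run selfcheck once to confirm the toolchain, then build_pkcs12 server.key server.crt domainname.com.ca-bundle keystore.p12 '<password>' followed by to_jks keystore.p12 keystore.jks '<password>'. keystore.jks is what keystoreFile in server.xml should point at, stored somewhere the Tomcat service account can read so that nothing has to run as root.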



RE: SSL Certificates

2014-04-01 Thread Bomma, Nithun
Thanks Chris!

I want to get the public and private keys from WebSphere and import them into Tomcat.

We have WebSphere certificates (Signed by Verisign) until 2015 and we want to 
use the same in tomcat.

When I create a keystore (keytool -genkey -alias tomcat -keyalg RSA -keystore 
/opt/tomcat/SSL/tomcat.keystore), a keystore is getting created. But I'm unable 
to import the certificates into it.

Is there any document or documentation which might be helpful? Could you please 
let me know?

Thanks.







Re: SSL Certificates

2014-04-01 Thread Christopher Schultz
Nithun,

On 4/1/14, 4:02 PM, Bomma, Nithun wrote:
 I want to get the public & private keys from WebSphere and import them into
 Tomcat.
 
 We have WebSphere certificates (Signed by Verisign) until 2015 and
we  want to use the same in tomcat.

Where are the keys, now? Are they in a keystore? If so, open that
keystore and export the key and certificate. Then, import them into
another keystore for use with Tomcat.

 When I create a keystore (keytool -genkey -alias tomcat -keyalg RSA
 -keystore /opt/tomcat/SSL/tomcat.keystore), a keystore is getting
 created. But I'm unable to import the certificates into it.

You don't want to use genkey because that will create a new key. You
already have a key. You want to import from an existing keystore into
a new one.

 Is there any document or documentation which might be helpful?
 Could you please let me know?

Did you try Googling for "export websphere certificate into tomcat"?
We don't exactly document that procedure in the Tomcat documentation.

You can probably go back to VeriSign and ask for the certificate
again, then import that into your keystore. As for the server key,
you're going to have to get that from wherever Websphere keeps it.

-chris




SSL Certificates

2014-03-31 Thread Bomma, Nithun
Hello,

We are using WebSphere v6.1 for SSO and we are moving to ForgeRock and it uses 
Apache Tomcat (v7.0.37)

We are trying to import the certificates (Verisign) including the chain 
certificates from WebSphere to Tomcat.

Has any of you done this before? If yes, could you help us out?

Thanks,
Nithun


Re: SSL Certificates

2014-03-31 Thread Leo Donahue

It's all right here:
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Installing_a_Certificate_from_a_Certificate_Authority

Where do you need help specifically?


RE: SSL Certificates

2014-03-31 Thread Bomma, Nithun
Thanks Leo!

I don't want to create a new CSR, since the certificate with WebSphere exists 
until 2015.

I just want to export the certificate with chain from WebSphere and import into 
Tomcat directly.

Any thoughts?

Thanks,
Nithun Bomma
WebSphere Administrator
Amtrak - Information Technology (Operations)
AIM: nithunbomma 
EMAIL: nithun.bo...@amtrak.com
Desk: 215-349-2065; ATS: 728-2065; Cell: 215-704-4981



Re: SSL Certificates

2014-03-31 Thread Blume Wolfgang
Hi,

If your certificate need not be changed, then you need not create a new
Certificate Signing Request (CSR) to get a new certificate, but only do
the "Importing the Certificate" part of the description: import the chain
certificate, then your existing certificate.

Wolfgang





Re: SSL Certificates

2014-03-31 Thread James H. H. Lampert

On 3/31/14 10:32 AM, Blume Wolfgang wrote:

Hi,

If your certificate need not be changed, then you need not create a new
Certificate Signing Request (CSR) to get a new certificate, but only do
the "Importing the Certificate" part of the description: import the chain
certificate, then your existing certificate.


Of course, that presupposes that you can export the certificate in a 
format that Tomcat can use.


If we're talking WebSphere on an AS/400, it probably uses DCM. And if 
we're talking Tomcat on an AS/400, the only option I'm aware of is a 
Java keystore. And if there's a way to get from the former to the 
latter, I wouldn't mind knowing about it myself: we've had customers 
jump the gun, and generate DCM-compatible certificates, not knowing that 
Tomcat didn't use them.


--
JHHL




Re: SSL Certificates

2014-03-31 Thread Christopher Schultz
Nithun,

On 3/31/14, 10:19 AM, Bomma, Nithun wrote:
 Hello,
 
 We are using WebSphere v6.1 for SSO and we are moving to ForgeRock 
 and it uses Apache Tomcat (v7.0.37)
 
 We are trying to import the certificates (Verisign) including the 
 chain certificates from WebSphere to Tomcat.
 
 Has any of you done this before? If yes, could you help us out?

Websphere probably should be using Java keystores. You should just be
able to use the same keystore, although something might need to be
re-named or something.

Save yourself a huge headache and use Portecle:
http://portecle.sourceforge.net/

You should be able to take your server key and issued certificate and
create a new Java Keystore to use with the BIO or NIO connectors. If
you are using APR, then you will have to export your key and
certificate to individual files and configure them appropriately.

Hope that helps,
-chris




Re: SSL certificates

2014-01-17 Thread Miten Mehta
Hi James,

Thanks a lot.  I followed your steps, but it seems I am getting a different
error, as if the signed certificate is not DNS based.  The original self-signed
certificate worked fine in DNS-based format for keytool when I imported it
into the client keystore.

Below is how I created the self-signed cert and the CSR for signing:


keytool -genkey -keyalg RSA -alias tomcat \
    -keystore ${prefix}_keystore_dns.jks -storepass $storepw -keysize 1024 \
    -ext san=dns:$host $setup$machine
keytool -certreq -keyalg RSA -alias tomcat -file certreq${prefix}_dns.csr \
    -keystore ${prefix}_keystore_dns.jks -storepass $storepw

The $host has been set to mhoodws.ril.local

I suppose that during certreq I do not have to use -ext san=dns:$host.

Below are the keystore entries after I imported as per your instructions.
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

mhoodws.ril.local, Jan 17, 2014, trustedCertEntry,
Certificate fingerprint (SHA1):
1E:C9:5E:FB:2F:6A:0B:27:BA:36:14:76:8B:5A:48:F7:4D:02:60:73
root, Jan 17, 2014, trustedCertEntry,
Certificate fingerprint (SHA1):
42:38:43:DA:10:D5:E2:C9:20:69:6B:9D:98:4D:9D:B6:38:88:44:CE
tomcat, Dec 25, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1):
E0:58:FD:D8:0B:9E:FE:B5:9B:37:71:3E:00:59:2B:24:EC:27:C6:15

The catalina.out complains during the SSL handshake, stating "No name matching
mhoodws.ril.local found".

I have defined that mhoodws.ril.local entry in /etc/hosts too.

Could it be that the signing step done by the CA also needs to add the DNS
entry like I did?

Regards,

Miten.






Re: SSL certificates

2014-01-17 Thread Ognjen Blagojevic

Miten,

On 17.1.2014 14:33, Miten Mehta wrote:

The catalina.out complains during the SSL handshake, stating "No name matching
mhoodws.ril.local found".


For security reasons, a CA shouldn't sign any certificate containing an
internal server name (either as CN or as subjectAltName):

"As of July 1, 2012, all CAs were required to notify customers applying
for internal name certificates that the use of such certificates has
been deprecated by the CA / Browser Forum and that the practice will be
eliminated by October 2016."

https://cabforum.org/internal-names/

So, I guess your CA removed the subjectAltName while signing the
certificate, and also failed to notify you about the removal.


-Ognjen


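As an added example (not code from this thread or from the Tomcat project), a POSIX shell script that wraps the openssl-to-keytool conversion from Chris's "Re: SSL Certificates" reply earlier on this page with the checks a practitioner wants around it: that the key matches the certificate, that the certificate chains to the CA bundle, that the resulting JKS holds a PrivateKeyEntry with its chain, and, for Miten's "No name matching ... found" failure above, that the certificate actually covers the hostname clients will use. It builds its own throw-away demo PKI; the hostname mhoodws.ril.local is taken from Miten's post, and the function and file names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight checks around the
# "openssl pkcs12 -export" -> "keytool -importkeystore" conversion from
# Chris's earlier reply, plus the hostname check Miten's "No name matching
# ... found" handshake failure calls for. Assumes openssl on PATH;
# keytool is optional. Function and file names are this example's own.

# 0 when the private key ($1) and the certificate ($2) carry the same public key.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ "$key_pub" = "$cert_pub" ]
}

# 0 when the certificate ($1) chains to the CA bundle ($2).
cert_chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 when host ($2) is covered by the certificate ($1). Roughly what JSSE
# does: subjectAltName DNS entries decide, and the subject CN is only
# consulted when the certificate carries no DNS SAN at all.
cert_matches_host() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
  esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')
  if printf '%s\n' "$text" | grep -q 'DNS:'; then
    printf '%s\n' "$text" | grep -E -q "DNS:$esc(,|\$)"
  else
    printf '%s\n' "$text" | grep -E -q "^ *Subject:.*CN ?= ?$esc(,|/|\$)"
  fi
}

# Chris's first step with the checks in front of it.
# Args: key cert ca-bundle out.p12 alias password
build_pkcs12() {
  key_matches_cert "$1" "$2" || { echo "key does not match cert" >&2; return 1; }
  cert_chains_to_ca "$2" "$3" || { echo "cert does not chain to CA" >&2; return 1; }
  # -CAfile (instead of Chris's -certfile) lets -chain trust a private CA;
  # -name sets the alias keytool will show (otherwise it is "1"). Java older
  # than 8u301/11.0.12 needs "-legacy" here with OpenSSL 3 to read the result.
  openssl pkcs12 -export -in "$2" -inkey "$1" -CAfile "$3" -chain \
    -name "$5" -out "$4" -passout "pass:$6" 2>/dev/null
}

# Chris's second step, then confirm the JKS holds a PrivateKeyEntry with
# its chain (a keystore of trustedCertEntry items only cannot serve TLS).
# Args: in.p12 out.jks password
# Tomcat can also read the .p12 directly with keystoreType="PKCS12".
import_to_jks() {
  keytool -importkeystore -srckeystore "$1" -srcstoretype pkcs12 \
    -srcstorepass "$3" -destkeystore "$2" -deststoretype jks \
    -deststorepass "$3" -noprompt >/dev/null 2>&1 || return 1
  listing=$(keytool -list -v -keystore "$2" -storepass "$3" 2>/dev/null) || return 1
  printf '%s\n' "$listing" | grep -q 'Entry type: PrivateKeyEntry' &&
    printf '%s\n' "$listing" | grep -q 'Certificate chain length: 2'
}

# Constructed throw-away PKI for the demo and tests: a self-signed CA and
# a server cert for host ($2) in dir ($1). Pass "nosan" as $3 to mimic a CA
# that dropped the SAN, which is what Ognjen suspects happened to Miten.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo server" \
    -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1 || return 1
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.cnf"
  if [ "${3:-}" = nosan ]; then ext=""; else ext="-extfile $1/san.cnf"; fi
  # shellcheck disable=SC2086  # $ext is intentionally word-split
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 $ext -out "$1/server.crt" >/dev/null 2>&1
}

demo() {
  dir=$(mktemp -d); host=mhoodws.ril.local; pw=changeit
  make_demo_pki "$dir" "$host"
  build_pkcs12 "$dir/server.key" "$dir/server.crt" "$dir/ca.crt" \
    "$dir/keystore.p12" tomcat "$pw" && echo "keystore.p12 built"
  cert_matches_host "$dir/server.crt" "$host" && echo "cert covers $host"
  if command -v keytool >/dev/null 2>&1; then
    import_to_jks "$dir/keystore.p12" "$dir/keystore.jks" "$pw" \
      && echo "keystore.jks holds a PrivateKeyEntry with its chain"
  fi
  rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh keystore-check.sh demo`; on a real deployment, point build_pkcs12 at your server.key, server.crt and ca.crt instead of the demo PKI.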



Re: SSL certificates

2014-01-17 Thread Miten Mehta
What's the alternative to using subjectAltName? I thought it was flexible
and would make the certificate portable across our development environments.
Should I use an (internal) IP instead? - Miten.




Re: SSL certificates

2014-01-17 Thread Miten Mehta
If I remove the internal /etc/hosts lookup entry, should it resolve, or do you
mean the CA just dropped the subjectAltName even though I included it? - miten




Re: SSL certificates

2014-01-17 Thread Miten Mehta
Hi Ognjen,

Reading the PDF link you provided, it seems that I should use IP-based
certificates, and for each different IP that needs a certificate I will have
to request one.

I should use -ext san=ip:$ip instead of -ext san=dns:$host.
Then the CA will not drop the details.

Regards,

Miten.







Re: SSL certificates

2014-01-17 Thread James H. H. Lampert
At this point, if you haven't already done so, I would strongly suggest 
getting your CA's tech support in on this.


Of course, your latest posts also beg the question of why you would be 
spending good money on a signed SSL certificate for an internal web 
site, or why you'd be using an internal URL for a web site that's 
visible to the outside, but I don't know your exact situation, so I'm 
certainly not denying that you have a reason.


--
JHHL




Re: SSL certificates

2014-01-17 Thread Ognjen Blagojevic

On 17.1.2014 19:14, James H. H. Lampert wrote:

At this point, if you haven't already done so, I would strongly suggest
getting your CA's tech support in on this.


+1

Reserved IP addresses and internal server names are not unique on the 
Internet, so certificates for them may be reused in different places, 
which is a security problem. Imagine you get a certificate for IP 
192.168.0.1 or for the internal server name server.local, or worse, a 
wildcard certificate *.local. That certificate may be reused on any 
local network that uses that same IP address or server name, e.g. for a 
man-in-the-middle attack. The user of such a network will hardly notice 
that the certificate is from a completely different network.


Therefore I believe that it is reasonable for any CA to treat internal 
server names and reserved IP addresses as two faces of the same problem.


However, on second reading I noticed that the Baseline Requirements say 
that CAs shall sign the certificate with either or both of them, but that 
the certificate must expire before 1 November 2015. So check your CSR 
expiration date and, as James recommends, your CA's policy on that matter.


-Ognjen




SSL certificates

2014-01-16 Thread Miten Mehta
Hi,

I am learning SSL for Tomcat using
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html.
1) I create a JKS with a self-signed certificate using keytool.
2) I generate a CSR from that keystore/certificate.
3) I get it signed by the CA, who gives me a root certificate and a signed
certificate.
4) Do I need to delete the existing certificate from the keystore and then
import the root and signed ones?

The docs do not mention deleting the existing certificate; if I import the
signed one under the same alias, will it not complain?
Do I need to keep the existing certificate and import the new one under a new
alias? Will the existing one become redundant?

Regards,

Miten


Re: SSL certificates

2014-01-16 Thread James H. H. Lampert

On 1/16/14 9:01 AM, Miten Mehta wrote:

Hi,

I am understanding SSL for tomcat using
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html.
1) I create jks using self signed certificate using keytool.
2) I generate CSR from that keystore/certificate.
3) I get it signed by CA who gives me root certificate and signed
certificate.


So far, so good.


4) I need to delete the existing certificate from keystore and then import
root and signed one ?


NO! ABSOLUTELY NOT!

You import the signed certificate into THE SAME KEYSTORE, UNDER THE SAME 
ALIAS, *ON TOP OF* THE UNSIGNED CERTIFICATE!


Not only will it not complain; it is the ONLY way to apply the CSR reply.

--
James H. H. Lampert
Touchtone Corporation





Re: SSL certificates

2014-01-16 Thread Miten Mehta
Hi,

Adding more clarification for ease below.

1) create keystore.jks with a self-signed cert (alias tomcat)
2) generate old.csr and send it for signing to the CA
3) get back new.cer (signed certificate) and root.cer (root certificate)
4) delete the existing cert from keystore.jks (alias tomcat)
5) import the root cert (alias root)
6) import the new cert (alias tomcat)

From server.xml, in the connector entry for SSL, now use alias tomcat to refer
to it.  Earlier, when there was only tomcat (no root), the alias might not have
been needed, but now that there are two certs we need the alias.

Regards,

Miten.






Re: SSL certificates

2014-01-16 Thread Ike Ikonne
Hi,

Step #4 is not correct; if you delete the existing certificate you will
have lost everything.  Please follow the instructions given by James H. H.
Lampert.

Thanks,

Ike









Re: SSL certificates

2014-01-16 Thread James H. H. Lampert

? will existing become redundant ?


NO, the SIGNED certificate will, at least in effect, be MERGED with the 
original certificate.


Deleting the original certificate from the keystore before importing the 
signed one will render the signed certificate WORTHLESS.


--
James H. H. Lampert




Re: SSL certificates

2014-01-16 Thread Christopher Schultz
Miten,

On 1/16/14, 12:09 PM, Miten Mehta wrote:
 Hi,
 
 Adding more clarification for ease below.
 
 1) create keystore.jks with self signed cert (alias tomcat).

Why are you self-signing a certificate if you are going to get it
signed by a CA?

 2) generate old.csr and send for signing to CA
 3) get back new.cer (signed certificate) and root.cer (root certificate)
 4) delete existing cert from keystore.jks (alias tomcat)
 5) import root cert (alias root)
 6) import new cert (alias tomcat)

You should be able to create a server key, then a CSR. I happen to
hate keytool (and Java key stores in general) so I avoid it whenever
possible but I'd be surprised if you couldn't create a CSR without
creating a self-signing certificate in the process.

-chris




Re: SSL certificates

2014-01-16 Thread James H. H. Lampert

On 1/16/14 1:49 PM, Christopher Schultz wrote:

Why are you self-signing a certificate if you are going to get it
signed by a CA?


A newly-created keypair in a Java keystore is, by definition, a 
self-signed certificate. And you can't create a CSR without having a 
keypair from which to create it.


One suggestion:

If you haven't done this dozens of times, or don't do it several times a 
year, or haven't done it for a particular CA, MAKE AT LEAST ONE BACKUP 
COPY OF YOUR KEYSTORE BEFORE YOU SUBMIT YOUR CSR TO THE CA!


That way (and I've been there a number of times) if you screw up your 
keystore while trying to install the signed certificate, you can try again.


You really don't want to pay the fee to the CA, and then find out you've 
screwed up something that you have no way of unscrewing.


Also: if by any chance you're running Tomcat on an AS/400, you want to 
do this whole process on something else entirely, and then FTP your 
keystore into place on the 400. Keytool does NOT work well on AS/400s, 
and I haven't the slightest idea why.


--
James H. H. Lampert




Re: SSL certificates

2014-01-16 Thread Christopher Schultz
James,

On 1/16/14, 5:04 PM, James H. H. Lampert wrote:
 On 1/16/14 1:49 PM, Christopher Schultz wrote:
 Why are you self-signing a certificate if you are going to get
 it signed by a CA?
 
 A newly-created keypair in a Java keystore is, by definition, a 
 self-signed certificate.

That's probably one of the reasons I'm continually confused by using
keytool... generating an RSA key pair should never require the
creation of a certificate. *shrugs*

 And you can't create a CSR without having a keypair from which to
 create it.

That is always true. But you don't need a certificate to create a CSR.

-chris




Re: SSL certificates

2014-01-16 Thread James H. H. Lampert

Christopher Schultz wrote:

That is always true. But you don't need a certificate to create a CSR.

<shrug>
If Keytool and the Java Keystore format even recognize any difference 
between the concepts of "keypair" and "self-signed certificate", it 
would be news to me.
</shrug>

Speaking of one who regularly installs (and secures) Tomcat on AS/400s 
(in fact, that's the only platform I can recall EVER personally 
installing it on, because I have colleagues who know how to do it on 
other platforms): The messes people can make for themselves by 
misunderstanding the subtleties of Keytool are nothing, compared to the 
mess people can make for themselves trying to use IBM's Digital 
Certificate Manager to secure Tomcat on their 400s (hint: DCM and Tomcat 
are completely incompatible with each other).


--
JHHL




Re: SSL certificates

2014-01-16 Thread Christopher Schultz
James,

On 1/16/14, 6:18 PM, James H. H. Lampert wrote:
 Christopher Schultz wrote:
 That is always true. But you don't need a certificate to create a
 CSR.
 <shrug> If Keytool and the Java Keystore format even recognize any
 difference between the concepts of "keypair" and "self-signed
 certificate", it would be news to me. </shrug>
 
 Speaking of one who regularly installs (and secures) Tomcat on
 AS/400s (in fact, that's the only platform I can recall EVER
 personally installing it on, because I have colleagues who know how
 to do it on other platforms): The messes people can make for
 themselves by misunderstanding the subtleties of Keytool are
 nothing, compared to the mess people can make for themselves trying
 to use IBM's Digital Certificate Manager to secure Tomcat on their
 400s (hint: DCM and Tomcat are completely incompatible with each
 other).

:)

Give me OpenSSL any day of the week. ;)

-chris




Re: SSL certificates

2014-01-16 Thread James H. H. Lampert

Christopher Schultz wrote:

:)

Give me OpenSSL any day of the week. ;)


Dunno. Can't recall ever having any experience with it at all. Just DCM 
(for securing IBM-proprietary servers, like their Secured Telnet [NOT 
ssh] server and their various proprietary web-serving products), and 
Keytool (for securing Tomcat, and [if I remember right] for prepping 
jar-signing keys).


--
JHHL




RE: Error configuring tomcat with ssl certificates

2013-03-06 Thread Siddhi Borkar
Thanks Brijesh,

The certificate that I am using is an RSA-based certificate.  I tried listing the 
RSA-based ciphers in the server.xml; however, it still gave me the same 
error.

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/tmp/.keystore" keystorePass="changeit" enableLookups="false"
           ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"
           clientAuth="false" sslProtocol="TLS" />

Any idea what else could be going wrong?
Thanks,
Siddhi

-Original Message-
From: Brijesh Deo [mailto:b...@sonicwall.com]
Sent: Wednesday, March 06, 2013 12:25 PM
To: Tomcat Users List
Subject: RE: Error configuring tomcat with ssl certificates


-Original Message-
From: Siddhi Borkar [mailto:siddhi_bor...@persistent.co.in]
Sent: 06 March 2013 12:15
To: users@tomcat.apache.org
Subject: Error configuring tomcat with ssl certificates



Hi,

I need help configuring Tomcat 6 with SSL certificates. I have been provided 
with the following:
cacert.pem
prvkey.key
and sslcert.crt

I tried the following steps:

1)  Generated a keystore using the Java keytool and the certificate file, using 
the following command:

keytool -import -trustcacerts -alias tomcatcert -file sslcert.crt -keystore keystore

2)  Added the .pem file to the keystore:

keytool -import -trustcacerts -alias root -file cacert.pem -keystore keystore

3)  Start the tomcat server

4)  After starting the server, the following error was seen in the logs.



Mar 4, 2013 10:52:22 PM org.apache.coyote.http11.Http11Protocol start
SEVERE: Error starting endpoint
java.io.IOException: jsse.invalid_ssl_conf
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:755)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:460)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
        at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
        at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
        at org.apache.catalina.connector.Connector.start(Connector.java:1107)
        at org.apache.catalina.core.StandardService.start(StandardService.java:531)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at sun.security.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:327)
        at sun.security.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:272)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:751)
        ... 15 more



Can someone help on this?
Thanks


Siddhi,
You might want to check your ciphers attribute value in the Connector 
definition in server.xml file. Generally, the list of ciphers that you include 
here are based upon the type of your certificate. If you have RSA based 
certificate, you need to enlist RSA based ciphers (ones with _RSA in the cipher 
suite name) and similarly for DSA based certificate you should have 
corresponding cipher suites (ones with _DSS in the cipher suite names). May be 
you have this mismatched and that is the problem.

The other way round would be to generate or use a certificate based upon the 
cipher suites that you want or are supported in your ciphers attribute value.

Brijesh Deo
Dell | SonicWALL


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


DISCLAIMER
==
This e-mail may contain privileged and confidential information which is the 
property of Persistent Systems Ltd. It is intended only for the use of the 
individual or entity to which it is addressed. If you are not the intended 
recipient, you are not authorized to read, retain, copy

Re: Error configuring tomcat with ssl certificates

2013-03-06 Thread Ognjen Blagojevic

Siddhi,

On 6.3.2013 10:41, Siddhi Borkar wrote:

The certificate that I am using is an RSA based certificate. I tried listing the
RSA based ciphers in the server.xml, however it still gave me the same
error.

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/tmp/.keystore" keystorePass="changeit" enableLookups="false"
           ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"
           clientAuth="false" sslProtocol="TLS" />

Any idea what else could be going wrong?


You didn't import your private key into the Java keystore.

Use openssl to create a PKCS#12 keystore containing your private key
(prvkey.key), your certificate (sslcert.crt) and the certificate chain
(cacert.pem).


Then, import the PKCS#12 keystore into the Java keystore using keytool.

Verify Java keystore with:

  keytool -list -keystore /tmp/.keystore -v

You should see one PrivateKeyEntry, with certificate chain to trusted CA.

-Ognjen
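
Ognjen's procedure as a script, added here and not part of the thread: build the PKCS#12 bundle from prvkey.key, sslcert.crt and cacert.pem, import it into a JKS keystore with keytool, and verify that a PrivateKeyEntry resulted. The throw-away CA, file names and the password are constructed so it runs offline; in practice the three input files come from your CA.

```shell
#!/bin/sh
# Added example (not from the thread): Ognjen's PKCS#12 -> JKS procedure.
# Constructed inputs: a self-signed test CA (cacert.pem) and a server key
# (prvkey.key) whose certificate (sslcert.crt) is signed by that CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STOREPASS="changeit"   # the thread's example password; pick a real one

make_test_material() {
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out cacert.pem \
      -days 2 -subj "/CN=Example Test CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout prvkey.key -out server.csr \
      -subj "/CN=localhost" >/dev/null 2>&1
  openssl x509 -req -in server.csr -CA cacert.pem -CAkey ca.key \
      -CAcreateserial -out sslcert.crt -days 2 >/dev/null 2>&1
}

# Step 1: one PKCS#12 file holding the private key, the server certificate
# and the CA chain. The alias ("tomcat") becomes the key entry's name.
build_pkcs12() {
  openssl pkcs12 -export -name tomcat \
      -inkey "$WORK/prvkey.key" -in "$WORK/sslcert.crt" \
      -certfile "$WORK/cacert.pem" \
      -out "$WORK/keystore.p12" -passout "pass:$STOREPASS"
}

# Checks on the bundle: how many private keys and certificates it holds.
# Expected: exactly one key, two certificates (server + CA).
p12_key_count() {
  openssl pkcs12 -in "$WORK/keystore.p12" -nocerts -nodes \
      -passin "pass:$STOREPASS" 2>/dev/null | grep -c 'BEGIN.*PRIVATE KEY'
}
p12_cert_count() {
  openssl pkcs12 -in "$WORK/keystore.p12" -nokeys \
      -passin "pass:$STOREPASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Step 2: import the PKCS#12 bundle into a JKS keystore (the default type
# for Tomcat 6) and count PrivateKeyEntry lines in the verbose listing,
# which is the check Ognjen asks for.
import_to_jks() {
  keytool -importkeystore -noprompt \
      -srckeystore "$WORK/keystore.p12" -srcstoretype PKCS12 \
      -srcstorepass "$STOREPASS" \
      -destkeystore "$WORK/.keystore" -deststoretype JKS \
      -deststorepass "$STOREPASS" >/dev/null 2>&1
  keytool -list -v -keystore "$WORK/.keystore" -storepass "$STOREPASS" \
      | grep -c 'PrivateKeyEntry'
}

main() {
  make_test_material
  build_pkcs12
  echo "private keys in keystore.p12: $(p12_key_count)"    # 1
  echo "certificates in keystore.p12: $(p12_cert_count)"   # 2
  if command -v keytool >/dev/null 2>&1; then
    echo "PrivateKeyEntry count in .keystore: $(import_to_jks)"   # 1
  else
    echo "keytool not found; Tomcat can load keystore.p12 directly with keystoreType=\"PKCS12\""
  fi
}

main
```

If the private key count is 0, the PKCS#12 was built without -inkey and Tomcat will fail with the same "No available certificate or key" error; a certificate count of 1 means the chain file was not included.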




RE: Error configuring tomcat with ssl certificates

2013-03-06 Thread Brijesh Deo

-Original Message-
From: Siddhi Borkar [mailto:siddhi_bor...@persistent.co.in] 
Sent: 06 March 2013 15:12
To: Tomcat Users List
Subject: RE: Error configuring tomcat with ssl certificates

Thanks Brijesh,

The certificate that I am using is an RSA based certificate. I tried listing the
RSA based ciphers in the server.xml, however it still gave me the same
error.

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/tmp/.keystore" keystorePass="changeit" enableLookups="false"
           ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"
           clientAuth="false" sslProtocol="TLS" />

Any idea what else could be going wrong?
Thanks,
Siddhi

Hi Siddhi,
You can check your keystore type. If it is not JKS, then you need to specify 
the keyStoreType also in the connector definition.

-Brijesh



RE: Error configuring tomcat with ssl certificates

2013-03-06 Thread Siddhi Borkar

Thanks a lot Ognjen, the solution you provided worked very well.




Error configuring tomcat with ssl certificates

2013-03-05 Thread Siddhi Borkar


Hi,

I need help configuring tomcat 6 with ssl certificates. I have been provided
with the following:
cacert.pem
prvkey.key
and sslcert.crt

I tried the following steps:

1)  Generated a keystore using java keytool and the certificate file using
the following command.

keytool -import -trustcacerts -alias tomcatcert -file sslcert.crt -keystore keystore

2)  Added the .pem file to the keystore

keytool -import -trustcacerts -alias root -file cacert.pem -keystore keystore

3)  Start the tomcat server

4)  After starting the server, the following error was seen in the logs.



Mar 4, 2013 10:52:22 PM org.apache.coyote.http11.Http11Protocol start
SEVERE: Error starting endpoint
java.io.IOException: jsse.invalid_ssl_conf
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:755)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:460)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
        at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
        at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
        at org.apache.catalina.connector.Connector.start(Connector.java:1107)
        at org.apache.catalina.core.StandardService.start(StandardService.java:531)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at sun.security.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:327)
        at sun.security.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:272)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:751)
        ... 15 more



Can someone help on this?
Thanks





RE: Error configuring tomcat with ssl certificates

2013-03-05 Thread Brijesh Deo


Siddhi,
You might want to check your ciphers attribute value in the Connector
definition in the server.xml file. Generally, the list of ciphers that you include
here is based upon the type of your certificate. If you have an RSA based
certificate, you need to list RSA based ciphers (ones with _RSA in the cipher
suite name) and similarly for a DSA based certificate you should have
corresponding cipher suites (ones with _DSS in the cipher suite names). Maybe
you have this mismatched and that is the problem.

The other way round would be to generate or use a certificate based upon the
cipher suites that you want or are supported in your ciphers attribute value.

Brijesh Deo
Dell | SonicWALL





Re: Web app calls JMS over SSL - certificates

2012-02-07 Thread Peter Kleczka
I am using ActiveMQ and its activemq.xml file has a section where the
keystore and truststore point to those files. So I assume that means that
there is a way to set these at runtime. Still leaves me with the question
of whether I can set these at runtime from my app on Tomcat.





RE: Web app calls JMS over SSL - certificates

2012-02-07 Thread Caldarale, Charles R
 From: Peter Kleczka [mailto:pklec...@gmail.com] 
 Subject: Re: Web app calls JMS over SSL - certificates

 I am using ActiveMQ and its activemq.xml file has a section where the
 keystore and truststore point to those files. So I assume that means that
 there is a way to set these at runtime.

That would be a topic for the ActiveMQ group; nothing to do with Tomcat.

 - Chuck





Re: Web app calls JMS over SSL - certificates

2012-02-07 Thread Peter Kleczka
Chuck

Thanks, but my question really does have to do with Tomcat. The ActiveMQ is
actually on another server and my application hosted on Tomcat needs to
pull messages off of ActiveMQ over SSL.  What I would like to do is tell my
application where my keystore files are located rather than load them
through the JVM. Another list member asked me how the message broker loads
its keystore files, perhaps as a general hint to how I might load them from
my web app. My Tomcat specific question then is, will the Tomcat container
let me do that from the app level, and if not, can I configure it on the
Tomcat server other than setting the keystore properties in the JVM VM
startup parameters.





RE: Web app calls JMS over SSL - certificates

2012-02-07 Thread Caldarale, Charles R
 From: Peter Kleczka [mailto:pklec...@gmail.com] 
 Subject: Re: Web app calls JMS over SSL - certificates

 What I would like to do is tell my application where my keystore 
 files are located rather than load them through the JVM.

So what stops you from doing that?  There are numerous ways to communicate 
configuration information to a webapp; read the servlet spec and the Tomcat doc 
for the Context element.

 My Tomcat specific question then is, will the Tomcat container
 let me do that from the app level

Let you do what, exactly?  You have too many potential antecedents of that to 
figure out what you're referring to.

 - Chuck





Re: Web app calls JMS over SSL - certificates

2012-02-06 Thread Pid *
On 6 Feb 2012, at 23:10, Peter Kleczka pklec...@gmail.com wrote:

 Hello

 I have a web app on Tomcat 6.0.24. The app needs to call a JMS app on
 another server over SSL. I installed the keystore/truststore files in
 $CatalinaHome/conf/certs and set VM arguments so that the JVM knows where
 to find the certs. The server administrator says that I should encapsulate
 these certs within the WAR file and that we should not have to set the VM
 arguments.

 The documentation that I have read so far seems to only discuss how to set
 up SSL on Tomcat.

 Is there a way that Tomcat or my web app can automatically load the certs
 without setting VM arguments?

How are you configuring JMS now?

Which JMS provider/lib are you using?


p




 Thanks kindly in advance.




Re: Generating SSL certificates

2011-08-12 Thread Pid
On 12/08/2011 02:26, Darryl Lewis wrote:
 Our certificates are about to expire and I need to generate new ones for 
 tomcat. I'm using keytool, but getting a strange error.

Please start an entirely new thread, rather than replying to an existing
email & just editing the subject & body (which is called thread hijacking).


p





Generating SSL certificates

2011-08-11 Thread Darryl Lewis
Our certificates are about to expire and I need to generate new ones for 
tomcat. I'm using keytool, but getting a strange error.

[root]# keytool -genkey -alias tomcat -keyalg RSA -keysize 2048  -keystore 
keystore
Enter keystore password:
keytool error: java.lang.Exception: Key pair not generated, alias tomcat 
already exists

ok, fair enough, so I try and delete it and I get this:

[roots]# keytool -delete -alias tomcat
keytool error: java.io.EOFException

failing being able to do it in keytool, is it possible to delete the entire 
keychain and start from scratch? If so how?

Thanks.




AW: Multiple SSL certificates on same server

2010-03-10 Thread Steffen Heil
Hi

 I'm not using XP, but a Unix server OS, and my domains are radically
different - so the wildcard cert won't work either. sigh

This is not about the OS the tomcat is running on, but about the OS the
client browser is using...
There are, however, certificates with multiple names (even radically different
ones), and they will work for you.

Regards,
   Steffen





RE: Multiple SSL certificates on same server

2010-03-09 Thread Martin Gainty

Good Morning Richard

david is right
each keystore is bound to one certificate
each cert will work on only one IP, one domain and one set of credentials (the 
same credentials used for the keystore)

you may want to consider domain2 aliasing (to the working SSL connector on 
domain1) ..your hosting provider can help e.g.
http://support.hostgator.com/articles/plesk/how-to-setup-a-domain-alias-windows-dedicated

HTH
Martin Gainty 





Re: Multiple SSL certificates on same server

2010-03-09 Thread David Smith
On 3/8/2010 6:46 PM, Richard Huntrods wrote:
 Does anyone know if it is possible, or has anyone done this:

 I have two applications running on a single server. The applications
 use different domains and URLs, so the single Tomcat instance can
 easily tell them apart. (Note: this part is currently working just fine).

 https://domain1/application1
 https://domain2/application2

 Again, both domains point to the same static IP, and yes, it is
 possible for someone to access either application from either domain.
 Normally, that is not an issue with the clients.

 However, I currently have only one SSL certificate on the server -
 this is for domain1. So if you use domain1 to access application1,
 it's all fine. The security cert comes up green and all that.

 BUT - if you try and access application2 via domain2, you get the red
 security cert (wrong domain / server name). I would like to purchase a
 second certificate for the second domain, and am wondering if this can
 be done, and how one would tell Tomcat (in server.xml) to acknowledge
 the second certificate.

 Currently the stuff in server.xml looks like this:

   <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
              maxThreads="150" enableLookups="false" scheme="https"
              secure="true"
              keystoreFile="./keys/.keystore" keystorePass="myPassword"
              clientAuth="false" sslProtocol="TLS" />


 I have a bad feeling it's not possible, but wanted to ask anyway.

 Thanks in advance.

 -R

Seems like you should be able to get another certificate and have two
Connector elements, each configured with a different ssl cert (diff.
keystore?).  Each will also have to have an address attribute to bind it
to a specific IP.  I've never actually ever messed with SSL on tomcat so
you may want to look at the tomcat docs and howtos on the subject.

--David
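
David's two-connector layout written out as an added server.xml fragment; it is not from the thread. The addresses (RFC 5737 documentation range), keystore paths and password are placeholders, and it assumes each domain's DNS record points at its own address on the server, since the connector that answers is chosen by IP before any hostname is seen.

```xml
<!-- Added example, not from the thread: one HTTPS connector per IP address,
     each with its own keystore holding that domain's certificate.
     Placeholders: addresses, keystore paths and passwords. -->
<Connector port="443" address="192.0.2.10" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" enableLookups="false" scheme="https" secure="true"
           keystoreFile="${catalina.base}/keys/domain1.jks" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />

<Connector port="443" address="192.0.2.11" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" enableLookups="false" scheme="https" secure="true"
           keystoreFile="${catalina.base}/keys/domain2.jks" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />
```

Tomcat 8.5 and later can instead serve several certificates on one address via SNI, with one SSLHostConfig per hostname inside a single Connector.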





RE: Multiple SSL certificates on same server

2010-03-09 Thread Richard Huntrods

On 03/08/2010 06:46 PM, Richard Huntrods wrote:

Does anyone know if it is possible, or has anyone done this:

I have two applications running on a single server. The applications 
use different domains and URLs, so the single Tomcat instance can 
easily tell them apart. (Note: this part is currently working just fine).


https://domain1/application1
https://domain2/application2

Again, both domains point to the same static IP, and yes, it is 
possible for someone to access either application from either domain. 
Normally, that is not an issue with the clients.


However, I currently have only one SSL certificate on the server - 
this is for domain1. So if you use domain1 to access application1, 
it's all fine. The security cert comes up green and all that.


BUT - if you try and access application2 via domain2, you get the red 
security cert (wrong domain / server name). I would like to purchase a 
second certificate for the second domain, and am wondering if this can 
be done, and how one would tell Tomcat (in server.xml) to acknowledge 
the second certificate.


Currently the stuff in server.xml looks like this:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="150" enableLookups="false" scheme="https"
  secure="true"
  keystoreFile="./keys/.keystore" keystorePass="myPassword"
  clientAuth="false" sslProtocol="TLS" />


I have a bad feeling it's not possible, but wanted to ask anyway.

Thanks in advance.

-R


~~~

No. 


The certificate is sent and SSL negotiated prior to the server receiving the 
Host header.

~~~

Richard,

It's possible.

It doesn't appear that Tomcat or Java(SUN) support RFC 3546 just yet 
(For Server Name Indication) even though Apache httpd does. However 
Windows XP users of IE will not be able to take advantage of SNI at this 
time anyway (to further rain on your parade). Vista and greater do make 
use of SNI though. Gotta wait for XP to die I guess. :-P


End result: Multi-Domain Certificate, separate ports, separate IPs or a 
load balancer that distributes the load to an internal IP based on FQDN, 
to which you could then use X amount of different SSL certs. (This last 
bit may be a wee bit complicated)


Hope this helps

~~

Hi,


Here's an idea for you:
You can use a wildcard when generating your certificate, like *.domain.com,
assuming your servers are using the same domain.com.

Regards,
Leon Kolchinsky


~~~
Thanks to all of you for your replies.

I fear that Jason is correct for my case.

I'm not using XP, but a Unix server OS, and my domains are radically 
different - so the wildcard cert won't work either. sigh


Cheers,

-R




Multiple SSL certificates on same server

2010-03-08 Thread Richard Huntrods

Does anyone know if it is possible, or has anyone done this:

I have two applications running on a single server. The applications use 
different domains and URLs, so the single Tomcat instance can easily 
tell them apart. (Note: this part is currently working just fine).


https://domain1/application1
https://domain2/application2

Again, both domains point to the same static IP, and yes, it is possible 
for someone to access either application from either domain. Normally, 
that is not an issue with the clients.


However, I currently have only one SSL certificate on the server - this 
is for domain1. So if you use domain1 to access application1, it's all 
fine. The security cert comes up green and all that.


BUT - if you try and access application2 via domain2, you get the red 
security cert (wrong domain / server name). I would like to purchase a 
second certificate for the second domain, and am wondering if this can 
be done, and how one would tell Tomcat (in server.xml) to acknowledge 
the second certificate.


Currently the stuff in server.xml looks like this:

  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="150" enableLookups="false" scheme="https"
  secure="true"
  keystoreFile="./keys/.keystore" keystorePass="myPassword"
  clientAuth="false" sslProtocol="TLS" />


I have a bad feeling it's not possible, but wanted to ask anyway.

Thanks in advance.

-R




RE: Multiple SSL certificates on same server

2010-03-08 Thread Jason Pyeron
 

 -Original Message-
 From: Richard Huntrods [mailto:huntr...@nucleus.com] 
 Sent: Monday, March 08, 2010 18:46
 To: users@tomcat.apache.org
 Subject: Multiple SSL certificates on same server
 
 Does anyone know if it is possible, or has anyone done this:
 
 I have two applications running on a single server. The 
 applications use different domains and URLs, so the single 
 Tomcat instance can easily tell them apart. (Note: this part 
 is currently working just fine).
 
 https://domain1/application1
 https://domain2/application2

No. 

The certificate is sent and SSL negotiated prior to the server receiving the
Host header.

 
 Again, both domains point to the same static IP, and yes, it 
 is possible for someone to access either application from 
 either domain. Normally, that is not an issue with the clients.
 
 However, I currently have only one SSL certificate on the 
 server - this is for domain1. So if you use domain1 to access 
 application1, it's all fine. The security cert comes up green 
 and all that.
 
 BUT - if you try and access application2 via domain2, you get 
 the red security cert (wrong domain / server name). I would 
 like to purchase a second certificate for the second domain, 
 and am wondering if this can be done, and how one would tell 
 Tomcat (in server.xml) to acknowledge the second certificate.
 
 Currently the stuff in server.xml looks like this:
 
 <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
 maxThreads="150" enableLookups="false" scheme="https"
 secure="true"
 keystoreFile="./keys/.keystore"
 keystorePass="myPassword"
 clientAuth="false" sslProtocol="TLS" />
 
 
 I have a bad feeling it's not possible, but wanted to ask anyway.
 
 Thanks in advance.
 
 -R
 
 




--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-   -
- Jason Pyeron  PD Inc. http://www.pdinc.us -
- Principal Consultant  10 West 24th Street #100-
- +1 (443) 269-1555 x333Baltimore, Maryland 21218   -
-   -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.





Re: Multiple SSL certificates on same server

2010-03-08 Thread Crypto Sal

On 03/08/2010 06:46 PM, Richard Huntrods wrote:

Does anyone know if it is possible, or has anyone done this:

I have two applications running on a single server. The applications 
use different domains and URLs, so the single Tomcat instance can 
easily tell them apart. (Note: this part is currently working just fine).


https://domain1/application1
https://domain2/application2

Again, both domains point to the same static IP, and yes, it is 
possible for someone to access either application from either domain. 
Normally, that is not an issue with the clients.


However, I currently have only one SSL certificate on the server - 
this is for domain1. So if you use domain1 to access application1, 
it's all fine. The security cert comes up green and all that.


BUT - if you try and access application2 via domain2, you get the red 
security cert (wrong domain / server name). I would like to purchase a 
second certificate for the second domain, and am wondering if this can 
be done, and how one would tell Tomcat (in server.xml) to acknowledge 
the second certificate.


Currently the stuff in server.xml looks like this:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="150" enableLookups="false" scheme="https"
  secure="true"
  keystoreFile="./keys/.keystore" keystorePass="myPassword"
  clientAuth="false" sslProtocol="TLS" />


I have a bad feeling it's not possible, but wanted to ask anyway.

Thanks in advance.

-R



Richard,

It's possible.

It doesn't appear that Tomcat or Java(SUN) support RFC 3546 just yet 
(For Server Name Indication) even though Apache httpd does. However 
Windows XP users of IE will not be able to take advantage of SNI at this 
time anyway (to further rain on your parade). Vista and greater do make 
use of SNI though. Gotta wait for XP to die I guess. :-P


End result: Multi-Domain Certificate, separate ports, separate IPs or a 
load balancer that distributes the load to an internal IP based on FQDN, 
to which you could then use X amount of different SSL certs. (This last 
bit may be a wee bit complicated)


Hope this helps






