Symantec SSL cert in tomcat 6

2014-01-03 Thread Gene Matthews
Hi,

We have a working tomcat 6 installation with a self-signed cert.  We have 
received a certificate from Symantec (x509) and are trying to get it working in 
our tomcat 6 installation.  So far, I’ve had no luck.

What I have done so far:

1) Followed instructions from 
https://knowledge.verisign.com/support/mpki-for-ssl-support/index?page=content&actp=CROSSLINK&id=AR124
 
- downloaded primary & secondary intermediate CA from Symantec
- imported into a brand new keystore using
keytool -import -trustcacerts -alias primaryIntermediate -keystore 
geneKeystore -file priimary_inter.cer
keytool -import -trustcacerts -alias secondaryIntermediate -keystore 
geneKeystore -file secondary_inter.cer

keystore didn’t exist prior to the first import above but it seemed to 
create it ok and prompt for passwords.

- install the SSL cert from Symantec
keytool -import -trustcacerts -alias myalias -keystore geneKeystore 
-file ssl_cert.cer

- verify contents of keystore
keytool -list -v -keystore geneKeystore

The Symantec instructions say to ensure the alias for the ssl cert has 
an Entry Type of PrivateKeyEntry.  Mine DOES NOT.  Instructions say if it does 
not, to please import the certificate in the "Private Key" alias.  I’m not sure 
what that means.  I’m assuming it does not mean to import the cert using the 
alias of 'PrivateKey' as I believe the alias has to match what was in the CSR?? 
 It also says to ensure the Certificate chain length is 4.  The Symantec 
example shows sample output of the above command with "Certificate chain 
length: 4" in the output but I don’t get that in mine.  My keystore type is JKS 
and provider is SUN as in their example though.  I do see four extensions 
listed under the 'myalias' alias; not sure if that would imply a chain length 
of four.  As you can already guess, I’m no SSL expert (or even tomcat expert 
for that matter).  Since I wasn’t sure what to do here I left this alone and 
moved on.

2) edit server.xml

<Connector port="8443"
           maxHttpHeaderSize="8192"
           maxThreads="150"
           minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           clientAuth="false"
           sslProtocol="TLS"
           keyAlias="myalias"
           keystoreFile="/usr/share/tomcat6/certs/gene/geneKeystore"
           keypass="mypassword"
/>

3) restart tomcat

-verified tomcat is running
-verified something listening on port 8443 (netstat -an |grep 8443)
-catalina.out contents below:

Jan 03, 2014 8:43:43 AM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal 
performance in production environments was not found on the java.library.path: 
:/usr/share/tomcat6/lib:/usr/share/tomcat6/lib:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jan 03, 2014 8:43:43 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
'minSpareThreads' to '25' did not find a matching property.
Jan 03, 2014 8:43:43 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
'maxSpareThreads' to '75' did not find a matching property.
Jan 03, 2014 8:43:43 AM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Jan 03, 2014 8:43:44 AM org.apache.tomcat.util.net.NioSelectorPool 
getSharedSelector
INFO: Using a shared selector for servlet write/read
Jan 03, 2014 8:43:44 AM org.apache.coyote.http11.Http11NioProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Jan 03, 2014 8:43:44 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1217 ms
Jan 03, 2014 8:43:44 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Jan 03, 2014 8:43:44 AM org.apache.catalina.core.StandardEngine start
...
Jan 03, 2014 8:43:53 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Jan 03, 2014 8:43:53 AM org.apache.coyote.http11.Http11NioProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8443
Jan 03, 2014 8:43:53 AM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Jan 03, 2014 8:43:53 AM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/49  config=null
Jan 03, 2014 8:43:53 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 9583 ms


I’m not doing something correctly but I’m not sure what that is.  If anyone can 
point me in the right direction I would appreciate it.

Thanks,

Gene

PS:  How does one search the archives of this list?  When I browse the archive 
site I don’t see a search field anywhere.  So I’ve been googling without coming 
up with a solution. it is probably out there but I don’t know enough to 
recognize it :-(

Re: Symantec SSL cert in tomcat 6

2014-01-03 Thread Ognjen Blagojevic

Gene,

On 3.1.2014 14:55, Gene Matthews wrote:

> The Symantec instructions say to ensure the alias for the ssl cert has an 
> Entry Type of PrivateKeyEntry.  Mine DOES NOT.  Instructions say if it does 
> not, to please import the certificate in the "Private Key" alias.


With JKS keystore you must keep private key and certificates in the same 
keystore. Therefore, you shouldn't import server certificate and inter. 
certificates into brand new keystore, but into the old keystore -- the 
one you used to create key pair, and to generate CSR.


I find it strange that Symantec/Verisign didn't mention that explicitly 
in their documentation.




> It also says to ensure the Certificate chain length is 4.


Once you import certificates into the right keystore, check that again.



> PS:  How does one search the archives of this list?  When I browse the archive 
> site I don’t see a search field anywhere.  So I’ve been googling without coming 
> up with a solution. it is probably out there but I don’t know enough to 
> recognize it :-(


http://tomcat.apache.org/lists.html

Search for Archives.

-Ognjen

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
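A defender's check for the symptom Ognjen points at, added here as an example and not code from the thread: it parses `keytool -list -v` output and the server.xml Connector, and reports whether the alias Tomcat will use is a PrivateKeyEntry with the full chain. The two listings and the Connector are constructed samples; the expected chain length of 4 is the figure from the Symantec instructions quoted above.

```python
import re
from xml.etree import ElementTree

# Constructed keytool -list -v excerpt like the poster's: cert imported alone -> trustedCertEntry, no key.
LISTING_WRONG = """\
Alias name: primaryIntermediate
Entry type: trustedCertEntry
Alias name: myalias
Entry type: trustedCertEntry
"""
# Constructed excerpt after importing the cert over the CSR's key pair, under the same alias.
LISTING_RIGHT = """\
Alias name: myalias
Entry type: PrivateKeyEntry
Certificate chain length: 4
"""
# Constructed Connector element using the poster's attribute names.
SERVER_XML = '<Server><Service><Connector port="8443" SSLEnabled="true" keyAlias="myalias"/></Service></Server>'

def parse_keytool_listing(text):
    # alias -> {"type": entry type, "chain": chain length}; JKS aliases are case-insensitive
    entries, alias = {}, None
    for line in text.splitlines():
        if m := re.match(r"Alias name:\s*(\S+)", line):
            alias = m.group(1).lower()
            entries[alias] = {"type": None, "chain": 0}
        elif alias and (m := re.match(r"Entry type:\s*(\S+)", line)):
            entries[alias]["type"] = m.group(1)
        elif alias and (m := re.match(r"Certificate chain length:\s*(\d+)", line)):
            entries[alias]["chain"] = int(m.group(1))
    return entries

def ssl_key_alias(xml_text):
    # keyAlias of the first SSLEnabled Connector, lowercased to match the keystore
    for conn in ElementTree.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() == "true" and conn.get("keyAlias"):
            return conn.get("keyAlias").lower()
    return None

def check_keystore(listing, xml_text, expected_chain=4):
    # Empty list means the alias Tomcat will use has a private key and a full chain.
    alias = ssl_key_alias(xml_text)
    entry = parse_keytool_listing(listing).get(alias) if alias else None
    if entry is None:
        return [f"no usable entry: alias {alias!r} missing from keystore"]
    problems = [] if entry["type"] == "PrivateKeyEntry" else [
        f"{alias!r} is {entry['type']}: keystore holds no private key for it"]
    if entry["chain"] < expected_chain:
        problems.append(f"chain length {entry['chain']} < {expected_chain}: intermediates missing")
    return problems
```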



RE: Symantec SSL cert in tomcat 6

2014-01-03 Thread Martin Gainty
MG> Ognjen
> Gene,
>
> On 3.1.2014 14:55, Gene Matthews wrote:
>> The Symantec instructions say to ensure the alias for the ssl cert has an 
>> Entry Type of PrivateKeyEntry.  Mine DOES NOT.  Instructions say if it does 
>> not, to please import the certificate in the "Private Key" alias.
>
> With JKS keystore you must keep private key and certificates in the same 
> keystore.
MG> Since a pfx that Verisign provides contains key and cert
MG> Windows servers use .pfx files to contain the public key files (your SSL 
Certificate files, provided by DigiCert) and the associated private key 
file (generated by your server as part of the CSR).

MG> perhaps you are referring to the key/certificate combination in pfx?

> Therefore, you shouldn't import server certificate and inter. 
> certificates into brand new keystore, but into the old keystore -- the 
> one you used to create key pair, and to generate CSR.
MG> CSR is the request to CA Authority (verisign) to sign (digitally identify) 
this certificate 
MG> certificate signing request (also CSR or certification request) is a 
message sent from an applicant to a certificate authority in order to apply 
for a digital identity certificate. The most common format for CSRs is the 
PKCS#10 specification
MG>
>
> I find it strange that Symantec/Verisign didn't mention that explicitly 
> in their documentation.
MG> agreed
>
>> It also says to ensure the Certificate chain length is 4.
>
> Once you import certificates into the right keystore, check that again.
>
>
>> PS:  How does one search the archives of this list?  When I browse the 
>> archive site I don’t see a search field anywhere.  So I’ve been googling 
>> without coming up with a solution. it is probably out there but I don’t 
>> know enough to recognize it :-(
>
> http://tomcat.apache.org/lists.html
>
> Search for Archives.
>
> -Ognjen


Re: Symantec SSL cert in tomcat 6

2014-01-03 Thread Ognjen Blagojevic

Martin,

On 4.1.2014 0:27, Martin Gainty wrote:

>> With JKS keystore you must keep private key and certificates in the same
>> keystore.
>
> MG> Since a pfx that Verisign provides contains key and cert
> MG> Windows servers use .pfx files to contain the public key files (your SSL
> Certificate files, provided by DigiCert) and the associated private key
> file (generated by your server as part of the CSR).
>
> MG> perhaps you are referring to the key/certificate combination in pfx?


No, not really. We are talking about Tomcat and JKS, not Windows servers 
and pfx.


-Ognjen
