Hi Dmitriy,
I have created a certificate mycert.crt in PEM format with the xca GUI. What are the instructions now to import this .crt into a Java keystore? I googled but I'm very confused... Can you help me?
Best
Gianluca

On Thursday, 26 March 2015 19:09:10 UTC+1, Dmitriy Kopylenko wrote:
>
> Yes.
>
> Sent from my iPhone
>
> On Mar 26, 2015, at 12:53, Gianluca Diodato <[email protected]> wrote:
>
> Hi Dmitriy,
> I have created my certificate with the xca GUI and exported it into a .crt
> file in PEM format.
> And now? Do I have to import this file into my keystore to change Tomcat?
>
> Best
> Gianluca
>
> On Wednesday, 25 March 2015 15:51:35 UTC+1, Dmitriy Kopylenko wrote:
>>
>> I just want to add that there is an excellent GUI software for managing
>> all of this stuff (built on OpenSSL), namely xca:
>> http://sourceforge.net/projects/xca/
>>
>> Best,
>> D.
>>
>> On Mar 25, 2015, at 10:42 AM, Waldbieser, Carl <[email protected]> wrote:
>>
>> Gianluca,
>>
>> This site [1] has useful `keytool` examples. You should be able to view
>> the contents of your keystore with something like:
>>
>> $ keytool -list -v -keystore /path/to/your/keystore.jks
>>
>> There are some useful troubleshooting tips on SO [2].
>>
>> To configure Tomcat to use the keystore, you need to set up a connector
>> like the following in $CATALINA_HOME/conf/server.xml:
>>
>> <Connector
>>     protocol="org.apache.coyote.http11.Http11Protocol"
>>     SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
>>     port="443"
>>     scheme="https"
>>     secure="true"
>>     clientAuth="false"
>>     SSLEnabled="true"
>>     emptySessionPath="true"
>>     sslProtocol="TLS"
>>     keystoreFile="/path/to/your/keystore.jks"
>>     keystorePass="YourKeystorePassword"
>>     truststoreFile="/path/to/your/keystore.jks"
>>     truststorePass="YourKeystorePassword"
>>     truststoreAlgorithm="DelegateToApplication"
>> />
>>
>> The exact parameters may vary a bit depending on your version of Tomcat
>> or other preferences you may have.
>>
>> [1] https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
>> [2] http://stackoverflow.com/questions/2138940/import-pem-into-java-key-store
>>
>> Thanks,
>> Carl
>>
>> ----- Original Message -----
>> From: "Gianluca Diodato" <[email protected]>
>> To: [email protected]
>> Cc: [email protected], [email protected], [email protected], [email protected]
>> Sent: Wednesday, March 25, 2015 10:21:05 AM
>> Subject: Re: [cas-user] SSL problem (I need tutorial!!) Cas Server on remote machine , Java Cas Client other machine
>>
>> Carl,
>> thank you very much for the detailed answer.
>> I'm in until 4)... I have created these files:
>> - casserver.crt
>> - casserver.key
>> - casserver.csr
>> - rootCA.pem
>> - rootCA.key
>> - rootCA.srl
>>
>> In 5) I have to install the private key and public certificate in my CAS
>> server using java `keytool` (I don't know how...) and configure Tomcat
>> to use the keystore I created (I'm in!!).
>> Is this the instruction?
>> keytool -import -trustcacerts -alias *mydomain* -file *mydomain.crt* -keystore *keystore.jks*
>>
>> Thanks
>> Gianluca
>>
>> On Wednesday, 25 March 2015 14:21:07 UTC+1, Waldbieser, Carl wrote:
>>
>> Gianluca,
>>
>> For development, I like to use the openssl tools to create my own CA and
>> use it to sign my own certificates rather than using a self-signed
>> certificate.
>> Here are the notes I use. Lines starting with ($) are the actual commands
>> I enter into the terminal.
>>
>> ================
>> Create My Own CA
>> ================
>>
>> # Create CA key
>> $ openssl genrsa -des3 -out rootCA.key 2048
>> # Create and self-sign CA cert.
>> $ openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
>>
>> ------------
>> Create a Key
>> ------------
>> $ openssl genrsa -out example.key 2048
>>
>> ------------------------------------
>> Create a Certificate Signing Request
>> ------------------------------------
>> $ openssl req -new -key example.key -out example.csr
>>
>> ----------
>> Sign a CSR
>> ----------
>> $ openssl x509 -req -in example.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out example.crt -days 500
>>
>> So first, I generate a CA key and cert (first 2 commands). This is
>> something you only need to do once, but you have to keep the key somewhere
>> you can find it, and you need to remember the password you choose for it as
>> you will use this key to sign your certs.
>>
>> Next, whenever you set up a development *server*, you create a private key
>> for the server (command under "Create a Key" section) and a certificate
>> signing request (section "Create a Certificate Signing Request").
>>
>> Finally, you use the CA you generated to sign the CSR and generate a
>> public certificate for the server (section "Sign a CSR"). These steps are
>> basically what real CAs do, but they need to be a lot more careful with
>> their keys and their CA public certs are typically already included in your
>> browser.
>>
>> It is worth noting that the OpenSSL tool commands above generate keys and
>> certs in PEM format, which is a text format you can view in an editor. The
>> CAS server runs as a Java servlet, so it uses a Java keystore format (a
>> file that sometimes has a .jks extension). You need to use the Java
>> `keytool` command to import certificates and private keys into the Java
>> keystore.
>>
>> Browsers will typically accept certificates in a variety of formats.
>>
>> So for your CAS setup, I would:
>>
>> 1) Generate a CA key and certificate.
>> 2) Generate a private key for my CAS server.
>> 3) Generate a CSR for the CAS server private key.
>> 4) Use my CA key to sign the CAS server CSR and create a public
>>    certificate.
>> 5) Install the private key and public certificate in my CAS server using
>>    java `keytool` and configuring Tomcat to use the keystore I created.
>>    Alternatively, if I have Apache in front of Tomcat and am using
>>    something like mod_ajp, I can just use the PEM files in my Apache config
>>    and not worry about SSL in Tomcat.
>> 6) Import my CA public cert into my browser.
>> 7) Test that the CAS server cert is accepted by my browser (hit the
>>    /logout URL and verify the cert gives me the "green lock" icon).
>> 8) Repeat steps 2-5 for my server with the CAS client app.
>> 9) Since the CAS client app is actually going to make an HTTPS request
>>    to CAS using a back-channel, you have to make sure that the
>>    HTTPS Java client it uses trusts your CA. I am not sure how to
>>    configure this *specifically* for only that client, but I believe
>>    you can import your CA into the system-wide Java CA-certs keystore.
>>    Its name is typically "cacerts", but the location on your
>>    system may vary.
>>
>> Thanks,
>> Carl
>>
>> ----- Original Message -----
>> From: "Gianluca Diodato" <[email protected]>
>> To: [email protected]
>> Cc: [email protected], [email protected], [email protected]
>> Sent: Wednesday, March 25, 2015 6:24:44 AM
>> Subject: Re: [cas-user] SSL problem (I need tutorial!!) Cas Server on remote machine , Java Cas Client other machine
>>
>> Hi Carl,
>> thanks for your answer.
>> First of all, yes it is a development environment.
>> I created my own CA on the server machine (CAS Server) with this tutorial
>> (http://tekyhost.com/ubuntu-12-04-and-tomcat-7-ssl-implementation/) and
>> everything works fine (https://localhost:8443/cas/login and on the other
>> machine https://my_ip_server:8443/cas/login). I follow this tutorial
>> http://jasig.github.io/cas/4.0.x/index.html and for the authentication
>> I created a db (mySQL) with a table users (2 columns: email, password(MD5)).
>> On the other machine I'm developing a web application (J2EE in Eclipse)
>> and I'm trying to connect the login page to the cas login page via web.xml
>> adding filters (https://cuit.columbia.edu/cas-ify-java-application)
>> via SSL.
>> For my client machine, do I have to create another own CA or do I have to
>> import the server CA into $JAVA_HOME/jre/lib/security/cacerts (client)??
>> Sorry but all this is new for me!!
>>
>> Thanks
>> Gianluca
>>
>> On Tuesday, 24 March 2015 16:29:55 UTC+1, Waldbieser, Carl wrote:
>>
>> Gianluca,
>>
>> Is this a development environment or is it a production environment where
>> users' web browsers need to trust the certificate? In the latter case, you
>> will need to generate a private key, make a certificate request, and get
>> the certificate signed by a Certificate Authority (CA).
>>
>> In a development environment, it is possible to be your own CA. You would
>> basically do the same things as in production, but you would need to add
>> the local CA certificates to the browsers you will be testing. If you use
>> proxy CAS, your CAS server will also need to trust your private CA.
>>
>> Thanks,
>> Carl Waldbieser
>> ITS System Programmer
>> Lafayette College
>>
>> ----- Original Message -----
>> From: "Gianluca Diodato" <[email protected]>
>> To: [email protected]
>> Sent: Tuesday, March 24, 2015 11:10:29 AM
>> Subject: [cas-user] SSL problem (I need tutorial!!) Cas Server on remote machine , Java Cas Client other machine
>>
>> Hi All,
>> can anyone help me with my configuration problem as in the subject??
>> I need to configure my environment for SSL like this:
>>
>> Machine 1: CAS SERVER -- Ubuntu 12.04 - Tomcat 7 - JDK 1.6 -- SSL
>> certificate generated with openssl + apr and added to Tomcat + Users in
>> MysqlDB (WORKS)
>> Machine 2: Cas Client java 3.3.3 (jar) imported into my webapp with only
>> a welcome page at the moment -- Eclipse Luna + Tomcat 7 + JDK 1.6
>>
>> On machine 2, how do I generate a trusted certificate in order to connect my
>> client to the CAS Server to log in my users?
>> Does anyone know if a tutorial or step-by-step guide exists, even a basic one?
>>
>> Please, help me
>>
>> Gianluca
>>
>> --
>> You are currently subscribed to [email protected] as: [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
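The procedure Carl lays out above (own CA, server key, CSR, signing) together with the keystore import Gianluca is asking about, carried through as an added POSIX shell example; this is not code from the thread, from the CAS project or from the linked tutorials. It assumes `openssl` and `keytool` on the PATH, uses a constructed host name `cas.example.test` and constructed passphrases, and goes beyond the thread in two ways: it adds a subjectAltName to the server certificate (modern browsers and Java clients ignore the CN for host matching), and it bundles key plus certificate through PKCS#12, because keytool has no command for importing a bare PEM private key, only certificates.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway development CA with
# openssl, issue a server certificate, pack key + cert into a Java keystore
# with keytool, and verify the chain. Host name, subjects and passphrases
# below are constructed for the example.
set -eu

# make_dev_pki WORKDIR HOSTNAME
# Writes rootCA.key/rootCA.pem, example.key/example.csr/example.crt,
# example.p12 and (when keytool is installed) keystore.jks into WORKDIR.
# The body runs in a subshell so the cd does not leak to the caller.
make_dev_pki() (
    workdir="$1"
    host="$2"
    ca_pass="constructed-ca-passphrase"  # constructed; in real use read it from the terminal
    store_pass="changeit"                # keytool's conventional default, constructed here

    mkdir -p "$workdir"
    cd "$workdir"

    # 1) CA key (encrypted, as in the thread) and self-signed CA certificate.
    openssl genrsa -aes256 -passout "pass:$ca_pass" -out rootCA.key 2048 2>/dev/null
    openssl req -x509 -new -key rootCA.key -passin "pass:$ca_pass" \
        -subj "/CN=Dev Root CA (example)" -days 1024 -out rootCA.pem

    # 2) Server private key and 3) CSR for the CAS host.
    openssl genrsa -out example.key 2048 2>/dev/null
    openssl req -new -key example.key -subj "/CN=$host" -out example.csr

    # 4) Sign the CSR. Host names are matched against subjectAltName, so the
    #    extension file adds it; CA:FALSE keeps the leaf from acting as a CA.
    cat > server.ext <<EOF
subjectAltName=DNS:$host
extendedKeyUsage=serverAuth
basicConstraints=CA:FALSE
EOF
    openssl x509 -req -in example.csr -CA rootCA.pem -CAkey rootCA.key \
        -passin "pass:$ca_pass" -CAcreateserial -extfile server.ext \
        -out example.crt -days 500 2>/dev/null

    # The issued certificate must chain to the dev CA before going further.
    openssl verify -CAfile rootCA.pem example.crt >/dev/null

    # 5) keytool cannot import a bare PEM private key, so bundle key + cert
    #    (+ issuing CA) into PKCS#12; keytool converts that into a JKS.
    openssl pkcs12 -export -in example.crt -inkey example.key \
        -certfile rootCA.pem -name tomcat -out example.p12 \
        -passout "pass:$store_pass"

    if command -v keytool >/dev/null 2>&1; then
        rm -f keystore.jks
        keytool -importkeystore -srckeystore example.p12 -srcstoretype PKCS12 \
            -srcstorepass "$store_pass" -destkeystore keystore.jks \
            -deststoretype JKS -deststorepass "$store_pass" -noprompt
        # The connector in the thread uses the same file as truststore, so the
        # dev CA certificate goes in as a trusted entry too.
        keytool -importcert -trustcacerts -alias devrootca -file rootCA.pem \
            -keystore keystore.jks -storepass "$store_pass" -noprompt
        keytool -list -keystore keystore.jks -storepass "$store_pass"
    else
        echo "keytool not found; example.p12 is ready for keytool -importkeystore" >&2
    fi
)

# check_dev_pki WORKDIR HOSTNAME
# Returns 0 when example.crt chains to rootCA.pem and carries a SAN for HOSTNAME.
check_dev_pki() {
    openssl verify -CAfile "$1/rootCA.pem" "$1/example.crt" >/dev/null &&
    openssl x509 -in "$1/example.crt" -noout -text | grep -q "DNS:$2"
}

# Usage: make_dev_pki ./devpki cas.example.test && check_dev_pki ./devpki cas.example.test
```

Two practical notes on the design. OpenSSL 3 writes PKCS#12 files with PBES2/AES by default, which the Java 6 keytool in this thread cannot read; with OpenSSL 3 add `-legacy` to the `openssl pkcs12 -export` line for such old JVMs. For step 9 (the client's back-channel call to CAS), importing the dev CA into the system-wide `cacerts` makes every Java program on that machine trust it; pointing just the client JVM at the generated store with `-Djavax.net.ssl.trustStore=/path/to/keystore.jks -Djavax.net.ssl.trustStorePassword=changeit` scopes that trust to the one application.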
