Try this -> https://wiki.jasig.org/pages/viewpage.action?pageId=1194
D.

Sent from my iPhone

> On Mar 27, 2015, at 05:26, Gianluca Diodato <[email protected]> wrote:
>
> Hi Dmitriy,
> I have created a certificate mycert.crt in PEM format with the xca GUI.
> What are the instructions now to import this .crt into a Java keystore? I googled
> but I'm very confused...
> Can you help me?
>
> Best
> Gianluca
>
> On Thursday, March 26, 2015 at 19:09:10 UTC+1, Dmitriy Kopylenko wrote:
>>
>> Yes.
>>
>> Sent from my iPhone
>>
>>> On Mar 26, 2015, at 12:53, Gianluca Diodato <[email protected]> wrote:
>>>
>>> Hi Dmitriy,
>>> I have created my certificate with the xca GUI and exported it into a .crt file in
>>> PEM format.
>>> And now? Do I have to import this file into my keystore to change Tomcat?
>>>
>>> Best
>>> Gianluca
>>>
>>> On Wednesday, March 25, 2015 at 15:51:35 UTC+1, Dmitriy Kopylenko wrote:
>>>>
>>>> I just want to add that there is an excellent GUI software for managing
>>>> all of this stuff (built on OpenSSL), namely xca:
>>>> http://sourceforge.net/projects/xca/
>>>>
>>>> Best,
>>>> D.
>>>>
>>>>> On Mar 25, 2015, at 10:42 AM, Waldbieser, Carl <[email protected]> wrote:
>>>>>
>>>>> Gianluca,
>>>>>
>>>>> This site [1] has useful `keytool` examples. You should be able to view
>>>>> the contents of your keystore with something like:
>>>>>
>>>>>     $ keytool -list -v -keystore /path/to/your/keystore.jks
>>>>>
>>>>> There are some useful troubleshooting tips on SO [2].
>>>>>
>>>>> To configure Tomcat to use the keystore, you need to set up a connector
>>>>> like the following in $CATALINA_HOME/conf/server.xml:
>>>>>
>>>>>     <Connector
>>>>>         protocol="org.apache.coyote.http11.Http11Protocol"
>>>>>         SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
>>>>>         port="443"
>>>>>         scheme="https"
>>>>>         secure="true"
>>>>>         clientAuth="false"
>>>>>         SSLEnabled="true"
>>>>>         emptySessionPath="true"
>>>>>         sslProtocol="TLS"
>>>>>         keystoreFile="/path/to/your/keystore.jks"
>>>>>         keystorePass="YourKeystorePassword"
>>>>>         truststoreFile="/path/to/your/keystore.jks"
>>>>>         truststorePass="YourKeystorePassword"
>>>>>         truststoreAlgorithm="DelegateToApplication"
>>>>>     />
>>>>>
>>>>> The exact parameters may vary a bit depending on your version of Tomcat
>>>>> or other preferences you may have.
>>>>>
>>>>> [1] https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
>>>>> [2] http://stackoverflow.com/questions/2138940/import-pem-into-java-key-store
>>>>>
>>>>> Thanks,
>>>>> Carl
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Gianluca Diodato" <[email protected]>
>>>>> To: [email protected]
>>>>> Cc: [email protected], [email protected], [email protected], [email protected]
>>>>> Sent: Wednesday, March 25, 2015 10:21:05 AM
>>>>> Subject: Re: [cas-user] SSL problem (I need tutorial!!) Cas Server on remote machine, Java Cas Client other machine
>>>>>
>>>>> Carl,
>>>>> thank you very much for the detailed answer.
>>>>> I'm in until 4)... I have created these files:
>>>>> - casserver.crt
>>>>> - casserver.key
>>>>> - casserver.csr
>>>>> - rootCA.pem
>>>>> - rootCA.key
>>>>> - rootCA.srl
>>>>>
>>>>> In 5) I have to install the private key and public certificate in my CAS
>>>>> server using java `keytool` (I don't know how...) and configure Tomcat
>>>>> to use the keystore I created (I'm in!!).
>>>>> Is this the instruction?
>>>>>
>>>>>     keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks
>>>>>
>>>>> Thanks
>>>>> Gianluca
>>>>>
>>>>> On Wednesday, March 25, 2015 at 14:21:07 UTC+1, Waldbieser, Carl wrote:
>>>>>>
>>>>>> Gianluca,
>>>>>>
>>>>>> For development, I like to use the openssl tools to create my own CA and
>>>>>> use it to sign my own certificates rather than using a self-signed
>>>>>> certificate.
>>>>>> Here are the notes I use. Lines starting with ($) are the actual commands
>>>>>> I enter into the terminal.
>>>>>>
>>>>>> ================
>>>>>> Create My Own CA
>>>>>> ================
>>>>>>
>>>>>> # Create CA key
>>>>>> $ openssl genrsa -des3 -out rootCA.key 2048
>>>>>> # Create and self-sign CA cert.
>>>>>> $ openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
>>>>>>
>>>>>> ------------
>>>>>> Create a Key
>>>>>> ------------
>>>>>> $ openssl genrsa -out example.key 2048
>>>>>>
>>>>>> ------------------------------------
>>>>>> Create a Certificate Signing Request
>>>>>> ------------------------------------
>>>>>> $ openssl req -new -key example.key -out example.csr
>>>>>>
>>>>>> ----------
>>>>>> Sign a CSR
>>>>>> ----------
>>>>>> $ openssl x509 -req -in example.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out example.crt -days 500
>>>>>>
>>>>>>
>>>>>> So first, I generate a CA key and cert (first 2 commands). This is
>>>>>> something you only need to do once, but you have to keep the key somewhere
>>>>>> you can find it, and you need to remember the password you choose for it as
>>>>>> you will use this key to sign your certs.
>>>>>>
>>>>>> Next, whenever you set up a development *server*, you create a private key
>>>>>> for the server (command under "Create a Key" section) and a certificate
>>>>>> signing request (section "Create a Certificate Signing Request").
>>>>>>
>>>>>> Finally, you use the CA you generated to sign the CSR and generate a
>>>>>> public certificate for the server (section "Sign a CSR"). These steps are
>>>>>> basically what real CAs do, but they need to be a lot more careful with
>>>>>> their keys and their CA public certs are typically already included in your
>>>>>> browser.
>>>>>>
>>>>>> It is worth noting that the OpenSSL tool commands above generate keys and
>>>>>> certs in PEM format, which is a text format you can view in an editor. The
>>>>>> CAS server runs as a Java servlet, so it uses a Java keystore format (a
>>>>>> file that sometimes has a .jks extension). You need to use the Java
>>>>>> `keytool` command to import certificates and private keys into the Java
>>>>>> keystore.
>>>>>>
>>>>>> Browsers will typically accept certificates in a variety of formats.
>>>>>>
>>>>>> So for your CAS setup, I would:
>>>>>>
>>>>>> 1) Generate a CA key and certificate.
>>>>>> 2) Generate a private key for my CAS server.
>>>>>> 3) Generate a CSR for the CAS server private key.
>>>>>> 4) Use my CA key to sign the CAS server CSR and create a public certificate.
>>>>>> 5) Install the private key and public certificate in my CAS server using
>>>>>>    java `keytool` and configuring Tomcat to use the keystore I created.
>>>>>>    Alternatively, if I have Apache in front of Tomcat and am using
>>>>>>    something like mod_ajp, I can just use the PEM files in my Apache config
>>>>>>    and not worry about SSL in Tomcat.
>>>>>> 6) Import my CA public cert into my browser.
>>>>>> 7) Test that the CAS server cert is accepted by my browser (hit the
>>>>>>    /logout URL and verify the cert gives me the "green lock" icon).
>>>>>> 8) Repeat steps 2-5 for my server with the CAS client app.
>>>>>> 9) Since the CAS client app is actually going to make an HTTPS request
>>>>>>    to CAS using a back-channel, you have to make sure that the
>>>>>>    HTTPS Java client it uses trusts your CA.
>>>>>>    I am not sure how to
>>>>>>    configure this *specifically* for only that client, but I believe
>>>>>>    you can import your CA into the system-wide Java CA-certs keystore.
>>>>>>    Its name is typically "cacerts", but the location on your
>>>>>>    system may vary.
>>>>>>
>>>>>> Thanks,
>>>>>> Carl
>>>>>>
>>>>>> ----- Original Message -----
>>>>>> From: "Gianluca Diodato" <[email protected]>
>>>>>> To: [email protected]
>>>>>> Cc: [email protected], [email protected], [email protected]
>>>>>> Sent: Wednesday, March 25, 2015 6:24:44 AM
>>>>>> Subject: Re: [cas-user] SSL problem (I need tutorial!!) Cas Server on remote machine, Java Cas Client other machine
>>>>>>
>>>>>> Hi Carl,
>>>>>> thanks for your answer.
>>>>>> First of all, yes it is a development environment.
>>>>>> I created my own CA on the server machine (CAS Server) with this tutorial
>>>>>> (http://tekyhost.com/ubuntu-12-04-and-tomcat-7-ssl-implementation/) and
>>>>>> everything works fine (https://localhost:8443/cas/login and on the other
>>>>>> machine https://my_ip_server:8443/cas/login). I followed this
>>>>>> tutorial http://jasig.github.io/cas/4.0.x/index.html and for the
>>>>>> authentication I created a db (mySQL) with a table users (2 columns: email,
>>>>>> password(MD5)). On the other machine I'm developing a web application (J2EE
>>>>>> in Eclipse) and I'm trying to connect the login page to the cas login page via
>>>>>> web.xml adding filters
>>>>>> (https://cuit.columbia.edu/cas-ify-java-application)
>>>>>> via SSL.
>>>>>> For my client machine, do I have to create another own CA or do I have to import
>>>>>> the server CA into $JAVA_HOME/jre/lib/security/cacerts (client)??
>>>>>> Sorry but all this is new for me!!
>>>>>>
>>>>>> Thanks
>>>>>> Gianluca
>>>>>>
>>>>>> On Tuesday, March 24, 2015 at 16:29:55 UTC+1, Waldbieser, Carl wrote:
>>>>>>>
>>>>>>> Gianluca,
>>>>>>>
>>>>>>> Is this a development environment or is it a production environment where
>>>>>>> users' web browsers need to trust the certificate? In the latter case, you
>>>>>>> will need to generate a private key, make a certificate request, and get the
>>>>>>> certificate signed by a Certificate Authority (CA).
>>>>>>>
>>>>>>> In a development environment, it is possible to be your own CA. You would
>>>>>>> basically do the same things as in production, but you would need to add
>>>>>>> the local CA certificates to the browsers you will be testing. If you use
>>>>>>> proxy CAS, your CAS server will also need to trust your private CA.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Carl Waldbieser
>>>>>>> ITS System Programmer
>>>>>>> Lafayette College
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>> From: "Gianluca Diodato" <[email protected]>
>>>>>>> To: [email protected]
>>>>>>> Sent: Tuesday, March 24, 2015 11:10:29 AM
>>>>>>> Subject: [cas-user] SSL problem (I need tutorial!!) Cas Server on remote machine, Java Cas Client other machine
>>>>>>>
>>>>>>> Hi All,
>>>>>>> can anyone help me with my configuration problem as in the subject??
>>>>>>> I need to configure my environment for SSL like this:
>>>>>>>
>>>>>>> Machine 1: CAS SERVER -- Ubuntu 12.04 - Tomcat 7 - JDK 1.6 -- SSL
>>>>>>> certificate generated with openssl + apr and added to Tomcat + Users in
>>>>>>> MysqlDB (WORKS)
>>>>>>> Machine 2: Cas Client java 3.3.3 (jar) imported into my webapp with only a
>>>>>>> welcome page at the moment -- Eclipse Luna + Tomcat 7 + JDK 1.6
>>>>>>>
>>>>>>> On machine 2, how do I generate a trusted certificate in order to connect my
>>>>>>> client to the CAS Server to log in my users?
>>>>>>> Does anyone know if a step-by-step tutorial or guide exists, even a basic one?
>>>>>>>
>>>>>>> Please, help me
>>>>>>>
>>>>>>> Gianluca

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
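The dev-CA workflow from Carl's notes (CA key and self-signed CA cert, server key, CSR, signed server cert), scripted end to end as an added example that is neither code from the thread nor from the CAS project. It is non-interactive (passphrases and subjects are passed on the command line instead of prompted), marks the CA as CA:TRUE and gives the server cert a subjectAltName, verifies the chain before anything touches Tomcat, and covers the step Gianluca was stuck on: `keytool` cannot import a bare PEM private key, so key and certificate are bundled into PKCS#12 first and then converted to a JKS keystore. The hostname `cas.example.test`, the file names, the `ca.cnf`/`server.ext` helper files and the passphrases are constructed placeholders; `openssl` is required, and the `keytool` steps are skipped when it is not on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread or the CAS project): Carl's dev-CA notes
# made non-interactive, plus the PEM -> Java keystore step.  Hostname, file
# names and passphrases are constructed placeholders; override via environment.

CA_PASS="${CA_PASS:-constructed-ca-passphrase}"      # protects rootCA.key (the -des3 step)
STORE_PASS="${STORE_PASS:-constructed-store-pass}"   # PKCS#12 / JKS password for Tomcat
SERVER_NAME="${SERVER_NAME:-cas.example.test}"       # hostname the server cert is issued to

# Steps 1-4 of the thread: CA key + self-signed CA cert, server key, CSR, signed cert.
make_dev_pki() {
    dir="$1"
    mkdir -p "$dir" || return 1
    # Minimal config so the run does not depend on the system openssl.cnf and
    # so the CA cert is marked CA:TRUE (Java and browsers reject a CA without it).
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Dev Root CA (constructed)
[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/rootCA.key" 2048 || return 1
    openssl req -x509 -new -config "$dir/ca.cnf" -key "$dir/rootCA.key" \
        -passin "pass:$CA_PASS" -days 1024 -out "$dir/rootCA.pem" || return 1

    openssl genrsa -out "$dir/example.key" 2048 || return 1
    openssl req -new -config "$dir/ca.cnf" -key "$dir/example.key" \
        -subj "/CN=$SERVER_NAME" -out "$dir/example.csr" || return 1
    # Extensions for the leaf cert: browsers match the hostname against the
    # SAN, not the CN, so without this step 7 ("green lock") fails.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$SERVER_NAME" > "$dir/server.ext"
    openssl x509 -req -in "$dir/example.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
        -passin "pass:$CA_PASS" -CAcreateserial -days 500 \
        -extfile "$dir/server.ext" -out "$dir/example.crt" || return 1
}

# Check the result before touching Tomcat: the leaf must chain to the dev CA
# and carry the expected SAN.  Returns 0 only if both hold.
verify_chain() {
    dir="$1"
    openssl verify -CAfile "$dir/rootCA.pem" "$dir/example.crt" >/dev/null || return 1
    openssl x509 -in "$dir/example.crt" -noout -text | grep -q "DNS:$SERVER_NAME"
}

# Step 5: keytool cannot import a bare PEM private key, so bundle key + cert +
# CA into PKCS#12 first; Tomcat can use that file directly (keystoreType="PKCS12")
# or it can be converted to JKS as below.
bundle_for_java() {
    dir="$1"
    openssl pkcs12 -export -in "$dir/example.crt" -inkey "$dir/example.key" \
        -certfile "$dir/rootCA.pem" -name cas -passout "pass:$STORE_PASS" \
        -out "$dir/example.p12" || return 1
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not on PATH; use $dir/example.p12 with keystoreType=\"PKCS12\""
        return 0
    fi
    keytool -importkeystore -srckeystore "$dir/example.p12" -srcstoretype PKCS12 \
        -srcstorepass "$STORE_PASS" -destkeystore "$dir/keystore.jks" \
        -deststorepass "$STORE_PASS" -noprompt || return 1
    # Also trust the dev CA so the same file can serve as the truststore
    # (the back-channel in step 9 needs the CA cert, not the server cert).
    keytool -importcert -trustcacerts -alias devca -file "$dir/rootCA.pem" \
        -keystore "$dir/keystore.jks" -storepass "$STORE_PASS" -noprompt || return 1
    keytool -list -keystore "$dir/keystore.jks" -storepass "$STORE_PASS" | grep -q '^cas,'
}

# Run end to end in a scratch directory when DEV_PKI_RUN=1 is set.
if [ "${DEV_PKI_RUN:-0}" = "1" ]; then
    WORK="${WORK:-./dev-pki}"
    make_dev_pki "$WORK" && verify_chain "$WORK" && bundle_for_java "$WORK" \
        && echo "dev PKI ready in $WORK"
fi
```

Two points worth knowing when running this against the setup in the thread. OpenSSL 3 writes PKCS#12 files with PBES2/AES by default, which the `keytool` of older JDK 8 builds cannot read; adding `-legacy` to the `openssl pkcs12 -export` call produces the older encoding. And for step 9, importing `rootCA.pem` into the JVM-wide `cacerts` (default password `changeit`) makes every Java client on that machine trust whatever the dev CA signs, so `rootCA.key` should live outside the project tree and never be copied to the client machine; only the CA certificate needs to travel.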
