RE: SSL certificate help!
Hi Raj,

Thanks for your detailed mail, which was very helpful. I had followed the same, but I had another question. The certificate from Verisign has been placed as instructed, but how do I enable the client, i.e. the browser in my case, for the same? Does anything specific have to be done? Prior to doing this, I was using a self-signed certificate, which the browser still reads. How to make the browser know about the Verisign cert? Hope you got the point.

Thanks in advance,
Ritesh

-----Original Message-----
From: Raja Sekhar [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 06, 2002 5:30 PM
To: Tomcat Users List
Subject: Re: SSL certificate help!

Hi,

Follow these steps to configure your digital id.

1. Generate a local certificate:

       keytool -genkey -alias tomcat -keyalg RSA -keystore myfile

   where myfile is the name of the desired keystore file.

2. Generate the CSR (you need it to request your (demo) certificate):

       keytool -certreq -keyalg RSA -alias tomcat -file certreq.pem -keystore myfile

   Now you have a file called certreq.pem. Send this to your trustcenter.

   Note: You can skip steps 1 & 2 because you said you already got a Verisign certificate. But make sure that you have done these steps only to send your demo cert. to Verisign.

3. Go to Verisign and download the TrustedCA Root Certificate which they give for the browser. The downloaded file name would be getcacert. Now use the following command to import that into the trust store:

       keytool -import -alias root -keystore myfile -trustcacerts -file root-cert-file

4. Now import your Verisign certificate with this command:

       keytool -import -alias tomcat -keystore myfile -trustcacerts -file received-cert-file

With the above 4 steps, you are ready with your keystore.

Now go to server.xml and search for

    <Http10Connector port="8443" secure="true" />

Uncomment the above line and add the following changes:

    <Http10Connector port="8443" secure="true"
        keystoreFile="path of your keystore"
        keypass="if you give anything other than changeit"
        socketFactory="org.apache.tomcat.net.SSLSocketFactory" />

I think this should solve your problem. All the best.

Regards,
..Raj

On Mon, 6 May 2002 15:57:03 t.riteshmenon wrote:

Hello all,

I have got a Trial SSL Server Digital ID from Verisign. I would like to know how to configure it with Tomcat (3.2.1). I'm trying to enable SSL with Tomcat. Any help in this regard would be most welcome.

Thanks in advance,
Ritesh

This message contains privileged and confidential information and is intended only for the individual named.If you are not the intended recipient you should not disseminate,distribute,store,print, copy or deliver this message.Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted,corrupted,lost,destroyed,arrive late or incomplete or contain viruses.The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.
RE: SSL certificate help!
Here is what worked for me:

STEP A - Generate your private key

Pre-req: JDK must be installed

1) cd to $JAVA_HOME/jre/bin
2) Run

       ./keytool -genkey -alias tomcat -keyalg RSA -keystore <FULL PATH TO KEYSTORE>

3) You will be prompted for a password for the keystore
4) At the prompts, enter:

       What is your first and last name?
         [Unknown]: DO NOT USE NAME - ENTER THE NAME OF YOUR MACHINE AS IT'S KNOWN TO VISITORS
       What is the name of your organizational unit?
         [Unknown]: WHATEVER YOU LIKE
       What is the name of your organization?
         [Unknown]: TYPICALLY COMPANY NAME
       What is the name of your City or Locality?
         [Unknown]: YOUR CITY
       What is the name of your State or Province?
         [Unknown]: STATE OR PROV
       What is the two-letter country code for this unit?
         [Unknown]: COUNTRY CODE

5) You will then be prompted for another password - use the same (i.e. press ENTER)

STEP B - Generate a Certificate Request

1) cd to $JAVA_HOME/jre/bin
2) Run

       ./keytool -certreq -alias tomcat -file csr.txt -keystore <FULL PATH TO SAME KEYSTORE CREATED IN STEP A>

STEP C - Get the new cert from Verisign

www.verisign.com has all the info here.

STEP D - Install the Verisign ROOT CA cert AND your server cert

When you get your cert in step C, they will provide you with the root cert.

1) cd to $JAVA_HOME/jre/bin
2) Run

       ./keytool -import -alias verisign -file <FILE THAT CONTAINS THE VERISIGN ROOT CA CERT> -keystore <PATH TO KEYSTORE>

3) Run

       ./keytool -import -trustcacerts -alias tomcat -file <FILE THAT CONTAINS YOUR CERT FROM VERISIGN> -keystore <PATH TO KEYSTORE>

STEP E - Configure an SSL listener for Tomcat

1) Edit $JAKARTA_HOME/conf/server.xml and add the following:

       <!-- Define an SSL HTTP/1.1 Connector on port 443 -->
       <Connector className="org.apache.catalina.connector.http.HttpConnector"
                  port="443" minProcessors="5" maxProcessors="75"
                  enableLookups="true" acceptCount="10" debug="10"
                  scheme="https" secure="true">
         <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
                  clientAuth="false" protocol="TLS"
                  keystoreFile="FULL PATH TO KEYSTORE FILE"
                  keystorePass="PASSWORD HERE"/>
       </Connector>

2) Stop and start the Tomcat server

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 06, 2002 6:27 AM
To: [EMAIL PROTECTED]
Subject: SSL certificate help!

Hello all,

I have got a Trial SSL Server Digital ID from Verisign. I would like to know how to configure it with Tomcat (3.2.1). I'm trying to enable SSL with Tomcat. Any help in this regard would be most welcome.

Thanks in advance,
Ritesh
Re: SSL certificate help!
Hi,

Follow these steps to configure your digital id.

1. Generate a local certificate:

       keytool -genkey -alias tomcat -keyalg RSA -keystore myfile

   where myfile is the name of the desired keystore file.

2. Generate the CSR (you need it to request your (demo) certificate):

       keytool -certreq -keyalg RSA -alias tomcat -file certreq.pem -keystore myfile

   Now you have a file called certreq.pem. Send this to your trustcenter.

   Note: You can skip steps 1 & 2 because you said you already got a Verisign certificate. But make sure that you have done these steps only to send your demo cert. to Verisign.

3. Go to Verisign and download the TrustedCA Root Certificate which they give for the browser. The downloaded file name would be getcacert. Now use the following command to import that into the trust store:

       keytool -import -alias root -keystore myfile -trustcacerts -file root-cert-file

4. Now import your Verisign certificate with this command:

       keytool -import -alias tomcat -keystore myfile -trustcacerts -file received-cert-file

With the above 4 steps, you are ready with your keystore.

Now go to server.xml and search for

    <Http10Connector port="8443" secure="true" />

Uncomment the above line and add the following changes:

    <Http10Connector port="8443" secure="true"
        keystoreFile="path of your keystore"
        keypass="if you give anything other than changeit"
        socketFactory="org.apache.tomcat.net.SSLSocketFactory" />

I think this should solve your problem. All the best.

Regards,
..Raj

On Mon, 6 May 2002 15:57:03 t.riteshmenon wrote:

Hello all,

I have got a Trial SSL Server Digital ID from Verisign. I would like to know how to configure it with Tomcat (3.2.1). I'm trying to enable SSL with Tomcat. Any help in this regard would be most welcome.

Thanks in advance,
Ritesh
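
Added example, not part of any message in this thread: both procedures above (Raj's steps 1-4 and STEP A-D) end by importing the CA-issued certificate under the same tomcat alias that holds the private key. The script below reads keytool -list -v output and reports whether that alias still carries the self-signed certificate, holds a CA-signed chain, or is only a trusted certificate with no key; the function name, the CA name and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Classify one alias from `keytool -list -v` output read on stdin.
# Live use: keytool -list -v -keystore <keystore> | classify_alias tomcat
classify_alias() {
    awk -v want="$1" '
        /^Alias name: /               { cur = substr($0, 13) }
        cur != want                   { next }   # skip other entries
        /^Entry type: /               { type = substr($0, 13) }
        /^Certificate chain length: / { chain = $NF }
        /^Owner: /  && owner == ""    { owner  = substr($0, 8) }  # leaf cert only
        /^Issuer: / && issuer == ""   { issuer = substr($0, 9) }
        END {
            if (type == "")            { print want ": missing"; exit }
            # PrivateKeyEntry and keyEntry spellings are both accepted
            if (type !~ /[Kk]eyEntry/) { print want ": trusted-cert-only"; exit }
            kind = (owner == issuer) ? "self-signed" : "ca-signed"
            print want ": " kind " chain=" chain
        }'
}

# Constructed listing: keystore after -genkey only (no CA reply imported yet).
sample_before() { cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.com, O=Example Corp, C=US
Issuer: CN=www.example.com, O=Example Corp, C=US
EOF
}

# Constructed listing: root CA and CA reply both imported into the same keystore.
sample_after() { cat <<'EOF'
Alias name: verisign
Entry type: trustedCertEntry
Owner: OU=Example Root CA, O=Example CA Inc, C=US
Issuer: OU=Example Root CA, O=Example CA Inc, C=US
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.example.com, O=Example Corp, C=US
Issuer: OU=Example Root CA, O=Example CA Inc, C=US
Certificate[2]:
Owner: OU=Example Root CA, O=Example CA Inc, C=US
EOF
}

sample_before | classify_alias tomcat
sample_after  | classify_alias tomcat
```

A result of trusted-cert-only for the tomcat alias means the certificate was imported into a keystore that does not contain the private key generated for the CSR.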