This tool has saved me a few times over: http://sourceforge.net/projects/portecle/
On Mon, Oct 28, 2013 at 4:41 PM, Ognjen Blagojevic <ognjen.d.blagoje...@gmail.com> wrote:
> Chris,
> Leo,
>
> On 28.10.2013 18:23, Leo Donahue - OETX wrote:
>>> I've been having some trouble lately converting keys and certs from OpenSSL
>>> format into Java's JKS format. I follow all of the magical incantations I can find
>>> online to convert key+cert into a Java keystore but I get no love. Is there a
>>> decent guide anywhere for how to do this?
>>
>> From my book of spells.
>>
>> Used this to configure SSL in Apache httpd for subversion edge.
>>
>> openssl pkcs12 -export -in C:/server.crt -inkey C:/server.key -name svnedge -out C:/server.p12
>>
>> keytool -importkeystore -srckeystore C:/server.p12 -srcstoretype PKCS12 -destkeystore C:/svnedge.jks
>
> During the TLS handshake, the server may respond with a complete certificate chain
> (server certificate with all intermediate certificates) or with an incomplete
> certificate chain (e.g. server certificate without any/some intermediate
> certificates). Most servers, around 88% of them, deliver the full certificate
> chain, according to the research mentioned here [1].
>
> A complete certificate chain is recognized as valid by every client that
> implements TLS (assuming that the root CA certificate is in the client
> keystore). An incomplete certificate chain may be recognized as valid by some
> TLS clients (e.g. Internet Explorer), using information from the X.509v3
> extension called Authority Information Access (AIA), or using previously
> validated certificate chains. Some clients will not recognize an incomplete
> certificate chain as valid (e.g. openssl or Apache HTTPCommons Client).
> Even the same client may sometimes recognize incomplete certificate chains
> as valid and sometimes as invalid, thanks to caching of intermediate
> certificates. Therefore, it is best practice always to deliver the complete
> certificate chain to the client.
>
> Having the root CA certificate in the chain is unnecessary, as it wastes your
> bandwidth during the TLS handshake (your client already has the root CA
> certificate in its own keystore).
>
> Assuming that intermediate certificates (intermediates.pem), server
> certificate (server.pem) and private key (server.key) are all in PEM
> format, you need to add the option -certfile to the command Leo provided:
>
> openssl pkcs12 -export -out keystore.p12 -name myserver -in server.pem -inkey server.key -certfile intermediates.pem
>
> Verify the contents of the p12 keystore with:
>
> openssl pkcs12 -in keystore.p12 -nokeys
>
> You should verify that the certificate chain is complete (up to, but
> without, the root CA certificate).
>
> Now, you may use that keystore for BIO and NIO connectors:
>
> keystoreFile="keystore.p12" keyAlias="myserver" keystoreType="pkcs12"
>
> Or you may convert it to a JKS keystore as Leo suggests.
>
> -Ognjen
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=399324#c72
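Ognjen's export-and-verify steps, as an added shell example that is not from the thread: it constructs a throwaway root/intermediate/server chain with openssl, packages the server cert, key and intermediate into a PKCS#12 keystore with -certfile, then checks that the root was left out and that the bundled intermediates are enough to verify the server certificate when only the root is trusted. The file names, the 'changeit' password and the "Demo" CA subjects are constructed for this example.

```shell
#!/bin/sh
# Added example: build a test chain, export server+intermediate to PKCS#12, check completeness.
set -eu

WORK=${WORK:-$(mktemp -d)}   # scratch directory for the constructed certs and keystore
PASS=changeit                # constructed keystore password, demo only

# Throwaway root -> intermediate -> server chain (1-day validity, constructed data).
make_test_chain() {
  # CA certificates need basicConstraints CA:TRUE to be accepted as issuers by openssl verify.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  ( cd "$WORK" &&
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj '/CN=Demo Root CA' 2>/dev/null &&
    openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.pem 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj '/CN=Demo Intermediate CA' 2>/dev/null &&
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 -extfile ca.ext -out intermediates.pem 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj '/CN=myserver.example' 2>/dev/null &&
    openssl x509 -req -in server.csr -CA intermediates.pem -CAkey inter.key -CAcreateserial -days 1 -out server.pem 2>/dev/null )
}

# The command from the thread: server cert + key, intermediates via -certfile, root deliberately left out.
build_keystore() {
  ( cd "$WORK" && openssl pkcs12 -export -out keystore.p12 -name myserver \
      -in server.pem -inkey server.key -certfile intermediates.pem -passout "pass:$PASS" )
}

# Dump only the certificates from the keystore, the inspection step suggested in the thread.
dump_keystore_certs() {
  openssl pkcs12 -in "$WORK/keystore.p12" -nokeys -passin "pass:$PASS" 2>/dev/null
}

# Number of bundled certificates: expect 2 (server + intermediate), i.e. no root.
count_keystore_certs() { dump_keystore_certs | grep -c 'BEGIN CERTIFICATE'; }

# Succeeds only if the root is NOT bundled (its name never appears as a bagged cert's subject).
root_excluded() { ! dump_keystore_certs | grep -q 'subject=.*Demo Root CA'; }

# Completeness check: trusting only the root, what ships in the keystore must verify the server cert.
chain_is_complete() {
  dump_keystore_certs > "$WORK/bundled.pem"
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/bundled.pem" "$WORK/server.pem" >/dev/null 2>&1
}

if command -v openssl >/dev/null 2>&1; then
  make_test_chain && build_keystore
  echo "certificates in keystore: $(count_keystore_certs)"   # 2
  root_excluded && echo "root CA not bundled (saves handshake bytes, as the thread notes)"
  chain_is_complete && echo "chain verifies with only the root trusted: complete"
else
  echo "openssl not found; nothing to demonstrate" >&2
fi
```

Run the same `chain_is_complete` check against a keystore built without `-certfile` and it fails, which is exactly the incomplete-chain case clients such as openssl reject.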