OpenSSL + APR + Tomcat 5.5.2 Help

2007-11-28 Thread Daniel M Garland

Hi folks,

Again I call on your expert assistance:

I have a tomcat 5.5.2 server running on a Debian Etch linux box. It's 
configured to use APR 1.1.3 and I want to get SSL going. I've 
successfully managed this using JSSE but not OpenSSL. I installed 
openssl using apt, as well as the APR libraries. Tomcat was installed 
with the binaries from Apache.


I ran the following commands (with help from http://marc.info):

- Create private key and certificate request for my own certificate 
authority

openssl req -new -newkey rsa:1024 -nodes -out ssl/ca/ca.csr -keyout
ssl/ca/ca.key

- Self-sign
openssl x509 -trustout -signkey ssl/ca/ca.key -days 365 -req -in
ssl/ca/ca.csr -out ssl/ca/ca.pem

- Import into Java's security thingy
keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file 
ssl/ca/ca.pem -alias tomcat


- Created a file for the CA's serial numbers?
echo 02 > ssl/ca/ca.srl

- Created a keystore
keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -keystore
~/.keystore -storetype JKS

- Create a certificate request for the server
keytool -certreq -keyalg RSA -alias tomcat -file ssl/certreq.csr 
-keystore .keystore


(This certificate got sent off to verisign, but in the meantime I 
thought I'd try signing myself off to see SSL working)


openssl x509 -CA ssl/ca/ca.pem -CAkey ssl/ca/ca.key -CAserial 
ssl/ca/ca.srl -req -in ssl/certreq.csr  -out ssl/selfcert.crt -days 365


- Import my self-cert into the keystore
keytool -import -alias tomcat  -keystore .keystore -trustcacerts -file 
ssl/selfcert.crt


Then I had this in server.xml
<Connector port="8443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"
   keystoreFile="/home/tomcat5/.keystore" keystorePass="password" />


The docs said that it would pickup .keystore in the user's home 
directory but I thought I'd set it explicitly.


When I restart tomcat I see in the log:
28-Nov-2007 14:59:26 org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443

And no errors alluding to SSL anywhere else.

When I try to access

https://myserver:8443

firefox tells me that the connection was interrupted, following a 
lengthy pause.


keytool -list shows 1 entry.

Since I'm a bit of a newbie to SSL, and there is nothing in the log, I 
am stuck as to what to do next. I gather that since I use APR I might 
need other settings in my server.conf, but the documentation is vague on 
whether I need both the keystore attributes and the openssl stuff, or 
just the ssl stuff, or what. If I were to add the SSLEngine, 
SSLCertificateFile, SSLCertificateKeyFile attributes, what values would 
I feed them based on the previous steps?


Does anyone have any good howtos for the openssl side of things (the 
first line of the official docs is a caveat that the howto applies to 
JSSE only!)


Thanks in advance

Dan Garland

__
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
__


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: OpenSSL + APR + Tomcat 5.5.2 Help

2007-11-28 Thread Daniel M Garland

OK so I tried it with the attributes set and now I get

java.lang.Exception: Error setting private key (error:0B080074:x509 
certificate routines:X509_check_private_key:key values mismatch)


Which I take to mean that my server key is not the same as the 
certificate key. Where did I go wrong?


SSLEngine="on" SSLCertificateFile="/home/tomcat5/ssl/myverisign.crt" 
SSLCertificateKeyFile="/home/tomcat5/ssl/ca/ca.key"


Did I send the wrong thing to verisign?
Dan

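The procedure in the first message and the "key values mismatch" error in the reply come down to one fact: the APR connector reads a PEM private key and a PEM certificate from disk (SSLCertificateKeyFile and SSLCertificateFile) and does not use the JKS keystore at all, and the key file must be the one whose public half is inside the certificate. In the reply, ca.key is the private CA's key, while the CSR that went to VeriSign (and the self-signed test certificate) came from the key that keytool generated inside ~/.keystore, so OpenSSL's X509_check_private_key fails. The script below is an added example, not the poster's commands and not code from the Tomcat project: it redoes the steps entirely with openssl so that the server key exists as a PEM file, then runs the two checks a practitioner would run before restarting Tomcat, that the CA vouches for the server certificate and that the key's RSA modulus equals the certificate's (the check behind the error above). Everything it creates lives in a scratch directory; the CN values, file names and 2048-bit key size (the thread uses 1024, which is no longer acceptable) are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's commands: private CA plus server
# key/certificate in PEM form for Tomcat's APR (OpenSSL) connector, with the
# checks that catch "key values mismatch" before Tomcat does.
# Assumptions: scratch directory WORK, illustrative CN values, 2048-bit RSA.
set -e

WORK="${WORK:-$(mktemp -d)}"

# 1. Private CA: key and self-signed certificate in one step. -nodes leaves
#    the key unencrypted on disk, so restrict it to its owner.
make_ca() {
    mkdir -p "$WORK/ca"
    openssl req -x509 -new -newkey rsa:2048 -nodes -batch -days 365 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.pem" 2>/dev/null
    chmod 600 "$WORK/ca/ca.key"
    echo 01 > "$WORK/ca/ca.srl"    # serial file; x509 -CAserial increments it
}

# 2. Server key and CSR made with openssl rather than keytool, so the private
#    key exists as a PEM file: SSLCertificateKeyFile cannot read a JKS keystore.
make_server_csr() {
    openssl req -new -newkey rsa:2048 -nodes -batch \
        -subj "/CN=myserver.example.com" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    chmod 600 "$WORK/server.key"
}

# 3. Sign the server CSR with the private CA. For a public CA, send the same
#    CSR instead; the key to configure stays the one from step 2.
sign_server() {
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca/ca.pem" -CAkey "$WORK/ca/ca.key" \
        -CAserial "$WORK/ca/ca.srl" -out "$WORK/server.crt" 2>/dev/null
}

# Check A: the server certificate chains to our CA.
chain_verifies() {
    openssl verify -CAfile "$WORK/ca/ca.pem" "$WORK/server.crt" >/dev/null 2>&1
}

# Check B: key ($1) and certificate ($2) share one RSA modulus. This is what
# X509_check_private_key tests; handing it the CA key (the reply's mistake)
# returns 1, as does handing it anything that is not a readable private key.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    if [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]; then
        return 0
    fi
    return 1
}

# The connector attributes named in the thread, pointed at the PEM files.
connector_snippet() {
    cat <<EOF
<Connector port="8443" scheme="https" secure="true" clientAuth="false"
    SSLEngine="on"
    SSLCertificateFile="$WORK/server.crt"
    SSLCertificateKeyFile="$WORK/server.key" />
EOF
}

main() {
    make_ca
    make_server_csr
    sign_server
    if chain_verifies; then
        echo "chain ok: server.crt is issued by ca.pem"
    fi
    # Try the right key and the wrong one (the CA key) against the cert.
    for key in "$WORK/server.key" "$WORK/ca/ca.key"; do
        if key_matches_cert "$key" "$WORK/server.crt"; then
            echo "match:    $key is the key for server.crt"
        else
            echo "MISMATCH: $key is not the key for server.crt (Tomcat would log 'key values mismatch')"
        fi
    done
    connector_snippet
}

main
```

Both files must be readable by the user Tomcat runs as and by nobody else. Depending on the exact 5.5.x build, SSLEngine belongs on the AprLifecycleListener rather than on the Connector; the APR page of the docs for your version says which. For the certificate VeriSign returns, the matching key is the one inside ~/.keystore, which keytool cannot export; on Java 6 or later, `keytool -importkeystore` into a PKCS12 file followed by `openssl pkcs12 -nocerts -nodes` gets it into PEM, otherwise the simpler route is to generate the key with openssl as above and submit that CSR instead.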