RE: Self-Signed Certificate for Tomcat JVM and CAS
I wish you would read this email earlier. I thought if I use the default password (changeit), I don't need to have -storepass parameter. This morning I re-read extkeytool example and tried to put the storepass parameter and it works. After I imported my self-signed cert to JVM truststore, CAS client can trust CAS server. Thank all of you for providing me all the valueable links and information. Lisa -Original Message- From: Morris Jones [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 15, 2007 10:48 AM To: Tomcat Users List; [EMAIL PROTECTED] Subject: Re: Self-Signed Certificate for Tomcat JVM and CAS Sorry I hadn't seen your message earlier when you posted it. But you should create the keystore with a keystore password. Did you do that? Cheers, Mojo Lisa Tan wrote: > After following the docs to generate self-signed pkcs12 key, I failed to import the key/certificate into my application with No password given for keystore, integrity will not be verified. What does the reason cause this error? > > I read some docs which ask to create an empty Java keystore and convert PEM formatted key to PKCS8 format. Why do I need to create an empty keystore? > > Thanks, > > Lisa > > Original message >> Date: Fri, 10 Aug 2007 18:25:56 -0700 >> From: "Bill Barker" <[EMAIL PROTECTED]> >> Subject: Re: Self-Signed Certificate for Tomcat JVM and CAS >> To: users@tomcat.apache.org >> >> >> "Lisa Tan" <[EMAIL PROTECTED]> wrote in message >> news:[EMAIL PROTECTED] >>> I don't know if this is a right list to ask this question. I tried to >>> configure shibboleth which uses Tomcat with CAS authentication. I received >>> an error: Unable to validate ProxyTicketValidator >>> >>> >>> >>> I did google search on this topic and understood the reason causing this >>> problem is Tomcat JVM doesn't trust the SSL cert of the CAS server. Since >>> I >>> am still in the testing stage, I can't get a CA certificate but the >>> self-signed certificate. >>> >>> >>> >>> If my understanding is correct, the self signed certificate via openssl >>> doesn't have jks format but Tomcat JVM only accept jks format certificate. >>> >> If you had read the friendly manual at >> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, you would know that >> this isn't true :). While it talks about the keystore, the truststore works >> the same way. So use openssl to create a pkcs12 file, specify this as the >> truststore, in whatever way you need to do from the CAS docs, and you should >> be good to go. >>> >>> I am just wondering if any one can give me some instruction how to create >>> a >>> self-signed certificate and private key which can be used or imported to >>> both Tomcat JVM and CAS server. >>> >>> >>> >>> Thanks, >>> >>> >>> >>> Lisa >>> >>> >>> >>> >>> >>> >> >> >> >> - >> To start a new topic, e-mail: users@tomcat.apache.org >> To unsubscribe, e-mail: [EMAIL PROTECTED] >> For additional commands, e-mail: [EMAIL PROTECTED] >> > > - > To start a new topic, e-mail: users@tomcat.apache.org > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] -- Morris Jones Monrovia, CA http://www.whiteoaks.com Old Town Astronomers http://www.otastro.org - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Self-Signed Certificate for Tomcat JVM and CAS
Sorry I hadn't seen your message earlier when you posted it. But you should create the keystore with a keystore password. Did you do that? Cheers, Mojo Lisa Tan wrote: After following the docs to generate self-signed pkcs12 key, I failed to import the key/certificate into my application with No password given for keystore, integrity will not be verified. What does the reason cause this error? I read some docs which ask to create an empty Java keystore and convert PEM formatted key to PKCS8 format. Why do I need to create an empty keystore? Thanks, Lisa Original message Date: Fri, 10 Aug 2007 18:25:56 -0700 From: "Bill Barker" <[EMAIL PROTECTED]> Subject: Re: Self-Signed Certificate for Tomcat JVM and CAS To: users@tomcat.apache.org "Lisa Tan" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] I don't know if this is a right list to ask this question. I tried to configure shibboleth which uses Tomcat with CAS authentication. I received an error: Unable to validate ProxyTicketValidator I did google search on this topic and understood the reason causing this problem is Tomcat JVM doesn't trust the SSL cert of the CAS server. Since I am still in the testing stage, I can't get a CA certificate but the self-signed certificate. If my understanding is correct, the self signed certificate via openssl doesn't have jks format but Tomcat JVM only accept jks format certificate. If you had read the friendly manual at http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, you would know that this isn't true :). While it talks about the keystore, the truststore works the same way. So use openssl to create a pkcs12 file, specify this as the truststore, in whatever way you need to do from the CAS docs, and you should be good to go. I am just wondering if any one can give me some instruction how to create a self-signed certificate and private key which can be used or imported to both Tomcat JVM and CAS server. Thanks, Lisa - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Morris Jones Monrovia, CA http://www.whiteoaks.com Old Town Astronomers http://www.otastro.org - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Self-Signed Certificate for Tomcat JVM and CAS
to re-iterate the doc from IBM at http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_cekeen.html "The keystore file is a key database file that contains both public keys (Public keys are stored as signer certificates) and private keys (private keys are stored in the personal certificates.)" M- This email message and any files transmitted with it contain confidential information intended only for the person(s) to whom this email message is addressed. If you have received this email message in error, please notify the sender immediately by telephone or email and destroy the original message without making a copy. Thank you. - Original Message - From: "Lisa Tan" <[EMAIL PROTECTED]> To: "Tomcat Users List" Sent: Saturday, August 11, 2007 6:23 PM Subject: Re: Self-Signed Certificate for Tomcat JVM and CAS After following the docs to generate self-signed pkcs12 key, I failed to import the key/certificate into my application with No password given for keystore, integrity will not be verified. What does the reason cause this error? I read some docs which ask to create an empty Java keystore and convert PEM formatted key to PKCS8 format. Why do I need to create an empty keystore? Thanks, Lisa Original message Date: Fri, 10 Aug 2007 18:25:56 -0700 From: "Bill Barker" <[EMAIL PROTECTED]> Subject: Re: Self-Signed Certificate for Tomcat JVM and CAS To: users@tomcat.apache.org "Lisa Tan" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] I don't know if this is a right list to ask this question. I tried to configure shibboleth which uses Tomcat with CAS authentication. I received an error: Unable to validate ProxyTicketValidator I did google search on this topic and understood the reason causing this problem is Tomcat JVM doesn't trust the SSL cert of the CAS server. Since I am still in the testing stage, I can't get a CA certificate but the self-signed certificate. If my understanding is correct, the self signed certificate via openssl doesn't have jks format but Tomcat JVM only accept jks format certificate. If you had read the friendly manual at http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, you would know that this isn't true :). While it talks about the keystore, the truststore works the same way. So use openssl to create a pkcs12 file, specify this as the truststore, in whatever way you need to do from the CAS docs, and you should be good to go. I am just wondering if any one can give me some instruction how to create a self-signed certificate and private key which can be used or imported to both Tomcat JVM and CAS server. Thanks, Lisa - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Self-Signed Certificate for Tomcat JVM and CAS
After following the docs to generate self-signed pkcs12 key, I failed to import the key/certificate into my application with No password given for keystore, integrity will not be verified. What does the reason cause this error? I read some docs which ask to create an empty Java keystore and convert PEM formatted key to PKCS8 format. Why do I need to create an empty keystore? Thanks, Lisa Original message >Date: Fri, 10 Aug 2007 18:25:56 -0700 >From: "Bill Barker" <[EMAIL PROTECTED]> >Subject: Re: Self-Signed Certificate for Tomcat JVM and CAS >To: users@tomcat.apache.org > > >"Lisa Tan" <[EMAIL PROTECTED]> wrote in message >news:[EMAIL PROTECTED] >>I don't know if this is a right list to ask this question. I tried to >> configure shibboleth which uses Tomcat with CAS authentication. I received >> an error: Unable to validate ProxyTicketValidator >> >> >> >> I did google search on this topic and understood the reason causing this >> problem is Tomcat JVM doesn't trust the SSL cert of the CAS server. Since >> I >> am still in the testing stage, I can't get a CA certificate but the >> self-signed certificate. >> >> >> >> If my understanding is correct, the self signed certificate via openssl >> doesn't have jks format but Tomcat JVM only accept jks format certificate. >> > >If you had read the friendly manual at >http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, you would know that >this isn't true :). While it talks about the keystore, the truststore works >the same way. So use openssl to create a pkcs12 file, specify this as the >truststore, in whatever way you need to do from the CAS docs, and you should >be good to go. >> >> >> I am just wondering if any one can give me some instruction how to create >> a >> self-signed certificate and private key which can be used or imported to >> both Tomcat JVM and CAS server. >> >> >> >> Thanks, >> >> >> >> Lisa >> >> >> >> >> >> > > > > >- >To start a new topic, e-mail: users@tomcat.apache.org >To unsubscribe, e-mail: [EMAIL PROTECTED] >For additional commands, e-mail: [EMAIL PROTECTED] > - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Self-Signed Certificate for Tomcat JVM and CAS
"Lisa Tan" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] >I don't know if this is a right list to ask this question. I tried to > configure shibboleth which uses Tomcat with CAS authentication. I received > an error: Unable to validate ProxyTicketValidator > > > > I did google search on this topic and understood the reason causing this > problem is Tomcat JVM doesn't trust the SSL cert of the CAS server. Since > I > am still in the testing stage, I can't get a CA certificate but the > self-signed certificate. > > > > If my understanding is correct, the self signed certificate via openssl > doesn't have jks format but Tomcat JVM only accept jks format certificate. > If you had read the friendly manual at http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, you would know that this isn't true :). While it talks about the keystore, the truststore works the same way. So use openssl to create a pkcs12 file, specify this as the truststore, in whatever way you need to do from the CAS docs, and you should be good to go. > > > I am just wondering if any one can give me some instruction how to create > a > self-signed certificate and private key which can be used or imported to > both Tomcat JVM and CAS server. > > > > Thanks, > > > > Lisa > > > > > > - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Self-Signed Certificate for Tomcat JVM and CAS
I don't know if this is a right list to ask this question. I tried to configure shibboleth which uses Tomcat with CAS authentication. I received an error: Unable to validate ProxyTicketValidator I did google search on this topic and understood the reason causing this problem is Tomcat JVM doesn't trust the SSL cert of the CAS server. Since I am still in the testing stage, I can't get a CA certificate but the self-signed certificate. If my understanding is correct, the self signed certificate via openssl doesn't have jks format but Tomcat JVM only accept jks format certificate. I am just wondering if any one can give me some instruction how to create a self-signed certificate and private key which can be used or imported to both Tomcat JVM and CAS server. Thanks, Lisa