Re: installing certificates

2017-10-11 Thread Adam Pease

Hi Chris and all,
  I was able to get my system running based on the instructions at
https://community.letsencrypt.org/t/configuring-lets-encrypt-with-tomcat-6-x-and-7-x/32416 .
I clarified them a little and put them into the context of installing my
open source project at
https://github.com/ontologyportal/sigmakee/blob/master/Security.txt

all the best,
Adam



Re: installing certificates

2017-10-09 Thread Adam Pease

Hi Chris,
  Many thanks for the quick response!  There's a lot of new terminology 
(to me) to all this and it's quite confusing I'm afraid.


  I tried Let's Encrypt just now but since I'm running Tomcat sites 
either I'm not doing it right, or it doesn't know how to verify domains 
when they don't answer on port 80.  So I get "The server could not 
connect to the client to verify the domain :: Timeout"
  Following the process at "gethttpsforfree.com" resulted in two long 
hex keys: one titled "Signed Certificate" and one titled "Intermediate 
Certificate".  I'm not sure what a "server certificate" is.  Is that a 
public/private key pair that I generated at the beginning of this 
process with


openssl genrsa 4096 > account.key

or what I did at the beginning of the tomcat instructions

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

But that generates a .keystore file which is already a parameter to the 
failing command.


I really appreciate your help.

all the best,
Adam

On 10/09/2017 02:00 PM, Christopher Schultz wrote:


Adam,

On 10/9/17 4:24 PM, Adam Pease wrote:

Hi, I'm running Tomcat 8.5.23 on an AWS Ubuntu Linux 16.04 LTS
installation.  I'm trying to follow the instructions at
https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html to get
HTTPS running under tomcat.


Version mismatch. You want this guide:
https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html


My site runs with a self-signed certificate.  Now I'm trying to
install a proper certificate from https://gethttpsforfree.com/

Try Let's Encrypt. I know nothing about "gethttpsforfree.com", but
I've personally done Let's Encrypt.


After the rather lengthy process to generate the "Signed
Certificate" and "Intermediate Certificate" it appears I'm ready to
follow the instructions under the heading "Importing the
Certificate".


BTW, LE is a single command to get a signed certificate.


My first question is whether there is a difference between the
certificates mentioned in

- "import a so called Chain Certificate or Root Certificate into
your keystore"

and

- "After that you can proceed with importing your Certificate."


You have a "server certificate" -- that's yours, and represents you.
There is (usually) another certificate, called the "chain" or
"intermediate" certificate, which represents the Certificate Authority
who signed your certificate.

When your server performs a TLS handshake with the client, it needs to
present a "certificate chain" which includes your server certificate
(the "leaf") and any certificates required to link the server cert to
a root certificate which is stored within the client and already
trusted (e.g. VeriSign, DigiCert, etc.). So your server needs to have
multiple certificates available to send, and only one "belongs" to you.


I was able to execute the command:

keytool -import -alias root -keystore 
-trustcacerts -file 

using a single file that has the "Signed Certificate" and
"Intermediate Certificate" from gethttpsforfree.  But then I get an
error from the next command

~$ keytool -import -alias tomcat -keystore .keystore -file chained.pem
Enter keystore password:
keytool error: java.lang.Exception: Certificate reply does not contain
public key for 


Which file is which? Looks like you imported the chain twice.


When I run

~$ keytool -list -v

I see (in part)

Alias name: tomcat
Creation date: Oct 9, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Adam Pease

I'm very new to certificates.  Could someone point me in the right
direction?


Java keystores are a nightmare... it's not your fault. ;)

It looks like you didn't successfully import the CA's
root/intermediate certificate. Can you reply with some more specifics?
What files do you have from the CA, what keystore(s) do you have, and
what are the exact commands you are running? You've left out some
important details from your post above.

Here's what I have in my "Java Keystore Cheat Sheet":

Create your server key and self-signed cert:

$ keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 4096
-alias ${HOSTNAME} -keystore ${HOSTNAME}.jks


Now, export your CSR:


$ keytool -certreq -sigalg SHA256withRSA -keystore ${HOSTNAME}.jks


Use that CSR to get your cert signed.

Now, import the signed cert back into your keystore, starting with the
root and/or intermediate cert and finishing with your server's cert:


$ keytool -import -alias [Authority.CA] -trustcacerts -file
[authority's CA cert] -keystore ${HOSTNAME}.jks


(^ if necessary)


$ keytool -import -alias [Authority.intermediate] -trustcacerts
-file [authority's intermediate cert] -keystore ${HOSTNAME}.jks

$ keytool -import -alias ${HOSTNAME} -fi
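Chris's point about the chain, and the keytool error quoted above, can both be checked before running the import. The following is an added example, not code from the thread or from Tomcat: it loads the keystore, looks in chained.pem for the certificate whose public key matches the key pair stored under the alias (the condition keytool checks before it reports "Certificate reply does not contain public key for"), and then walks the issuer links to show where the chain ends. The class name ChainCheck and its four arguments are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
// Hypothetical diagnostic (not from the thread or from Tomcat).
// Usage: java ChainCheck <keystore.jks> <password> <alias> <chained.pem>
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        // keytool -genkey stored a key pair under this alias; keytool accepts a
        // certificate reply only if one of its certs carries that public key.
        Certificate[] have = ks.getCertificateChain(args[2]);
        if (have == null) { System.out.println("no key entry for alias " + args[2]); return; }
        PublicKey keystorePub = have[0].getPublicKey();
        System.out.println("current chain length for " + args[2] + ": " + have.length);
        // Parse every PEM block in the reply file (leaf plus intermediates).
        List<X509Certificate> reply = new ArrayList<>();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(args[3])) { for (Certificate c : cf.generateCertificates(in)) reply.add((X509Certificate) c); }
        X509Certificate leaf = null;
        for (X509Certificate c : reply) if (c.getPublicKey().equals(keystorePub)) leaf = c;
        if (leaf == null) {   // the condition behind "Certificate reply does not contain public key for"
            System.out.println("no cert in " + args[3] + " matches the key pair under " + args[2]);
            return;
        }
        System.out.println("leaf matches keystore key: " + leaf.getSubjectX500Principal());
        // Follow issuer links; each cert must verify under the next one's public key.
        for (X509Certificate cur = leaf; ; ) {
            X509Certificate issuer = null;
            for (X509Certificate c : reply) if (c.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) issuer = c;
            if (issuer == null) {
                System.out.println("chain ends at " + cur.getSubjectX500Principal()
                    + "; its issuer must already be in the client's trust store");
                return;
            }
            cur.verify(issuer.getPublicKey());   // throws if the signature does not check out
            System.out.println("  signed by " + issuer.getSubjectX500Principal());
            if (issuer == cur) return;           // self-signed root reached
            cur = issuer;
        }
    }
}
```

If it reports that no certificate matches the key pair under the alias, the certificate was issued for a key other than the one the keystore holds, and importing it under that alias cannot succeed regardless of how the chain is ordered.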

installing certificates

2017-10-09 Thread Adam Pease

Hi,
  I'm running Tomcat 8.5.23 on an AWS Ubuntu Linux 16.04 LTS 
installation.  I'm trying to follow the instructions at 
https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html to get HTTPS 
running under tomcat.  My site runs with a self-signed certificate.  Now 
I'm trying to install a proper certificate from 
https://gethttpsforfree.com/ .  After the rather lengthy process to 
generate the "Signed Certificate" and "Intermediate Certificate" it 
appears I'm ready to follow the instructions under the heading 
"Importing the Certificate".
  My first question is whether there is a difference between the 
certificates mentioned in


- "import a so called Chain Certificate or Root Certificate into your 
keystore"


and

- "After that you can proceed with importing your Certificate."

I was able to execute the command:

keytool -import -alias root -keystore 
-trustcacerts -file 

using a single file that has the "Signed Certificate" and "Intermediate 
Certificate" from gethttpsforfree.  But then I get an error from the 
next command


~$ keytool -import -alias tomcat -keystore .keystore -file chained.pem
Enter keystore password:
keytool error: java.lang.Exception: Certificate reply does not contain 
public key for 


When I run

~$ keytool -list -v

I see (in part)

Alias name: tomcat
Creation date: Oct 9, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Adam Pease

I'm very new to certificates.  Could someone point me in the right 
direction?


all the best,
Adam

-- 
Adam Pease
http://www.ontologyportal.org
http://www.adampease.org
@apease_ontology on Twitter
