Re: Symantec SSL cert in tomcat 6

2014-01-03 Thread Ognjen Blagojevic 

Martin,

On 4.1.2014 0:27, Martin Gainty wrote:

With JKS keystore you must keep private key and certificates in the same
keystore.



MG>Since A pfx that Verisign provides contains key and cert
MG>"Windows servers use .pfx files to contain the public key files (your SSL
  Certificate files, provided by DigiCert) and MG>the associated private key
  file (generated by your server as part of the CSR).
"
MG>perhaps you are referring to the key/certificate combination in pfx?


No, not really. We are talking about Tomcat and JKS, not Windows servers 
and pfx.


-Ognjen

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Symantec SSL cert in tomcat 6

2014-01-03 Thread Martin Gainty 
MG>Ongnjen
> Gene,
> 
> On 3.1.2014 14:55, Gene Matthews wrote:
> > Thie symantec instructions say to ensure the alias for the ssl cert has an 
> > Entry Type of PrivateKeyEntry.  Mine DOES NOT.  Instructions say if it does 
> > not, to please import the certificate in the “Private Key” alias.
> 
> With JKS keystore you must keep private key and certificates in the same 
> keystore.
MG>Since A pfx that Verisign provides contains key and cert
MG>"Windows servers use .pfx files to contain the public key files (your SSL
 Certificate files, provided by DigiCert) and MG>the associated private key
 file (generated by your server as part of the CSR).
"
MG>perhaps you are referring to the key/certificate combination in pfx?

 Therefore, you shouldn't import server certificate and inter. 
> certificates into brand new keystore, but into the "old" keystore -- the 
> one you used to create key pair, and to generate CSR.
MG>CSR is the request to CA Authority (verisign ) to sign (digitally identify) 
this certificate 
MG> certificate signing request (also CSR or certification request) is a 
message sent from an applicant to a MG>certificate authority in order to apply 
for a digital identity certificate. The most common format for CSRs is the 
MG>PKCS#10 specification
MG>
> 
> I find it strange that Symantec/Verisign didn't mention that explicitly 
> in their documentation.
MG>agreed
> 
> > It also says to ensure the Certificate chain length is 4.
> 
> Once you import certificates into the right keystore, check that again.
> 
> 
> > PS:  How does one search the archives of this list?  When I browse the 
> > archive site I don’t see a search field anywhere.  So I’ve been googling 
> > without coming up with a solution. it is probably out there but I don’t 
> > know enough to recognize it :-(
> 
> http://tomcat.apache.org/lists.html
> 
> Search for "Archives".
> 
> -Ognjen
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

Re: Symantec SSL cert in tomcat 6

2014-01-03 Thread Ognjen Blagojevic 

Gene,

On 3.1.2014 14:55, Gene Matthews wrote:

Thie symantec instructions say to ensure the alias for the ssl cert has an 
Entry Type of PrivateKeyEntry.  Mine DOES NOT.  Instructions say if it does 
not, to please import the certificate in the “Private Key” alias.


With JKS keystore you must keep private key and certificates in the same 
keystore. Therefore, you shouldn't import server certificate and inter. 
certificates into brand new keystore, but into the "old" keystore -- the 
one you used to create key pair, and to generate CSR.


I find it strange that Symantec/Verisign didn't mention that explicitly 
in their documentation.




It also says to ensure the Certificate chain length is 4.


Once you import certificates into the right keystore, check that again.



PS:  How does one search the archives of this list?  When I browse the archive 
site I don’t see a search field anywhere.  So I’ve been googling without coming 
up with a solution. it is probably out there but I don’t know enough to 
recognize it :-(


http://tomcat.apache.org/lists.html

Search for "Archives".

-Ognjen

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Symantec SSL cert in tomcat 6

2014-01-03 Thread Gene Matthews 
Hi,

We have a working tomcat 6 installation with a self-signed cert.  We have 
received a certificate from Symantec (x509) and are trying to get it working in 
our tomcat 6 installation.  So far, I’ve had no luck.

What I have done so far:

1) Followed instructions from 
https://knowledge.verisign.com/support/mpki-for-ssl-support/index?page=content&actp=CROSSLINK&id=AR124
 
- downloaded primary & secondary intermediate CA from Symantec
- imported into a brand new keystone using
keytool -import -trustcacerts -alias primaryIntermediate -keystore 
geneKeystore -file priimary_inter.cer
keytool -import -trustcacerts -alias secondaryIntermediate -keystore 
geneKeystore -file secondary_inter.cer

keystore didn’t exist prior to the first import above but it seemed top 
create it ok and prompt for passwords.

- install the SSL cert from Symantec
keytool -import -trustcacerts -alias myalias -keystore geneKeystore 
-file ssl_cert.cer

- verify contents of keystone
keytool -list -v -keystore geneKeystore

Thie symantec instructions say to ensure the alias for the ssl cert has 
an Entry Type of PrivateKeyEntry.  Mine DOES NOT.  Instructions say if it does 
not, to please import the certificate in the “Private Key” alias.  I’m not sure 
what that means.  I’m assuming it does not mean to import the cert using the 
alias of ‘PrivateKey” as I believe the alias has to match what was in the CSR?? 
 It also says to ensure the Certificate chain length is 4.  The Symantec 
example shows sample output the above command with the “Certificate chain 
length: 4’ in the output but I don’t get that in mine.  My keystone type is JKS 
and provider is SUN as in their example though.  I do see four extensions 
listed under the ‘myalias’ alias; not sure if that would imply a chain length 
of four.  As you can already guess, I’m no SSL expert (or even tomcat expert 
for that matter).  Since I wasn’t sure what to do here I left his alone and 
moved on.

2) edit server.xml



3) restart tomcat

-verified tomcat is running
-verified something listening on port 8443 (netstat -an |grep 8443)
-catalina.out contents below:

Jan 03, 2014 8:43:43 AM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal 
performance in production environments was not found on the java.library.path: 
:/usr/share/tomcat6/lib:/usr/share/tomcat6/lib:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jan 03, 2014 8:43:43 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
'minSpareThreads' to '25' did not find a matching property.
Jan 03, 2014 8:43:43 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
'maxSpareThreads' to '75' did not find a matching property.
Jan 03, 2014 8:43:43 AM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Jan 03, 2014 8:43:44 AM org.apache.tomcat.util.net.NioSelectorPool 
getSharedSelector
INFO: Using a shared selector for servlet write/read
Jan 03, 2014 8:43:44 AM org.apache.coyote.http11.Http11NioProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Jan 03, 2014 8:43:44 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1217 ms
Jan 03, 2014 8:43:44 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Jan 03, 2014 8:43:44 AM org.apache.catalina.core.StandardEngine start
...
Jan 03, 2014 8:43:53 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Jan 03, 2014 8:43:53 AM org.apache.coyote.http11.Http11NioProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8443
Jan 03, 2014 8:43:53 AM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Jan 03, 2014 8:43:53 AM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/49  config=null
Jan 03, 2014 8:43:53 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 9583 ms


I’m not doing something correctly but I’m not sure what that is.  If anyone can 
point me in the right direction I would appreciate it.

Thanks,

Gene

PS:  How does one search the archives of this list?  When I browse the archive 
site I don’t see a search field anywhere.  So I’ve been googling without coming 
up with a solution. it is probably out there but I don’t know enough to 
recognize it :-(



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org