Re: Using a P7B certificate file
James,

On 9/13/13 5:29 PM, James H. H. Lampert wrote:
> On 9/11/13 5:22 AM, Christopher Schultz wrote:
>> Okay, great: you have a chain of certificates and could, with a bit of effort, convert that into a Java keystore or a PEM-encoded file for use with OpenSSL (and httpd, tcnative, etc.). Without the private key, though, you aren't going to get very far. Go back to the client and tell them that you need that, too.
>
> FINALLY!
>
> (And this is why we discourage our customers from building their own keystores: there's enough chance of screwing it up if I do it, and I've done it a few times; unless the customer has a Tomcat expert on staff, they're going to be as lost as I was the first time.)

Well, one could argue that the server key really is the key to the kingdom, so exercising a certain amount of caution about sharing it around is appropriate in general. It sounds like this wasn't a security consideration, though, but basic incompetence on their part.

> We got the customer to send us the originating keystore (on the second try!), and the non-default password for it, and I managed to marry it to the signed certificate in the P7B file, and get it installed (screwing up the syntax of server.xml, the first time I tried to adjust it from our choice of keystore name and alias to their choices and their non-default password), and finally managed to get it to come up.
>
> Thanks, Mr. Schultz, et al. You were more helpful than you might realize.

Uh.. sure! I suspect I just confirmed something that you already knew: you didn't have everything you needed to do the job you were asked to do.

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Using a P7B certificate file
On 9/11/13 5:22 AM, Christopher Schultz wrote:
> Okay, great: you have a chain of certificates and could, with a bit of effort, convert that into a Java keystore or a PEM-encoded file for use with OpenSSL (and httpd, tcnative, etc.). Without the private key, though, you aren't going to get very far. Go back to the client and tell them that you need that, too.

FINALLY!

(And this is why we discourage our customers from building their own keystores: there's enough chance of screwing it up if I do it, and I've done it a few times; unless the customer has a Tomcat expert on staff, they're going to be as lost as I was the first time.)

We got the customer to send us the originating keystore (on the second try!), and the non-default password for it, and I managed to marry it to the signed certificate in the P7B file, and get it installed (screwing up the syntax of server.xml, the first time I tried to adjust it from our choice of keystore name and alias to their choices and their non-default password), and finally managed to get it to come up.

Thanks, Mr. Schultz, et al. You were more helpful than you might realize.

--
James H. H. Lampert
Touchtone Corporation
Re: Using a P7B certificate file
James,

On 9/10/13 6:50 PM, James H. H. Lampert wrote:
> On 9/10/13 2:19 PM, Christopher Schultz wrote:
>> P7B is otherwise known as a PKCS#7 file and usually contains a certificate. Does the file contain *only* a certificate, or does it also contain the key that was used to generate the CSR? If you have the cert but not the key, you won't be able to use it for serving HTTPS.
>>
>> Let's start with what you've actually got. You said you have a file. What's in the file?
>
> Well, from what little I'd read, a P7B file only contains certificates and chain certificates, not the private key. (from https://www.sslshopper.com/ssl-converter.html) Is there a way it *can* contain the private key as well?
>
> At any rate, it contains the typical unintelligible block of characters between BEGIN PKCS7 and END PKCS7 marks, 98 lines of 64 characters and a 99th line of 4 characters, approximately 6kb. I did a bit of futzing around with it, found I could use Keychain Access on my Mac to import it into an empty keychain file for inspection, and I found that it appears to contain a root certificate, an intermediate certificate, and the signed SSL certificate. Looking at it with the corresponding utility on my WinDoze box gives the same result.
>
> Unless you know of something else that can inspect a P7B file, I'm guessing that it's just a reply to a CSR, waiting to be installed in the originating keystore.

You could use OpenSSL to inspect it, but I suspect it would give you the same result.

Okay, great: you have a chain of certificates and could, with a bit of effort, convert that into a Java keystore or a PEM-encoded file for use with OpenSSL (and httpd, tcnative, etc.). Without the private key, though, you aren't going to get very far. Go back to the client and tell them that you need that, too.

-chris
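Added example, not from anyone in this thread: a shell script that does the OpenSSL inspection Chris mentions on a constructed root + server-cert bundle it builds on the fly, and shows that a P7B carries certificates only, so the private key has to come from the keystore the CSR was generated in. It assumes `openssl` is on PATH; the "Demo Root" and "www.example.test" names are made up for the fixture.

```shell
#!/bin/sh
# Added example: inspect a PKCS#7 / P7B bundle with OpenSSL and confirm it
# holds certificates only, never the private key that the CSR was made from.
set -eu

# Print subject/issuer of every certificate in a PEM P7B (BEGIN PKCS7 ... END PKCS7).
p7b_list_certs() {
    openssl pkcs7 -in "$1" -print_certs -noout
}

# Number of certificates in the bundle (a CSR reply with root, intermediate
# and server cert gives 3; the constructed fixture below gives 2).
p7b_cert_count() {
    p7b_list_certs "$1" | grep -c '^subject=' || true
}

# Succeeds only if OpenSSL can load a private key from the file. For a real
# P7B this always fails: PKCS#7 SignedData carries certs and CRLs, no keys.
p7b_has_private_key() {
    openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# Constructed fixture: a throwaway root CA and a server cert it signs, wrapped
# into a certs-only PKCS#7 bundle the way a CA's reply to a CSR would be.
make_demo_bundle() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -set_serial 1 -days 1 -out "$dir/leaf.pem" 2>/dev/null
    # crl2pkcs7 -nocrl is OpenSSL's way of packing certificates into a P7B.
    openssl crl2pkcs7 -nocrl -certfile "$dir/leaf.pem" -certfile "$dir/root.pem" \
        -out "$dir/reply.p7b"
    echo "$dir/reply.p7b"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BUNDLE=$(make_demo_bundle "$WORK")
echo "Certificates in $BUNDLE:"
p7b_list_certs "$BUNDLE"
echo "count: $(p7b_cert_count "$BUNDLE")"
if p7b_has_private_key "$BUNDLE"; then
    echo "private key present (not possible for a genuine P7B)"
else
    echo "no private key here: ask for the keystore the CSR was generated from"
fi
```

Pointed at a customer's real .p7b, the two check functions tell you up front whether the file can stand alone or whether the originating keystore and its password are still needed.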
RE: Using a P7B certificate file
Hi

I am getting the following error when I try with wget:

OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

Thanks

Regards,
Prashant Shinde
Senior Consultant
Hoonar Tekwurks Consulting LLP
email: prashant.shi...@hoonartek.com | cell: +91 98220 38097 | desk: +91 20 4900 5204

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 11 September 2013 14:22
To: Tomcat Users List
Subject: Re: Using a P7B certificate file
Using a P7B certificate file
We have a customer that wants to apply an existing multi-domain certificate to the tomcat server in our application. The only thing is, all we've seen is a P7B file, not a keystore, and we don't even know what sort of keystore they used to generate the original CSR.

The only time a similar situation came up in the past was when somebody jumped the gun, and assumed that since the Tomcat server was running on an AS/400, it would use keystores and certificates created through IBM's Digital Certificate Manager, in IBM's proprietary format. All I can say about that is that I hope they either got their money back for the totally unusable keystore, or got credit on the correct one.

Needless to say, we generally take full control of certificate installation, in order to reduce the potential for expensive mistakes.

At any rate, what can be done with this customer who wants to use their multi-domain certificate in Tomcat?

--
JHHL
Re: Using a P7B certificate file
James,

On 9/10/13 1:12 PM, James H. H. Lampert wrote:
> We have a customer that wants to apply an existing multi-domain certificate to the tomcat server in our application. The only thing is, all we've seen is a P7B file, not a keystore, and we don't even know what sort of keystore they used to generate the original CSR.

P7B is otherwise known as a PKCS#7 file and usually contains a certificate. Does the file contain *only* a certificate, or does it also contain the key that was used to generate the CSR? If you have the cert but not the key, you won't be able to use it for serving HTTPS.

> The only time a similar situation came up in the past was when somebody jumped the gun, and assumed that since the Tomcat server was running on an AS/400, it would use keystores and certificates created through IBM's Digital Certificate Manager, in IBM's proprietary format. All I can say about that is that I hope they either got their money back for the totally unusable keystore, or got credit on the correct one.

Most CAs will re-issue certificates for the same hostname with a reasonable explanation.

> Needless to say, we generally take full control of certificate installation, in order to reduce the potential for expensive mistakes.
>
> At any rate, what can be done with this customer who wants to use their multi-domain certificate in Tomcat?

Let's start with what you've actually got. You said you have a file. What's in the file?

-chris
Re: Using a P7B certificate file
On 9/10/13 2:19 PM, Christopher Schultz wrote:
> P7B is otherwise known as a PKCS#7 file and usually contains a certificate. Does the file contain *only* a certificate, or does it also contain the key that was used to generate the CSR? If you have the cert but not the key, you won't be able to use it for serving HTTPS.
>
> Let's start with what you've actually got. You said you have a file. What's in the file?

Well, from what little I'd read, a P7B file only contains certificates and chain certificates, not the private key. (from https://www.sslshopper.com/ssl-converter.html) Is there a way it *can* contain the private key as well?

At any rate, it contains the typical unintelligible block of characters between BEGIN PKCS7 and END PKCS7 marks, 98 lines of 64 characters and a 99th line of 4 characters, approximately 6kb. I did a bit of futzing around with it, found I could use Keychain Access on my Mac to import it into an empty keychain file for inspection, and I found that it appears to contain a root certificate, an intermediate certificate, and the signed SSL certificate. Looking at it with the corresponding utility on my WinDoze box gives the same result.

Unless you know of something else that can inspect a P7B file, I'm guessing that it's just a reply to a CSR, waiting to be installed in the originating keystore.

--
JHHL