need help: how to Tomcat self signed cert?

2012-09-20 Thread J.V.
I am generating a self signed cert using OpenSSL with the following 
commands


openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out ca.crt


I accept all the defaults when prompted except for 'Common Name' and 
enter my IP address there.


This generates: ca.crt

I then export this to a ca.p12 with:
 $ openssl pkcs12 -export -in ca.crt -inkey privateKey.key -out ca.p12

I then copy this file to $TOMCAT_HOME/conf/a.keystore

Then I run this command
$ openssl pkcs12 -in ca.p12 -out ca.pem -clcerts -nokeys -nodes

and copy this to $TOMCAT_HOME/conf/ca.pem

Before doing this, I remove some junk at the top of the file before 
-----BEGIN CERTIFICATE-----
I then modify my server.xml and open port 8443 and point to the 
a.keystore file.


This seems to work OK.

However when I generate a.keystore and ca.pem using BouncyCastle, the 
certs do not seem to work but I have all the same settings. When 
generating in pure Java, I am required to install the JCE to generate 
the keys.  I am not sure why openssl does not require some download or 
license to generate the RSA keys and why it lets me generate with a key 
size of 2048 without some sort of extension (openssl must have some 
export controls correct)?


My first question is:

1) Why does the first method (using openssl) work?  Would I not need to 
apply JCE to my local jdk/jre when running Tomcat for the certs to work?


2) What is wrong with generating the keys in Java?
I am essentially following this:
http://blog.thilinamb.com/2010/01/how-to-generate-self-signed.html

Except there is no keystore to initially load so I skipped that part.

Any help on generating a self signed cert in Java that would mirror the 
openssl generation would be greatly appreciated.


J.V.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
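An added worked example, not code from this thread or from the Tomcat project, of the Java side the original post asks about: the same steps as the openssl commands above (RSA-2048 key pair, self-signed X.509 certificate with the IP address as subject, PKCS12 export) done with the JDK and Bouncy Castle, written out as a.keystore for a JSSE connector. It assumes bcprov and bcpkix on the classpath; the IP address 192.0.2.10, the alias "tomcat" and the password "changeit" are placeholders. Two facts worth knowing when comparing the two routes: generating a 2048-bit RSA key with the JDK's own KeyPairGenerator needs no JCE unlimited-strength policy files (those restrict symmetric cipher key sizes, such as AES above 128 bits, not key-pair generation), and a keystore is only read by the JSSE connector, while the APR/native connector expects PEM files (SSLCertificateFile and SSLCertificateKeyFile), which is why the connector type decides whether a.keystore or ca.pem is the file that matters.

```java
// Added example (not from the thread): self-signed RSA-2048 certificate plus PKCS12
// keystore for a Tomcat JSSE connector, built with the JDK and Bouncy Castle.
// Assumes bcprov and bcpkix jars on the classpath; IP, alias and password are placeholders.
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class SelfSignedKeystore {

    public static void main(String[] args) throws Exception {
        String ip = args.length > 0 ? args[0] : "192.0.2.10"; // placeholder address
        char[] password = "changeit".toCharArray();            // placeholder; must match keystorePass
        Security.addProvider(new BouncyCastleProvider());

        // 1. Key pair, the equivalent of "-newkey rsa:2048". Plain JDK generator,
        //    no policy files required for RSA key generation.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048, new SecureRandom());
        KeyPair kp = kpg.generateKeyPair();

        // 2. Certificate, the equivalent of "req -x509 -days 365" with CN set to the IP.
        X500Name name = new X500Name("CN=" + ip);
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
        BigInteger serial = new BigInteger(64, new SecureRandom()); // random positive serial
        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, serial, notBefore, notAfter, name, kp.getPublic());
        // Clients match an IP against the Subject Alternative Name, not the CN,
        // so the address goes into a SAN entry as well.
        builder.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(new GeneralName(GeneralName.iPAddress, ip)));
        // Mark it as an end-entity cert, not a CA.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));

        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        X509Certificate cert = new JcaX509CertificateConverter()
                .setProvider("BC").getCertificate(builder.build(signer));
        cert.verify(kp.getPublic()); // sanity check: the self-signature validates

        // 3. Keystore, the equivalent of "pkcs12 -export": private key and its
        //    certificate chain stored together under one alias.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // start from an empty keystore; nothing to load first
        ks.setKeyEntry("tomcat", kp.getPrivate(), password, new Certificate[] { cert });
        try (FileOutputStream out = new FileOutputStream("a.keystore")) {
            ks.store(out, password);
        }
        // The JSSE connector in server.xml then points at this file, e.g.
        //   keystoreFile="conf/a.keystore" keystoreType="PKCS12" keystorePass="changeit"
        System.out.println("wrote a.keystore for " + cert.getSubjectX500Principal());
    }
}
```

Run it with the address the server will be reached on as the first argument, copy a.keystore into $TOMCAT_HOME/conf, and give the connector the same password; if the connector is the APR one, the PEM route from the openssl commands is the one to use instead.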



Re: need help: how to Tomcat self signed cert?

2012-09-20 Thread Mark Thomas
Which HTTP connector are you using?

Mark


