Dennis, that worked, thanks a lot:) I used the .pfx file that I already
had and just appended 3 lines to the end of my SSL connector.
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 443 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
port="443" minProcessors="5" maxProcessors="75"
enableLookups="true"
acceptCount="100" debug="0" scheme="https" secure="true"
useURIValidationHack="false" disableUploadTimeout="true">
<Factory
className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
clientAuth="false" protocol="TLS"
keystoreType="PKCS12"
keystoreFile="/root/host.foo.org.pfx"
keystorePass="mypassword"/>
</Connector>
Chris
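The two points settled above (the openssl-exported .pfx already is a PKCS12 keystore, and every certificate in an intermediate chain needs its own alias or keytool will not see the chain) can be checked end to end with openssl alone. The script below is an added example, not code from this thread or from Tomcat: it builds a throwaway root -> intermediate -> host chain, exports key, certificate and chain into one .pfx with an alias on each certificate (`-name` for the host entry, one `-caname` per chain certificate), and confirms that all three certificates and aliases are present. The subjects, the password `changeit`, the temporary paths and the alias names are all constructed for the demo; only the file name `host.foo.org.pfx` is taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a root -> intermediate -> host
# chain with openssl, exports key + certificate + chain into one PKCS12 file
# with an alias on every certificate, and checks that the chain survived.
# Subjects, alias names, paths and the password are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=changeit                     # demo password only
PFX="$WORK/host.foo.org.pfx"      # file name as in the thread, temp directory

# make_cert NAME SUBJECT EXTFILE [ISSUER]: keypair + cert; self-signed if no issuer
make_cert() {
    name=$1 subj=$2 ext=$3 issuer=$4
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -subj "$subj" \
        -out "$WORK/$name.csr" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 1 -extfile "$ext" -out "$WORK/$name.crt" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" \
            -CAkey "$WORK/$issuer.key" -CAcreateserial -days 1 \
            -extfile "$ext" -out "$WORK/$name.crt" 2>/dev/null
    fi
}

build_chain() {
    printf 'basicConstraints=critical,CA:true\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:host.foo.org\n' > "$WORK/host.ext"
    make_cert root  "/CN=Demo Root CA"         "$WORK/ca.ext"
    make_cert inter "/CN=Demo Intermediate CA" "$WORK/ca.ext"   root
    make_cert host  "/CN=host.foo.org"         "$WORK/host.ext" inter
    # chain file: intermediate first, then root; -caname follows this order
    cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/chain.pem"
}

# -name aliases the host key+cert; each -caname aliases one chain cert in
# chain.pem order. Without these, keytool may not recognise the chain.
export_pfx() {
    openssl pkcs12 -export -inkey "$WORK/host.key" -in "$WORK/host.crt" \
        -certfile "$WORK/chain.pem" \
        -name host.foo.org -caname intermediate -caname root \
        -passout "pass:$PASS" -out "$PFX"
}

# number of certificates stored in the .pfx (expected: 3)
count_certs() {
    openssl pkcs12 -in "$PFX" -info -nokeys -passin "pass:$PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# number of certificate bags carrying the given alias (expected: 1 each)
count_alias() {
    openssl pkcs12 -in "$PFX" -info -nokeys -passin "pass:$PASS" 2>/dev/null \
        | grep -c "friendlyName: $1"
}

# the host certificate chains to the root through the intermediate
verify_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
        "$WORK/host.crt" >/dev/null 2>&1
}

# show the aliases as Tomcat's keystore loader would see them, if a JDK is present
list_with_keytool() {
    command -v keytool >/dev/null 2>&1 || return 0
    keytool -list -storetype pkcs12 -keystore "$PFX" -storepass "$PASS"
}

build_chain
export_pfx
verify_chain
echo "certificates in $PFX: $(count_certs)"
list_with_keytool
```

Two practical notes. OpenSSL 3.x writes PKCS12 files with PBES2/AES by default, which some older JDKs cannot read; OpenSSL 3's `openssl pkcs12 -export -legacy` produces the older encoding for such JDKs. And since the connector above stores `keystorePass` in clear text in server.xml, both that file and the .pfx should be readable only by the account Tomcat runs as.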
Dennis Dai said:
> Sorry I was wrong (it's been a while ...). You don't really need to
> import the pkcs12 format certificate into a keystore, the .pfx you
> generated earlier *is* the keystore in pkcs12 format.
>
> Now you only need to configure tomcat to recognize the keystore. See
> http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html for
> details. Specifically, you will need to add keystoreType="PKCS12"
> attribute in your SSL Connector among a whole bunch of others.
>
> On 5/25/2004 1:21 PM, Chris Purcell wrote:
>
>> I want to make sure we're on the same page here. I have a certificate
>> that looks like this...
>>
>> -----BEGIN CERTIFICATE-----
>> MIID/DCCAuSgAwIBAgIEAIXW1jANBgkqhkiG9w0BAQQFADCBozELMAkGA1UEBhMC
>> blablablabla
>> /WeCY0ZzyRYuHhQYIm3R+A==
>> -----END CERTIFICATE-----
>>
>> I copied it to a plain text file called domain.cert and then ran this
>> command and received this below error...
>>
>> [EMAIL PROTECTED] root# /usr/java/bin/keytool -import -file domain.cert
>> -storetype pkcs12
>> keytool error: java.io.IOException: DerInputStream.getLength():
>> lengthTag=109, too big.
>>
>> Am I doing this right?
>>
>> Thanks,
>> Chris
>>
>>
>>> I saw your original post but forgot to reply ...
>>>
>>> You can use keytool to import the certificate using pkcs12
>>> certificate store (add a '-storetype pkcs12' to keytool's
>>> arguments), which is supported by tomcat.
>>>
>>> Also, if your certificate is signed by an intermediate CA (meaning
>>> more than 2 certs on the chain), you will have to give each cert an
>>> alias name when you export it from openssl, otherwise the keytool
>>> won't recognize the chain. This really took me a while to figure out
>>> ...
>>>
>>> HTH,
>>>
>>> Dennis
>>>
>>> On 5/25/2004 12:30 PM, Chris Purcell wrote:
>>>> Thanks for the link Jim, I'm just getting around to this certificate
>>>> now, I got swamped with some extra work that I had to complete
>>>> first. I looked at the link you sent, but there is a small problem,
>>>> I don't know anything about Java:) What do I do with the source
>>>> code given on the page? Should I copy it into a text file and run
>>>> it with the java command? The only programming language I'm
>>>> familiar with is Perl.
>>>>
>>>> Thanks,
>>>> Chris
>>>>
>>>>
>>>>
>>>>> Hi Chris-
>>>>>
>>>>> I had to do this myself a month ago.
>>>>>
>>>>> You can't use Sun's keytool to import private keys into keystores.
>>>>> You'll need to use something else to load the private key and
>>>>> corresponding cert into a keystore which Tomcat can then read.
>>>>>
>>>>> See the program and notes at http://www.comu.de/docs/tomcat_ssl.htm
>>>>> - it will explain how to use openssl to convert an existing private
>>>>> key and cert into a format that can then be loaded (using source code
>>>>> they provide) into a Java JKS keystore.
>>>>>
>>>>> Let me know if you need more details.
>>>>>
>>>>> -Jim
>>>>>
>>>>> Chris Purcell wrote:
>>>>>
>>>>>> I have an Apache server with an SSL certificate installed from a
>>>>>> CA. It's just a plain text certificate that looks like this..
>>>>>>
>>>>>> -----BEGIN CERTIFICATE-----
>>>>>> MIID/DCCAuSgAwIBAgIEAIXW1jANBgkqhkiG9w0BAQQFADCBozELMAkGA1UEBhMC
>>>>>> blablablba
>>>>>> /WeCY0ZzyRYuHhQYIm3R+A==
>>>>>> -----END CERTIFICATE-----
>>>>>>
>>>>>> I want to move this certificate to a new server that only runs
>>>>>> Tomcat in standalone mode. I tried to convert it like this
>>>>>> (below) but am getting an error...
>>>>>>
>>>>>> [EMAIL PROTECTED] cert# openssl pkcs12 -export -inkey host-privkey.pem
>>>>>> -in server.cert -out host.foo.org.pfx
>>>>>> [EMAIL PROTECTED] cert# /usr/java/bin/keytool -import -file
>>>>>> host.foo.org.pfx Enter keystore password: changeit
>>>>>> keytool error: java.lang.Exception: Input not an X.509 certificate
>>>>>>
>>>>>> Am I doing something wrong here?
>>>>>>
>>>>>> Thanks,
>>>>>> Chris
>>>>>>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]