On Sun, Apr 13, 2008 at 11:32 PM, Melanie Pfefer
<[EMAIL PROTECTED]> wrote:
> hi Kirst, all,
>
>  To use c_rehash, I must have .pem and .crt files. Correct me if I am wrong
> please. The remote server has a self-signed certificate that was generated 
> using keytool (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html) so the 
> file generated is .keytool. Should I generate .pem and .crt files to run 
> c_rehash? If so, how?

You can export your certificate using keytool, like this:

keytool -export -alias tomcat -rfc > tomcat.pem

The "-rfc" option is important, as this exports a PEM certificate.
If your keystore is in a different location you need to add the
-keystore <keystorefile> option. If your tomcat server uses a
certificate with a different alias modify the -alias parameter.

For proxying via apache to work it is important that the certificate
passes all the tests. Normally when you connect your browser to a https
server with a self signed certificate, or when something else is wrong,
a dialog will pop up telling you what is wrong and giving you the
option to go ahead and connect anyway. You must understand that since
apache will connect to the https server in a non-interactive way
there is no-one to confirm to apache that it is ok to proceed. Therefore the
certificate must pass all the tests.
1) The common name of the certificate must be identical to the name
used in the URL.
2) The certificate must still be valid.
3) The signature must verify as OK.

1) & 2) you take care of when you generate the certificate. 3) you take
care of on the apache side, by putting the self signed cert in the
cacerts dir.

>  On another front, I understand from you that I can have apache as a proxy
> server that talks SSL with the backend and non-ssl with the end user (in
> URL, the user puts http not https even if the backend server is accessed via 
> https). Correct me if I am wrong please.

You can indeed do this. I have one server that does exactly this.

Krist


-- 
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
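
The three checks listed in the reply above, run with openssl against the exported PEM file before it is placed in Apache's CA directory. This is an added example, not part of the original message; the function name check_backend_cert and its two arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): pre-flight checks for a
# backend certificate exported with "keytool -export -rfc".
# check_backend_cert is a hypothetical helper name.

# check_backend_cert <pem-file> <host-name-used-in-the-backend-URL>
# Prints one line per failed check; returns 0 only if all checks pass,
# 1 if a check fails, 2 if the file is not a PEM certificate at all.
check_backend_cert() {
    pem=$1; host=$2; rc=0

    # The file must parse as a PEM certificate.
    openssl x509 -in "$pem" -noout 2>/dev/null ||
        { echo "not a PEM certificate: $pem"; return 2; }

    # 1) The common name must be identical to the name used in the URL.
    cn=$(openssl x509 -in "$pem" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p' | head -n 1)
    [ "$cn" = "$host" ] || { echo "CN '$cn' does not match '$host'"; rc=1; }

    # 2) The certificate must still be valid (not expired as of now).
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired"; rc=1; }

    # 3) The signature must verify. A self-signed certificate is its own
    #    trust anchor, so it is verified against itself.
    openssl verify -CAfile "$pem" "$pem" >/dev/null 2>&1 ||
        { echo "certificate does not verify against itself"; rc=1; }

    return $rc
}

# Stand-alone use: sh check.sh tomcat.pem backend.example.test
if [ $# -eq 2 ]; then
    check_backend_cert "$1" "$2"
fi
```
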