-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

To whom it may concern,

On 11/26/14 9:03 AM, Kernel freak wrote:
> After arguing with the admins for all this time, I finally have the
> few files ready. I have the following files :
> 
> keystore.p12

That should contain your key. Can you confirm that with a 'keytool -list'?

> server.crt

Is this the certificate that was signed by the CA?

> ssl-cert-snakeoil.key

Uh, oh. That looks like one of OpenSSL's built-in CAs that are used
for documentation and instructional purposes. I hope this isn't being
used for anything at all.

> domainname.com.ca-bundle

This should be the bundle of certificates for your domain, which may
include intermediate certificates. Are you using your own internal CA
or something?

> domainname.com.crt

Which certificate is this?

> domainname.com.csr

Is this the CSR that you generated yourself?

> domainname.com.key

Weird. Okay, I would expect domainname.com.key to have the key that
was used to generate domainname.com.csr, and that domainname.com.crt
is a signed version of that CSR. That should be all you need... I'm
not sure what all the other stuff is.

> vsftpd.pem.

What is this?

> I did the following as Christoph said:
> 
> root@domainname:/etc/ssl/private# openssl pkcs12 -export -in
> server.crt -inkey ssl-cert-snakeoil.key -certfile
> domainname.com.crt -out keystore.p12 -chain  (pressed enter here) 
> unable to load certificates  // This is the error.

I think you might want to do this:

$ openssl pkcs12 -export -in domainname.com.crt \
                      -inkey domainname.com.key \
                   -certfile domainname.com.ca-bundle \
                        -out keystore.p12 -chain

$ keytool -importkeystore -srckeystore keystore.p12 \
          -srcstoretype pkcs12 \
          -destkeystore keystore.jks

You are supposed to be able to use PKCS12 keystores directly with
Tomcat, but IIRC it's a pain and a bit more finicky than with just a
"normal" JKS-format keystore.

> If i just plain import the .crt file like this :
> 
> keytool -import -alias tomcat -file domainname.com.crt -keystore 
> /root/.keystore

A couple of things:

1. Don't run as root. Not for anything. Not even to run keytool.
2. Don't store your keystore under /root/.keystore, or you'll (likely)
have to run Tomcat as root. You can put your keystore anywhere you
want and point Tomcat to it explicitly.
3. If you import a certificate into a keystore and there is nothing
else in it (the keystore), then you can't perform a handshake because
the key is required for secure communication.

> Then firefox gives me this error :
> 
> An error occurred during a connection to domainname.com:8443.
> Cannot communicate securely with peer: no common encryption
> algorithm(s). (Error code: ssl_error_no_cypher_overlap)
> 
> The page you are trying to view cannot be shown because the 
> authenticity of the received data could not be verified. Please
> contact the website owners to inform them of this problem.

The no_cipher_overlap error is likely to be incorrect... the real
problem is that the server can't decrypt the client's handshake
because the key is unavailable.

I think you might need to get some help with this from someone else at
your organization... someone who is a bit more versed in PKI and
configuring TLS for web servers.

- -chris
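The two failure modes discussed above (a key that does not belong to the certificate, and a keystore that holds only a certificate and therefore cannot complete a handshake) can both be caught before Tomcat is ever started. The script below is an added example, not code from the thread or from the Tomcat project: it builds a throwaway CA, key and certificate with the same file names used in the thread, refuses to export a PKCS12 bundle unless the private key's public half matches the certificate, and then counts the private keys in the resulting bundle. The CA name "Example Test CA", the alias "tomcat" and the password "changeit" are constructed for the demonstration; the `keytool` step runs only if a JDK is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): generate a throwaway CA, server key
# and certificate, verify that the key really belongs to the certificate,
# and only then package them as PKCS12 -> JKS the way the thread's
# openssl/keytool commands do.  All names, subjects and the "changeit"
# password are constructed for this demonstration.
set -eu

# Exit 0 if the public half of key $1 equals the public key inside cert $2.
# This is the check that would have caught ssl-cert-snakeoil.key being
# paired with domainname.com.crt.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null \
               | openssl pkey -pubin -pubout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Create a constructed CA, a server key/CSR/cert, and an unrelated key that
# stands in for ssl-cert-snakeoil.key, all inside directory $1.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=domainname.com" \
        -keyout "$dir/domainname.com.key" -out "$dir/domainname.com.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/domainname.com.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/domainname.com.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/ssl-cert-snakeoil.key" 2>/dev/null
}

# Export key + cert + CA bundle as PKCS12, but only after the match check.
# Prints the path of the bundle on success.
export_pkcs12() {
    dir=$1
    key_matches_cert "$dir/domainname.com.key" "$dir/domainname.com.crt" || {
        echo "refusing to export: key does not match certificate" >&2
        return 1
    }
    openssl pkcs12 -export -in "$dir/domainname.com.crt" \
        -inkey "$dir/domainname.com.key" -certfile "$dir/ca.crt" \
        -name tomcat -passout pass:changeit -out "$dir/keystore.p12"
    echo "$dir/keystore.p12"
}

# Number of private keys inside PKCS12 bundle $1.  A certificate-only
# store (the keytool -import mistake in the thread) would report 0, and a
# server with 0 private keys cannot complete a TLS handshake.
private_key_count() {
    openssl pkcs12 -in "$1" -passin pass:changeit -nocerts -nodes 2>/dev/null \
        | grep -c 'BEGIN PRIVATE KEY' || true
}

# Convert the PKCS12 bundle in $1 to JKS and count PrivateKeyEntry rows.
# Skipped (prints nothing) when keytool is not installed.
import_jks() {
    dir=$1
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not on PATH; skipping JKS import" >&2
        return 0
    fi
    keytool -importkeystore -srckeystore "$dir/keystore.p12" -srcstoretype pkcs12 \
        -srcstorepass changeit -destkeystore "$dir/keystore.jks" \
        -deststorepass changeit -noprompt >/dev/null 2>&1
    keytool -list -keystore "$dir/keystore.jks" -storepass changeit 2>/dev/null \
        | grep -c PrivateKeyEntry || true
}

# Stand-alone run: everything happens in a temporary directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_pki "$WORK"
if key_matches_cert "$WORK/ssl-cert-snakeoil.key" "$WORK/domainname.com.crt"; then
    echo "unexpected: ssl-cert-snakeoil.key matches domainname.com.crt"
else
    echo "ssl-cert-snakeoil.key does not belong to domainname.com.crt (as expected)"
fi
P12=$(export_pkcs12 "$WORK")
echo "private keys in $P12: $(private_key_count "$P12")"
echo "PrivateKeyEntry rows after JKS import: $(import_jks "$WORK")"
```

The match check compares the SubjectPublicKeyInfo that `openssl pkey -pubout` derives from the private key with the one `openssl x509 -pubkey` extracts from the certificate; if they differ, no amount of repackaging will produce a working keystore. `-certfile` is given the CA bundle explicitly here instead of relying on `-chain` so the export does not depend on the CA being in the system trust store. Note that a `keystore.p12` written by OpenSSL 3 uses AES-based PBE by default, which very old JDKs cannot read; the `keytool -list` step surfaces that immediately because it reports no PrivateKeyEntry.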

> On Tue, Nov 25, 2014 at 10:24 PM, Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
> 
> To whom it may concern,
> 
> On 11/25/14 3:32 AM, Kernel freak wrote:
>>>> I don't have the server.key and server.crt. I have root
>>>> access to server, I can generate my own if necessary. I only
>>>> have .crt and .ca-bundle file. Can you tell me what to do.
>>>> Thank you very much for your help.
> 
> If you don't have the server's key but you have the server's 
> certificate, then you must start all over again because the key is 
> half of a paired key.
> 
> Did you generate the CSR yourself? With what key did you generate
> that CSR? If someone else generated the CSR, go ask them where the
> key is that they used.
> 
> If you have lost the key then you must redo the whole process, 
> starting with generating a new key and CSR, then get the CSR
> signed. Then, import the signed certificate back into the same
> keystore. Then, configure Tomcat to use that keystore.
> 
> The instructions on the Tomcat users' guide are fairly
> straightforward even if they don't explain the intricacies of
> public key infrastructure -- that's outside the scope of the users'
> guide.
> 
> Thanks, -chris
> 
>>>> On Mon, Nov 24, 2014 at 7:48 PM, Christopher Schultz < 
>>>> ch...@christopherschultz.net> wrote:
>>>> 
>>>> Niranjan,
>>>> 
>>>> On 11/24/14 10:51 AM, Niranjan Babu Bommu wrote:
>>>>>>> I think you have to create a keystore from the cert;
>>>>>>> please follow these instructions and let me know.
>>>>>>> 
>>>>>>> Create store with temporary key inside:
>>>>>>> 
>>>>>>> keytool -genkey -alias <alias name> -keystore yourkeystore.jks -storepass Hello1
>>>>>>> 
>>>>>>> Then delete existing entry:
>>>>>>> 
>>>>>>> keytool -delete -alias temp -keystore yourkeystore.jks -storepass Hello1
>>>>>>> 
>>>>>>> Now you've got an empty store. You can check that it's empty:
>>>>>>> 
>>>>>>> keytool -list -keystore yourkeystore.jks -storepass Hello1
>>>>>>> 
>>>>>>> Then import your certificate to the store:
>>>>>>> 
>>>>>>> keytool -import -alias <alias name> -file cert_file.crt -keypass keypass \
>>>>>>>     -keystore yourkeystore.jks -storepass Hello1
>>>> 
>>>> Nope: the existing key *and* cert need to be imported 
>>>> simultaneously into the keystore. If the OP already has a
>>>> cert, he's already got a key, too.
>>>> 
>>>> The problem is that you probably started with OpenSSL to
>>>> generate your keys and stuff. Here is the proper procedure to
>>>> import your key, certificate, and CA bundle into a Java
>>>> keystore.
>>>> 
>>>> You'll need these files:
>>>> 
>>>> server.key (this is your server's secret key)
>>>> server.crt (this is your server's certificate, signed by the CA)
>>>> ca.crt (this is your CA's certificate)
>>>> 
>>>> Here is the incantation:
>>>> 
>>>> $ openssl pkcs12 -export -in server.crt -inkey server.key \
>>>>     -certfile ca.crt -out keystore.p12 -chain
>>>> 
>>>> $ $JAVA_HOME/bin/keytool -importkeystore -srckeystore keystore.p12 \
>>>>     -srcstoretype pkcs12 \
>>>>     -destkeystore keystore.jks
>>>> 
>>>> Now, use keystore.jks in Tomcat's server.xml.
>>>> 
>>>> If you already had created your key and cert request using
>>>> Java's 'keytool', then you can instead just import the signed
>>>> certificate into your keystore:
>>>> 
>>>> $ $JAVA_HOME/bin/keytool -importcert -file server.crt \
>>>>     -keystore keystore.jks \
>>>>     -alias [alias]
>>>> 
>>>> If you used an alias to create the certificate signing
>>>> request (CSR), then use the same alias in the above command.
>>>> 
>>>> -chris