Dejan,
On 5/19/15 2:17 PM, Dejan Stamenov wrote:
> Can you please explain to me these two lines you wrote:
>
> $ openssl pkcs12 -export -in ${HOSTNAME}.crt \
>     -inkey ${HOSTNAME}.key \
>     -certfile CA-intermediate.crt \
>     -out ${HOSTNAME}.p12 -chain

Packages your server's certificate, key, and the CA's intermediate
certificate into a single PKCS#12 keystore. OpenSSL can't write Java
keystores, and Java's keytool can't read PEM files. So, we use a PKCS#12
keystore as an intermediary, which both tools can read.

> $ $JAVA_HOME/bin/keytool -importkeystore \
>     -srckeystore ${HOSTNAME}.p12 \
>     -destkeystore ${HOSTNAME}.jks \
>     -srcstoretype pkcs12

Converts a PKCS#12 keystore into a Java keystore.

> Basically, what I have is 3 .pem files. One is the certificate for
> my server, and the other two are the intermediate CA certificate
> and root CA.

You shouldn't need the CA's root certificate since most browsers ship
with those root certs as anchors. If you need to add the CA's root to
your keystore, you can always add it like this:

$ keytool -import -alias [Authority.CA] \
    -trustcacerts \
    -file [authority's CA cert] \
    -keystore ${HOSTNAME}.jks

> So, I should run the pkcs12 for each of these 3 certificates?

No, it does everything at once. Make sure you keep your PEM files in a
safe place as a back-up.

> And if you can explain to me in a word or two what is being created
> with them, it would be much appreciated as I am working with this for
> the first time.

See above. If you want security done right, get someone who knows about
X.509 certificates, etc. or do some reading to get yourself more familiar
with these concepts. There really is no cookbook to just "do SSL" because
it's complicated and, if you don't do it properly, increasingly risky
lately.
-chris