Chris,
I have tried the commands you wrote me for creating a keystore. When I access
my application on ssl port, I get "The connection was reset" error.
I have used this command:
openssl pkcs12 -export -in server.pem -inkey
server.key -certfile serverchain.pem -out
server.p12
In serverchain.pem I have concatenation of my own CA certificate that signed
this server.pem certificate for my server, and other 2 CA certificates that
were given to me. (basically, one faculty CA, my subject project CA, and my own
CA is actually my group CA certificate, by which I have signed my server.pem)
After that I have used this command:
keytool -importkeystore -srckeystore
server.p12 -destkeystore serverkeystore.jks -srcstoretype pkcs12
Specified the new key store in the connector with its password, reboot, and
"The connection was reset" error appears again.
If in the first command I add the -chain in the end as you wrote me on your
reply, I get this error: "Error unable to get local issuer certificate getting
chain."
Why is this happening?
> Date: Tue, 19 May 2015 15:01:06 -0400
> From: ch...@christopherschultz.net
> To: users@tomcat.apache.org
> Subject: Re: Problem with APR library - Tomcat 7
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Dejan,
>
> On 5/19/15 2:17 PM, Dejan Stamenov wrote:
> > Can you please explain me these two lines you have wrote:
> >
> > $ openssl pkcs12 -export -in ${HOSTNAME}.crt \ -inkey
> > ${HOSTNAME}.key \ -certfile CA-intermediate.crt -out
> > ${HOSTNAME}.p12 -chain
>
> Packages your server's certificate, key, and the CA's intermediate
> certificate into a single PKCS#12 keystore. OpenSSL can't write Java
> keystores, and Java's keytool cant read PEM files. So, we use a
> PKCS#12 keystore as an intermediary, which both tools can read.
>
> > $ $JAVA_HOME/bin/keytool -importkeystore \ -srckeystore
> > ${HOSTNAME}.p12 \ -destkeystore ${HOSTNAME}.jks \ -srcstoretype
> > pkcs12
>
> Converts a PKCS#12 keystore into a Java keystore.
>
> > Basically, what I have is 3 .pem files. One is the certificate for
> > my server, and the other two are the intermediate CA certificate
> > and root CA.
>
> You shouldn't need the CA's root certificate since most browsers ship
> with those root certs as anchors. If you need to add the CA's root to
> your keystore, you can always add it like this:
>
> $ keytool -import -alias [Authority.CA] \
> -trustcacerts \
> -file [authority's CA cert] \
> -keystore ${HOSTNAME}.jks
>
> > So, I should run the pkcs12 for each of these 3 certificates?
>
> No, it does everything at once. Make sure you keep your PEM files in a
> safe place as a back-up.
>
> > And if you can explain me in a word or two what is being created
> > with them, it would be much appreciated as I am first time working
> > with this.
>
> See above. If you want security done right, get someone who knows
> about X.509 certificates, etc. or do some reading to get yourself more
> familiar with these concepts. There really is no cookbook to just "do
> SSL" because it's complicated and, if you don't do it properly,
> increasingly risky lately.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
> Comment: GPGTools - http://gpgtools.org
>
> iQIcBAEBCAAGBQJVW4hyAAoJEBzwKT+lPKRYdVsP/2KG0pobgtXBEDS6WBK6OMV1
> Sss/Xy2Ed3KCrtHceXL59FWoQBWysFRX/mVOPXnv4zAY7aurXOjI5oyHCRNZsOa/
> 4PmqKy/HU4MaxCPBJczD0DfYi5HmuFdRTT9NHdXzM3/gPei29vyx7OE0Lr1/DYHT
> 5spnvkh9WwA30sfGBb07/zEA79OM17eVge/Ki/Bfd0WRBODd2iIfM9GfKxR9vpM4
> vLE2P3zhGdCQT1aWxDIveZ+IL2QOdt7VwS2KWjc04snxjMh374EXvOtw7PWsD6Yg
> nlJxhrprRPhTiPDDuhOW4guV/o2jdLxYMBw/DX0gluCZ9qQLrUKC83cfdnE2+tuC
> PMaDBRT0UGzQx5Ok5iv1vNEBgAiwrWfK2MGrFAiiAJWGEjnANYc2GOQEdv7549gD
> 9nw6lgYbOOBztU326Hf6qeC/XDOBb/hDfc3E1xXkoXroWlUSteP3nmgkCDaoZY7B
> O005BAkQzZuhd7EFk3cWLBowSVt53O6xju5pOf6mdI8hPsIgWYB0ZxejS0cp0VvK
> +9pv5mkwUnmqQp5znkoBevBWRolzdOsHECXGotri2q3CoX1j+oCFmH+Nj+cpbRAF
> ob3/UuAMUfGXkb3TzILN2jnqX+JPmAXq5h7bEZTIu9PIy0x6BeGn1zkWiBSbfZcZ
> lg3He5P+ADNKCVHiMVBj
> =zaTm
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
