Chris, I have tried the commands you wrote me for creating a keystore. When I access my application on the SSL port, I get a "The connection was reset" error.

I have used this command:

openssl pkcs12 -export -in server.pem -inkey server.key -certfile serverchain.pem -out server.p12

In serverchain.pem I have a concatenation of my own CA certificate, which signed this server.pem certificate for my server, and the other 2 CA certificates that were given to me (basically, one faculty CA, my subject project CA, and my own CA, which is actually my group CA certificate, with which I have signed my server.pem).

After that I have used this command:

keytool -importkeystore -srckeystore server.p12 -destkeystore serverkeystore.jks -srcstoretype pkcs12

I specified the new keystore in the connector with its password, rebooted, and the "The connection was reset" error appears again.

If I add -chain at the end of the first command, as you wrote in your reply, I get this error: "Error unable to get local issuer certificate getting chain."

Why is this happening?

> Date: Tue, 19 May 2015 15:01:06 -0400
> From: ch...@christopherschultz.net
> To: users@tomcat.apache.org
> Subject: Re: Problem with APR library - Tomcat 7
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Dejan,
>
> On 5/19/15 2:17 PM, Dejan Stamenov wrote:
> > Can you please explain to me these two lines you wrote:
> >
> > $ openssl pkcs12 -export -in ${HOSTNAME}.crt \
> >   -inkey ${HOSTNAME}.key \
> >   -certfile CA-intermediate.crt -out ${HOSTNAME}.p12 -chain
>
> Packages your server's certificate, key, and the CA's intermediate
> certificate into a single PKCS#12 keystore. OpenSSL can't write Java
> keystores, and Java's keytool can't read PEM files. So, we use a
> PKCS#12 keystore as an intermediary, which both tools can read.
>
> > $ $JAVA_HOME/bin/keytool -importkeystore \
> >   -srckeystore ${HOSTNAME}.p12 \
> >   -destkeystore ${HOSTNAME}.jks \
> >   -srcstoretype pkcs12
>
> Converts a PKCS#12 keystore into a Java keystore.
>
> > Basically, what I have is 3 .pem files. One is the certificate for
> > my server, and the other two are the intermediate CA certificate
> > and root CA.
>
> You shouldn't need the CA's root certificate since most browsers ship
> with those root certs as anchors. If you need to add the CA's root to
> your keystore, you can always add it like this:
>
> $ keytool -import -alias [Authority.CA] \
>   -trustcacerts \
>   -file [authority's CA cert] \
>   -keystore ${HOSTNAME}.jks
>
> > So, I should run the pkcs12 for each of these 3 certificates?
>
> No, it does everything at once. Make sure you keep your PEM files in a
> safe place as a back-up.
>
> > And if you can explain to me in a word or two what is being created
> > with them, it would be much appreciated as I am working with this
> > for the first time.
>
> See above. If you want security done right, get someone who knows
> about X.509 certificates, etc. or do some reading to get yourself more
> familiar with these concepts. There really is no cookbook to just "do
> SSL" because it's complicated and, if you don't do it properly,
> increasingly risky lately.
>
> - -chris
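An added example, not code from this thread or from Tomcat: it rebuilds the three-tier layout Dejan describes (faculty root, project CA, group CA, server certificate) with throwaway keys, shows the check to run on serverchain.pem before packaging, and shows why "openssl pkcs12 -export ... -chain" fails with "unable to get local issuer certificate" when the trusted bundle does not reach a self-signed root. All names, paths and the password are placeholders; only the openssl CLI is needed.

```shell
# Added example, not code from the thread: throwaway PKI shaped like the one described
# (FacultyRoot -> project CA -> group CA -> server cert); all names/passwords are placeholders.

# gen_pki: create keys, certs and two CA bundles in a temp dir; prints its path.
gen_pki() {
  d=$(mktemp -d) || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=FacultyRoot \
    -keyout "$d/root.key" -out "$d/root.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1     # self-signed root
  issue_ca() {   # issue_ca NAME ISSUER: intermediate CA signed by ISSUER
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
      -keyout "$d/$1.key" -out "$d/$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.pem" -CAkey "$d/$2.key" \
      -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/$1.pem" >/dev/null 2>&1
  }
  issue_ca project root && issue_ca group project || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=server.example \
    -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/server.csr" -CA "$d/group.pem" -CAkey "$d/group.key" \
    -CAcreateserial -days 30 -out "$d/server.pem" >/dev/null 2>&1   # leaf, no CA bit
  cat "$d/group.pem" "$d/project.pem" "$d/root.pem" > "$d/serverchain.pem"  # full path
  cat "$d/group.pem" "$d/project.pem" > "$d/partialchain.pem"   # root left out
  echo "$d"
}

# verify_chain DIR BUNDLE: run before packaging; succeeds only if BUNDLE takes server.pem up to a self-signed root.
verify_chain() {
  openssl verify -CAfile "$1/$2" "$1/server.pem" >/dev/null 2>&1
}

# export_p12 DIR BUNDLE OUT: the thread's export with -chain. The path is built from the trusted
# store (-CAfile, or the system store if omitted); certs given only via -certfile never make the root trusted.
export_p12() {
  openssl pkcs12 -export -in "$1/server.pem" -inkey "$1/server.key" -CAfile "$1/$2" \
    -chain -out "$1/$3" -passout pass:changeit >/dev/null 2>&1
}

# count_certs P12: certificates packaged (leaf plus chain).
count_certs() {
  openssl pkcs12 -in "$1" -passin pass:changeit -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

if [ "${1:-}" = demo ]; then
  d=$(gen_pki)
  verify_chain "$d" serverchain.pem && echo "full bundle verifies"
  verify_chain "$d" partialchain.pem || echo "bundle without root: chain cannot be built"
  export_p12 "$d" serverchain.pem server.p12 && echo "p12 holds $(count_certs "$d/server.p12") certs"
fi
```

Run it as "sh chain-check.sh demo" to see the three outcomes; the same verify step applied to the real serverchain.pem and server.pem tells whether the bundle actually links the server certificate to a root before keytool is involved.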