Graphical keystore tool - http://keystore-explorer.org/
It may make things easier.

On Mon, Oct 9, 2017 at 6:13 PM, Adam Pease <ape...@articulatesoftware.com> wrote:
> Hi Chris,
> Many thanks for the quick response! There's a lot of new terminology (to me) to all this and it's quite confusing I'm afraid.
>
> I tried Let's Encrypt just now but since I'm running Tomcat sites either I'm not doing it right, or it doesn't know how to verify domains when they don't answer on port 80. So I get "The server could not connect to the client to verify the domain :: Timeout"
> Following the process at "gethttpsforfree.com" resulted in two long hex keys: one titled "Signed Certificate" and one titled "Intermediate Certificate". I'm not sure what a "server certificate" is. Is that a public/private key pair that I generated at the beginning of this process with
>
> openssl genrsa 4096 > account.key
>
> or what I did at the beginning of the tomcat instructions
>
> $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
>
> But that generates a .keystore file which is already a parameter to the failing command.
>
> I really appreciate your help.
>
> all the best,
> Adam
>
>
> On 10/09/2017 02:00 PM, Christopher Schultz wrote:
>> Adam,
>>
>> On 10/9/17 4:24 PM, Adam Pease wrote:
>>> Hi, I'm running Tomcat 8.5.23 on an AWS Ubuntu Linux 16.04 LTS installation. I'm trying to follow the instructions at https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html to get HTTPS running under tomcat.
>>
>> Version mismatch. You want this guide:
>> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html
>>
>>> My site runs with a self-signed certificate. Now I'm trying to install a proper certificate from https://gethttpsforfree.com/
>>
>> Try Let's Encrypt. I know nothing about "gethttpsforfree.com", but I've personally done Let's Encrypt.
>>
>>> After the rather lengthy process to generate the "Signed Certificate" and "Intermediate Certificate" it appears I'm ready to follow the instructions under the heading "Importing the Certificate".
>>
>> BTW, LE is a single command to get a signed certificate.
>>
>>> My first question is whether there is a difference between the certificates mentioned in
>>>
>>> - "import a so called Chain Certificate or Root Certificate into your keystore"
>>>
>>> and
>>>
>>> - "After that you can proceed with importing your Certificate."
>>
>> You have a "server certificate" -- that's yours, and represents you. There is (usually) another certificate, called the "chain" or "intermediate" certificate, which represents the Certificate Authority who signed your certificate.
>>
>> When your server performs a TLS handshake with the client, it needs to present a "certificate chain" which includes your server certificate (the "leaf") and any certificates required to link the server cert to a root certificate which is stored within the client and already trusted (e.g. VeriSign, DigiCert, etc.). So your server needs to have multiple certificates available to send, and only one "belongs" to you.
>>
>>> I was able to execute the command:
>>>
>>> keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>
>>>
>>> using a single file that has the "Signed Certificate" and "Intermediate Certificate" from gethttpsforfree. But then I get an error from the next command
>>>
>>> ~$ keytool -import -alias tomcat -keystore .keystore -file chained.pem
>>> Enter keystore password:
>>> keytool error: java.lang.Exception: Certificate reply does not contain public key for <tomcat>
>>
>> Which file is which? Looks like you imported the chain twice.
>>
>>> When I run
>>>
>>> ~$ keytool -list -v
>>>
>>> I see (in part)
>>>
>>> Alias name: tomcat
>>> Creation date: Oct 9, 2017
>>> Entry type: PrivateKeyEntry
>>> Certificate chain length: 1
>>> Certificate[1]:
>>> Owner: CN=Adam Pease
>>>
>>> I'm very new to certificates. Could someone point me in the right direction?
>>
>> Java keystores are a nightmare... it's not your fault. ;)
>>
>> It looks like you didn't successfully import the CA's root/intermediate certificate. Can you reply with some more specifics? What files do you have from the CA, what keystore(s) do you have, and what are the exact commands you are running? You've left out some important details from your post above.
>>
>> Here's what I have in my "Java Keystore Cheat Sheet":
>>
>> Create your server key and self-signed cert:
>>
>>> $ keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 4096 -alias ${HOSTNAME} -keystore ${HOSTNAME}.jks
>>
>> Now, export your CSR:
>>
>>> $ keytool -certreq -sigalg SHA256withRSA -keystore ${HOSTNAME}.jks
>>
>> Use that CSR to get your cert signed.
>>
>> Now, import the signed cert back into your keystore, starting with the root and/or intermediate cert and finishing with your server's cert:
>>
>>> $ keytool -import -alias [Authority.CA] -trustcacerts -file [authority's CA cert] -keystore ${HOSTNAME}.jks
>>
>> (^^^^^ if necessary)
>>
>>> $ keytool -import -alias [Authority.intermediate] -trustcacerts -file [authority's intermediate cert] -keystore ${HOSTNAME}.jks
>>> $ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt -keystore ${HOSTNAME}.jks
>>
>> Hope that helps,
>> -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>
> --
> -------------------
> Adam Pease
> http://www.ontologyportal.org
> http://www.adampease.org
> @apease_ontology on Twitter
>
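Added example, not from the thread or from Tomcat: a POSIX shell script that applies Chris's cheat-sheet import order to the situation Adam describes, a single PEM file holding both the "Signed Certificate" and the "Intermediate Certificate". It assumes the bundle lists the server certificate first, that keytool is on PATH, and that the alias passed in is the one used with -genkey; split_pem, import_chain and make_sample_bundle are names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread. Splits a PEM bundle into one file per
# certificate, then imports them in the cheat-sheet order: intermediate(s)
# first with -trustcacerts, server cert last under the SAME alias that
# 'keytool -genkey' created, so keytool pairs the reply with the existing
# private key instead of failing with "Certificate reply does not contain
# public key for <alias>".
set -eu

# split_pem BUNDLE OUTDIR: writes OUTDIR/cert-1.pem, cert-2.pem, ... in file
# order and prints how many certificates were found.
split_pem() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$1"
}

# import_chain BUNDLE KEYSTORE ALIAS (assumption: the bundle lists the server
# certificate first and the intermediate(s) after it; keytool is on PATH and
# will prompt for the keystore password).
import_chain() {
    bundle=$1; ks=$2; alias=$3
    tmp=$(mktemp -d)
    n=$(split_pem "$bundle" "$tmp")
    [ "$n" -ge 2 ] || { echo "expected leaf + chain in $bundle, got $n" >&2; return 1; }
    i=$n
    while [ "$i" -ge 2 ]; do   # chain certs go in first, each under its own alias
        keytool -import -noprompt -trustcacerts -alias "chain-$i" \
            -file "$tmp/cert-$i.pem" -keystore "$ks"
        i=$((i - 1))
    done
    # The server cert is the "reply" for the private key already stored under $alias.
    keytool -import -alias "$alias" -file "$tmp/cert-1.pem" -keystore "$ks"
    rm -rf "$tmp"
    # A successful import shows a chain length of 2 or more, not 1 as in Adam's listing.
    keytool -list -v -keystore "$ks" -alias "$alias" | grep 'Certificate chain length'
}

# make_sample_bundle FILE: constructed stand-in for a downloaded bundle (the
# bodies are placeholders, not real certificates) so split_pem can run offline.
make_sample_bundle() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-LEAF' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
        'PLACEHOLDER-INTERMEDIATE' '-----END CERTIFICATE-----' > "$1"
}
```

Run as `import_chain chained.pem .keystore tomcat` for Adam's file and alias names; the final keytool -list line is the check that the chain actually went in.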