----- Original Message ----- > > > > Hey Daniel > > > > I seem to be making progress. Here’s what I’ve done so far: > > > > Imported the existing PKCS12 (remedy.optinet.net_cert.pfx) keystore > into a Java Keystore (remedy.optinet.net_cert.jks): > > > > D:\Program Files (x86)\Java\jdk1.6.0_19\bin>keytool -importkeystore > -srckeystore C:\remedy.optinet.net_cert.pfx -srcstoretype pkcs12 > -srcstorepass password -destkeystore C:\remedy.optinet.net_cert.jks > -deststoretype jks -deststorepass password > > Entry for alias > 20c65d93292c975f9dfb4204c6d2788e_dfeea05a-6260-4cd4-b6f3-cf50b6bcad85 > successfully imported. > > Import command completed: 1 entries successfully imported, 0 entries > failed or cancelled > > > > Then I attempted importing the root certificate (Thawte Primary Root > CA.cer) but got an error: > > > > D:\Program Files (x86)\Java\jdk1.6.0_19\bin>keytool -import -keystore > C:\remedy.optinet.net_cert.jks -storepass password -file "C:/Thawte > Primary Root CA.cer" > > keytool error: java.lang.Exception: Input not an X.509 certificate > > > > Then I used the one I had exported from certmngr previously and it > worked: > > > > D:\Program Files (x86)\Java\jdk1.6.0_19\bin>keytool -import -keystore > C:\remedy.optinet.net_cert.jks -storepass password -file "C:\Thawte > Primary Root CA_x.cer" > > > > Owner: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For > authorized use only", OU=Certification Services Division, O="thawte, > Inc.", C=US > > Issuer: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For > authorized use only", OU=Certification Services Division, O="thawte, > Inc.", C=US > > Serial number: 344ed55720d5edec49f42fce37db2b6d > > Valid from: Fri Nov 17 02:00:00 CAT 2006 until: Thu Jul 17 01:59:59 > CAT 2036 > > Certificate fingerprints: > > MD5: 8C:CA:DC:0B:22:CE:F5:BE:72:AC:41:1A:11:A8:D8:12 > > SHA1: 91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81 > > Signature algorithm name: SHA1withRSA > > Version: 3 > > > > Extensions: > > > > #1: ObjectId: 2.5.29.15 Criticality=true > > KeyUsage [ > > Key_CertSign > > Crl_Sign > > ] > > > > #2: ObjectId: 2.5.29.19 Criticality=true > > BasicConstraints:[ > > CA:true > > PathLen:2147483647 > > ] > > > > #3: ObjectId: 2.5.29.14 Criticality=false > > SubjectKeyIdentifier [ > > KeyIdentifier [ > > 0000: 7B 5B 45 CF AF CE CB 7A FD 31 92 1A 6A B6 F3 46 > .[E....z.1..j..F > > 0010: EB 57 48 50 .WHP > > ] > > ] > > > > Trust this certificate? [no]: yes > > Certificate was added to keystore > > > > Then I attempted to import the intermediate certificate but got an > error: > > > > D:\Program Files (x86)\Java\jdk1.6.0_19\bin>keytool -import -keystore > C:\remedy.optinet.net_cert.jks -storepass password -file "C:\Thawte > SSL CA_x.cer" > > keytool error: java.lang.Exception: Certificate not imported, alias > <mykey> already exists >
When you import, you should specify the "-alias" option so that you can control the alias given to the key that is imported. I don't think it really matters what you use for the alias so long as it is unique. That being said, something that accurately describes the key being imported is helpful. I think I've seen "root" and "intermediate" used before for importing CA root and intermediate certificates. > > > Then I decided to add an “-alias” of “remedy.optinet.net”. I really > don’t know if what I did here is correct but it seems to have > worked: > > > > D:\Program Files (x86)\Java\jdk1.6.0_19\bin>keytool -import -alias > remedy.optinet.net -keystore C:\remedy.optinet.net_cert.jks > -storepass password -file "C:\Thawte SSL CA_x.cer" > > Certificate was added to keystore > > > > So then I amended the server.xml file as follows: > > > > <Connector executor="tomcatThreadPool" > > port="80" protocol="HTTP/1.1" > > connectionTimeout="20000" > > redirectPort="443" /> > > > > > > <!-- Define a SSL HTTP/1.1 Connector on port 8443 > > This connector uses the JSSE configuration, when using APR, the > > connector should be using the OpenSSL style configuration > > described in the APR documentation --> > > <Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" > minSpareThreads="25" maxSpareThreads="75" enableLookups="false" > disableUploadTimeout="true" acceptCount="100" scheme="https" > secure="true" > > clientAuth="false" sslProtocol="TLS" > keystoreFile="C:\remedy.optinet.net_cert.jks" > keystorePass="password" keystoreType="jks" protocol="HTTP/1.1" > SSLEnabled="true" > > URIEncoding="UTF-8"/> > > > > Now, if you have a look at the screenshots below it seems as though > all I have to do is get one of the Infrastructure guys to add > “remedy.optinet.net” to DNS as an alias for the load balancer and > this ought to work. > > Screenshots and other attachments do not make it through to the list. They get filtered out. Dan > > > > > > > > > > > > > > > > Let me know what you think. > > > > Kind Regards > > Melanie > > > > > > > > > > From: Melanie Snayer > Sent: 24 March 2012 10:36 PM > To: Tomcat Users List > Subject: RE: configuring SSL for Tomcat with .pfx > > > > Hi Daniel > > > > Thanks so much for replying. > > > > So you mentioned that I ought to import the existing PKCS12 > (remedy.optinet.net_cert.pfx) keystore into a Java Keystore > (remedy.optinet.net_cert.jks) using the following command: > > > > keytool -importkeystore -srckeystore remedy.optinet.net_cert.pfx > -srcstoretype pkcs12 -srcstorepass password -destkeystore > remedy.optinet.net_cert.jks -deststoretype jks -deststorepass > password > > > > ...and then to import the root and intermediate certificates into the > Java Keystore (remedy.optinet.net_cert.jks). Would I use the > following commands or are these incorrect? > > > > keytool -import -keystore remedy.optinet.net_cert.jks -storepass > password -storetype PKCS12 -file “c:\Thawte Primary Root CA.cer” > > > > keytool -import -keystore remedy.optinet.net_cert.jks -storepass > password -storetype PKCS12 -file “c:\Thawte SSL CA.cer” > > > > Thanks & Regards > > Melanie > > > > -----Original Message----- > From: Daniel Mikusa [ mailto:dmik...@vmware.com ] > Sent: 23 March 2012 07:21 PM > To: Tomcat Users List > Subject: Re: configuring SSL for Tomcat with .pfx > > > > ----- Original Message ----- > > > Hi everyone, > > > > > > I have been tasked with configuring SSL for Tomcat. I am new to > > Tomcat > > > configuration so I have been through the docs and consulted many > > > different articles in an attempt to figure out how all of this > > works. > > > > > > I have been given the following (attached): > > > > > > * Thawte Primary Root CA.cer > > > > > > * Thawte SSL CA.cer > > > > > > * remedy.optinet.net_cert.pfx > > > > > > My plan was to import the root cert then the intermediate cert then > > > the .pfx by doing the following: > > > > > > > > > * keytool -import -keystore tomcat.keystore2 -storepass > > > password -storetype PKCS12 -file "c:\Thawte Primary Root CA.cer" > > > > > > * keytool -import -keystore tomcat.keystore2 -storepass > > > password -storetype PKCS12 -file c:\Thawte SSL CA.cer > > > > > > * keytool -importkeystore -deststorepass password > > > -destkeystore c:\tomcat.keystore2 -srckeystore > > > c:\remedy.optinet.net_cert.pfx -srcstoretype PKCS12 -srcstorepass > > > password > > > > > > > > > What if you try this... > > > > 1.) Import your existing PKCS12 keystore into a Java Keystore. > > > > keytool -importkeystore -srckeystore remedy.optinet.net_cert.pfx > -srcstoretype pkcs12 -srcstorepass password -destkeystore > remedy.optinet.net_cert.jks -deststoretype jks -deststorepass > password > > > > 2.) Then import your root and intermediate certificates into the > remedy.optinet.net_cert.jks. > > > > > > Alternatively, you might try a GUI utility like Keystore Explorer. > > > > http://www.lazgosoftware.com/kse/index.html > > > > Dan > > > > > > > But got the following error when I started with the root cert: > > > > > > D:\Program Files (x86)\Java\jdk1.6.0_19\bin>keytool -import > > -keystore > > > tomcat.keystore2 -storepass password -file "c:\Thawte Primary Root > > > CA.cer" > > > keytool error: java.lang.Exception: Input not an X.509 certificate > > > > > > > > > Then I imported the certificates into certmgr and exported them to > > > X.509 and tried again .... got the following: > > > > > > D:\Program Files (x86)\Java\jdk1.6.0_19\bin>keytool -import > > -keystore > > > tomcat.key > > > store2 -storepass password -storetype PKCS12 -file "Thawte Primary > > > Root CA_x.cer " > > > Owner: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For > > > authorized use only", OU=Certification Services Division, > > O="thawte, > > > Inc.", C=US > > > Issuer: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For > > > authorized us e only", OU=Certification Services Division, > > O="thawte, > > > Inc.", C=US Serial number: 344ed55720d5edec49f42fce37db2b6d Valid > > > from: Fri Nov 17 02:00:00 CAT 2006 until: Thu Jul 17 01:59:59 CAT > > 2036 > > > Certificate fingerprints: > > > MD5: 8C:CA:DC:0B:22:CE:F5:BE:72:AC:41:1A:11:A8:D8:12 > > > SHA1: > > > 91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81 > > > Signature algorithm name: SHA1withRSA > > > Version: 3 > > > > > > Extensions: > > > > > > #1: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ > > > Key_CertSign > > > Crl_Sign > > > ] > > > > > > #2: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ > > > CA:true > > > PathLen:2147483647 > > > ] > > > > > > #3: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ > > > KeyIdentifier [ > > > 0000: 7B 5B 45 CF AF CE CB 7A FD 31 92 1A 6A B6 F3 46 > > > .[E....z.1..j..F > > > 0010: EB 57 48 50 .WHP > > > ] > > > ] > > > > > > Trust this certificate? [no]: yes > > > keytool error: java.security.KeyStoreException: TrustedCertEntry > > not > > > supported > > > > > > I am struggling to get to grips with all of the components like the > > > "alias", "key", "algorithm", "keystore", "certificate", etc ... and > > > the different types of keystores ; different types of certificates > > and > > > so many other things. > > > > > > If you could assist me I would appreciate it greatly. > > > > > > Regards > > > Melanie Snayer > > > BMC Remedy Product Consultant > > > ______________________________________________________________ > > > Blue Turtle Technologies > > > Tel : +27 (0) 87 721 1874/5/6 | Fax: +27 (0)21 552 7764 | > > > Cell: +27 (0)82 568 6205 > > > email: melan...@blueturtle.co.za<mailto:melan...@blueturtle.co.za > > > > | web: www.blueturtle.co.za<http://www.blueturtle.co.za > > > > > > > Imagination was given to us to compensate for what we are not; a > > sense > > > of humor was given to us to console us for what we are. > > > - Mark McGinnis > > > > > > > > > ________________________________ > > > Blue Turtle Technologies (Pty) Limited | Reg. no.: 2003/002610/07 | > > > http://www.blueturtle.co.za Gauteng : Tel: +27 (0)11 206 5600 | > > Fax: > > > +27 (0)11 206 5606 | Midridge Office Estate, International Business > > > Gateway, cnr New Road & Sixth Street, Midrand, 1685 | P O Box > > 31331, > > > Kyalami, 1684 Western Cape: Tel: +27 (0)87 721 1874 | Fax: +27 > > (0)21 > > > 552 7764 | Unit E6, Century Square, Heron Crescent, Century City, > > Cape > > > Town, > > > 7446 > > > > > > DISCLAIMER: This email and any files transmitted with it are > > > confidential and are intended solely for the use of the individual > > or > > > entity to whom they are addressed. This communication represents > > the > > > originator's personal views and opinions, which do not necessarily > > > reflect those of Blue Turtle Technologies (Pty) Ltd. If you are not > > > the original recipient or the person responsible for delivering the > > > email to the intended recipient, be advised that you have received > > > this email in error, and that any use, dissemination, forwarding, > > > printing, or copying of this email is strictly prohibited. If you > > > received this email in error, please immediately notify the sender. > > > Thank you. > > > > > > > Blue Turtle Technologies (Pty) Limited | Reg. no.: 2003/002610/07 | > http://www.blueturtle.co.za > Gauteng : Tel: +27 (0)11 206 5600 | Fax: +27 (0)11 206 5606 | > Midridge Office Estate, International Business Gateway, cnr New Road > & Sixth Street, Midrand, 1685 | P O Box 31331, Kyalami, 1684 > Western Cape: Tel: +27 (0)87 721 1874 | Fax: +27 (0)21 552 7764 | > Unit E6, Century Square, Heron Crescent, Century City, Cape Town, > 7446 > > DISCLAIMER: This email and any files transmitted with it are > confidential and are intended solely for the use of the individual > or entity to whom they are addressed. This communication represents > the originator's personal views and opinions, which do not > necessarily reflect those of Blue Turtle Technologies (Pty) Ltd. If > you are not the original recipient or the person responsible for > delivering the email to the intended recipient, be advised that you > have received this email in error, and that any use, dissemination, > forwarding, printing, or copying of this email is strictly > prohibited. If you received this email in error, please immediately > notify the sender. Thank you. > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
