Java Mailing List Archive

Reply: RE: SSL, keystore with ca hierarchy

2004-01-24       - By Oliver Wulff






I can't do steps 1 and 2 because the certificate and private key have already been created with openssl.
The file TestServer_APU.pem contains the private key and certificate in the PEM format.
Should that work as well?

Does the cacerts have to be located in %JAVA_HOME%\jre\lib\security\cacerts or can I place it anywhere else?

"Mark Thomas" <markt@(protected)>
To: "'Tomcat Users List'" <tomcat-user@(protected)>
Cc:
Subject: RE: SSL, keystore with ca hierarchy
24.01.2004 19:18
Please reply to "Tomcat Users List"

I have successfully used a server signed cert with tomcat.

The step by step guide is quite lengthy. I'll give you the edited highlights and please follow up if you have any more questions.

1. Create key in .keystore with alias tomcat
2. Generate a signing request and send to CA
3. Receive signed key (cert) and CA cert
4. Import the root cert into cacerts
5. Import CA cert into cacerts (%JAVA_HOME%\jre\lib\security\cacerts)
6. Import tomcat cert into .keystore, with -trustcacerts option and alias tomcat

From your post it looks like you have imported the root cert and the CA cert into .keystore rather than the cacerts file.

Mark

> -----Original Message-----
> From: Oliver Wulff [mailto:oliver.wulff@(protected)]
> Sent: Saturday, January 24, 2004 2:25 PM
> To: tomcat-user@(protected)
> Subject: SSL, keystore with ca hierarchy
>
> I've created the following keystore for Tomcat 4.1.18:
> SET KEYSTORE_FILE=.\.keystore
>
> keytool -import -keystore %KEYSTORE_FILE% -storepass icebeer -alias root -trustcacerts -file CA_Root_APU.pem
> keytool -import -keystore %KEYSTORE_FILE% -storepass icebeer -alias server_ca -trustcacerts -file CA_Server_APU.pem
> keytool -import -keystore %KEYSTORE_FILE% -storepass icebeer -alias tomcat -trustcacerts -file
>
> The root ca is self signed. The tomcat certificate is signed by server_ca which is issued by the root ca. The password for the keystore and the tomcat certificate are identical. Further, I've configured the server.xml accordingly:
> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>            port="9443" minProcessors="5" maxProcessors="75"
>            enableLookups="true"
>            acceptCount="100" debug="0" scheme="https" secure="true"
>            useURIValidationHack="false" disableUploadTimeout="true">
>   <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>            clientAuth="false" protocol="TLS"
>            keystoreFile="certs/.keystore"
>            keystorePass="123456"
>            />
> </Connector>
>
> Tomcat starts with no problems:
> 24.01.2004 15:10:41 org.apache.coyote.http11.Http11Protocol start
> INFO: Starting Coyote HTTP/1.1 on port 9080
> 24.01.2004 15:10:41 org.apache.coyote.http11.Http11Protocol start
> INFO: Starting Coyote HTTP/1.1 on port 9443
>
> But I get the error "The Page Cannot Be Displayed" when I try to access the index.html.
>
> When I create the certificates in the following way it does work:
> keytool -genkey -storepass 123456 -alias tomcat -keyalg RSA -keystore .\dummy.keystore
> keytool -rfc -storepass 123456 -export -alias tomcat -keystore .\dummy.keystore -file dummy.tomcat.pem
>
> Does Tomcat not support certificates with a ca hierarchy?
>
> -oliver
>
> ******************* PLEASE NOTE *******************
> This message (including any attachments) may contain confidential or legally protected data or information. It is intended solely for the named person(s). If this message has reached you in error, you are kindly requested to destroy it without any reproduction and to notify the sender immediately. Thank you for your help.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
> For additional commands, e-mail: tomcat-user-help@(protected)
>
>
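
A check for the distinction the six steps above rely on, added here as an example and not part of the thread: whether the alias Tomcat uses holds a private key with its certificate chain (steps 1 and 6) or only an imported certificate. The class name KeystoreCheck and its three command-line arguments are assumptions; it uses only the standard java.security.KeyStore API.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example, not from the thread. Arguments are the reader's own values:
//   java KeystoreCheck <keystore file> <store password> <alias>
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java KeystoreCheck <keystore> <storepass> <alias>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            // load() throws IOException when the password does not match the store,
            // e.g. when it differs from the keystorePass configured in server.xml.
            ks.load(in, args[1].toCharArray());
        }
        // List every alias and whether it carries a private key.
        for (String a : Collections.list(ks.aliases())) {
            System.out.println(a + ": " + (ks.isKeyEntry(a) ? "key entry" : "trusted certificate entry"));
        }
        String alias = args[2];
        if (!ks.isKeyEntry(alias)) {
            // "keytool -import" into an alias with no key pair stores only a certificate.
            System.out.println("FAIL: '" + alias + "' has no private key, so a TLS server cannot use it");
            System.exit(1);
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = (X509Certificate) chain[i];
            System.out.println("chain[" + i + "] subject=" + c.getSubjectX500Principal().getName());
            System.out.println("         issuer=" + c.getIssuerX500Principal().getName());
            // Every certificate except the last must be signed by the next one.
            if (i + 1 < chain.length) {
                c.verify(chain[i + 1].getPublicKey());
            }
        }
        X509Certificate top = (X509Certificate) chain[chain.length - 1];
        boolean selfIssued = top.getSubjectX500Principal().equals(top.getIssuerX500Principal());
        System.out.println(selfIssued ? "OK: chain ends at a self-issued root"
                : "NOTE: chain ends below the root; clients need a path from issuer "
                  + top.getIssuerX500Principal().getName() + " to a root they trust");
    }
}
```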


