>From: owner-openssl-us...@openssl.org On Behalf Of Kevin Jenkins
>Sent: Tuesday, 26 March, 2013 21:53

>I'm a new user and am confused on how to generate .crt and .pem file. 
>I am using Apache Tomcat with OpenSSL.

>I have a domain with a DNS entry pointing to the IP of my webserver. 
>Their support have given me 3 files
>intermediate.txt -> intermediate certificate?
>milestone.lobby3.raknet.com.txt -> primary certificate???
>privatekey.txt -> ???

Files named .txt are probably PEM format but to be certain open each 
with a text editor. If you see a line like -----BEGIN CERTIFICATE-----
followed by several lines of reasonable length consisting entirely of 
letters and digits and + and / and (maybe) = at the end, followed by 
a line -----END CERTIFICATE-----, it's PEM. If you see mostly blobs 
or weird characters with a few brief chunks of readable text like 
your server name here and there, it's (probably) DER.

>From http://www.modssl.org/docs/2.1/ssl_reference.html I have 
>copy/pasted this entry into server.xml in Tomcat

mod_ssl is the module to use OpenSSL in Apache *native* httpd.
The version on modssl.org appears to be way out of date, and 
I believe has been superseded by the one on the Apache website.

Apache Tomcat can use APR, which in turn uses OpenSSL. Latest version:
http://tomcat.apache.org/tomcat-7.0-doc/apr.html#HTTP/HTTPS
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native

APR is deliberately similar to mod_ssl (and both of them 
deliberately similar to openssl) but not always identical.

><!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
><Connector
>           protocol="HTTP/1.1"
>           port="8443" maxThreads="200"
>           scheme="https" secure="true" SSLEnabled="true"
>           SSLCertificateFile="/usr/local/ssl/server.crt"
>           SSLCertificateKeyFile="/usr/local/ssl/server.pem"
>           SSLVerifyClient="optional" SSLProtocol="TLSv1"/>

It may be meaningless to specify SSLVerifyClient without also 
specifying SSLCACertificate{File,Path} and providing the CA certs
that you want to use to verify the client certs (if in fact used).
OpenSSL has an optional default but I don't know if APR uses it.
Even if it does, what is there may or may not be what you want.

>So this raises the question where does the .crt and .pem files come from? 
>Searching it seems like this page has what I need
>http://www.digicert.com/ssl-support/pem-ssl-creation.htm

>However, that page uses various terminologies such as primary certificate, 
>root certificate, intermediate certificate, private key,  and I'm not sure 
>which term goes to what kind of file I have, or even what I have, or if 
>I have everything i need. I can kind of infer that privatekey.txt is the 
>private key, but for the other files I don't know. And they have 4 terms 
>but I only have 3 files, so I'm not sure what is missing.

A file named privatekey probably is your private key, and if in PEM 
format it should be acceptable to APR SSLCertificateKeyFile.

A file named with your server name is probably a cert for your server, 
and if PEM it should be acceptable to APR SSLCertificateFile.

If intermediate.txt is a cert in PEM format, it is probably an 
intermediate cert your server should supply for authentication. 
If your version of APR (or mod_ssl) accepts SSLCertificateChainFile, 
that's the right place to put an intermediate (or several of them).
If not, OpenSSL will actually use certs from its "truststore" to 
build the chain as well as verifying, so you can work around it by adding 
the intermediate cert to a file (easier) or dir (with hashname) 
you use for SSLCACertificateFile or ...Path respectively.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
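The file triage the reply above describes by hand (open each .txt, look for a -----BEGIN ...----- / -----END ...----- pair with base64 lines between, otherwise suspect DER, then decide which connector attribute each file belongs in) can be scripted. The following is an added example written for this page; it is not code from the thread, from OpenSSL or from Tomcat. It checks the PEM grammar exactly as the reply states it, checks the DER case more strictly than "weird characters" by walking the outer TLV structure, and maps each PEM label to the APR connector attribute named in the thread. The sample file contents are constructed certificate-shaped and key-shaped DER blobs, not real certificates or keys, and the file names mirror the ones in the question.

```python
"""Inspect the files a CA handed out and say where each belongs in a Tomcat
APR connector.  Added example, not from the openssl-users thread; the sample
blobs below are constructed and are NOT real certificates or keys."""
import base64
import re

# One PEM block as the reply describes it: a BEGIN line, base64 body lines made
# of letters, digits, '+', '/' and optional trailing '=', then a matching END line.
PEM_BLOCK = re.compile(
    rb"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    rb"(?P<body>(?:[A-Za-z0-9+/]+=*\r?\n)+)"
    rb"-----END (?P=label)-----\r?\n?"
)

# Which APR connector attribute (the names used in the thread) a PEM label feeds.
# A CERTIFICATE is ambiguous: the server's own cert is SSLCertificateFile, any
# intermediate goes in SSLCertificateChainFile; telling them apart needs the
# certificate contents, which this example does not parse.
DIRECTIVE_FOR_LABEL = {
    "CERTIFICATE": "SSLCertificateFile or SSLCertificateChainFile",
    "PRIVATE KEY": "SSLCertificateKeyFile",
    "RSA PRIVATE KEY": "SSLCertificateKeyFile",
    "EC PRIVATE KEY": "SSLCertificateKeyFile",
    "ENCRYPTED PRIVATE KEY": "SSLCertificateKeyFile (pass phrase needed)",
}


def _der_tlv_len(buf, pos):
    """(header_len, value_len) of the DER TLV at pos, or None if not valid DER."""
    if pos + 2 > len(buf):
        return None
    first = buf[pos + 1]
    if first < 0x80:                       # short form length
        return 2, first
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 2 + n > len(buf):
        return None                        # indefinite (BER only) or absurd length
    value_len = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    if (n == 1 and value_len < 0x80) or (n > 1 and buf[pos + 2] == 0):
        return None                        # DER requires the shortest encoding
    return 2 + n, value_len


def _well_formed(buf, start, end):
    """True if buf[start:end] is a sequence of well-formed DER TLVs (recursing into constructed ones)."""
    pos = start
    while pos < end:
        hdr = _der_tlv_len(buf, pos)
        if hdr is None or pos + hdr[0] + hdr[1] > end:
            return False
        if buf[pos] & 0x20 and not _well_formed(buf, pos + hdr[0], pos + hdr[0] + hdr[1]):
            return False
        pos += hdr[0] + hdr[1]
    return pos == end


def is_der(data):
    """True if data is exactly one well-formed DER SEQUENCE, the outer shape of X.509 certs and PKCS#8/PKCS#1 keys."""
    if not data or data[0] != 0x30:
        return False
    hdr = _der_tlv_len(data, 0)
    return hdr is not None and hdr[0] + hdr[1] == len(data) and _well_formed(data, hdr[0], len(data))


def detect_format(data):
    """Classify file bytes as ('PEM', [labels]), ('DER', None) or ('UNKNOWN', None)."""
    blocks = list(PEM_BLOCK.finditer(data))
    if blocks:
        labels = []
        for m in blocks:
            # b64decode drops the newlines; the decoded body must itself be DER
            if not is_der(base64.b64decode(m.group("body"))):
                return "UNKNOWN", None
            labels.append(m.group("label").decode("ascii"))
        return "PEM", labels
    if is_der(data):
        return "DER", None
    return "UNKNOWN", None


def der_to_pem(der, label):
    """Wrap DER in a PEM block with 64-column base64 lines (the layout openssl writes)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    tag = label.encode("ascii")
    return b"-----BEGIN " + tag + b"-----\n" + b"\n".join(lines) + b"\n-----END " + tag + b"-----\n"


def pem_to_der(pem):
    """Return [(label, der_bytes), ...] for every PEM block in the data."""
    return [(m.group("label").decode("ascii"), base64.b64decode(m.group("body")))
            for m in PEM_BLOCK.finditer(pem)]


def inventory(files):
    """Map file name -> (format, labels, where it goes in the connector config)."""
    report = {}
    for name, data in files.items():
        fmt, labels = detect_format(data)
        if fmt == "PEM":
            where = [DIRECTIVE_FOR_LABEL.get(lbl, "unknown label") for lbl in labels]
        elif fmt == "DER":
            where = ["convert to PEM first (openssl x509 -inform DER -outform PEM)"]
        else:
            where = ["not a certificate or key"]
        report[name] = (fmt, labels or [], where)
    return report


def _tlv(tag, value):
    """Tiny DER TLV encoder used only to construct the sample blobs below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


# Constructed samples: the SEQUENCE/OID/BIT STRING shape of a certificate and the
# INTEGER/AlgorithmIdentifier/OCTET STRING shape of a PKCS#8 key.  Not real objects.
_SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"
SAMPLE_CERT_DER = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01"))
                       + _tlv(0x30, _tlv(0x06, _SHA256_RSA_OID))
                       + _tlv(0x03, b"\x00" + b"\xaa" * 200))   # long-form length path
SAMPLE_KEY_DER = _tlv(0x30, _tlv(0x02, b"\x00")
                      + _tlv(0x30, _tlv(0x06, _RSA_OID) + _tlv(0x05, b""))
                      + _tlv(0x04, b"\x00" * 40))
SAMPLE_FILES = {
    "intermediate.txt": der_to_pem(SAMPLE_CERT_DER, "CERTIFICATE"),
    "milestone.lobby3.raknet.com.txt": der_to_pem(SAMPLE_CERT_DER, "CERTIFICATE"),
    "privatekey.txt": der_to_pem(SAMPLE_KEY_DER, "PRIVATE KEY"),
    "export.cer": SAMPLE_CERT_DER,                      # a raw DER export
    "notes.txt": b"ask support which file is the chain\n",
}

if __name__ == "__main__":
    for name, (fmt, labels, where) in inventory(SAMPLE_FILES).items():
        print(f"{name:34} {fmt:8} {labels} -> {where}")
```

Run as a script it prints one line per file; the three .txt files from the question come out as PEM, with privatekey.txt mapped to SSLCertificateKeyFile and both certificates flagged as needing a subject check to tell the server cert (SSLCertificateFile) from the intermediate (SSLCertificateChainFile). A raw DER export is reported as DER with the openssl conversion to run, and anything else is rejected rather than guessed at.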
