RE: SSL InvalidKeystore Format?

I don't understand why you just don't use openssl to convert the certificates to a format you need?

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585

> -----Original Message-----
> From: Nate Rock [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 05, 2005 9:10 AM
> To: Tomcat Users List; [EMAIL PROTECTED]
> Subject: RE: SSL InvalidKeystore Format?
>
> Sweet Carl that would be awesome! I have other stuff to do as well, but
> I will take a look at your post from yesterday with code to see if I
> can't glean any sort of extra inspiration from it since it didn't
> mention PKCS12 formats I just kind of glanced over it =(

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: SSL InvalidKeystore Format?

Hi.

Ok, well what I think I will do is clean up my utility classes into a useful utility class (with main and command line switches etc) to do all the in/out/conversions as I use them. I will then mail that source to the list and hopefully it would assist everyone!

Will try to get that out this week!

Regards,

Carl

-----Original Message-----
From: Nate Rock [mailto:[EMAIL PROTECTED]
Sent: 05 December 2005 16:10
To: Tomcat Users List; [EMAIL PROTECTED]
Subject: RE: SSL InvalidKeystore Format?

Sweet Carl that would be awesome! I have other stuff to do as well, but I will take a look at your post from yesterday with code to see if I can't glean any sort of extra inspiration from it since it didn't mention PKCS12 formats I just kind of glanced over it =(

All our certs are currently in PKCS12 (PFX) format and having to re-request them all using OpenSSL would be a PITA ;)

I remember back when looking at our PKI code that it was annoying to try and get the private key exported and in the correct (RSA) format that apache expects out of a PKCS12 file using java.

If we could build a utility based off your current code that could take an existing keystore (JKS/PKCS12) and extract it into a PEM (RSA) encoded private key/signed certificate that apache/tomcat (APR) could use, and maybe do the reverse, take both PEM encoded files and build a keystore (JKS/PKCS12) file, I think it would help a lot of people out when trying to get the APR/SSL thing configured.

The confusing part is that when you export a private key in PEM format using java, the default format is PKCS8 which, from what I understand, the APR doesn't know what to do with because it's expecting PEM (RSA) encoding.

With the utility, we could say that if your certificates were made using java keystores, to get them to work with the APR, run this java command to split them into a PEM (RSA) encoded private key/signed certificate. If your certificates were made using OpenSSL and you want to use them with the tomcat connector, run this other simple command using your PEM (RSA) encoded private key/signed certificate to get a keystore.

I think we already do this using some set of OpenSSL commands (openssl pkcs12, and openssl rsa) as well, but I haven't gotten my verisign cert yet this morning so I can try it out and get back to everyone.

Although I don't like to re-invent the wheel, being able to convert between keystore/PEM (RSA) encoded private key/certificates with a simple java app might be better than forcing peeps to learn how to install/configure OpenSSL on their respective platforms.

-rOcK

-----Original Message-----
From: Carl Olivier [mailto:[EMAIL PROTECTED]
Sent: Monday, December 05, 2005 7:41 AM
To: 'Tomcat Users List'
Subject: RE: SSL InvalidKeystore Format?

Hi Nate.

I am not sure if this is relevant, but think it is - the private keys, CSRs and certificates I am using with tomcat (as per my email from yesterday -- although I have not posted my mechanism for exporting PFX and PEM certificates - with Private Keys etc) have been used as is imported into IIS, Apache, etc with no problems.

I will post my export function (as well as the import functions for PFX and PEM with private keys attached) later (or tomorrow) - just a little busy right now.

I have a large number of actual certificates (purchased from a number of CAs including verisign) in production use.

Anyway - will post my other steps/functions etc as soon as I have a moment!

Regards,

Carl

-----Original Message-----
From: Nate Rock [mailto:[EMAIL PROTECTED]
Sent: 05 December 2005 05:11
To: Tomcat Users List; [EMAIL PROTECTED]
Subject: RE: SSL InvalidKeystore Format?

I think the issue Scott is getting caught up on is the same issue I have been having for the last week: Using APR + SSL with anything but a self signed certificate isn't clearly defined as of yet.

Scott, my recommendation to you at this point is to uninstall tomcat, and then reinstall it making sure to NOT check the "native" checkbox when given installation options. This will install tomcat without the APR connector and the steps listed on Verisign (and on the tomcat site) using java keystores will work fine.

I know Carl and Dhaval have been giving awesome information about how to generate csrs/keystores etc. but none of us (including me) has a rock solid example using an actual verisign certificate that they have set up and have running right now in production using APR. (Remy?)

I think that using OpenSSL for generating the private key/csr will end up being the "way it's done" because of the difference between RSA and PKCS8 private key encodings. (OpenSSL vs java keystore default encodings)

If any of you have actually used a verisign (NOT a self signed OpenSSL certificate from http://www.fatofthelan.com/articles/articles.php?pid=12.) with APR+SSL please post the exact steps you used from generating the primary key/csr file down to the co
RE: SSL InvalidKeystore Format?

Sweet Carl that would be awesome! I have other stuff to do as well, but I will take a look at your post from yesterday with code to see if I can't glean any sort of extra inspiration from it since it didn't mention PKCS12 formats I just kind of glanced over it =(

All our certs are currently in PKCS12 (PFX) format and having to re-request them all using OpenSSL would be a PITA ;)

I remember back when looking at our PKI code that it was annoying to try and get the private key exported and in the correct (RSA) format that apache expects out of a PKCS12 file using java.

If we could build a utility based off your current code that could take an existing keystore (JKS/PKCS12) and extract it into a PEM (RSA) encoded private key/signed certificate that apache/tomcat (APR) could use, and maybe do the reverse, take both PEM encoded files and build a keystore (JKS/PKCS12) file, I think it would help a lot of people out when trying to get the APR/SSL thing configured.

The confusing part is that when you export a private key in PEM format using java, the default format is PKCS8 which, from what I understand, the APR doesn't know what to do with because it's expecting PEM (RSA) encoding.

With the utility, we could say that if your certificates were made using java keystores, to get them to work with the APR, run this java command to split them into a PEM (RSA) encoded private key/signed certificate. If your certificates were made using OpenSSL and you want to use them with the tomcat connector, run this other simple command using your PEM (RSA) encoded private key/signed certificate to get a keystore.

I think we already do this using some set of OpenSSL commands (openssl pkcs12, and openssl rsa) as well, but I haven't gotten my verisign cert yet this morning so I can try it out and get back to everyone.

Although I don't like to re-invent the wheel, being able to convert between keystore/PEM (RSA) encoded private key/certificates with a simple java app might be better than forcing peeps to learn how to install/configure OpenSSL on their respective platforms.

-rOcK

-----Original Message-----
From: Carl Olivier [mailto:[EMAIL PROTECTED]
Sent: Monday, December 05, 2005 7:41 AM
To: 'Tomcat Users List'
Subject: RE: SSL InvalidKeystore Format?

Hi Nate.

I am not sure if this is relevant, but think it is - the private keys, CSRs and certificates I am using with tomcat (as per my email from yesterday -- although I have not posted my mechanism for exporting PFX and PEM certificates - with Private Keys etc) have been used as is imported into IIS, Apache, etc with no problems.

I will post my export function (as well as the import functions for PFX and PEM with private keys attached) later (or tomorrow) - just a little busy right now.

I have a large number of actual certificates (purchased from a number of CAs including verisign) in production use.

Anyway - will post my other steps/functions etc as soon as I have a moment!

Regards,

Carl

-----Original Message-----
From: Nate Rock [mailto:[EMAIL PROTECTED]
Sent: 05 December 2005 05:11
To: Tomcat Users List; [EMAIL PROTECTED]
Subject: RE: SSL InvalidKeystore Format?

I think the issue Scott is getting caught up on is the same issue I have been having for the last week: Using APR + SSL with anything but a self signed certificate isn't clearly defined as of yet.

Scott, my recommendation to you at this point is to uninstall tomcat, and then reinstall it making sure to NOT check the "native" checkbox when given installation options. This will install tomcat without the APR connector and the steps listed on Verisign (and on the tomcat site) using java keystores will work fine.

I know Carl and Dhaval have been giving awesome information about how to generate csrs/keystores etc. but none of us (including me) has a rock solid example using an actual verisign certificate that they have set up and have running right now in production using APR. (Remy?)

I think that using OpenSSL for generating the private key/csr will end up being the "way it's done" because of the difference between RSA and PKCS8 private key encodings. (OpenSSL vs java keystore default encodings)

If any of you have actually used a verisign (NOT a self signed OpenSSL certificate from http://www.fatofthelan.com/articles/articles.php?pid=12.) with APR+SSL please post the exact steps you used from generating the primary key/csr file down to the connector you used. We would also like to know exactly what encoding the primary key/cert is in because as I found out this week, PEM is different if you are using OpenSSL vs JSSE. =P

I will be getting a verisign certificate early this week to try out some things I discovered over the weekend involving some un-documented APR params that are part of mod_ssl that may be the missing link (SSLCACertificateFile attribute ;).

I think part of the issue with APR + verisign certificates is the location for the tr
RE: SSL InvalidKeystore Format?

Hi Nate.

I am not sure if this is relevant, but think it is - the private keys, CSRs and certificates I am using with tomcat (as per my email from yesterday -- although I have not posted my mechanism for exporting PFX and PEM certificates - with Private Keys etc) have been used as is imported into IIS, Apache, etc with no problems.

I will post my export function (as well as the import functions for PFX and PEM with private keys attached) later (or tomorrow) - just a little busy right now.

I have a large number of actual certificates (purchased from a number of CAs including verisign) in production use.

Anyway - will post my other steps/functions etc as soon as I have a moment!

Regards,

Carl

-----Original Message-----
From: Nate Rock [mailto:[EMAIL PROTECTED]
Sent: 05 December 2005 05:11
To: Tomcat Users List; [EMAIL PROTECTED]
Subject: RE: SSL InvalidKeystore Format?

I think the issue Scott is getting caught up on is the same issue I have been having for the last week: Using APR + SSL with anything but a self signed certificate isn't clearly defined as of yet.

Scott, my recommendation to you at this point is to uninstall tomcat, and then reinstall it making sure to NOT check the "native" checkbox when given installation options. This will install tomcat without the APR connector and the steps listed on Verisign (and on the tomcat site) using java keystores will work fine.

I know Carl and Dhaval have been giving awesome information about how to generate csrs/keystores etc. but none of us (including me) has a rock solid example using an actual verisign certificate that they have set up and have running right now in production using APR. (Remy?)

I think that using OpenSSL for generating the private key/csr will end up being the "way it's done" because of the difference between RSA and PKCS8 private key encodings. (OpenSSL vs java keystore default encodings)

If any of you have actually used a verisign (NOT a self signed OpenSSL certificate from http://www.fatofthelan.com/articles/articles.php?pid=12.) with APR+SSL please post the exact steps you used from generating the primary key/csr file down to the connector you used. We would also like to know exactly what encoding the primary key/cert is in because as I found out this week, PEM is different if you are using OpenSSL vs JSSE. =P

I will be getting a verisign certificate early this week to try out some things I discovered over the weekend involving some un-documented APR params that are part of mod_ssl that may be the missing link (SSLCACertificateFile attribute ;).

I think part of the issue with APR + verisign certificates is the location for the trusted CA certificates. How does one point the APR connector so that it trusts the verisign root CA cert(s)? (the APR doesn't use the cacerts java keystore... Where is it getting its list of trusted CAs?)

The mod_ssl doc points to the attribute SSLCACertificateFile for giving it a list of trusted CAs.
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcacertificatefile

But it's not listed on the APR page under the SSL section. After checking out the source code, it looks like this attribute is "supported" just not documented so I decided to try it out using my self signed certificate as the CA certificate. Using my self-signed server.crt, I copied it and renamed it to ca.crt (it can be its own CA, since it's self signed ;) No errors were thrown and I was indeed prompted for a client certificate.

I can experiment with this a bit more later on this week but for now I am recommending to our company to hold off on the APR connector under windows until the APR+SSL thing is ironed out a bit more. Guess I get to go uninstall/re-install tomcat (without the APR connector) on our test server bright and early tomorrow morning.

Thanks to Carl, Dhaval and Remy for all their input this week... I know I have learned a lot and have hopefully thrown out something informative. I know we can get it figured out, I just have a few other projects I put off towards the end of last week that need to get done before wed but I will still try to monitor the SSL threads.

-rOcK
RE: SSL InvalidKeystore Format?

I think the issue Scott is getting caught up on is the same issue I have been having for the last week: Using APR + SSL with anything but a self signed certificate isn't clearly defined as of yet.

Scott, my recommendation to you at this point is to uninstall tomcat, and then reinstall it making sure to NOT check the "native" checkbox when given installation options. This will install tomcat without the APR connector and the steps listed on Verisign (and on the tomcat site) using java keystores will work fine.

I know Carl and Dhaval have been giving awesome information about how to generate csrs/keystores etc. but none of us (including me) has a rock solid example using an actual verisign certificate that they have set up and have running right now in production using APR. (Remy?)

I think that using OpenSSL for generating the private key/csr will end up being the "way it's done" because of the difference between RSA and PKCS8 private key encodings. (OpenSSL vs java keystore default encodings)

If any of you have actually used a verisign (NOT a self signed OpenSSL certificate from http://www.fatofthelan.com/articles/articles.php?pid=12.) with APR+SSL please post the exact steps you used from generating the primary key/csr file down to the connector you used. We would also like to know exactly what encoding the primary key/cert is in because as I found out this week, PEM is different if you are using OpenSSL vs JSSE. =P

I will be getting a verisign certificate early this week to try out some things I discovered over the weekend involving some un-documented APR params that are part of mod_ssl that may be the missing link (SSLCACertificateFile attribute ;).

I think part of the issue with APR + verisign certificates is the location for the trusted CA certificates. How does one point the APR connector so that it trusts the verisign root CA cert(s)? (the APR doesn't use the cacerts java keystore... Where is it getting its list of trusted CAs?)

The mod_ssl doc points to the attribute SSLCACertificateFile for giving it a list of trusted CAs.
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcacertificatefile

But it's not listed on the APR page under the SSL section. After checking out the source code, it looks like this attribute is "supported" just not documented so I decided to try it out using my self signed certificate as the CA certificate. Using my self-signed server.crt, I copied it and renamed it to ca.crt (it can be its own CA, since it's self signed ;) No errors were thrown and I was indeed prompted for a client certificate.

I can experiment with this a bit more later on this week but for now I am recommending to our company to hold off on the APR connector under windows until the APR+SSL thing is ironed out a bit more. Guess I get to go uninstall/re-install tomcat (without the APR connector) on our test server bright and early tomorrow morning.

Thanks to Carl, Dhaval and Remy for all their input this week... I know I have learned a lot and have hopefully thrown out something informative. I know we can get it figured out, I just have a few other projects I put off towards the end of last week that need to get done before wed but I will still try to monitor the SSL threads.

-rOcK
RE: SSL InvalidKeystore Format?

Greetings.

Not sure if this will help, but I spent a lot of time fighting with certificates for use with Tomcat - from CSRs to issued certificates from the CAs - as well as using PFX files as exported from other webservers etc.. I have however got it working great, and thought to give you my steps, commands, and pointers - hopefully they will assist!

Scenario 1: CSR with issued Cert from CA

1. Generate the CSR.

Important - generating the CSR requires a private key (which resides in the keystore used for the generation) to be present when importing the actual certificate from the CA (in response to the CSR). Thus I have a number of different keystores I use.

Generate the Private Key I will be using to generate the CSR (using my 'privatestore' keystore):

  keytool -genkey -keyalg RSA -dname "cn=www.site.com, ou=My Department, o=My Company, l=My City, s=My Province, c=GBR" -alias certrequest -keypass mypasswd -keystore /ssl/privatestore -storepass mystorepwd -validity 365

This generates the private key, and generates the CSR ready for extraction to be submitted to the CA.

I use the following code snippet to extract the private key - bearing in mind that I will be wanting to use the private key later when I wish to import the public key (cert) as returned by the CA. Useful to note that I create a keystore per connector (per site) for use in Tomcat.

=== code snippet ===
// this first snippet extracts the private key - as I wish to persist it in Base64 encoding
// for use when I import the certificate later
// I reuse this keystore for private key/CSR generation

import java.io.File;
import java.io.FileInputStream;
import java.io.FileWriter;
import java.io.PrintWriter;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import sun.misc.BASE64Encoder;

// load the privatestore keystore used for privatekey/CSR generation
File workingkeystore = new File( "/ssl/privatestore" );
KeyStore workingStore = KeyStore.getInstance( "JKS" );
workingStore.load( new FileInputStream( workingkeystore ), "mystorepwd".toCharArray() );

// extract the keypair (private key is what we want)
KeyPair kp = getPrivateKey( workingStore, "certrequest", "mypasswd".toCharArray() );
PrivateKey pkey = kp.getPrivate();

// get the private key binary
// (getEncoded() on a JCE PrivateKey returns PKCS#8 DER, hence the PRIVATE KEY label below)
byte[] binary = pkey.getEncoded();

// base64 encoder - in package sun.misc
BASE64Encoder myB64 = new BASE64Encoder();

// encode the private key binary as a Base64 string
String b64 = myB64.encode( binary );

// persist the private key for later use
PrintWriter out = new PrintWriter( new FileWriter( new File( "/ssl/privatekeys/www.mysite.com.pkey" ) ) );
try {
    out.println( "-----BEGIN PRIVATE KEY-----" );
    out.println( b64 );
    out.println( "-----END PRIVATE KEY-----" );
} finally {
    out.close();
}

// helper referenced above (the post does not show its body); the straightforward
// implementation pairs the stored PrivateKey with the public key of its certificate
static KeyPair getPrivateKey( KeyStore ks, String alias, char[] password ) throws Exception {
    PrivateKey key = (PrivateKey) ks.getKey( alias, password );
    Certificate cert = ks.getCertificate( alias );
    return new KeyPair( cert.getPublicKey(), key );
}
=== end snippet ===

Now I use the keytool to generate the CSR with the private key generated above (note I use the same alias I used when generating the private key to ensure correct processing). Note that this will generate the Base64 representation of the CSR to the specified location using the -file switch.

  keytool -certreq -file /ssl/csrs/www.site.com.csr -alias certrequest -keypass mypasswd -keystore /ssl/privatestore -storepass mystorepwd

The Base64 string which is the contents of the CSR above can then be submitted to the CA. Be sure to keep the private key generated for use when importing the CA issued certificate.

I will now go over how I go about importing/setting up the actual certificate keystore for use with Tomcat:

Using a Base64 String representation of the Certificate returned by the CA:

Before I run the code below however I run the Private Key we generated to create the CSR through openssl to get it into the correct format - namely pkcs8 (DER) format using the openssl command as follows:

  openssl pkcs8 -topk8 -nocrypt -in /ssl/privatekeys/www.mysite.com.pkey -out /ssl/temp/www.mysite.com.tempkey -outform der

=== code snippet ===
import java.io.File;
import java.io.FileOutputStream;
import java.security.KeyStore;

// first create the keystore we will be using for the cert
// the actual keystore file path - ensure this does not exist
String keyFilePath = "/ssl/keystores/www.mysite.com.keystore";
KeyStore ks;
try {
    ks = KeyStore.getInstance( "JKS", "SUN" );
    ks.load( null, "mypasswd".toCharArray() );
    ks.store( new FileOutputStream( new File( keyFilePath ) ), "mypasswd".toCharArray() );
} catch (Exception e) {
    // handle as you require
    throw new RuntimeException("Failed to create new Keysto
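The PKCS8-versus-RSA confusion Nate raises in his messages, and the `-----BEGIN PRIVATE KEY-----` file Carl's snippet writes from `getEncoded()`, come down to two ASN.1 wrappers around the same RSA key material: PKCS#8 `PrivateKeyInfo` (the `PRIVATE KEY` label, what the JCE emits) and PKCS#1 `RSAPrivateKey` (the `RSA PRIVATE KEY` label, what OpenSSL writes by default and what the APR/mod_ssl connector reads). The following is an added example, not code from this thread or from any of its participants, and a Python counterpart to the Java utility Nate proposes: a standard-library tool that reports which encoding a PEM file carries and converts between the two. The toy key it builds is a constructed placeholder (textbook n = 61*53), the OIDs and labels are the ones fixed by PKCS#1/PKCS#8, and `pem_decode` accepts any single PEM block.

```python
"""Tell apart the two PEM private-key encodings this thread keeps running into and convert
between them (standard library only):
  BEGIN PRIVATE KEY      PKCS#8 PrivateKeyInfo  - what Java's PrivateKey.getEncoded() yields
  BEGIN RSA PRIVATE KEY  PKCS#1 RSAPrivateKey   - the "RSA" form OpenSSL writes, APR/mod_ssl reads
For rsaEncryption the PKCS#8 privateKey OCTET STRING is the PKCS#1 DER itself, so converting
is wrapping/unwrapping one SEQUENCE, which is all 'openssl pkcs8 -topk8' / 'openssl rsa' do."""
import base64
import re

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"
# AlgorithmIdentifier SEQ { OID rsaEncryption, NULL } as it appears in every RSA PKCS#8 key
RSA_ALGORITHM_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long-form length
    return bytes([tag, 0x80 | len(body)]) + body + value

def der_int(n):
    # an extra leading 0x00 when the top bit is set keeps the INTEGER positive
    return der_tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at pos, handling long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def oid_to_str(body):
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def pem_decode(text):
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"

def pkcs8_fields(p8_der):
    """PrivateKeyInfo ::= SEQ { version INTEGER 0, algorithm SEQ, privateKey OCTET STRING, ... }"""
    tag, body, _ = der_read(p8_der)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    version, alg, key = der_children(body)[:3]  # optional attributes may follow
    if version != (0x02, b"\x00"):
        raise ValueError("unsupported PrivateKeyInfo version")
    if alg[0] != 0x30 or key[0] != 0x04:
        raise ValueError("malformed AlgorithmIdentifier or privateKey")
    return oid_to_str(der_children(alg[1])[0][1]), key[1]

def pkcs8_to_pkcs1(p8_der):
    alg_oid, key = pkcs8_fields(p8_der)
    if alg_oid != RSA_ENCRYPTION_OID:
        raise ValueError(f"not an RSA key (algorithm {alg_oid})")
    return key  # for rsaEncryption this is already the RSAPrivateKey DER

def pkcs1_to_pkcs8(rsa_der):
    return der_tlv(0x30, der_int(0) + RSA_ALGORITHM_ID + der_tlv(0x04, rsa_der))

def describe_pem(text):
    label, der = pem_decode(text)
    if label == "RSA PRIVATE KEY":
        return "PKCS#1 RSAPrivateKey (OpenSSL 'RSA' form; what the APR/mod_ssl connector expects)"
    if label == "PRIVATE KEY":
        return f"PKCS#8 PrivateKeyInfo, algorithm {pkcs8_fields(der)[0]} (Java getEncoded() form)"
    if label == "ENCRYPTED PRIVATE KEY":
        return "PKCS#8 EncryptedPrivateKeyInfo (password protected; decrypt before converting)"
    return f"{label} (not a private key)"

def toy_rsa_private_key():
    # constructed textbook-sized RSAPrivateKey (n = 61*53): well-formed DER, NOT a usable key
    p, q, e, d = 61, 53, 17, 2753
    fields = [0, p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return der_tlv(0x30, b"".join(der_int(f) for f in fields))
```

Run `describe_pem` over the `.pkey` file Carl's snippet writes and it reports PKCS#8 with the rsaEncryption OID; `pem_encode("RSA PRIVATE KEY", pkcs8_to_pkcs1(der))` then yields the `server.key` form the APR connector reads, the same result as `openssl rsa -in ... -out ...`, and `pkcs1_to_pkcs8` is the reverse for feeding an OpenSSL-generated key into a Java keystore import. Both directions leave the key unencrypted, exactly as `openssl pkcs8 -nocrypt` does, so the output file needs the same filesystem protection as the keystore it came from; an `ENCRYPTED PRIVATE KEY` block is reported but deliberately not converted.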
Re: SSL InvalidKeystore Format?

it). Put those files in TOMCAT_HOME\bin.

(e) Edit the server.xml in Tomcat and make changes in SSL connector following way:

Also you can customize the port number as I explained earlier.

(f) Restart the tomcat and test SSL.

---

Further reading:

JSSE + OpenSSL Hybrid Approach:
http://marc.theaimsgroup.com/?l=tomcat-user&m=106293430225790&w=2

Tomcat thread (Nate's messages about more explanation)
http://www.mail-archive.com/users%40tomcat.apache.org/msg02402.html

More detail information about key and certificates (Nate's explanation)
http://www.mail-archive.com/users%40tomcat.apache.org/msg02329.html

Tomcat + OpenSSL Documentation
http://tomcat.apache.org/tomcat-5.5-doc/index.html
http://www.openssl.org

Enabling SSL in Apache as well as running openssl.exe (provided by tomcat APR binaries) on Windows machine
http://www.fatofthelan.com/articles/articles.php?pid=12

Scott, since you are interested in enabling APR, let's forget about keytool and JSSE for now and only concentrate on/use OpenSSL. I think if you generate a new key and csr using OpenSSL and request Verisign to issue a new certificate based upon that key and csr, they will give you a new certificate. Then you can use that certificate (certificate.crt) with the key in your tomcat configuration. Since you know that with a self-signed certificate things are working, they should work with a Verisign-signed certificate also.

Let us know how it goes.

Regards,
D

--- Scott Purcell <[EMAIL PROTECTED]> wrote:

> Do you think Verisign should be able to supply me with an openSSL
> certificate? Maybe that would help. I just don't know enough about this to
> make any logical sense. I will email Verisign and see what they say.
>
> Thanks,
> Scott
>
> PS, did you have Nate's earlier email you described below? If so could you
> email me it?
>
> Thanks
>
> ----- Original Message -----
> From: "Dhaval Patel" <[EMAIL PROTECTED]>
> To: "Tomcat Users List"
> Sent: Saturday, December 03, 2005 1:13 PM
> Subject: Re: SSL InvalidKeystore Format?
>
> > Scott,
> >
> > You might have to use OpenSSL instead of keytool. OpenSSL is recommended in production
> > environment. Also if you want to use APR+SSL, you might have to use OpenSSL (I am not sure about
> > it). So you have to generate key using openssl and then supply the key to Verisign. If you have
> > time, read my and Nate's previous messages. Nate's message explains a lot about key, certificate
> > and encoding.
> >
> > I am not quite sure whether this key+certificate will work with APR+SSL since they were
> > generated using keytool. But you can try.
> >
> > Let us know if it works or not.
> >
> > Regards,
> > D
> >
> > --- Scott Purcell <[EMAIL PROTECTED]> wrote:
> >
> > > Just found this in my email mess: Thanks for responding:
> > > Here is what I supplied to verisign for my certificate:
> > >
> > > 1) Prepared the Keystore:
> > > keytool -genkey -keystore myKeystore -alias keystoreAlias
> > > (it asked me for passwords, etc.);
> > >
> > > 2) Generated a CSR
> > > a) keytool -genkey -alias keystoreAlias -keyalg RSA -keystore myKeystore
> > > b) keytool -certreq -keyalg RSA -alias keystoreAlias -file certreq.csr -keystore myKeystore
> > >
> > > so it looks like I used keytool, and not openssl.
> > >
> > > Then they send me back a cert.cer file in my email:
> > >
> > > ###
> > > 2) I was not able to download it from anywhere, as it came in my email:
> > >
> > > 3) I was able to get the SSL running in a ssl format using the supplied link
> > > from fatofthelan.com article pid=12 and currently have a generic certificate running.
> > >
> > > Thanks,
> > > Scott
> > >
> > > ----- Original Message -----
> > > From: "Nate Rock" <[EMAIL PROTECTED]>
> > > To: "Tomcat Users List"
> > > Sent: Friday, December 02, 2005 8:50 AM
> > > Subject: RE: SSL InvalidKeystore Format?
> > >
> > > Dhaval your explanation was excellent! I think with a bit more information
> > > about how exactly Scott got his certificate from verisign, I think we can
> > > help him out a bit more.
> > >
> > > 1. What did you use to create your Certificate Request (csr) t
Re: SSL InvalidKeystore Format?

Could you clarify? I am unsure what you mean. I am really stuck on this, and could use a hand.

----- Original Message -----
From: "James Rome" <[EMAIL PROTECTED]>
To:
Sent: Saturday, December 03, 2005 2:42 PM
Subject: Re: SSL InvalidKeystore Format?

> The accepted CAs are in /jre/lib/security/cacerts which you manage with
> keytool. This only comes into play if you require a client certificate.
> Then the user's browser only presents certificates from your CA list.
>
> Jim
Re: SSL InvalidKeystore Format?

The accepted CAs are in /jre/lib/security/cacerts which you manage with keytool. This only comes into play if you require a client certificate. Then the user's browser only presents certificates from your CA list.

Jim
Re: SSL InvalidKeystore Format?

Do you think Verisign should be able to supply me with an openSSL certificate? Maybe that would help. I just don't know enough about this to make any logical sense. I will email Verisign and see what they say.

Thanks,
Scott

PS, did you have Nate's earlier email you described below? If so could you email me it?

Thanks

----- Original Message -----
From: "Dhaval Patel" <[EMAIL PROTECTED]>
To: "Tomcat Users List"
Sent: Saturday, December 03, 2005 1:13 PM
Subject: Re: SSL InvalidKeystore Format?

> Scott,
>
> You might have to use OpenSSL instead of keytool. OpenSSL is recommended in production
> environment. Also if you want to use APR+SSL, you might have to use OpenSSL (I am not sure about
> it). So you have to generate key using openssl and then supply the key to Verisign. If you have
> time, read my and Nate's previous messages. Nate's message explains a lot about key, certificate
> and encoding.
>
> I am not quite sure whether this key+certificate will work with APR+SSL since they were
> generated using keytool. But you can try.
>
> Let us know if it works or not.
>
> Regards,
> D
>
> --- Scott Purcell <[EMAIL PROTECTED]> wrote:
>
> > Just found this in my email mess: Thanks for responding:
> > Here is what I supplied to verisign for my certificate:
> >
> > 1) Prepared the Keystore:
> > keytool -genkey -keystore myKeystore -alias keystoreAlias
> > (it asked me for passwords, etc.);
> >
> > 2) Generated a CSR
> > a) keytool -genkey -alias keystoreAlias -keyalg RSA -keystore myKeystore
> > b) keytool -certreq -keyalg RSA -alias keystoreAlias -file certreq.csr -keystore myKeystore
> >
> > so it looks like I used keytool, and not openssl.
> >
> > Then they send me back a cert.cer file in my email:
> >
> > ###
> > 2) I was not able to download it from anywhere, as it came in my email:
> >
> > 3) I was able to get the SSL running in a ssl format using the supplied link
> > from fatofthelan.com article pid=12 and currently have a generic certificate running.
> >
> > Thanks,
> > Scott
> >
> > ----- Original Message -----
> > From: "Nate Rock" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List"
> > Sent: Friday, December 02, 2005 8:50 AM
> > Subject: RE: SSL InvalidKeystore Format?
> >
> > Dhaval your explanation was excellent! I think with a bit more information
> > about how exactly Scott got his certificate from verisign, I think we can
> > help him out a bit more.
> >
> > 1. What did you use to create your Certificate Request (csr) to verisign?
> >
> > -IIS
> > -java keytool
> > -openssl
> >
> > 2. After you received your signed certificate back from verisign, what
> > format did you download it in?
> >
> > -PKCS7 - signed cert only - DER binary encoding
> > -PEM - signed cert only
> >
> > 3. After you got the signed certificate what format is your keystore?
> >
> > -PKCS12 - pub/priv keys + signed certificate
> > -JKS - pub/priv keys + signed certificate (sun specific format)
> > -PEM - single file with both PEM encoded (RSA formatted, non encrypted!)
> > private key concatenated on to the PEM encoded signed cert
> > -PEM - two files
> > 1. one containing the PEM encoded (RSA formatted, non-encrypted) private key - server.key
> > 2. one containing the PEM encoded signed cert
> >
> > The native APR connector only supports the last two file formats, so if you
> > have a PKCS12 refer to my previous posting explaining how to split a PKCS12
> > file into multiple PEM Encoded files.
> >
> > Just for the record, I believe you can go back to verisign and download your
> > signed certificate in multiple formats...
> >
> > I am also in the process of parsing out a signed by verisign certificate to
> > see if it's even possible. We may be stuck using self signed certificates
> > for now because the APR connector doesn't support the following attributes
> > yet:
> >
> > SSLCACertificateFile
> > SSLCACertificatePath
> >
> > These attributes are supported allowing you to specify which CA's you accept
> > outside of the "default" ones (whose location I am still trying to
> > track down).
> >
> > -rOcK
> >
> > -----Original Message-----
> > From: Dhaval Patel [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, December 01, 2005 8:48 PM
> > To: Tomcat
Re: SSL InvalidKeystore Format?
Scott,

You might have to use OpenSSL instead of keytool. OpenSSL is recommended in a production environment. Also, if you want to use APR+SSL, you might have to use OpenSSL (I am not sure about it). So you have to generate the key using openssl and then supply that key to Verisign.

If you have time, read my and Nate's previous messages. Nate's message explains a lot about keys, certificates and encoding. I am not quite sure whether this key+certificate will work with APR+SSL since they were generated using keytool. But you can try. Let us know if it works or not.

Regards,
D
Re: SSL InvalidKeystore Format?
Just found this in my email mess. Thanks for responding.

Here is what I supplied to Verisign for my certificate:

1) Prepared the keystore:
     keytool -genkey -keystore myKeystore -alias keystoreAlias
   (it asked me for passwords, etc.)

2) Generated a CSR:
   a) keytool -genkey -alias keystoreAlias -keyalg RSA -keystore myKeystore
   b) keytool -certreq -keyalg RSA -alias keystoreAlias -file certreq.csr -keystore myKeystore

So it looks like I used keytool, and not openssl. Then they sent me back a cert.cer file in my email.

###
2) I was not able to download it from anywhere, as it came in my email.

3) I was able to get the SSL running in a ssl format using the supplied link from fatofthelan.com article pid=12 and currently have a generic certificate running.

Thanks,
Scott
RE: SSL InvalidKeystore Format?
Dhaval, your explanation was excellent! With a bit more information about how exactly Scott got his certificate from Verisign, I think we can help him out a bit more.

1. What did you use to create your Certificate Request (csr) to Verisign?
   - IIS
   - java keytool
   - openssl

2. After you received your signed certificate back from Verisign, what format did you download it in?
   - PKCS7 - signed cert only - DER binary encoding
   - PEM - signed cert only

3. After you got the signed certificate, what format is your keystore?
   - PKCS12 - pub/priv keys + signed certificate
   - JKS - pub/priv keys + signed certificate (Sun-specific format)
   - PEM - single file with both the PEM encoded (RSA formatted, non-encrypted!) private key concatenated on to the PEM encoded signed cert
   - PEM - two files:
     1. one containing the PEM encoded (RSA formatted, non-encrypted) private key - server.key
     2. one containing the PEM encoded signed cert

The native APR connector only supports the last two file formats, so if you have a PKCS12, refer to my previous posting explaining how to split a PKCS12 file into multiple PEM encoded files.

Just for the record, I believe you can go back to Verisign and download your signed certificate in multiple formats...

I am also in the process of parsing out a certificate signed by Verisign to see if it's even possible. We may be stuck using self-signed certificates for now because the APR connector doesn't support the following attributes yet:

    SSLCACertificateFile
    SSLCACertificatePath

These attributes are supported allowing you to specify which CAs you accept outside of the "default" ones (whose location I am still trying to track down).

-rOcK
Re: SSL InvalidKeystore Format?
Hi Scott,

Good to hear that it works. Thanks also go to Remy and Nate Rock.

You have purchased SSL. In this purchase process, did you submit a Certificate Request (csr) to Verisign? As far as I know, the process of getting a signed SSL certificate is: first you have to generate a certificate request (csr), then you have to submit this csr to Verisign or Thawte, then they will give you the actual signed certificate (.crt), and then you have to use that crt in this process.

Based upon my knowledge, to incorporate a Verisign certificate, the steps are as follows (derived from http://www.fatofthelan.com/articles/articles.php?pid=12 ):

(1) openssl req -new -out server.csr
    (This will generate the csr and private key. Make sure you fill in the values correctly at the openssl command prompt.)

(2) openssl rsa -in privkey.pem -out server.key
    (This removes the passphrase from the private key. Also delete the generated .rnd file.)

(3) Here there are two (either/or) possibilities:
    (a) Save the key and submit this csr to Verisign. They will sign it and give you the final certificate (.crt format, maybe). You may also need to give them the key. (This is the paid option, but mostly used in a production environment.)
    (b) Create a self-signed certificate:
            openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
        (This is free but it can be used in a production environment. You don't need to perform this step if you have a certificate from Verisign.)

Is the self-signed certificate good? Yes, and maybe no.

Yes. It is nearly the same as a Verisign certificate, and if you use it, SSL will be enabled just as it would be using Verisign. The only problem you will face is that when you open the website in any browser, it will complain about the authenticity of the certificate. The browser cannot verify it, and so it will ask the user if he/she wants to proceed further or not. The communication is still SSL enabled and secure. This method is more preferred in a testing environment. I have seen many web projects using it in a production environment also.

Maybe no. Again, if you have a good professional website, it is almost standard now that you use a signed certificate from Verisign or Thawte. For example, if you do any online shopping from Amazon or any store, you will visit the SSL page and they don't display any warning or anything.

So the choice is in your hands. There is no harm involved in any of the above methods. Again, all of the above explanation is based upon my reading. I would like users to comment about it so that I can also update myself and you have a correct and better answer.

Hope it helps you understand SSL a bit further.

Regards,
D
Re: SSL InvalidKeystore Format?
Hard to believe ... but Dhaval, the below steps actually worked, and my site appears to have SSL. Thank you so much. But of course this draws me to another question.

I had just purchased a "Verisign" certificate and do not know how to handle this? Can I just call the Verisign certificate when doing this:

    openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

and use the one Verisign gave me here?

Also, is this a good certificate? Do I need the Verisign one?

As you may be able to tell, I am very confused and could use a little explanation if possible.

Thanks much
Scott
RE: SSL InvalidKeystore Format?
Special thanks to Remy for adding an example connector to the APR doc... I saw the change go through the dev list last night ;)

Dhaval and Remy, between your two emails I was actually able to get Tomcat 5.5.12 to use SSL; however, there is one last problem I am running into...

Dhaval, you created your PEM encoded key/certs using openssl, and if you followed the article linked, you used the "openssl rsa" command. Using this I was able to get it to work just fine. I got super pumped, and so I switched my Connector to point to the cert/key that I had exported from my PKCS12 keystore yesterday, and it still didn't work correctly.

After reading up on private keys a bit more, it looks like the PEM encoding used by the "openssl rsa" command is in an older format (RSA) than the version my private key is being stored in. The key/cert I am using has the key in PKCS#8 format and not the antiquated SSLeay format output by the "openssl rsa" command, as noted on the OpenSSL rsa(1) command page:

"Note this command uses the traditional SSLeay compatible format for private key encryption: newer applications should use the more secure PKCS#8 format using the pkcs8 utility."

Taken from the OpenSSL rsa command documentation located here: http://www.openssl.org/docs/apps/rsa.html

If not, there might be an issue with the APR connector using PKCS#8 formatted private keys. Maybe I need to set up something differently in the connector when using the PKCS#8 private key format?

After much deliberation, I found an issue with mod_ssl used in the APR. Evidently it doesn't support the PKCS#8 private key format. So you need to take it and convert it to the RSA format.

Here is a nice article on how to convert your PKCS#8 private key extracted from your PKCS#12 keystore to the non-encrypted, RSA, PEM format that OpenSSL expects: http://mark.foster.cc/kb/openssl-keytool.html

The parts of the article that you should concern yourself with are:

"The private key is being exported as PKCS#8 PEM format. To get it into the RSA format that works with Apache (see below) you can issue the following command:"

    openssl pkcs8 -inform PEM -nocrypt -in exported-pkcs8.key -out exported.key

And

"In summary, I had to re-encode the Java-base64-encoded private key using openssl to make it palatable to Apache:"

    openssl rsa -in privkey-java.key -out privkey.key

I used Keystore Explorer 2.3 to extract the signed certificate and private key out of the PKCS#12. http://www.lazgosoftware.com/kse/ (free trial, $30 to buy. If you use java keystores/certificates a lot, totally worth it imo)

I am still working on getting my certificate working 100% correctly, but this information should help you guys out a lot if you are stuck with a PKCS#12 file. It won't be long now...

-rOcK
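Nate's diagnosis above (the APR connector wanting the traditional "RSA PRIVATE KEY" PEM encoding while Java exports PKCS#8) can be checked before touching server.xml. The script below is an added example, not code from this thread or from Tomcat or OpenSSL: it classifies a PEM private key by walking the DER structure instead of trusting the BEGIN label, and maps the result to the conversion commands quoted in the thread. The sample keys it builds are tiny hand-constructed placeholders, not usable key material, and the function names (classify_private_key, apr_ready) are my own.

```python
import base64
import re

# ---- minimal DER helpers: enough to build and walk SEQUENCE / INTEGER / OCTET STRING ----

def _der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:                 # keep the INTEGER positive
        body = b"\x00" + body
    return der_tlv(0x02, body)

def _read_tlv(buf, pos):
    """Return (tag, length, offset_of_body) for the element starting at pos."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        k = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, ln, pos

# ---- constructed sample keys: toy textbook numbers (p=61, q=53), NOT real key material ----

def toy_rsa_private_key_der():
    # RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dp, dq, qInv }   (PKCS#1, "SSLeay" form)
    return der_tlv(0x30, b"".join(der_int(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption

def toy_pkcs8_der():
    # PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, OCTET STRING privateKey }
    alg = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")
    return der_tlv(0x30, der_int(0) + alg + der_tlv(0x04, toy_rsa_private_key_der()))

def pem_wrap(label, der, headers=()):
    """PEM-encode DER under the given label; optional RFC 1421 headers (Proc-Type etc.)."""
    lines = [f"-----BEGIN {label}-----", *headers]
    if headers:
        lines.append("")
    b64 = base64.b64encode(der).decode()
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"

# ---- the check itself ----

_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)

def classify_private_key(pem_text):
    """Classify by DER layout: the BEGIN label can lie (a Java exporter may emit
    PKCS#8 bytes under an 'RSA PRIVATE KEY' label)."""
    m = _PEM_RE.search(pem_text)
    if not m:
        return "not-pem"
    body_lines = m.group(2).splitlines()
    if any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in body_lines):
        return "traditional-rsa-encrypted"   # body is ciphertext, not parseable DER
    der = base64.b64decode("".join(l for l in body_lines if l and ":" not in l))
    tag, _, pos = _read_tlv(der, 0)
    if tag != 0x30:
        return "unknown"
    first, ln, body = _read_tlv(der, pos)
    if first == 0x30:                        # EncryptedPrivateKeyInfo opens with an AlgorithmIdentifier
        return "pkcs8-encrypted"
    if first == 0x02:                        # version INTEGER; the element after it decides
        second, _, _ = _read_tlv(der, body + ln)
        if second == 0x30:
            return "pkcs8"                   # AlgorithmIdentifier follows -> PrivateKeyInfo
        if second == 0x02:
            return "traditional-rsa"         # modulus follows -> RSAPrivateKey
    return "unknown"

# Conversions: the -nocrypt pkcs8 form and the rsa form are the ones quoted in the thread;
# the plain pkcs8 form (prompts for the passphrase) is my addition. KEY = your key file.
_FIX = {
    "traditional-rsa": None,
    "traditional-rsa-encrypted": "openssl rsa -in KEY -out server.key",
    "pkcs8": "openssl pkcs8 -inform PEM -nocrypt -in KEY -out server.key",
    "pkcs8-encrypted": "openssl pkcs8 -inform PEM -in KEY -out server.key",
}

def apr_ready(pem_text):
    """Return (usable_as_SSLCertificateKeyFile, conversion_command_or_None)."""
    kind = classify_private_key(pem_text)
    return kind == "traditional-rsa", _FIX.get(kind, "unrecognised key; re-export it")

if __name__ == "__main__":
    for label, der in (("RSA PRIVATE KEY", toy_rsa_private_key_der()),
                       ("PRIVATE KEY", toy_pkcs8_der()),
                       ("RSA PRIVATE KEY", toy_pkcs8_der())):   # mislabelled, as Java tools can produce
        print(label, "->", classify_private_key(pem_wrap(label, der)), apr_ready(pem_wrap(label, der)))
```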
RE: SSL InvalidKeystore Format?
Hi,

I should have mentioned that I am running Tomcat as a standalone server. I mentioned the link (http://www.fatofthelan.com/articles/articles.php?pid=12) as a reference to generate a self-signed certificate with OpenSSL on Windows, even though it is a very nice article about how to set up SSL with Apache. I only applied part 3 (Generate a test certificate) from that article to my Tomcat+SSL procedure.

One thing that I found interesting in that article is part 4 (Configuring Apache and mod_ssl). In this part, if you look at the changes in httpd.conf, as mentioned below,

    SSLEngine on
    SSLCertificateFile conf/ssl/server.cert
    SSLCertificateKeyFile conf/ssl/server.key

which are the same parameters that Remy has suggested. If I had found this article early, I might have been able to solve the issue. But again, since I figured it out, I like it now.

Regards.
D
RE: SSL InvalidKeystore Format?
Hello Dhaval,

I was reading the article below, and it looks like you are not running Tomcat as standalone? Are you running Apache behind the scenes? I was just curious.

Scott

-Original Message-
From: Dhaval Patel [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 01, 2005 8:49 AM
To: Tomcat Users List
Subject: Re: SSL InvalidKeystore Format?

Hi Scott,

I am not a Tomcat expert, and I cannot help you with the error you are getting. After Remy's last message on SSL with APR, I finally got my Windows XP + Tomcat 5.5.12 + APR + SSL working. Following are the steps that I have followed:

(1) Install Tomcat 5.5.12 and make sure it is working.
(2) Download the APR component (openssl.exe and tcnative-1.dll) and put it in %TOMCAT_HOME%\bin. (http://tomcat.heanet.ie/native/1.1.0/binaries/win32/)
(3) I generated server.key and server.cert following the guide at http://www.fatofthelan.com/articles/articles.php?pid=12. I have put them in %TOMCAT_HOME%\bin only. (Make sure you follow the guide. I had trouble setting up openssl.exe on Windows XP. The answer is on that page only. You have to download openssl.cnf from Google and place it in some folder and make a new environment variable OPENSSL_CONF pointing to that file. Trust me, that link is very good.)
(4) Change the server.xml in the following way:
(5) Restart Tomcat and SSL is enabled.

I don't know if you did it the same way and still have issues. If you want to try, you can follow the above steps on some other Windows XP machine. It worked for me, so it should work for you. If you start from scratch, it may take about 30-40 minutes to set up the above things. Let me know how it goes.

Regards,
D

--- Scott Purcell <[EMAIL PROTECTED]> wrote:

> Well, after wasting much time trying to get the SSL running on 5.5.12, on XP,
> and finding out about the bad tcnative-1.dll, I thought I was out of the woods on my SSL
> configuration. But it appears I have one last issue (hopefully).
> Since I renamed the tcnative-1.dll, I am getting logs in regards to my SSL (I
> was not getting those prior, see earlier posts) and I am receiving this error: I believe I
> have a good keystore, because my public key from Verisign was happy with it, but for some reason,
> Tomcat is still not happy with it.
> Any ideas why this error may occur?
>
> Nov 30, 2005 10:44:53 PM org.apache.coyote.http11.Http11BaseProtocol init
> INFO: Initializing Coyote HTTP/1.1 on http-80
> Nov 30, 2005 10:44:54 PM org.apache.coyote.http11.Http11BaseProtocol init
> SEVERE: Error initializing endpoint
> java.io.IOException: Invalid keystore format
> at sun.security.provider.JavaKeyStore.engineLoad(Unknown Source)
> at java.security.KeyStore.load(Unknown Source)
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:282)
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:256)
> at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getTrustManagers(JSSE14SocketFactory.java:174)
> at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
> at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
> at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:137)
> at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
> at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
> at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:762)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:488)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:508)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> at java.lang.reflect.Method.invoke(Unknown Source)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> Nov 30, 2005 10:44:54 PM org.apache.catalina.startup.Catalina load
> SEVERE: Catalina.start
> LifecycleException: Protocol handler initialization failed: java.io.IOException: Invalid keystore format
> at org.apache.catalina.connector.Connector.initialize(Connector.java:1018)
> at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
> at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:762)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:488)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:508)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Re: SSL InvalidKeystore Format?
Hi Scott,

I am not a Tomcat expert, and I cannot help you with the error you are getting. After Remy's last message on SSL with APR, I finally got my Windows XP + Tomcat 5.5.12 + APR + SSL working. Following are the steps that I have followed:

(1) Install Tomcat 5.5.12 and make sure it is working.
(2) Download the APR component (openssl.exe and tcnative-1.dll) and put it in %TOMCAT_HOME%\bin. (http://tomcat.heanet.ie/native/1.1.0/binaries/win32/)
(3) I generated server.key and server.cert following the guide at http://www.fatofthelan.com/articles/articles.php?pid=12. I have put them in %TOMCAT_HOME%\bin only. (Make sure you follow the guide. I had trouble setting up openssl.exe on Windows XP. The answer is on that page only. You have to download openssl.cnf from Google and place it in some folder and make a new environment variable OPENSSL_CONF pointing to that file. Trust me, that link is very good.)
(4) Change the server.xml in the following way:
(5) Restart Tomcat and SSL is enabled.

I don't know if you did it the same way and still have issues. If you want to try, you can follow the above steps on some other Windows XP machine. It worked for me, so it should work for you. If you start from scratch, it may take about 30-40 minutes to set up the above things. Let me know how it goes.

Regards,
D

--- Scott Purcell <[EMAIL PROTECTED]> wrote:

> Well, after wasting much time trying to get the SSL running on 5.5.12, on XP,
> and finding out about the bad tcnative-1.dll, I thought I was out of the woods on my SSL
> configuration. But it appears I have one last issue (hopefully).
> Since I renamed the tcnative-1.dll, I am getting logs in regards to my SSL (I
> was not getting those prior, see earlier posts) and I am receiving this error: I believe I
> have a good keystore, because my public key from Verisign was happy with it, but for some reason,
> Tomcat is still not happy with it.
> Any ideas why this error may occur?
>
> Nov 30, 2005 10:44:53 PM org.apache.coyote.http11.Http11BaseProtocol init
> INFO: Initializing Coyote HTTP/1.1 on http-80
> Nov 30, 2005 10:44:54 PM org.apache.coyote.http11.Http11BaseProtocol init
> SEVERE: Error initializing endpoint
> java.io.IOException: Invalid keystore format
> at sun.security.provider.JavaKeyStore.engineLoad(Unknown Source)
> at java.security.KeyStore.load(Unknown Source)
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:282)
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:256)
> at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getTrustManagers(JSSE14SocketFactory.java:174)
> at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
> at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
> at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:137)
> at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
> at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
> at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:762)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:488)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:508)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> at java.lang.reflect.Method.invoke(Unknown Source)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> Nov 30, 2005 10:44:54 PM org.apache.catalina.startup.Catalina load
> SEVERE: Catalina.start
> LifecycleException: Protocol handler initialization failed: java.io.IOException: Invalid keystore format
> at org.apache.catalina.connector.Connector.initialize(Connector.java:1018)
> at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
> at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:762)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:488)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:508)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> at java.lang.reflect.Method.invoke(Unknown Source)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> Nov 30, 2005 10:44:54 PM org.apache.catalina.startup.Catalina load
> INFO: Initialization processed in 1890 ms
> Nov 30, 2005 10:44:54 PM org.apache.catalina.core.StandardService start
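Two things in the trace quoted in this thread are worth reading closely. The failing frame is JSSESocketFactory.getTrustStore, so it is the JSSE connector's trust store (truststoreFile/truststoreType, or the JDK's default cacerts) that fails to load, not necessarily the keystore that Verisign accepted. And sun.security.provider.JavaKeyStore.engineLoad is the JKS loader, which throws "Invalid keystore format" as soon as the first bytes are not the JKS magic number, which is exactly what a PKCS12/PFX file, a PEM file or a truncated binary copy produce when the connector is left at its default keystoreType="JKS". The script below is an added example written for this thread, not code from the list or from Tomcat: it sniffs the header of whatever file the connector points at and names the server.xml setting that fits it (keystoreType="JKS"/"JCEKS"/"PKCS12" for the JSSE connector, SSLCertificateFile/SSLCertificateKeyFile for the APR connector with Dhaval's PEM server.key/server.cert). The sample byte strings are constructed headers with no real key material.

```python
import re
import struct

# Magic numbers the JDK keystore loaders check: sun.security.provider.JavaKeyStore
# wants 0xFEEDFEED (JKS) and the JCE loader wants 0xCECECECE (JCEKS).
JKS_MAGIC = 0xFEEDFEED
JCEKS_MAGIC = 0xCECECECE
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def _der_length(data, offset):
    """Decode a DER length field at `offset`; return (length, offset of content)."""
    if offset >= len(data):
        raise ValueError("truncated length field")
    first = data[offset]
    if first < 0x80:                      # short form: one byte
        return first, offset + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or offset + 1 + n > len(data):
        raise ValueError("unsupported or truncated length field")
    return int.from_bytes(data[offset + 1:offset + 1 + n], "big"), offset + 1 + n


def sniff_keystore(data):
    """Classify the bytes a Tomcat connector was pointed at and name the matching setting.

    Returns a dict with 'format', 'loadable' (True when a Java KeyStore of that
    type should accept the file) and a 'hint' for server.xml.
    """
    if len(data) >= 12 and struct.unpack(">I", data[:4])[0] in (JKS_MAGIC, JCEKS_MAGIC):
        magic, version, count = struct.unpack(">III", data[:12])
        fmt = "JKS" if magic == JKS_MAGIC else "JCEKS"
        return {"format": fmt, "version": version, "entries": count,
                "loadable": version in (1, 2),
                "hint": 'JSSE connector: keystoreType="%s" (JKS is the default)' % fmt}

    if data[:1] == b"\x30":               # DER SEQUENCE: a PKCS12 PFX or a bare DER object
        try:
            body_len, body = _der_length(data, 1)
        except ValueError as exc:
            return {"format": "DER", "loadable": False, "hint": "bad DER header: %s" % exc}
        expected = body + body_len
        if data[body:body + 3] != b"\x02\x01\x03":   # PFX ::= SEQUENCE { version INTEGER(3), ... }
            return {"format": "DER", "loadable": False,
                    "hint": "DER object but not a PKCS12 PFX (bare certificate or key?)"}
        if expected != len(data):
            return {"format": "PKCS12", "loadable": False,
                    "hint": "PKCS12 header found but only %d of %d bytes present: truncated or "
                            "corrupted copy (binary files moved in text mode do this)"
                            % (len(data), expected)}
        return {"format": "PKCS12", "loadable": True,
                "hint": 'JSSE connector: keystoreType="PKCS12"'}

    labels = [label.decode("ascii") for label in PEM_BLOCK.findall(data)]
    if labels:
        return {"format": "PEM", "blocks": labels, "loadable": False,
                "hint": "PEM is not a Java keystore: point the APR connector at it with "
                        "SSLCertificateFile/SSLCertificateKeyFile, or convert it to PKCS12 first"}

    return {"format": "unknown", "loadable": False,
            "hint": "neither a Java keystore, a PKCS12 file nor PEM: check the path"}


# Constructed sample inputs (headers only, no real key material).
SAMPLE_JKS = struct.pack(">III", JKS_MAGIC, 2, 1) + b"\x00" * 32
SAMPLE_JCEKS = struct.pack(">III", JCEKS_MAGIC, 2, 0)
_PFX_BODY = b"\x02\x01\x03" + b"\x00" * 253                    # version INTEGER 3, then filler
SAMPLE_PKCS12 = b"\x30\x82" + struct.pack(">H", len(_PFX_BODY)) + _PFX_BODY
SAMPLE_TRUNCATED_PKCS12 = SAMPLE_PKCS12[:100]
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
              b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                 # usage: python sniff_keystore.py <file the connector points at>
        with open(sys.argv[1], "rb") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"jks": SAMPLE_JKS, "jceks": SAMPLE_JCEKS, "pkcs12": SAMPLE_PKCS12,
                   "pkcs12-truncated": SAMPLE_TRUNCATED_PKCS12, "pem": SAMPLE_PEM}
    for name, blob in samples.items():
        print("%-18s %s" % (name, sniff_keystore(blob)))
```

Run it against the keystore and the truststore the connector is configured with; the default JDK truststore is lib/security/cacerts under the JRE, which is JKS and loads fine, so a PEM or PFX file accidentally named in truststoreFile is the usual culprit for a failure in getTrustStore. One caveat: from JDK 9 on, the "JKS" type is dual-format and also accepts PKCS12, so the exact exception in this thread is characteristic of the JDK 1.4/5 era it was posted from; the format check itself is still correct on any JDK.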