Re: renewing an ssl certificate
On 6 April 2017 at 14:18, Christopher Schultz wrote:
> Lyllax,
>
> On 4/6/17 5:52 AM, Lyallex wrote:
>> I get a zipped archive from Comodo containing individual files but
>> I'll look into pem files
>
> Oh, those individual files *are* the PEM files.

Er

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
www_mydomain_com.crt

> LE is the answer.

I run a commercial site and getting security warn offs because a CA is not recognised by the browser/user agent is not an option. I run about 20 different browsers/versions on several platforms which is about the limit for us (Americans would call us a 'mom and pop shop').

I'll read up on LE and find out what they call themselves (the 'CA name' I guess) then check to see how many of my browsers know about them. Primitive maybe but it's what I got.

Thanks for the info

Lyallex

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: renewing an ssl certificate
Lyllax,

On 4/6/17 5:52 AM, Lyallex wrote:
> I get a zipped archive from Comodo containing individual files but
> I'll look into pem files

Oh, those individual files *are* the PEM files.

>> Come to this year's ApacheCon NA in Miami. There will be a few
>> talks about TLS, including one on the basics and another one on
>> using Let's Encrypt to get free automated certs so you never have
>> to manually do this process ever again -- unless you want an EV
>> cert ;)
>
> Love to, but I'm in the UK.

Plenty of folks from Europe (sorry... Mighty Independent Britain, I guess) are coming to the conference. There's also an EU conference (almost) every year.

> I delegate payment to a service provider, the only external
> resource I use, so I don't store users' financial data, just makes
> life simpler and means I don't really need an EV cert.

Cool. In that case, consider moving to Let's Encrypt. 100% free and they *force* you to automate.

> Despite their vehement denial, https is a ranking signal to
> Google, maybe it would be nice if they offered a free basic ssl
> cert so small businesses like mine don't have to pay over GBP 100
> inc VAT every year.

LE is the answer.
-chris
[OT] Re: renewing an ssl certificate
On 06.04.2017 at 01:42, Christopher Schultz wrote:
> Great! Time to upgrade to Tomcat 8! It's really not bad at all. If you
> have a testing environment, I think you'll be able to do it in about
> 30 minutes. After you do it once, it'll take you more like 5 minutes.

*Everybody* has a testing environment. Some of us are lucky in that they have a completely independent production environment.

(Sorry, I can't attribute this any better than "Source: Internet", saw it in some conference presentation slides)
Re: renewing an ssl certificate
On 6 April 2017 at 00:42, Christopher Schultz wrote:
> Lyllax,
>
> On 4/4/17 3:11 PM, Lyallex wrote:
>> After some sterling support from this list a while ago which
>> included a code change I have been successfully running Apache
>> Tomcat 7.0.70 stand alone (no httpd front end) with SSL/TLS for a
>> year now without problems, it just works, it never falls over and
>> it has withstood some concerted attacks by all sorts of scallywags.
>> Impressive.
>
> Great! Time to upgrade to Tomcat 8! It's really not bad at all. If you
> have a testing environment, I think you'll be able to do it in about
> 30 minutes. After you do it once, it'll take you more like 5 minutes.

Already running on my dev and stage boxes

> It should be that simple every time. Again, always keep a backup...

All I do is create a brand new keystore in a new location and do everything from there. When I'm happy I simply change the location of the keystore in the relevant connector in conf/server.xml and restart tomcat. If it all goes belly up I simply change the config to point to the old keystore. Of course this only works if you don't leave everything to the last minute and the old cert times out :-)

> When you are using PEM files, it's very clear what everything is, and,
> if you have a one-PEM-file-to-rule-them-all, then you can at least see
> everything labelled appropriately with a simple text editor. You can
> also get your private key out of the bundle without resorting to
> chicanery.

I get a zipped archive from Comodo containing individual files but I'll look into pem files

> Come to this year's ApacheCon NA in Miami. There will be a few talks
> about TLS, including one on the basics and another one on using Let's
> Encrypt to get free automated certs so you never have to manually do
> this process ever again -- unless you want an EV cert ;)

Love to, but I'm in the UK.
I delegate payment to a service provider, the only external resource I use, so I don't store users' financial data, just makes life simpler and means I don't really need an EV cert.

Despite their vehement denial, https is a ranking signal to Google, maybe it would be nice if they offered a free basic ssl cert so small businesses like mine don't have to pay over GBP 100 inc VAT every year. I won't hold my breath.

Thanks for taking the time to reply

Lyallex
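The swap-and-rollback procedure described in the reply above (point the HTTPS connector in conf/server.xml at the new keystore, restart, and switch back to the old keystore if anything breaks), as an added Python example that is not from the thread: the server.xml fragment is constructed, and the keystore paths and password are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed Tomcat 7 server.xml fragment (not taken from the thread).
# SSLEnabled/keystoreFile/keystorePass are the real Tomcat 7 connector
# attributes; the paths and the password are placeholders.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="/opt/tomcat/keys/2016/keystore.jks"
               keystorePass="changeit"/>
  </Service>
</Server>
"""

def _ssl_connectors(root):
    """Yield only the connectors that actually terminate TLS."""
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            yield conn

def keystore_paths(server_xml):
    """Map each SSLEnabled connector's port to its current keystoreFile."""
    root = ET.fromstring(server_xml)
    return {c.get("port"): c.get("keystoreFile") for c in _ssl_connectors(root)}

def switch_keystore(server_xml, new_keystore, port=None):
    """Point every SSLEnabled connector (or only the one on `port`) at
    new_keystore. Returns (new_xml, previous) where previous maps
    port -> old keystoreFile: keep it, it is your rollback record."""
    root = ET.fromstring(server_xml)
    previous = {}
    for conn in _ssl_connectors(root):
        if port is not None and conn.get("port") != str(port):
            continue
        previous[conn.get("port")] = conn.get("keystoreFile")
        conn.set("keystoreFile", new_keystore)
    if not previous:
        # Refuse silently "succeeding" when nothing matched.
        raise ValueError("no matching SSLEnabled connector; nothing changed")
    return ET.tostring(root, encoding="unicode"), previous

def roll_back(server_xml, previous):
    """Undo switch_keystore() using the mapping it returned."""
    for port, old_path in previous.items():
        server_xml, _ = switch_keystore(server_xml, old_path, port=port)
    return server_xml
```

Tomcat only reads the connector configuration at startup, so a restart is needed after either the switch or the rollback, as the reply above notes.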
Re: renewing an ssl certificate
Lyllax,

On 4/4/17 3:11 PM, Lyallex wrote:
> After some sterling support from this list a while ago which
> included a code change I have been successfully running Apache
> Tomcat 7.0.70 stand alone (no httpd front end) with SSL/TLS for a
> year now without problems, it just works, it never falls over and
> it has withstood some concerted attacks by all sorts of scallywags.
> Impressive.

Great! Time to upgrade to Tomcat 8! It's really not bad at all. If you have a testing environment, I think you'll be able to do it in about 30 minutes. After you do it once, it'll take you more like 5 minutes.

> It is now time to renew my ssl certificate and I'm getting a bit
> jumpy.

No sweat.

> I managed to get everything working first time around following the
> docs at
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#General_Tips_on_Running_SSL
>
> According to my service provider (comodo) I have to submit a new
> certificate signing request which (I think) means creating a self
> signed certificate.
>
> Will this mess up my existing cert, it still has 10 days to go?

That depends upon exactly how you do things.

> Is the process the same as installing first time or are there some
> gotchas I need to be aware of

I would start from scratch every time. Here's why:

1. Java keystores are ... an abomination. The less you have to mess with them, the better.

2. In the unlikely event that your private key has been compromised (e.g. someone broke into your server and copied it off there).

3. For conversations that aren't using "forward security", the RSA private key is the master key to all of those conversations. If someone (e.g. US-NSA) has compromised your private key and is recording all your conversations with your clients, then a compromised key means a compromise of all of those conversations, past or future. Generating a new private key limits the amount of damage that can be caused by this kind of compromise.

4. If you break something, you'll have the old keystore as a backup and can roll-back immediately without worrying if you have broken anything in the original keystore. (Of course, you could just make a backup copy of the keystore, but this start-fresh process has a built-in backup, so you don't have to remember it.)

> [From a followup post]
>
> actually all I was asking was 'is it possible to use an existing
> keystore (and therefore an existing private key)' to install a new
> certification chain'

You can, but see above.

> In the end I created a brand new keystore, generated a new private
> key and CSR, submitted the CSR to Comodo then installed the new
> chain when it arrived. Then I simply switched the server
> (../conf/server.xml) to look at the new keystore and it just
> worked. Result.

It should be that simple every time. Again, always keep a backup... just in case.

> I was under the impression the certs were 'installed' in the
> keystore but I don't think this is right so now I have to figure
> out where they are as I'd like to remove the old ones. Every time I
> mess about with this SSL/TLS stuff I age several years :-)

This is the thing about Java keystores: they merge concepts together in a way that I dislike. If you crack-open your keystore, you'll end up finding the following:

1. a private key
2. a self-signed certificate
3. the CA-signed certificate
4. the CA's intermediate certificate (usually)

But "keytool" makes it look like #1 and #2 are the same thing.

When you are using PEM files, it's very clear what everything is, and, if you have a one-PEM-file-to-rule-them-all, then you can at least see everything labelled appropriately with a simple text editor. You can also get your private key out of the bundle without resorting to chicanery.

Come to this year's ApacheCon NA in Miami.
There will be a few talks about TLS, including one on the basics and another one on using Let's Encrypt to get free automated certs so you never have to manually do this process ever again -- unless you want an EV cert ;)

-chris
Re: renewing an ssl certificate
Drat ... missed the list

Martin

Thank you for your comprehensive reply ... actually all I was asking was 'is it possible to use an existing keystore (and therefore an existing private key)' to install a new certification chain'

In the end I created a brand new keystore, generated a new private key and CSR, submitted the CSR to Comodo then installed the new chain when it arrived. Then I simply switched the server (../conf/server.xml) to look at the new keystore and it just worked. Result.

I was under the impression the certs were 'installed' in the keystore but I don't think this is right so now I have to figure out where they are as I'd like to remove the old ones. Every time I mess about with this SSL/TLS stuff I age several years :-)

Thanks again

On 4 April 2017 at 22:21, Martin Gainty <mgai...@hotmail.com> wrote:
> I don't know who from the list said you could replace a valid SSL
> Certificate (that has since expired)
>
> with a self-signed but they are wrong
>
> you are MUCH better off by purchasing a valid Thawte/Verisign Certificate
> with public keys signed by a Certificate Authority which will be recognised by
> ALL browsers
>
> Mucking around with create-your-own self-signed certs will lead you to
> justifiable grief and aggravation
>
> First step is to create a CSR for X509 (named) certs embedded in pfx
> https://en.wikipedia.org/wiki/X.509
>
> the pfx will contain Asymmetric private/public keys:
> https://www.ciphercloud.com/blog/cloud-information-protection-symmetric-vs-asymmetric-encryption/
>
> first step is to send the CSR to your CA provider Verisign or Thawte
> https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content=CROSSLINK=INFO227
>
> yes you can create self-signed certs but CHROME stops transmission when
> they do not recognise certifying authority
> https://www.ibm.com/support/knowledgecenter/SSCP65_5.0.0/com.ibm.rational.rrdi.admin.doc/topics/t_browser_ss_cert.html
>
> Let me know if you need further assistance
>
> Martin
>
> --
> *From:* Lyallex <lyal...@gmail.com>
> *Sent:* Tuesday, April 4, 2017 3:11 PM
> *To:* Tomcat Users List
> *Subject:* renewing an ssl certificate
>
> Tomcatters
>
> After some sterling support from this list a while ago which included
> a code change I have been successfully running
> Apache Tomcat 7.0.70 stand alone (no httpd front end) with SSL/TLS for
> a year now without problems, it just works, it never falls over
> and it has withstood some concerted attacks by all sorts of
> scallywags. Impressive.
>
> It is now time to renew my ssl certificate and I'm getting a bit
renewing an ssl certificate
Tomcatters

After some sterling support from this list a while ago which included a code change I have been successfully running Apache Tomcat 7.0.70 stand alone (no httpd front end) with SSL/TLS for a year now without problems, it just works, it never falls over and it has withstood some concerted attacks by all sorts of scallywags. Impressive.

It is now time to renew my ssl certificate and I'm getting a bit jumpy.

I managed to get everything working first time around following the docs at
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#General_Tips_on_Running_SSL

According to my service provider (comodo) I have to submit a new certificate signing request which (I think) means creating a self signed certificate.

Will this mess up my existing cert, it still has 10 days to go?

Is the process the same as installing first time or are there some gotchas I need to be aware of

Thanks, nervously

Lyallex