www.openssl.org is the website for OpenSSL. It's an open source implementation of SSL / TLS together with a tremendous amount of other stuff (such as X.509, S/MIME, every cryptographic algorithm you ever heard of). You can also use it to set up your own CA - it's not the easiest software to use as it takes a terrific number of command line switches, but it's probably more convenient than having to wait on Verisign and renew your certificates every couple of weeks.
----- Original Message -----
From: "Adam Hardy" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Sunday, September 07, 2003 10:43 AM
Subject: Re: SSL/Verisign Confusion

> Hi Dave,
> how much does it cost at Verisign, and how long is it valid for? And is
> this 'openssl' you mentioned a free alternative?
>
> Adam
>
> On 09/06/2003 03:21 PM Dave Wood wrote:
> > FINALLY!
> >
> > I still don't know what I did wrong in the first place, but after starting
> > over with VeriSign, all is well now. I thought I'd share the (simple!)
> > steps I took to get SSL running using keytool/tomcat in case anyone else
> > might find this useful:
> >
> > # keytool -genkey -alias tomcat -keyalg RSA
> > [enter a password and all necessary information, then just <enter> at next
> > password prompt]
> > # cp ~/.keystore ~/.keystore-backup
> > # keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
> > [enter same password]
> > [give contents of certreq.csr to VeriSign and wait for response...]
> > [NOTE: when asked to select my server software, I chose "apache" since they
> > didn't have Tomcat in their list...I don't know if this matters, but it
> > worked]
> > # keytool -import -trustcacerts -file intermediate.crt -alias root
> > [enter same password]
> > [NOTE: intermediate.crt is the file found here:
> > http://www.verisign.com/support/install/intermediate.html]
> > # keytool -import -trustcacerts -file public.crt -alias tomcat
> > [enter same password]
> > [where public.crt is the certificate sent from VeriSign after they complete
> > their approval process]
> > [finally, edit ...tomcat/conf/server.xml and enable the SSL connector
> > section, adding keystorePass="[password]"
> > as an attribute to the Factory tag]
> >
> > Hope this helps.
> >
> > Thanks to all who provided suggestions along the way.
> >
> > Dave
> >
> > -----Original Message-----
> > From: Dave Wood [mailto:[EMAIL PROTECTED]
> > Sent: Friday, September 05, 2003 11:40 AM
> > To: Tomcat Users List
> > Subject: RE: SSL/Verisign Confusion
> >
> >
> > Well, after all this, I just discovered that VeriSign will basically let you
> > start over if it's within 30 days (which it is). So, for now, I'm going
> > down this path. Just talked to someone at V/S who said it would take just a
> > couple hours.
> >
> > Oh, and I made a BACKUP of my new keystore file this time that now contains
> > a single "keyEntry" with the alias "tomcat". I try to avoid being stupid in
> > the same way more than once! :)
> >
> > As for the programmatic approach, FWIW, I started down that path as well,
> > but somehow I had no private key entry in the keystore (best I can tell).
> > Still not sure how I got in that messed up state.
> >
> > Thanks,
> > Dave
> >
> > -----Original Message-----
> > From: Christopher Williams [mailto:[EMAIL PROTECTED]
> > Sent: Friday, September 05, 2003 9:43 AM
> > To: Tomcat Users List
> > Subject: Re: SSL/Verisign Confusion
> >
> >
> > Have you thought of manipulating the keystore programmatically? Here's what
> > you'd do:
> >
> > 1. Open your existing keystore
> > 2. Find the entry with your private key and (presumably) a temporary
> > self-signed certificate.
> > 3. Open the certificate you got from Verisign.
> > 4. Change the certificate in your key entry to your Verisign certificate.
> > 5. Save and close the keystore.
> >
> > OpenSSL doesn't understand most of the Java keystore formats, although it
> > can manipulate PKCS#12 files which Keytool can handle. If you download the
> > BouncyCastle crypto provider, then you can use keytool to write PKCS#12
> > files as well.
> >
> > Also, if the person who originally posted the question doesn't feel up to
> > monkeying around with the Keystore classes, I have some code that I can
> > adapt to stick your Verisign certificate in your keystore.
> > Get in touch with me personally and I'll see what I can do.
> >
> > ----- Original Message -----
> > From: "Jay Garala" <[EMAIL PROTECTED]>
> > To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> > Sent: Friday, September 05, 2003 3:36 PM
> > Subject: RE: SSL/Verisign Confusion
> >
> >
> > NOTE: You cannot export a private key from the keystore.
> >
> > -----Original Message-----
> > From: Dave Wood [mailto:[EMAIL PROTECTED]
> > Sent: Friday, September 05, 2003 10:32 AM
> > To: Tomcat Users List
> > Subject: RE: SSL/Verisign Confusion
> >
> > Thanks. With the exception of the openssl doc, I've been over these quite a
> > bit. The result is the problem I've mentioned where keytool says it can't
> > import my certificate because the alias already exists.
> >
> > After some help I got last night, I think the question boils down to this:
> >
> > * once I have extracted my private key from keytool (haven't done this yet),
> > how do I take that key, the VeriSign intermediate certificate and my public
> > key certificate and get them to play together. I'm hoping the openssl stuff
> > will take care of this, because keytool doesn't really seem to recognize
> > private keys as things that you can work with directly.
> >
> > Thanks again,
> > Dave
> >
> > -----Original Message-----
> > From: Jay Garala [mailto:[EMAIL PROTECTED]
> > Sent: Friday, September 05, 2003 7:12 AM
> > To: 'Tomcat Users List'
> > Subject: RE: SSL/Verisign Confusion
> >
> >
> > Try the Java keytool help:
> > http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
> >
> > Tomcat how-to:
> > http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html
> >
> > If you have OpenSSL:
> > http://forum.java.sun.com/thread.jsp?forum=2&thread=4240
> >
> > Jay
> > -----Original Message-----
> > From: Dave Wood [mailto:[EMAIL PROTECTED]
> > Sent: Friday, September 05, 2003 1:04 AM
> > To: Tomcat Users List
> > Subject: RE: SSL/Verisign Confusion
> >
> > Thanks Bill.
> > I think this highlights something I'm really not
> > understanding...
> >
> > Didn't I generate an important "private key" somewhere along the line that I
> > can't just regenerate if I blow away my keystore? I assumed the certificate
> > I got back from verisign would only work if I still had the original private
> > key I generated before sending them my request. Is that wrong?
> >
> > (I'll take a look at the link you sent...at first glance, it looks a little
> > hard to follow, but hopefully not).
> >
> > Thanks again.
> >
> > Dave
> >
> > -----Original Message-----
> > From: news [mailto:[EMAIL PROTECTED] Behalf Of Bill Barker
> > Sent: Thursday, September 04, 2003 11:06 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: SSL/Verisign Confusion
> >
> >
> > Firstly, it looks like you should wipe your keystore and start again. To use
> > a VS cert with Tomcat, the two options I know are:
> > 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm.
> > 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and
> > use that as your keystore (remember to set 'keystoreType="pkcs12"' on the
> > Factory in server.xml).
> >
> >
> > "Dave Wood" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]
> >
> >>I'm having a problem getting an SSL certificate from Verisign working
> >>correctly. I'm going to include everything I can think of that MIGHT be a
> >>problem. Unfortunately, there are a couple things I can't quite remember
> >>for certain. Here's the situation:
> >>
> >>1. I generated the initial key using an alias other than "tomcat" (we'll
> >>call it "company")
> >>2. I generated the CSR and sent it to verisign. I still have this file.
> >>3. Verisign changed the company name during the verification process (from
> >>an acronym to the full spelling of the name)
> >>4. I now have the certificate that they sent back after the validation
> >>process.
> >>5. One thing I can't account for is why when I see this:
> >>
> >>$ keytool -list
> >>
> >>Keystore type: jks
> >>Keystore provider: SUN
> >>
> >>Your keystore contains 4 entries: (...others removed...)
> >>
> >>company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry,
> >>Certificate fingerprint (MD5):
> >>00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really
> >>0's)
> >>
> >>...I think I must have self-signed or something (I was doing a couple of
> >>these things and don't recall exactly), but I'm surprised to see
> >>"trustedCertEntry" here.
> >>
> >>The problem I'm having is this:
> >>
> >>$ keytool -import -trustcacerts -alias company -file public.crt
> >>Enter keystore password: xxx
> >>keytool error: java.lang.Exception: Certificate not imported, alias
> >><company> already exists
> >>
> >>(but I'm thinking it should be REPLACING this entry, so the fact that it
> >>exists shouldn't be a problem???)
> >>
> >>So, I have several questions:
> >>
> >>1. Am I hosed completely because I didn't use "tomcat" as the alias?
> >>2. How does the private key get stored exactly? I assume that if I delete
> >>the current entry for the "company" alias, I'll be losing the private key,
> >>right?
> >>3. Can someone provide steps I should take to get this working given what I
> >>have said above.
> >>
> >>Thanks so much in advance. Sorry to be so long-winded.
> >>
> >>-Dave
> >>---
> >>Outgoing mail is certified Virus Free.
> >>Checked by AVG anti-virus system (http://www.grisoft.com).
> >>Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> > ---
> > Incoming mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003
> >
> --
> struts 1.1 + tomcat 4.1.27 + java 1.4.2
> Linux 2.4.20 RH9
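Christopher Williams' five programmatic steps, Bill Barker's PKCS#12 option and Dave's question about whether the returned certificate still needs the original private key, put together as an added Java example. This is not code from anyone in the thread; the keystore path, alias, file names and password are placeholders, and it assumes (as with keytool -genkey when you press <enter> at the second prompt) that the key entry is protected by the store password.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example, not from the thread: install a CA-signed certificate into the
// existing key entry of a JKS keystore without touching the private key.
public class InstallSignedCert {

    // Read one X.509 certificate (PEM or DER) from disk.
    static X509Certificate readCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // Replace the self-signed certificate in key entry 'alias' with the chain
    // [signed cert, intermediate], keeping the private key that produced the CSR.
    static void installSignedCert(String ksPath, char[] storePw, String alias,
                                  String signedPath, String intermediatePath) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(ksPath)) {
            ks.load(in, storePw);
        }

        // A trustedCertEntry holds only a certificate. There is no private key to
        // pair the CA's reply with, so the only cure is a backup of the original
        // keystore or a fresh -genkey / -certreq round trip.
        if (ks.isCertificateEntry(alias)) {
            throw new IllegalStateException(alias + " is a trustedCertEntry, not a keyEntry: "
                    + "the private key that signed the CSR is not in this keystore");
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("no entry named " + alias);
        }

        // Assumption: key password == store password (keytool's default when you
        // press <enter> at the second prompt).
        PrivateKey key = (PrivateKey) ks.getKey(alias, storePw);
        X509Certificate current = (X509Certificate) ks.getCertificateChain(alias)[0];
        X509Certificate signed = readCert(signedPath);
        X509Certificate intermediate = readCert(intermediatePath);

        // The CA certified the public key from the CSR. If it does not match the
        // key in this store, the certificate belongs to a different keystore and
        // cannot be made to work here, which answers Dave's question.
        if (!signed.getPublicKey().equals(current.getPublicKey())) {
            throw new IllegalStateException("certificate does not match the private key in " + alias);
        }
        // Confirm the chain order before writing anything: the intermediate must
        // have issued the server certificate. verify() throws on failure.
        signed.verify(intermediate.getPublicKey());

        ks.setKeyEntry(alias, key, storePw, new Certificate[] { signed, intermediate });
        try (FileOutputStream out = new FileOutputStream(ksPath)) {
            ks.store(out, storePw);
        }
    }

    // Bill Barker's second option: write the same entry out as a PKCS#12 file
    // and point Tomcat at it with keystoreType="pkcs12".
    static void exportPkcs12(String jksPath, char[] storePw, String alias, String p12Path)
            throws Exception {
        KeyStore jks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(jksPath)) {
            jks.load(in, storePw);
        }
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(null, null); // start with an empty PKCS#12 store
        p12.setKeyEntry(alias, jks.getKey(alias, storePw), storePw, jks.getCertificateChain(alias));
        try (FileOutputStream out = new FileOutputStream(p12Path)) {
            p12.store(out, storePw);
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // placeholder password
        // Placeholder paths; public.crt and intermediate.crt are the files named in the thread.
        installSignedCert("/home/tomcat/.keystore", pw, "tomcat", "public.crt", "intermediate.crt");
        exportPkcs12("/home/tomcat/.keystore", pw, "tomcat", "tomcat.p12");
    }
}
```

The isCertificateEntry check is the programmatic form of the error Dave hit: keytool -import treats a certificate given for an existing keyEntry as a reply to that key's CSR and replaces its chain, but refuses when the alias already holds a trustedCertEntry, because there is no key for the reply to belong to. Checking the public key and the issuer before calling setKeyEntry means a mismatched or mis-ordered chain fails before the keystore is rewritten, rather than surfacing later as a handshake failure in Tomcat.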