Hi Chris-

It depends on what you're trying to do. If all you're trying to do is put the certificate in the keystore as a Trusted Certificate Entry, you can use keytool to do that (check the openssl doc to see how to export the cert in DER format). This is typically done when you're using client authentication on the SSL connection (i.e., the client must present a certificate to your server that has been signed by a CA that your server finds acceptable). This is pretty uncommon for public webservers, though.

The much more common situation is the server using the certificate *and the corresponding private key* to prove to clients that the server is who it says it is. This is what happens when you generate a private key and a Certificate Signing Request (CSR) for the server, send the CSR off to a CA like Verisign or Thawte, and then get back a certificate signed by the CA. In this case, you need to import *both* the certificate and its private key into the keystore, because Tomcat needs both to do SSL server authentication. This is where keytool is annoyingly broken. keytool can generate a private key and CSR and import the cert that the CA gives you, but it cannot import a private key that it did not generate.

The Java crypto api does support importing private keys into a keystore though, so you either need to write the code yourself or find the code elsewhere - that's what the website I gave below has.

If you're not a Java programmer and can't cajole one into compiling it for you, you might check out http://www.lazgosoftware.com/kse/. It has a GUI-based keytool replacement, but it's not free. (The original version was open-source; it looks like that's been pulled in favor of the payware version. You may be able to find a copy of the open-source one somewhere.)

-Jim


Chris Purcell wrote:

I want to make sure we're on the same page here.  I have a certificate
that looks like this...

-----BEGIN CERTIFICATE-----
MIID/DCCAuSgAwIBAgIEAIXW1jANBgkqhkiG9w0BAQQFADCBozELMAkGA1UEBhMC
blablablabla
/WeCY0ZzyRYuHhQYIm3R+A==
-----END CERTIFICATE-----

I copied it to a plain text file called domain.cert and then ran this
command and received this below error...

[EMAIL PROTECTED] root# /usr/java/bin/keytool -import -file domain.cert -storetype pkcs12
keytool error: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.

Am I doing this right?

Thanks,
Chris



I saw your original post but forgot to reply ...

You can use keytool to import the certificate using pkcs12 certificate
store (add a '-storetype pkcs12' to keytool's arguments), which is
supported by tomcat.

Also, if your certificate is signed by an intermediate CA (meaning more
than 2 certs on the chain), you will have to give each cert an alias
name when you export it from openssl, otherwise the keytool won't
recognize the chain. This really took me a while to figure out ...

HTH,

Dennis

On 5/25/2004 12:30 PM, Chris Purcell wrote:

Thanks for the link Jim, I'm just getting around to this certificate
now, I got swamped with some extra work that I had to complete first.
I looked at the link you sent, but there is a small problem, I don't
know anything about Java:)  What do I do with the source code given on
the page?  Should I copy it into a text file and run it with the java
command?  The only programming language I'm familiar with is Perl.

Thanks,
Chris




Hi Chris-

I had to do this myself a month ago.

You can't use Sun's keytool to import private keys into keystores.
You'll need to use something else to load the private key and
corresponding cert into a keystore which Tomcat can then read.

See the program and notes at http://www.comu.de/docs/tomcat_ssl.htm -
it will explain how to use openssl to convert an existing private key
and cert into a format that can then be loaded (using source code they
provide) into a Java JKS keystore.

Let me know if you need more details.

-Jim

Chris Purcell wrote:


I have an Apache server with an SSL certificate installed from a CA.
It's just a plain text certificate that looks like this..

-----BEGIN CERTIFICATE-----
MIID/DCCAuSgAwIBAgIEAIXW1jANBgkqhkiG9w0BAQQFADCBozELMAkGA1UEBhMC
blablablba
/WeCY0ZzyRYuHhQYIm3R+A==
-----END CERTIFICATE-----

I want to move this certificate to a new server that only runs
Tomcat in standalone mode. I tried to convert it like this (below)
but am getting an error...

[EMAIL PROTECTED] cert# openssl pkcs12 -export -inkey host-privkey.pem -in server.cert -out host.foo.org.pfx
[EMAIL PROTECTED] cert# /usr/java/bin/keytool -import -file host.foo.org.pfx
Enter keystore password: changeit
keytool error: java.lang.Exception: Input not an X.509 certificate

Am I doing something wrong here?

Thanks,
Chris



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
