Sorry, I was wrong (it's been a while ...). You don't really need to import the PKCS12-format certificate into a keystore; the .pfx you generated earlier *is* the keystore, in PKCS12 format.

Now you only need to configure Tomcat to recognize the keystore. See http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html for details. Specifically, you will need to add the keystoreType="PKCS12" attribute to your SSL Connector, among a whole bunch of others.
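
Added example (Python, not code from this thread or from Tomcat/keytool): a small sniffer that reads only the outer DER structure of a file to tell an X.509 certificate, which keytool -import expects, from a PKCS#12 keystore, which is what openssl pkcs12 -export produces and what Tomcat reads with keystoreType="PKCS12". The function names, hint strings and minimal DER samples are constructed for this example; the classification is a heuristic on the first inner element, not a full ASN.1 parser.

```python
import base64
import re
# Added example, not code from the thread: sniff the outer DER structure of a
# file to tell an X.509 certificate (what keytool -import wants) from a PKCS#12
# keystore (what Tomcat reads with keystoreType="PKCS12"). Heuristic only.

def der_length(buf, i):  # decode the DER length at buf[i] -> (length, index after it)
    if buf[i] < 0x80:                     # short form: one byte
        return buf[i], i + 1
    n = buf[i] & 0x7F                     # long form: n length bytes follow
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("bad DER length at offset %d" % i)
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def classify_der(data):
    if len(data) < 2 or data[0] != 0x30:  # all three formats are an outer SEQUENCE
        return "unknown"
    length, i = der_length(data, 1)
    if length == 0 or i + length != len(data):
        return "unknown"
    tag = data[i]
    if tag == 0x30:                       # SEQUENCE { SEQUENCE tbsCertificate, ... }
        return "certificate"              # (CSRs and public keys share this shape)
    if tag == 0x02:                       # SEQUENCE { INTEGER version, ... }
        vlen, j = der_length(data, i + 1)
        version = int.from_bytes(data[j:j + vlen], "big")
        # PFX version is always 3; PKCS#8, PKCS#1 RSA and SEC1 EC keys use 0 or 1
        return {3: "pkcs12-keystore", 0: "private-key", 1: "private-key"}.get(version, "unknown")
    return "unknown"

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def classify(data):  # accept PEM or DER; PEM armor is stripped and the payload classified
    m = PEM_RE.search(data)
    if m:
        return "pem:" + classify_der(base64.b64decode(b"".join(m.group(2).split())))
    return "der:" + classify_der(data)

HINTS = {  # each hint restates advice given elsewhere in this thread
    "certificate": "keytool -import -file accepts this",
    "pkcs12-keystore": 'already a keystore: set keystoreType="PKCS12" on the Tomcat SSL Connector',
    "private-key": "keytool cannot import a bare private key; bundle it with the cert via openssl pkcs12 -export",
}

def keytool_hint(data):
    return HINTS.get(classify(data).split(":", 1)[1], "not something keytool -import can use")

SAMPLE_CERT = b"\x30\x05\x30\x03\x02\x01\x01"   # constructed DER skeletons, not real objects
SAMPLE_PFX = b"\x30\x05\x02\x01\x03\x30\x00"
SAMPLE_KEY = b"\x30\x05\x02\x01\x00\x30\x00"
```

Run keytool_hint() over the file you are about to hand to keytool; a .pfx comes back as a keystore and belongs in the Connector configuration, not in a keytool -import.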

On 5/25/2004 1:21 PM, Chris Purcell wrote:

I want to make sure we're on the same page here.  I have a certificate
that looks like this...

-----BEGIN CERTIFICATE-----
MIID/DCCAuSgAwIBAgIEAIXW1jANBgkqhkiG9w0BAQQFADCBozELMAkGA1UEBhMC
blablablabla
/WeCY0ZzyRYuHhQYIm3R+A==
-----END CERTIFICATE-----

I copied it to a plain text file called domain.cert and then ran this
command and received this below error...

[EMAIL PROTECTED] root# /usr/java/bin/keytool -import -file domain.cert
-storetype pkcs12
keytool error: java.io.IOException: DerInputStream.getLength():
lengthTag=109, too big.

Am I doing this right?

Thanks,
Chris


I saw your original post but forgot to reply ...

You can use keytool to import the certificate using a pkcs12 certificate
store (add '-storetype pkcs12' to keytool's arguments), which is
supported by Tomcat.

Also, if your certificate is signed by an intermediate CA (meaning more
than 2 certs on the chain), you will have to give each cert an alias
name when you export it from openssl, otherwise the keytool won't
recognize the chain. This really took me a while to figure out ...

HTH,

Dennis

On 5/25/2004 12:30 PM, Chris Purcell wrote:
Thanks for the link Jim, I'm just getting around to this certificate
now, I got swamped with some extra work that I had to complete first.
I looked at the link you sent, but there is a small problem, I don't
know anything about Java:)  What do I do with the source code given on
the page?  Should I copy it into a text file and run it with the java
command?  The only programming language I'm familiar with is Perl.

Thanks,
Chris



Hi Chris-

I had to do this myself a month ago.

You can't use Sun's keytool to import private keys into keystores.
You'll need to use something else to load the private key and
corresponding cert into a keystore which Tomcat can then read.

See the program and notes at http://www.comu.de/docs/tomcat_ssl.htm -
it will explain how to use openssl to convert an existing private key
and cert into a format that can then be loaded (using source code they
provide) into a Java JKS keystore.

Let me know if you need more details.

-Jim

Chris Purcell wrote:

I have an Apache server with an SSL certificate installed from a CA.
It's just a plain text certificate that looks like this..

-----BEGIN CERTIFICATE-----
MIID/DCCAuSgAwIBAgIEAIXW1jANBgkqhkiG9w0BAQQFADCBozELMAkGA1UEBhMC
blablablba
/WeCY0ZzyRYuHhQYIm3R+A==
-----END CERTIFICATE-----

I want to move this certificate to a new server that only runs
Tomcat in standalone mode.   I tried to convert it like this (below)
but am getting an error...

[EMAIL PROTECTED] cert# openssl pkcs12 -export -inkey host-privkey.pem -in
server.cert -out host.foo.org.pfx
[EMAIL PROTECTED] cert# /usr/java/bin/keytool -import -file host.foo.org.pfx
Enter keystore password: changeit
keytool error: java.lang.Exception: Input not an X.509 certificate

Am I doing something wrong here?

Thanks,
Chris


