Hello Rick, I tried your method and everything seemed to work till I restarted the server. My keystore.tomcat is outside of the ofbiz directory, would this make a difference? The log says the following:
2008-05-28 13:03:16,740 (main) [ Http11BaseProtocol.java:141:ERROR] Error initializing endpoint
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
    at sun.security.util.DerInputStream.getLength(DerInputStream.java:530)
    at sun.security.util.DerValue.init(DerValue.java:346)
    at sun.security.util.DerValue.<init>(DerValue.java:302)
    at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1198)
    at java.security.KeyStore.load(KeyStore.java:1150)

Richard Fleming wrote:
>
> Hi all-
>
> Finally got it working w/ GoDaddy certificate. This is what I did -
>
> <!--Download openssl developer for win32 or unix-->
>
> 1. Create private key file.
> openssl genrsa -out privkey.pem 4096
>
> 2. Create CSR
> openssl req -new -key privkey.pem -out cert.csr
>
> 3. Submit CSR to godaddy.
>
> 4. Create keystore w/ new certificate.
>
> openssl pkcs12 -export -chain -CAfile gd_bundle.crt -in <name of your certificate> -inkey <name of your certificate private key file> -out keystore.tomcat -name tomcat -passout pass:changeit
>
> When you have completed installing your certificate, you must configure
> your framework/base/config/ofbiz-containers.xml configuration file to
> point to the correct pkcs12 keystore file:
>
> 1. Open the ofbiz-containers.xml file.
>
> 2. Add the following directives to the https-connector tag (towards the
> bottom of the file):
>
> keystoreFile=<path to>\keystore.tomcat
> keystorePass="changeit"
> keystoreType="PKCS12"
>
> 4. Restart Tomcat.
>
> Hope this can help someone out at some point.
>
> Rick
>
> Three sources helped:
> http://www.openssl.org/docs/HOWTO/certificates.txt
> http://docs.ofbiz.org/display/OFBTECH/Apache+OFBiz+Technical+Production+Setup+Guide
> GoDaddy.com installation instructions.
>
>
> Richard Fleming <[EMAIL PROTECTED]> wrote: Joe - Thanks for the reply.
>
> First off, according to GoDaddy, their certificates are downloaded in
> PKCS#7 format using x.509.
>
> First I created the keystore...
> c:\java\jdk1.5\bin\ keytool -genkey -keyalg RSA -alias ssl -keystore eparts.keystore
>
> Second the CSR..
> c:\java\jdk1.5\bin\ keytool -certreq -alias ssl -keyalg RSA -file certreq.csr -keystore eparts.keystore
>
> Third, submitted to GoDaddy and downloaded 4 files from them..
> valicert_class2_root
> gd_cross_intermediate.crt
> gd_intermediate.crt
> www.epartsbiz.com.crt
>
> Fourth, I ran the following to import them into the keystore...
>
> keytool -import -alias root -keystore eparts.keystore -trustcacerts -file valicert_class2_root.crt
>
> keytool -import -alias cross -keystore eparts.keystore -trustcacerts -file gd_cross_intermediate.crt
>
> keytool -import -alias intermed -keystore eparts.keystore -trustcacerts -file gd_intermediate.crt
>
> keytool -import -alias tomcat -keystore eparts.keystore -trustcacerts -file www.epartsbiz.com.crt
>
> I get success at the end of each import. I then copied the eparts.keystore
> into base/config/ and changed the password and file directive in
> ofbiz_container.xml. Restarted tomcat.
>
> Thanks for any help!
> Rick
>
>
> Joe Eckard wrote: Can you describe the process you used to import the
> certificate into a keystore?
>
> I always start with a .key and a .crt and follow "Step 3: Loading Keys
> and Certificates" here:
>
> http://docs.codehaus.org/display/JETTY/How+to+configure+SSL#HowtoconfigureSSL-step3
>
> to convert them to pkcs12 and load them into a JKS keystore. (may
> require that you download jetty to use their pkcs12 import utility
> class, depending on your certificate format)
>
> -Joe
>
> On May 17, 2008, at 3:39 PM, Richard Fleming wrote:
>
>> Hi all -
>>
>> I've created a keystore and downloaded a signed certificate from
>> Godaddy.com. I've imported both intermediate and new cert into my
>> keystore. I configured the containers.xml to use the new keystore
>> and restarted ofbiz. But still both Firefox and IE see the new cert
>> as issued by me and it seems therefore that a warning pops up about
>> a problem with the certificate not being issued by a trusted authority.
>>
>> Any pointers about how to go about correcting this would be really
>> appreciated. I've followed the ofbiz technical guide for setting up
>> SSL.
>>
>> Do we still need to download in PKCS#7 format? I haven't asked
>> Godaddy which format they provide. I'll do that next.
>>
>> Thanks for any and all pointers.
>>
>> Rick
>>

-- 
View this message in context: http://www.nabble.com/SSL-certificate-installation-tp17295499p17518954.html
Sent from the OFBiz - User mailing list archive at Nabble.com.
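
The number in `lengthTag=109, too big` comes from the second byte of the file the PKCS12 loader was given: a JKS keystore begins with the bytes FE ED FE ED, and a DER reader that treats 0xED as a long-form length octet gets 0xED & 0x7F = 109 length octets, which it rejects. The following is an added example, not part of the original thread, that classifies a keystore by its leading bytes and reproduces that check. The function names and sample headers are constructed for illustration.

```python
import sys

# Leading bytes of the container formats a Java SSL connector may be pointed at.
JKS_MAGIC = bytes.fromhex("feedfeed")      # JKS keystore header
PEM_PREFIX = b"-----BEGIN"                 # PEM text, not a binary keystore


def der_length_tag(length_octet):
    """Return the 'lengthTag' a DER reader rejects for this length octet, else None.

    Short form (high bit clear) is always accepted. In long form the low seven
    bits give the number of length octets; more than 4 is rejected as too big.
    """
    if length_octet & 0x80 == 0:
        return None
    count = length_octet & 0x7F
    return count if count > 4 else None


def sniff_keystore(head):
    """Classify a keystore from its first bytes.

    Returns (kind, length_tag). length_tag is the N that a PKCS12 load of this
    file would report as 'lengthTag=N, too big', or None if the length octet
    itself passes the check.
    """
    if len(head) < 4:
        return "unknown", None
    tag = der_length_tag(head[1])
    if head.startswith(JKS_MAGIC):
        return "JKS", tag
    if head.startswith(PEM_PREFIX):
        return "PEM", tag
    if head[0] == 0x30 and tag is None:    # 0x30 = DER SEQUENCE, as in a PKCS12 PFX
        return "DER (PKCS12 candidate)", tag
    return "unknown", tag


# Constructed sample headers, not taken from any real keystore.
SAMPLE_JKS = bytes.fromhex("feedfeed00000002")   # JKS magic + version 2
SAMPLE_P12 = bytes.fromhex("30820a2b020103")     # SEQUENCE, 2 length octets, INTEGER 3
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n"

if __name__ == "__main__":
    # Usage: python sniff_keystore.py <path to keystore file>
    with open(sys.argv[1], "rb") as fh:
        print(sniff_keystore(fh.read(16)))
```

A result of `('JKS', 109)` for the file named in `keystoreFile` means the file and the `keystoreType="PKCS12"` setting do not match.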