Hi Nate. I am not sure if this is relevant, but think it is - the private keys, CSRs and certificates I am using with tomcat (as per my email from yesterday -- although I have not posted my mechanism for exporting PFX and PEM certificates -with Private Keys etc) have been used as is imported into IIS, Apache, etc with no problems. I will post my export function (as well as the import functions for PFX and PEM with private keys attached) later (or tomorrow) - just a little busy right now.
I have a large number of actual certificates (purchased from a number of CAs including verisign) in production use. Anyway - will post my other steps/functions etc as soon as I have a moment! Regards, Carl -----Original Message----- From: Nate Rock [mailto:[EMAIL PROTECTED] Sent: 05 December 2005 05:11 To: Tomcat Users List; [EMAIL PROTECTED] Subject: RE: SSL InvalidKeystore Format? I think the issue Scott is getting caught up on is the same issue I have been having for the last week: Using APR + SSL with anything but a self signed certificate isn't clearly defined as of yet. Scott, my recommendation to you at this point is to uninstall tomcat, and then reinstall it making sure to NOT check the "native" checkbox when given installation options. This will install tomcat without the APR connector and the steps listed on Verisign (and on the tomcat site) using java keytores will work fine. I know Carl and Dhaval have been giving awesome information about how to generate csrs/keystores etc. but none of us (including me) has a rock solid example using an actual verisign certificate that they have set up and have running right now in production using APR. (Remy?) I think that using OpenSSL for generating the private key/csr will end up being the "way it's done" because of the difference between RSA and PKCS8 private key encodings. (OpenSSL vs java keystore default encodings) If any of you have actually used a verisign (NOT a self signed OpenSSL certificate from http://www.fatofthelan.com/articles/articles.php?pid=12.) with APR+SSL please post the exact steps you used from generating the primary key/csr file down to the connector you used. We would also like to know exactly what encoding the primary key/cert is in because as I found out this week, PEM is different if you are using OpenSSL vs JSSE. =P I will be getting a verisign certificate early this week to try out some things I discovered over the weekend involving some un-documented APR params that are part of mod_ssl that may be the missing link (SSLCACertificateFile attribute ;). I think part of the issue with APR + verisign certificates is the location for the trusted CA certificates. How does one point the APR connector so that it trusts the verisign root CA cert(s) (the APR doesn't use the cacerts java keystore... Where is it getting it's list of trusted CAs?) The mod_ssl doc points to the attribute SSLCACertificateFile for giving it a list of trusted CAs. http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcacertificatefile But it's not listed on the APR page under the SSL section. After checking out the source code, it looks like this attribute is "supported" just not documented so I decided to try it out using my self signed certificate as the CA certificate. Using my self-signed server.crt, I copied it and renamed it to ca.crt (it can be it's own ca, since it's self signed ;) <Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" scheme="https" secure="true" SSLEngine="on" SSLCertificateFile="${catalina.base}/bin/server.crt" SSLCertificateKeyFile="${catalina.base}/bin/server.key" SSLCACertificateFile="${catalina.base}/bin/ca.crt" SSLVerifyClient="require" /> No errors were thrown and I was indeed prompted for a client certificate. I can experiment with this a bit more later on this week but for now I am recommending to our company to hold off on the APR connector under windows until the APR+SSL thing is ironed out a bit more. Guess I get to go uninstall/re-install tomcat(without the APR connector) on our test server bright and early tommorrow morning. Thanks to Carl, Dhaval and Remey for all their input this week... I know I have learned a lot and have hopefully thrown out some something informative. I know we can get it figured out, I just have a few other projects I put off towards the end of last week that need to get done before wed but I will still try to monitor the SSL threads. -rOcK --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
