Hi Dan

If you reference this simple test.jsp, does every version of every browser 
accept the cert as a CA cert and properly install your certificate?

<%@ page contentType="text/html"%>
<html>
  <head>
    <!-- wait 1 second, then redirect to the .cer so the browser offers to install it -->
    <meta http-equiv="refresh" content="1; URL=http://DanMachine:8080/Danwebapp/DanCertificate.cer">
  </head>
  <body>
  </body>
</html>

Martin Gainty 
______________________________________________ 
Legal and Confidentiality Notice

This message is confidential and may be privileged. If you are not the 
intended recipient, please notify the sender. Any unauthorised forwarding 
or copying of it is prohibited. This message serves only to exchange 
information and has no legally binding effect. Since e-mail can easily be 
manipulated, we accept no liability for its content.


> Subject: Re: SSL BIO/NIO setup with openssl CA puzzle
> From: dmik...@vmware.com
> Date: Fri, 26 Oct 2012 08:24:44 -0400
> To: users@tomcat.apache.org
> 
> On Oct 26, 2012, at 5:11 AM, Brian Burch wrote:
> 
> > My production tomcat 7.0.26 (and its predecessors back as far as tc 5) have 
> > been running with its original SSL server certificate in a JKS keystore for 
> > many years.
> > 
> > I decided to retire my ancient java-based Certificate Authority and create 
> > a new CA using openssl 1.0.1 under ubuntu linux.
> 
> Just my $0.02, but if you are just using Java-based applications, stick with 
> keytool.  It will save you time.
> 
> > 
> > I followed the guidance in 
> > http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File
> > 
> > I thought it would be sensible to generate all my new certificates and 
> > keystores using only openssl, so that I could use the same procedures for 
> > java and non-java applications. This meant I needed to produce a PKCS12 
> > keystore for tomcat to use.
> > 
> > I hit a succession of problems and resolved them, so I thought it would be 
> > helpful to update the wiki once I had a keystore that worked properly 
> > (details of tips and gotchas available).
> > 
> > There are a lot of variables that I've explored, but I haven't yet 
> > succeeded with my "pure openssl" approach.
> 
> I believe that what you are trying to do should work.  It might be easier to 
> debug if we could see a list of the commands that you've run.  Maybe just 
> copy and paste your shell session?
> 
> > I do have a PKCS12 keystore that keytool (with the -storetype pkcs12 
> > option) can list perfectly, but tomcat cannot open (with 
> > keystoreType="pkcs12" in the Connector). Both tomcat, and keytool are 
> > running from java-6-sun-1.6.0.26/jre/lib/i386. The log shows:
> > 
> > 17-Oct-2012 15:33:51 org.apache.coyote.AbstractProtocol init
> > SEVERE: Failed to initialize end point associated with ProtocolHandler 
> > ["http-bio-443"]
> > java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
> >        at 
> > sun.security.util.DerInputStream.getLength(DerInputStream.java:544)
> 
> Please include your connector configuration.
> 
> Dan
> 
> 
> > 
> > 
> > To understand the problem better, I started again by using keytool 
> > -genkeypair and then -certreq. I issued the new certificate with openssl 
> > and then imported the certificate chain into the JKS keystore.
> > 
> > At this point I don't actually have a problem, because both keytool and 
> > tomcat are satisfied with the new keystore and my production system has 
> > been converted successfully.
> > 
> > I hit some problems with this second approach (keytool genkeypair), and so I 
> > could add a few notes to the wiki entry. However, I'm bothered that I 
> > couldn't get the first approach to work (pure openssl with pkcs12).
> > 
> > google throws up a lot of matches for the DerInputStream.getLength error - 
> > even one from Mark Thomas about tomcat 4! I found a lot of red herrings, 
> > and a few useful ideas, but nothing to resolve my problem.
> > 
> > It isn't encouraging to see "man pkcs12" ending with the sentence "Some 
> > would argue that the PKCS#12 standard is one big bug :-)", and yet JKS has 
> > to be a dead-end approach because it only applies to java.
> > 
> > I have another system with java-7-openjdk-i386, but I haven't yet done any 
> > work on it. This openjdk does not ship with a keytool program, and so I 
> > presume it will use openssl.
> > 
> > I wonder whether I have hit a sun java 6 (and 7?) bug that is of limited 
> > interest - does anyone have any thoughts?
> > 
> > Thanks..
> > 
> > Brian
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> > 
> 
> 
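The "pure openssl" route Brian describes, carried through end to end as an added example (this is not code from the thread, the Tomcat wiki or the Tomcat project): openssl creates the CA and the server certificate, packages them as PKCS#12, and then two checks run before Java is involved at all. The first check looks at the file's first bytes: Java's DerInputStream reads the outer SEQUENCE tag and its length before anything else, so a keystore that is not DER at offset zero (PEM text, a truncated or re-encoded file) fails in getLength() rather than with a PKCS#12-specific message. The second check lets openssl verify the MAC with the store password. The Connector attributes are those from the Tomcat 7 SSL howto for the BIO connector; the host name, the alias `tomcat`, the password `changeit`, the file names and the `-days` values are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: the "pure openssl" route to a
# PKCS#12 keystore Tomcat can load, plus two checks to run before blaming Java.
# Host name, alias, password, file names and lifetimes are assumptions.
set -e

# Build a throw-away CA, a server key/certificate signed by it, and a
# PKCS#12 bundle holding the key, the server cert and the CA cert.
# Usage: build_pkcs12 <dir> <hostname> <store-password>
build_pkcs12() {
    dir=$1; host=$2; pass=$3
    mkdir -p "$dir"
    # 1. CA private key + self-signed CA certificate (PEM)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. server private key + certificate signing request
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" \
        -keyout "$dir/tomcat.key" -out "$dir/tomcat.csr" 2>/dev/null
    # 3. the CA issues the server certificate
    openssl x509 -req -sha256 -days 825 -in "$dir/tomcat.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/tomcat.crt" 2>/dev/null
    # 4. bundle as PKCS#12; -name sets the alias that keyAlias="tomcat" looks up
    openssl pkcs12 -export -name tomcat \
        -inkey "$dir/tomcat.key" -in "$dir/tomcat.crt" -certfile "$dir/ca.crt" \
        -passout "pass:$pass" -out "$dir/tomcat.p12"
}

# First two bytes of a file as hex: "3082" for a DER SEQUENCE with a two-byte
# length (what a PKCS#12 file of a few KB starts with), "2d2d" for PEM text
# ("-----BEGIN ...").
der_header() {
    od -An -tx1 -N2 "$1" | tr -d ' \n'
}

# A keystore that does not begin with the SEQUENCE tag 0x30 is not DER and
# will fail inside Java's DerInputStream before any PKCS#12 parsing happens.
is_der_sequence() {
    case "$(der_header "$1")" in
        30*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Let openssl verify the MAC with the store password. Non-zero exit means a
# wrong password or a file that is not PKCS#12 at all.
verify_pkcs12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout -info 2>/dev/null
}

# The BIO connector from the Tomcat 7 SSL howto, pointed at the PKCS#12 file.
# keystoreType="pkcs12" is what stops JSSE from parsing the file as JKS.
connector_xml() {
    cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="$1" keystoreType="pkcs12" keystorePass="$2"
           keyAlias="tomcat" clientAuth="false" sslProtocol="TLS" />
EOF
}

demo() {
    dir=$(mktemp -d)
    build_pkcs12 "$dir" tomcat.example.test changeit
    echo "header bytes: $(der_header "$dir/tomcat.p12")"
    is_der_sequence "$dir/tomcat.p12" && echo "starts with a DER SEQUENCE"
    verify_pkcs12 "$dir/tomcat.p12" changeit && echo "openssl verifies the MAC"
    # keytool is the closest thing to what Tomcat will do; skipped if no JDK is here
    if command -v keytool >/dev/null 2>&1; then
        keytool -list -storetype pkcs12 -keystore "$dir/tomcat.p12" \
            -storepass changeit || echo "keytool could not read the store"
    fi
    connector_xml "$dir/tomcat.p12" changeit
}

demo
```

If keytool -list -storetype pkcs12 reads the store but Tomcat still fails, compare the JDK the Connector runs under with the one keytool ran from, and check that keystoreFile points at the .p12 and not at a PEM copy. One caveat for stores that must be read by an old JDK such as the thread's Java 6: OpenSSL 3 exports PKCS#12 with AES-256 and a SHA-256 MAC by default, which older JSSE providers cannot read; add `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1` to the export step for those.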