On 26/10/12 13:24, Daniel Mikusa wrote:
On Oct 26, 2012, at 5:11 AM, Brian Burch wrote:
My production tomcat 7.0.26 (and its predecessors back as far as tc 5) have
been running with its original SSL server certificate in a JKS keystore for
many years.
I decided to retire my ancient java-based Certificate Authority and create a
new CA using openssl 1.0.1 under ubuntu linux.
Just my $0.02, but if you are just using Java based applications, stick with
keytool. It will save you time.
Well, yes, that was true for me too Dan (see case 2 below). But the
tomcat wiki describes how to support pkcs12 and it ought to work (or say
under what circumstances it will not).
I followed the guidance in
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File
I thought it would be sensible to generate all my new certificates and
keystores using only openssl, so that I could use the same procedures for java
and non-java applications. This meant I needed to produce a PKCS12 keystore for
tomcat to use.
I hit a succession of problems and resolved them, so I thought it would be
helpful to update the wiki once I had a keystore that worked properly (details
of tips and gotchas available).
There are a lot of variables that I've explored, but I haven't yet succeeded with my
"pure openssl" approach.
I believe that what you are trying to do should work. It might be easier to
debug if we could see a list of the commands that you've run. Maybe just copy
and paste your shell session?
Thanks for your interest, Dan. I've gone through all the steps in my
notes carefully, and done my best to confirm these results.
1. Verify the openssl self-signed CA certificate (rsa 2048 bit key)
1.1. openssl x509 -noout -text cacert.pem displays OK.
1.2. strip all lines before "-----BEGIN CERTIFICATE-----" and after
"-----END CERTIFICATE-----"
1.3. keytool -printcert -file cacert-bare.pem displays the self-signed
certificate and extensions.
------------------------
2. create a JKS keystore and issue a cert with the openssl CA
2.1. keytool -genkeypair -alias tomcat -keyalg RSA -keysize 1024
-keystore jks-keystore -validity 2000 -dname
"CN=www.mydomain.com,OU=servers,O=mydomain.com"
.. using the same passphrase for the private key and the keystore.
2.2. keytool -list -v -keystore jks-keystore displays the RSA key
wrapped with a self-signed certificate.
2.3. keytool -certreq -keystore jks-keystore -file jks-req -alias tomcat
2.4. issue the new certificate from the openssl CA, AND THEN strip
everything from the file outside the delimiters.
2.5. keytool -printcert -file jks-servercert-bare.pem displays the
ca-signed certificate and extensions.
2.6. keytool -importcert -keystore jks-keystore -file cacert-bare.pem
-alias "Certificate Authority"
2.7. keytool -importcert -keystore jks-keystore -file
jks-servercert-bare.pem -alias "tomcat"
2.8. keytool -list -v -keystore jks-keystore shows the keystore contents
as two entries:
2.8.1. the first has an alias of tomcat, a private key entry and the two
certificates which comprise the complete chain.
2.8.2. the second has an alias of "Certificate Authority", with only the
CA's certificate.
Observation 2.8.2 indicates that I have put too much into this
certificate store and that step 2.6 was redundant. Nevertheless, tomcat
is perfectly happy to start its SSL Connector using this keystore.
------------------------
3. create a PKCS12 keystore and issue a cert with the openssl CA
3.1. CA.pl -newreq, with appropriate parameter values for the DN of the
server and an RSA 1024 bit key pair. This command creates newkey.pem and
newreq.pem files, both without any text before or after the delimiter lines.
3.2. openssl rsa -noout -text -in newkey.pem opens and prints the
contents of the key pair.
3.3. openssl req -noout -text -in newreq.pem opens and prints the
contents of the certificate request, including the server's new public key.
3.4. CA.pl -sign, issues the server certificate. It is prefixed with a
text representation of the contents.
3.5. Strip everything outside the delimiters from the newcert.pem file.
3.6. openssl x509 -noout -text -in newcert-bare.pem opens and prints the
contents of the certificate, including the server's public key.
3.7. openssl pkcs12 -export -in newcert-bare.pem -inkey newkey.pem -name
"tomcat" -chain -CAfile cacert-bare.pem -caname "Certificate Authority"
-out keystore-pkcs12 (using the same password for the keystore as the key).
3.8. openssl pkcs12 -noout -info -in keystore-pkcs12 -- displays the
kinds of things in the binary file, i.e.
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
3.9. keytool -list -keystore keystore-pkcs12 -storetype pkcs12 --
displays the kinds of things in the binary file, i.e.
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
tomcat, 30-Oct-2012, PrivateKeyEntry,
Certificate fingerprint (MD5):
80:4A:98:FD:73:DB:9B:E0:EE:3D:C6:82:75:7A:95:DE
However, tomcat fails to start its SSL Connector using this keystore
with the log messages below:
I do have a PKCS12 keystore that keytool (with the -storetype pkcs12 option) can list
perfectly, but tomcat cannot open (with keystoreType="pkcs12" in the
Connector). Both tomcat, and keytool are running from java-6-sun-1.6.0.26/jre/lib/i386.
The log shows:
17-Oct-2012 15:33:51 org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler
["http-bio-443"]
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
at sun.security.util.DerInputStream.getLength(DerInputStream.java:544)
Please include your connector configuration.
<Connector port="443"
protocol="HTTP/1.1"
maxThreads="150"
sessionTimeout="7200"
scheme="https"
secure="true"
SSLEnabled="true"
sslProtocol="TLS"
keystoreFile="conf/keystore-pkcs12"
keystoreType="pkcs12"
keyAlias="tomcat"
keystorePass="secret"
clientAuth="false"
truststoreFile="/etc/java-6-sun/security/jssecacerts"
truststorePass="secret" />
Oh yes, I should also point out that I realise clientAuth="false"
probably renders the truststore parameters redundant. However, this same
jssecacerts file is acceptable to tomcat when successfully opening the
JKS keystore.
Dan
I'm sorry to post such a long reply, but it should probably have been
even longer!
While writing this reply and thinking about my sequence of commands, I
suspect the problem might boil down to some difference between the two
keystores when they are initially created. Unfortunately, their
different formats mean I have to use different tools to inspect their
contents, which makes comparison difficult.
I'm beginning to think that I will have to hang a debugger on to tomcat
and follow the logic when the pkcs keystore is unwrapped.
<snip/>
Thanks for your thoughts,
Brian
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
