Chris,
Leo,
On 28.10.2013 18:23, Leo Donahue - OETX wrote:
I've been having some trouble lately converting keys and certs from OpenSSL
format into Java's JKS format. I follow all of the magical incantations I can
find
online to convert key+cert into a Java keystore but I get no love. Is there a
decent guide anywhere for how to do this?
From my book of spells.
Used this to configure SSL in Apache httpd for subversion edge.
openssl pkcs12 -export -in C:/server.crt -inkey C:/server.key -name svnedge
-out C:/server.p12
keytool -importkeystore -srckeystore C:/server.p12 -srcstoretype PKCS12
-destkeystore C:/svnedge.jks
During TLS handshake, server may respond with complete certificate chain
(server certificate with all intermediate certificates) or with
incomplete certificate chain (e.g. server certificate, without any/some
intermediate certificates). Most servers, around 88% of them, deliver
full certificate chain, according to research mentioned here [1].
Complete certificate chain is being recognized as valid by every client
that implements TLS (assuming that root CA certificate is in the client
keystore). Incomplete certificate chain may be recognized as valid by
some TLS clients (e.g. Internet Explorer), using information from
X.509v3 extension called Authority Information Access (AIA), or using
previously validated certificate chains. Some clients will not recognize
incomplete certificate chain as valid (e.g. openssl or Apache
HTTPCommons Client). Even the same client may sometimes recognize
incomplete certificate chains as valid and sometimes as invalid, thanks
to caching of intermediate certificates. Therefore, it is best practice
always to deliver complete certificate chain to the client.
Having root CA certificate in the chain is unnecessary, as it wastes
your bandwidth during TLS handshake (your client already have root CA
certificate in its own keystore).
Assuming that intermediate certificates (intermediates.pem), server
certificate (server.pem) and private key (server.key) are all in PEM
format, you need to add option -certfile to command Leo provided:
openssl pkcs12 -export -out keystore.p12 -name myserver -in server.pem
-inkey server.key -certfile intermediates.pem
Verify that the contents of the p12 keystore with:
openssl pkcs12 -in keystore.p12 -nokeys
You should verify that the certificate chain is complete (up to, but
without root CA certificate).
Now, you may use that keystore for BIO and NIO connectors:
keystoreFile="keystore.p12" keyAlias="myserver" keystoreType="pkcs12"
Or you may convert it to JKS keystore as Leo suggests.
-Ognjen
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=399324#c72
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
