For over a year I've been looking for a tool to show the RFC 822 name and the PEM
Thanks craig! Martin > Date: Mon, 28 Oct 2013 16:43:53 -0400 > Subject: Re: Secure Tomcat With SSL > From: craig.tay...@drivedominion.com > To: users@tomcat.apache.org > > This tool has saved me a few times over: > http://sourceforge.net/projects/portecle/ > > > On Mon, Oct 28, 2013 at 4:41 PM, Ognjen Blagojevic < > ognjen.d.blagoje...@gmail.com> wrote: > > > Chris, > > Leo, > > > > On 28.10.2013 18:23, Leo Donahue - OETX wrote: > > > >> I've been having some trouble lately converting keys and certs from > >>> OpenSSL > >>> format into Java's JKS format. I follow all of the magical incantations > >>> I can find > >>> online to convert key+cert into a Java keystore but I get no love. Is > >>> there a > >>> decent guide anywhere for how to do this? > >>> > >> > >> From my book of spells. > >> > >> Used this to configure SSL in Apache httpd for subversion edge. > >> > >> openssl pkcs12 -export -in C:/server.crt -inkey C:/server.key -name > >> svnedge -out C:/server.p12 > >> > >> keytool -importkeystore -srckeystore C:/server.p12 -srcstoretype PKCS12 > >> -destkeystore C:/svnedge.jks > >> > > > > During TLS handshake, server may respond with complete certificate chain > > (server certificate with all intermediate certificates) or with incomplete > > certificate chain (e.g. server certificate, without any/some intermediate > > certificates). Most servers, around 88% of them, deliver full certificate > > chain, according to research mentioned here [1]. > > > > Complete certificate chain is being recognized as valid by every client > > that implements TLS (assuming that root CA certificate is in the client > > keystore). Incomplete certificate chain may be recognized as valid by some > > TLS clients (e.g. Internet Explorer), using information from X.509v3 > > extension called Authority Information Access (AIA), or using previously > > validated certificate chains. Some clients will not recognize incomplete > > certificate chain as valid (e.g. openssl or Apache HTTPCommons Client). > > Even the same client may sometimes recognize incomplete certificate chains > > as valid and sometimes as invalid, thanks to caching of intermediate > > certificates. Therefore, it is best practice always to deliver complete > > certificate chain to the client. > > > > Having root CA certificate in the chain is unnecessary, as it wastes your > > bandwidth during TLS handshake (your client already have root CA > > certificate in its own keystore). > > > > Assuming that intermediate certificates (intermediates.pem), server > > certificate (server.pem) and private key (server.key) are all in PEM > > format, you need to add option -certfile to command Leo provided: > > > > openssl pkcs12 -export -out keystore.p12 -name myserver -in server.pem > > -inkey server.key -certfile intermediates.pem > > > > > > Verify that the contents of the p12 keystore with: > > > > openssl pkcs12 -in keystore.p12 -nokeys > > > > You should verify that the certificate chain is complete (up to, but > > without root CA certificate). > > > > Now, you may use that keystore for BIO and NIO connectors: > > > > keystoreFile="keystore.p12" keyAlias="myserver" keystoreType="pkcs12" > > > > Or you may convert it to JKS keystore as Leo suggests. > > > > -Ognjen > > > > [1] > > https://bugzilla.mozilla.org/**show_bug.cgi?id=399324#c72<https://bugzilla.mozilla.org/show_bug.cgi?id=399324#c72> > > > > ------------------------------**------------------------------**--------- > > To unsubscribe, e-mail: > > users-unsubscribe@tomcat.**apache.org<users-unsubscr...@tomcat.apache.org> > > For additional commands, e-mail: users-h...@tomcat.apache.org > > > >
