On Wed, Nov 26, 2014 at 5:33 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> To whom it may concern,
>
> On 11/26/14 9:03 AM, Kernel freak wrote:
> > After arguing with the admins for all this time, I finally have the
> > few files ready. I have the following files:
> >
> > keystore.p12
>
> That should contain your key. Can you confirm that with a 'keytool -list'?
>
> > server.crt
>
> Is this the certificate that was signed by the CA?

Yes, this is a certificate signed by the CA, but it's a server certificate; the domain certificate is below.

> > ssl-cert-snakeoil.key
>
> Uh, oh. That looks like one of OpenSSL's built-in CAs that are used
> for documentation and instructional purposes. I hope this isn't being
> used for anything at all.
>
> > domainname.com.ca-bundle
>
> This should be the bundle of certificates for your domain, which may
> include intermediate certificates. Are you using your own internal CA
> or something?
>
> > domainname.com.crt
>
> Which certificate is this?

This is the SSL certificate which has to be deployed.

> > domainname.com.csr
>
> Is this the CSR that you generated yourself?

No, this is also provided by the hosting guys.

> > domainname.com.key
>
> Weird. Okay, I would expect domainname.com.key to have the key that
> was used to generate domainname.com.csr, and that domainname.com.crt
> is a signed version of that CSR. That should be all you need... I'm
> not sure what all the other stuff is.
>
> > vsftpd.pem
>
> What is this?
>
> > I did the following as Christoph said:
> >
> > root@domainname:/etc/ssl/private# openssl pkcs12 -export -in
> > server.crt -inkey ssl-cert-snakeoil.key -certfile
> > domainname.com.crt -out keystore.p12 -chain (pressed enter here)
> > unable to load certificates // This is the error.
>
> I think you might want to do this:
>
> $ openssl pkcs12 -export -in domainname.com.crt \
>     -inkey domainname.com.key \
>     -certfile domainname.com.ca-bundle \
>     -out keystore.p12 -chain
>
> $ keytool -importkeystore -srckeystore keystore.p12 \
>     -srcstoretype pkcs12 \
>     -destkeystore keystore.jks
>
> You are supposed to be able to use PKCS12 keystores directly with
> Tomcat, but IIRC it's a pain and a bit more finicky than with just a
> "normal" JKS-format keystore.
>
> > If I just plain import the .crt file like this:
> >
> > keytool -import -alias tomcat -file domainname.com.crt -keystore
> > /root/.keystore
>
> A couple of things:
>
> 1. Don't run as root. Not for anything. Not even to run keytool.
> 2. Don't store your keystore under /root/.keystore, or you'll (likely)
>    have to run Tomcat as root. You can put your keystore anywhere you
>    want and point Tomcat to it explicitly.
> 3. If you import a certificate into a keystore and there is nothing
>    else in it (the keystore), then you can't perform a handshake because
>    the key is required for secure communication.
>
> > Then Firefox gives me this error:
> >
> > An error occurred during a connection to domainname.com:8443.
> > Cannot communicate securely with peer: no common encryption
> > algorithm(s). (Error code: ssl_error_no_cypher_overlap)
> >
> > The page you are trying to view cannot be shown because the
> > authenticity of the received data could not be verified. Please
> > contact the website owners to inform them of this problem.
>
> The no_cipher_overlap error is likely to be incorrect... the real
> problem is that the server can't decrypt the client's handshake
> because the key is unavailable.
>
> I think you might need to get some help with this from someone else at
> your organization... someone who is a bit more versed in PKI and
> configuring TLS for web servers.

I have told you what key is for what. Can you give me the updated commands, please? Unfortunately there is no one here who knows this.

> - -chris
>
> > On Tue, Nov 25, 2014 at 10:24 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> >
> > To whom it may concern,
> >
> > On 11/25/14 3:32 AM, Kernel freak wrote:
> >>>> I don't have the server.key and server.crt. I have root
> >>>> access to the server, I can generate my own if necessary. I only
> >>>> have .crt and .ca-bundle files. Can you tell me what to do?
> >>>> Thank you very much for your help.
> >
> > If you don't have the server's key but you have the server's
> > certificate, then you must start all over again because the key is
> > half of a paired key.
> >
> > Did you generate the CSR yourself? With what key did you generate
> > that CSR? If someone else generated the CSR, go ask them where the
> > key is that they used.
> >
> > If you have lost the key then you must redo the whole process,
> > starting with generating a new key and CSR, then get the CSR
> > signed. Then, import the signed certificate back into the same
> > keystore. Then, configure Tomcat to use that keystore.
> >
> > The instructions on the Tomcat users' guide are fairly
> > straightforward even if they don't explain the intricacies of
> > public key infrastructure -- that's outside the scope of the users'
> > guide.
> >
> > Thanks, -chris
> >
> >>>> On Mon, Nov 24, 2014 at 7:48 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> >>>>
> >>>> Niranjan,
> >>>>
> >>>> On 11/24/14 10:51 AM, Niranjan Babu Bommu wrote:
> >>>>>>> I think you have to create a keystore from the cert;
> >>>>>>> please follow these instructions and let me know.
> >>>>>>>
> >>>>>>> Create store with temporary key inside:
> >>>>>>>
> >>>>>>> keytool -genkey -alias temp -keystore yourkeystore.jks -storepass Hello1
> >>>>>>>
> >>>>>>> Then delete existing entry:
> >>>>>>>
> >>>>>>> keytool -delete -alias temp -keystore yourkeystore.jks -storepass Hello1
> >>>>>>>
> >>>>>>> Now you've got an empty store. You can check that it's empty:
> >>>>>>>
> >>>>>>> keytool -list -keystore yourkeystore.jks -storepass Hello1
> >>>>>>>
> >>>>>>> Then import your certificate to the store:
> >>>>>>>
> >>>>>>> keytool -import -alias <alias name> -file cert_file.crt -keypass keypass \
> >>>>>>>     -keystore yourkeystore.jks -storepass Hello1
> >>>>
> >>>> Nope: the existing key *and* cert need to be imported
> >>>> simultaneously into the keystore. If the OP already has a
> >>>> cert, he's already got a key, too.
> >>>>
> >>>> The problem is that you probably started with OpenSSL to
> >>>> generate your keys and stuff. Here is the proper procedure to
> >>>> import your key, certificate, and CA bundle into a Java
> >>>> keystore.
> >>>>
> >>>> You'll need these files:
> >>>>
> >>>> server.key (this is your server's secret key)
> >>>> server.crt (this is your server's certificate, signed by the CA)
> >>>> ca.crt (this is your CA's certificate)
> >>>>
> >>>> Here is the incantation:
> >>>>
> >>>> $ openssl pkcs12 -export -in server.crt -inkey server.key \
> >>>>     -certfile ca.crt -out keystore.p12 -chain
> >>>>
> >>>> $ $JAVA_HOME/bin/keytool -importkeystore -srckeystore keystore.p12 \
> >>>>     -srcstoretype pkcs12 \
> >>>>     -destkeystore keystore.jks
> >>>>
> >>>> Now, use keystore.jks in Tomcat's server.xml.
> >>>>
> >>>> If you had already created your key and cert request using
> >>>> Java's 'keytool', then you can instead just import the signed
> >>>> certificate into your keystore:
> >>>>
> >>>> $ $JAVA_HOME/bin/keytool -importcert -file server.crt \
> >>>>     -keystore keystore.jks \
> >>>>     -alias [alias]
> >>>>
> >>>> If you used an alias to create the certificate signing
> >>>> request (CSR), then use the same alias in the above command.
> >>>>
> >>>> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
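The recurring problem in this thread is a key that does not belong to the certificate being packaged (ssl-cert-snakeoil.key next to server.crt), which openssl and Tomcat only report indirectly. The script below is an added example, not code from the thread or from the Tomcat project: it checks that key, certificate and CA bundle fit together before running the same pkcs12/keytool commands Chris gave, and assumes openssl and keytool are on PATH; the file names follow the thread and the password default is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). Checks that a private key, its
# certificate and the CA bundle belong together before building the
# PKCS12 -> JKS keystore, so a wrong key (e.g. ssl-cert-snakeoil.key)
# is reported up front instead of surfacing later as "no cipher overlap".
set -u

# Returns 0 if the private key and the certificate carry the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout -outform PEM 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# Returns 0 if the certificate verifies against the CA bundle (root + intermediates).
cert_chains_to_bundle() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Runs both checks, then builds <out>.p12 and converts it to <out>.jks with
# the same commands as in the thread. Password from KEYSTORE_PASS
# (placeholder default "changeit").
build_keystore() {
    key="$1"; crt="$2"; bundle="$3"; out="${4:-keystore}"
    pass="${KEYSTORE_PASS:-changeit}"
    if ! key_matches_cert "$key" "$crt"; then
        echo "$key does not match $crt: wrong key file?" >&2; return 1
    fi
    if ! cert_chains_to_bundle "$crt" "$bundle"; then
        echo "$crt does not chain to $bundle: wrong or incomplete bundle?" >&2; return 1
    fi
    # -certfile packs the bundle's certificates alongside the server cert;
    # -name sets the alias Tomcat will refer to.
    openssl pkcs12 -export -in "$crt" -inkey "$key" -certfile "$bundle" \
        -name tomcat -out "$out.p12" -passout "pass:$pass" || return 1
    keytool -importkeystore -srckeystore "$out.p12" -srcstoretype pkcs12 \
        -srcstorepass "$pass" -destkeystore "$out.jks" -deststorepass "$pass" \
        -noprompt || return 1
    # A keystore Tomcat can handshake with lists a PrivateKeyEntry,
    # not just a trustedCertEntry (the failure mode in the thread).
    keytool -list -keystore "$out.jks" -storepass "$pass" | grep -q PrivateKeyEntry
}

# Usage: sh check_keystore.sh domainname.com.key domainname.com.crt domainname.com.ca-bundle
if [ $# -ge 3 ]; then
    build_keystore "$1" "$2" "$3" "${4:-keystore}"
fi
```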