On 18 December 2014 at 14:06, Christopher Schultz
<[email protected]> wrote:
> Duncan,
>
> On 12/18/14 4:18 AM, Lyallex wrote:
>> On 17 December 2014 at 22:37, Christopher Schultz
>> <[email protected]> wrote:
>>
>> Duncan,
>>
>> On 12/17/14 12:32 PM, Lyallex wrote:
>>>>> Yea I thought of this, the problem is I currently have a user
>>>>> area that requires a login and all this is currently
>>>>> configured in web.xml and I'm not sure how all this will fit
>>>>> together. I'll try a few things out and see what happens.
>>
>> You can have multiple, overlapping security-constraints. One of
>> them (which covers the whole site) will require HTTPS, the other
>> (existing one) will require authentication and authorization, but
>> only for certain (again, existing) URL patterns.
>>
>> Should be no problem.
>>
>>> You are correct, I followed Mark's instructions, set up a new
>>> security constraint and restarted the server; now when I access
>>> localhost I get 'redirected' to https://localhost which is what I
>>> wanted. It was the whole overlapping security-constraint thing
>>> that was vexing me somewhat.
>>
>>> I can also log into my user and admin areas as normal which is a
>>> relief but I'm getting some problems with AJAX not updating the
>>> live areas of my site so I'll have to look into that.
>>
>>> Now I know this is probably OT but I'm in the UK and was
>>> wondering if anyone has found a UK certification co that has
>>> decent customer support as I now have to figure out how to buy
>>> and install a certificate with the right params in a standalone
>>> Tomcat instance. My server hosts don't offer support in this area
>>> as they seem to be obsessed with Apache httpd :-(
>
> You can use keytool to create your CSR and give it to the CA, and when
> they give you back a PEM-encoded .crt file, you can import it back
> into keytool, you just need to know the magic words to do it. So it
> doesn't matter what the CA says they officially support; you should be
> able to handle whatever they give you, since it's all X.509 no matter
> what.

I have the keytool stuff working now, I can create keystores and CSRs
and what have you and access my site on staging (with the obvious
warnings etc).

Actually some of the CAs have tools on their websites.

Example: https://www.digicert.com/csr-creation.htm

I use the tool then take the resulting command string to bits so I can
figure out what's going on, great fun. (I really must get a life).

> If you want to get a free certificate, try StartCom (startssl.com).
> They are trusted by most browsers and offer no-cost standard SSL
> certificates. You have to pay if you want EV certs, or if you want to
> revoke a cert you've requested in the past. They can also do
> code-signing certs and other things, for a fee.

OK, thanks for the heads up. Obviously the cert I end up with needs to
be as widely recognized as possible, so I'm currently looking at all
the browsers I have here (on laptops, tablets, smart phones, whatever
gizmo) to see which CAs appear most frequently.

Thanks to all for the advice, I'll probably be back when it all goes
horribly wrong :-)

Duncan
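
An added example, not part of the thread: a small audit of the overlapping security-constraint setup discussed above. Under the Servlet specification only the constraints on the best-matching url-pattern apply to a request, so this check reports authenticated patterns that a site-wide `/*` HTTPS constraint does not actually cover. The `/user/*` pattern, the `user` role and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not from the thread); no XML namespace and no
# <http-method> elements, both assumptions that keep the parser short.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/user/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>user</role-name></auth-constraint>
 </security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Return a list of (url_pattern, needs_auth, transport_guarantee)."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        needs_auth = sc.find("auth-constraint") is not None
        tg = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        out += [(p.text.strip(), needs_auth, tg) for p in sc.iter("url-pattern")]
    return out

def rank(pattern, path):
    """Servlet match order: exact > longest path prefix > extension > default."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def applicable(constraints, path):
    """Only constraints on the single best-matching pattern apply."""
    ranked = [(rank(c[0], path), c) for c in constraints if rank(c[0], path) is not None]
    best = max((r for r, _ in ranked), default=None)
    return [c for r, c in ranked if r == best]

def https_enforced(constraints, path):
    """True only if every applicable constraint demands a protected transport."""
    hits = applicable(constraints, path)
    return bool(hits) and all(tg != "NONE" for _, _, tg in hits)

def unprotected_auth_patterns(xml_text):
    """Patterns that require login but would still be served over plain HTTP."""
    cs = load_constraints(xml_text)  # "*" -> "x" turns a pattern into a probe path
    return sorted({p for p, auth, _ in cs if auth and not https_enforced(cs, p.replace("*", "x"))})
```

For the constructed fragment, `unprotected_auth_patterns(WEB_XML)` reports `/user/*`; adding a `CONFIDENTIAL` user-data-constraint to that constraint as well clears the finding.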
