Hey Chris,
Can you please explain me these two lines you have wrote:
$ openssl pkcs12 -export -in ${HOSTNAME}.crt \
-inkey ${HOSTNAME}.key \
-certfile CA-intermediate.crt
-out ${HOSTNAME}.p12
-chain
$ $JAVA_HOME/bin/keytool -importkeystore \
-srckeystore ${HOSTNAME}.p12 \
-destkeystore ${HOSTNAME}.jks \
-srcstoretype pkcs12
Basically, what I have is 3 .pem files. One is the certificate for my server,
and the other two are the intermediate CA certificate and root CA.
So, I should run the pkcs12 for each of these 3 certificates? And if you can
explain me in a word or two what is being created with them, it would be much
appreciated as I am first time working with this.
-----Original Message-----
From: Christopher Schultz [mailto:[email protected]]
Sent: 19 May, 2015 20:08
To: Tomcat Users List
Subject: Re: Problem with APR library - Tomcat 7
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dejan,
On 5/19/15 11:58 AM, Dejan Stamenov wrote:
> Maybe I have messed up really bad, so I can't solve it now. I will
> start over with this, can you tell me if this are the steps I need to
> do for it to work:
>
> install libapr1-devinstall tcnativeWill I need to make that specific
> .sh file in the Tomcat /bin directory after I have done these 2 steps?
If it were me, I would:
1. Remove all traces of the APR source and binary that you downloaded and built
for yourself.
2. Make sure that the packages libapr1 and libapr1-dev are installed via
apt-get 3. Make sure you build tcnative such that, after:
$ make distclean
$ ./configure [...]
$ make
... you have some .so files sitting-around somewhere.
4. Copy those files into CATALINA_BASE/bin
5. When you launch, make sure that java.library.path includes CATALINA_BASE/bin
> Also, can I use something else than APR library connector?
Yes. All Tomcat connectors support TLS.
The APR-based connector will outperform all other connectors when using TLS by
an order of magnitude. If you are serious about performance, you should either
use the APR-based connector or terminate TLS elsewhere (like a reverse proxy)
and not have Tomcat do any crypto at all.
> I have been trying to make it work now with a keystore, but when I
> access my application I get "The connection was reset" error. In my
> keystore, I have my server certificate, my intermediate file and
> primary cert file which have been given to me (the last 2). Also, when
> I look into the logs of the server there is no error/warning about
> using this second Connector, but it still won't work.
Taking PEM files and putting them into a keystore is a real pain in the neck.
This is the magic formula I've been using for a while, when starting with PEM
files and creating a keystore from scratch:
$ openssl pkcs12 -export -in ${HOSTNAME}.crt \
-inkey ${HOSTNAME}.key \
-certfile CA-intermediate.crt
-out ${HOSTNAME}.p12
-chain
$ $JAVA_HOME/bin/keytool -importkeystore \
-srckeystore ${HOSTNAME}.p12 \
-destkeystore ${HOSTNAME}.jks \
-srcstoretype pkcs12
Hope that helps,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVW3wLAAoJEBzwKT+lPKRYhe0QAJToV385JEvVjnAujgghILzS
3/xLyrOQqbUXo6HVT9+yKtbgtmMqQj7UQ7JQjsDWl0JTrV8e0Y9nJnS91vMZMw8F
aTgf+LqAowH7lehqb0gQRVjmsS1ZSMr51epbAiytx3eZPeOJTc+sxzVyAixrfEDd
UxkEe6dYBI2JA7UnnzbO1OKvpkqYWBksUAKyF0w1X4Lp1AlUeKI+BPEheuWn8RaM
9ppwJxpjTS17GA+hLuPpqH1g4WhxOlzmXewTED1tCrLQ7l3s32/yWaj0jbcfyX+K
++1zzL2/dVdYo0iWA2vRN4udzmgZy7uNVS2i6rtzk9m2udkmWS2dOrJJjwzwu6Yn
QqwbR1/3gP6CUrvE6+8a8zFIyBhju5jVtEeQJeZAZ0KIx//EZvtdFcZPIlzTgap5
y3Wyl3NozpmIrbhjBMZ6EndaW9lUqZHq8kN6IlAH9qGB6zV1snJDw1jn6oEVZWNJ
ADUs8rFIncmrD45AlIESd6Tv8ZjHbFbWUSsrGtotRPkH/Uvm5pU8bMvI106/5IbN
t9bnjSykqpc9Lhpy7JXUlJEgqT54xP8qRXubnppIvSmMtKS5C0F9g787oceF3igS
gZmPDmLXlJcMEHvesPgLu/qWDICoIWiC6qmpPoxYbwN/qtBfyutY+CC32fLhTljw
t1zijZjngG1uamToQ3uN
=pY5F
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]