Mark,

On 5/30/24 08:46, Fung-A-Fat, Mark wrote:
> I am running a Java web app on Windows 2019 server and need some help getting the SSL certificate installed into my keystore.
>
> I am running Tomcat 9.x and Java 11.
>
> I am able to generate a certificate request using both keytool and/or openssl.
>
> For both the CSR file looks like this, but the openssl also generates a private key xxx.
>
> -----BEGIN NEW CERTIFICATE REQUEST-----
> MIIC2TCCAcECAQAwZDELMAkGA1UEBhMCdXMxCzAJBgNVBAgTAm1hMRAwDgYDVQQH
> -----END NEW CERTIFICATE REQUEST-----
>
> Private key from OPENSSL
>
> -----BEGIN PRIVATE KEY-----
> MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC5EqmuGM9nRQ5n
> -----END PRIVATE KEY-----

You may have compromised your private key by posting it like this. I would start everything over again from scratch, starting with generating a new private key and CSR.

> I use the CSR to submit a request to my company’s certificate server and I am able to download 2 files in DER format.
>
> The downloaded certificate has a name certnew.cer, the downloaded chain certificate has a name cernew.p7b, and both appear to be binary because when I open them in Notepad++ they are unreadable.

.p12 and .p7 files are always binary. Are you able to get the files as PEM? That is, IMHO, the most convenient package format.

> Not sure how I go about converting and importing these into my keystore using keytool.
>
> The documentation is confusing to me as to what needs to be done.
>
> https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
>
> The section on importing the certificate does not go into how to convert or merge the certificate or the certificate chain, and also does not say anything about a private key file.
>
> Has anyone out there done this consistently and successfully?

You should be able to use keytool -importcert as described here:

https://stackoverflow.com/questions/15814569/import-pkcs7-chained-certificate-using-keytool-command-to-jks

When you do all of this start-to-finish, basically you do the following:

1. $ keytool -genkeypair -alias 'mykey' (creates key + self-signed cert in keystore, plus CSR)

2. Send CSR to CA for signing, get signed cert in return

3. $ keytool -importcert -alias 'mykey'

This will UPDATE THE CERT in your keystore with the one signed by the CA. Now, you are ready to use the signed certificate with Tomcat.

But definitely start over with a new private key. The one you posted shouldn't be trusted anymore.

Hope that helps,
-chris
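The three steps above, run end to end as an added example (not from the original thread, and not the Tomcat project's own script). A throwaway keystore created with keytool -gencert stands in for the company certificate server, so the whole thing runs offline; the aliases, file names and the password "changeit" are constructed for the demo. The same keytool invocations work unchanged from cmd or PowerShell on Windows, and a certnew.p7b downloaded from the CA can be passed to -importcert as the -file in place of the PEM chain built here.

```shell
#!/bin/sh
# Added example: keytool round trip (genkeypair -> certreq -> CA signs -> importcert).
# All names, paths and the password are demo values, not values from the thread.
set -eu

demo_keystore_flow() {
  work=$(mktemp -d)
  pass='changeit'   # demo password only; use a real one in production

  # Stand-in for the company CA: a self-signed CA key pair in its own keystore.
  keytool -genkeypair -alias demo-ca -keyalg RSA -keysize 2048 -validity 30 \
    -dname 'CN=Demo CA' -ext bc:c \
    -keystore "$work/ca.p12" -storetype PKCS12 -storepass "$pass" -keypass "$pass"
  keytool -exportcert -rfc -alias demo-ca -file "$work/ca.pem" \
    -keystore "$work/ca.p12" -storepass "$pass"

  # Step 1: server key pair plus CSR. The private key never leaves the keystore,
  # which is the point of using keytool instead of openssl for the key.
  keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -validity 30 \
    -dname 'CN=tomcat.example.test' \
    -keystore "$work/tomcat.p12" -storetype PKCS12 -storepass "$pass" -keypass "$pass"
  keytool -certreq -alias mykey -file "$work/mykey.csr" \
    -keystore "$work/tomcat.p12" -storepass "$pass" -keypass "$pass"

  # Step 2: the CA signs the CSR (keytool -gencert plays the CA here).
  keytool -gencert -alias demo-ca -rfc -validity 30 \
    -ext ku:c=digitalSignature,keyEncipherment -ext eku=serverAuth \
    -infile "$work/mykey.csr" -outfile "$work/mykey.pem" \
    -keystore "$work/ca.p12" -storepass "$pass" -keypass "$pass"

  # The reply as an ordered chain, leaf first then issuer: the PEM equivalent of
  # certnew.cer + the .p7b chain. -importcert accepts either form.
  cat "$work/mykey.pem" "$work/ca.pem" > "$work/chain.pem"

  # Step 3: importing the reply under the SAME alias replaces the self-signed cert.
  keytool -importcert -noprompt -alias mykey -file "$work/chain.pem" \
    -keystore "$work/tomcat.p12" -storepass "$pass" -keypass "$pass"

  # Check: the entry is now a PrivateKeyEntry whose chain has two certificates.
  keytool -list -v -alias mykey -keystore "$work/tomcat.p12" -storepass "$pass" \
    | grep -q 'Certificate chain length: 2'
}
```

Point Tomcat's connector at tomcat.p12 with certificateKeystoreFile and certificateKeyAlias="mykey"; if the check at the end reports chain length 1, the reply was imported as a separate trusted entry instead of onto the key alias.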
