Don't know what is happening but I keep getting NDRs for my replies to this group.

So in case it didn't get through:

Crypto.Sal, thank you so much. It works!! OpenSSL was so much simpler than the JDK keytool.

I just wanted to share some quirks I ran into when installing SSL on APR Tomcat.

Here are the commands I ran with OpenSSL:

Step 1: create a 2048-bit key without a password.

openssl genrsa -out domainname.key 2048

Step 2: create a CSR to send to the SSL vendor.

openssl req -new -key domainname.key -out domainname.csr

When answering the questions, Common Name must be the hostname for the SSL certificate. The rest of the questions are straightforward.

Send the CSR to the SSL vendor and they will send back the SSL certificate.

Copy the .key and .crt files to the root of the Tomcat folder.

Change server.xml to point to the two files:

SSLCertificateFile="${catalina.home}/SSLCERT.crt"
SSLCertificateKeyFile="${catalina.home}/SSLKEY.key"

And it worked right off the bat.

I found out that even though it is "working", it is not correctly installed until I download an Intermediate CA certificate file and add this line to server.xml:

SSLCACertificateFile="${catalina.home}/sslchain.crt" />

One quirk I ran into was that Firefox 4 aggressively caches even SSL certificates. So even though the site was encrypted using the new SSL certificate, Firefox 4 showed the OLD SSL certificate's information, including the expiration date. I had to fire up IE 8 to view the new SSL certificate.
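The three files named in the server.xml lines above can be checked before the connector is touched, and the "working but not correctly installed" state can be detected from what the server actually sends rather than from a browser that may be caching the old certificate. This is an added example, not part of the original post; it assumes the post's file names (SSLKEY.key, SSLCERT.crt, sslchain.crt), that openssl 1.1.0 or newer is on PATH, and that it is run from the Tomcat root folder.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-deployment checks for the
# three files an APR/OpenSSL Tomcat connector points at. The file names are
# the ones used in the post's server.xml and are assumptions here.

# Does the private key belong to the certificate? Compares the public key
# extracted from each side; a mismatch stops the connector from starting.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# Does the server certificate chain to what the chain file contains?
# -partial_chain (OpenSSL >= 1.1.0) accepts a chain file holding only the
# intermediate as the anchor, which is how vendors commonly ship it.
cert_chains_to() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# After deployment: how many certificates does the server actually send?
# A browser that has cached or already trusts the intermediate shows a
# padlock even when this prints 1, the "working but not correctly installed"
# state described in the post. A complete chain prints at least 2.
served_chain_length() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Run as: sh check-ssl.sh --check   (from the Tomcat root folder)
main() {
    key_matches_cert SSLKEY.key SSLCERT.crt \
        || { echo "SSLKEY.key does not match SSLCERT.crt"; return 1; }
    cert_chains_to SSLCERT.crt sslchain.crt \
        || { echo "SSLCERT.crt does not chain to sslchain.crt"; return 1; }
    echo "key, certificate and chain are consistent"
}

case "${1:-}" in --check) main ;; esac
```

After the connector is restarted, `served_chain_length www.example.com` (hostname is a placeholder) reports the chain as served, independent of any browser cache.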