> From: owner-openssl-us...@openssl.org On Behalf Of David Patricola
> Sent: Tuesday, 29 March, 2011 15:26

> I've found plenty of google results but I am having a disconnect
> with the install. My server has its own server.crt, server.key and
> root.crt files. My desktop (which I connect successfully to) has
> postgresql.crt, postgresql.key and the same root.crt, which I used to
> securely connect via pgAdmin just fine. So, I'm using those 3 same files
> on my machine and copying them to the other client machine.

Unless someone chose really nonsensical filenames, that presumably means you have a server key+cert, and a (one) client key+cert (ambiguously named postgresql), both certs issued under one root, probably your own private one (but that doesn't matter here).

I don't know if postgresql requires all clients to have a client cert, aka client authentication, or not. I can imagine it might require it for admin without requiring it for 'normal' purposes. I know *MySQL* is configurable per client user+host: e.g. some clients always need a cert; some clients don't need a cert 'inhouse' but do remotely; others never do (but may have other limitations, like not being permitted to do any update operations).

> Every tutorial I go to shows me to insert a .crt file into
> the cacerts keystore. Which .crt I don't know because all examples
> use generic examples. And me knowing zero about Java doesn't help
> so I'm using everything I read as gospel. This is what I've done so far:
> E:\JRun4\jre\bin>keytool -importcert -alias dca -file C:\dcacerts\postgresql.crt
> -keystore E:\Jrun4\jre\lib\security\cacerts

There are two different concepts (possibly) involved here.

First, your Java client must trust the server cert, either directly or by trusting its CA; the latter is more common and usually better. You do that by putting your root.crt in the truststore used by your Java app. The default truststore is either jre/lib/security/cacerts (as you did here) OR jre/lib/security/jssecacerts (if you want to keep SSL trust separate from codesigning trust). Or an app can have its own truststore. You identified ColdFusion earlier and I have no idea whether that uses the default.

Second, if the server requires a client cert (for this client), you must put your client key AND cert (or cert chain if applicable) in a keystore used by the app. cacerts, or even jssecacerts, is not a very good place for this because it could allow other apps running on the same machine to impersonate you (at least to this server). If your app (or ColdFusion?) has a way to configure its keystore specifically, use that; otherwise to use the Java default you must set system properties javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword before opening a connection. If you control the starting of the JVM, you can use -Dprop=value on the command line or equivalent to do this, otherwise you may need code in your app that runs sufficiently early.

Either way, to get a key+cert PAIR into a Java keystore, you need to first create a PKCS12 in openssl. Assuming as above the files named postgresql are your client, and keeping the naming scheme:

    /somepath/openssl pkcs12 -in postgresql.crt -inkey postgresql.key -export -out postgresql.p12 -name somename

then determine the file you want to put this into for Java, let's assume JRE/lib/security/davidkey:

    # the source keystore is the PKCS12 file just created, not the raw .key
    keytool -importkeystore -srckeystore postgresql.p12 -srcstoretype pkcs12 -destkeystore JRE/lib/security/davidkey

> Thomas Jefferson Universtiy | Philadelphia, PA | 215.503.1715 (Office)

PS- You've got University misspelled.
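As an added illustration (not code from the thread or from any of the projects mentioned), here is how an application can keep both stores private to itself, as the reply recommends, instead of touching the JRE-wide cacerts: the PKCS12 written by `openssl pkcs12 -export` is loaded directly as the client identity and root.crt alone becomes an in-memory truststore. The paths, the password and the class name are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class PgClientSsl {
    // Builds an app-private SSLContext: client identity from the postgresql.p12
    // produced by "openssl pkcs12 -export", server trust from root.crt alone.
    public static SSLContext build(String p12Path, char[] p12Pass, String rootCrtPath)
            throws Exception {
        KeyStore clientKs = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            clientKs.load(in, p12Pass);
        }
        // Fail early if the store holds only a certificate and no private key:
        // the handshake would otherwise silently send no client certificate.
        boolean hasKey = false;
        for (String alias : Collections.list(clientKs.aliases())) {
            hasKey |= clientKs.isKeyEntry(alias);
        }
        if (!hasKey) throw new IllegalStateException("no private key in " + p12Path);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKs, p12Pass);
        // In-memory truststore holding only root.crt (PEM), so the app neither
        // depends on nor modifies the JRE-wide cacerts file.
        KeyStore trustKs = KeyStore.getInstance(KeyStore.getDefaultType());
        trustKs.load(null, null);
        try (InputStream in = new FileInputStream(rootCrtPath)) {
            X509Certificate root = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            trustKs.setCertificateEntry("root", root);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustKs);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and password; hand ctx.getSocketFactory() to whatever opens the connection.
        SSLContext ctx = build("/somepath/postgresql.p12", "changeit".toCharArray(), "/somepath/root.crt");
        System.out.println("client SSL context ready: " + ctx.getProtocol());
    }
}
```

Because the PKCS12 is read directly, the keytool import step is not needed for an app that builds its own context this way; it remains necessary only when the app insists on a JKS file.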