Do you think Verisign should be able to supply me with an OpenSSL certificate? Maybe that would help. I just don't know enough about this to make any logical sense. I will email Verisign and see what they say.

Thanks,
Scott

PS, did you have Nate's earlier email you described below? If so could you email it to me? Thanks

----- Original Message -----
From: "Dhaval Patel" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Saturday, December 03, 2005 1:13 PM
Subject: Re: SSL InvalidKeystore Format?

> Scott,
>
> You might have to use OpenSSL instead of keytool. OpenSSL is recommended in a production
> environment. Also if you want to use APR+SSL, you might have to use OpenSSL (I am not sure about
> it). So you have to generate the key using openssl and then supply the key to Verisign. If you have
> time, read my and Nate's previous messages. Nate's message explains a lot about key, certificate
> and encoding.
>
> I am not quite sure whether this key+certificate will work with APR+SSL since they were
> generated using keytool. But you can try.
>
> Let us know if it works or not.
>
> Regards,
> D
>
> --- Scott Purcell <[EMAIL PROTECTED]> wrote:
>
> > Just found this in my email mess: Thanks for responding:
> > Here is what I supplied to verisign for my certificate:
> >
> > 1) Prepared the Keystore:
> > keytool -genkey -keystore myKeystore -alias keystoreAlias
> > (it asked me for passwords, etc.);
> >
> > 2) Generated a CSR
> > a) keytool -genkey -alias keystoreAlias -keyalg RSA -keystore myKeystore
> > b) keytool -certreq -keyalg RSA -alias keystoreAlias -file certreq.csr -keystore myKeystore
> >
> > .... so it looks like I used keytool, and not openssl.
> >
> > Then they send me back a cert.cer file in my email:
> >
> > #######
> > 2) I was not able to download it from anywhere, as it came in my email:
> >
> > 3) I was able to get the SSL running in a ssl format using the supplied link
> > from fatofthelan.com article pid=12
> > and currently have a generic certificate running.
> >
> > Thanks,
> > Scott
> >
> > ----- Original Message -----
> > From: "Nate Rock" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <users@tomcat.apache.org>
> > Sent: Friday, December 02, 2005 8:50 AM
> > Subject: RE: SSL InvalidKeystore Format?
> >
> > Dhaval your explanation was excellent! I think with a bit more information
> > about how exactly Scott got his certificate from verisign, I think we can
> > help him out a bit more.
> >
> > 1. What did you use to create your Certificate Request (csr) to verisign?
> >
> > -IIS
> > -java keytool
> > -openssl
> >
> > 2. after you received your signed certificate back from verisign, what
> > format did you download it in?
> >
> > -PKCS7 - signed cert only - DER binary encoding
> > -PEM - signed cert only
> >
> > 3. After you got the signed certificate what format is your keystore?
> >
> > -PKCS12 - pub/priv keys + signed certificate
> > -JKS - pub/priv keys + signed certificate (sun specific format)
> > -PEM - single file with both PEM encoded (RSA formatted, non encrypted!)
> > private key concatenated on to the PEM encoded signed cert
> > -PEM - two files
> > 1. one containing the PEM encoded (RSA formatted, non-encrypted) private key -
> > server.key
> > 2. one containing the PEM encoded signed cert
> >
> > The native APR connector only supports the last two file formats, so if you
> > have a PKCS12 refer to my previous posting explaining how to split a PKCS12
> > file into multiple PEM Encoded files.
> >
> > Just for the record, I believe you can go back to verisign and download your
> > signed certificate in multiple formats...
> >
> > I am also in the process of parsing out a signed by verisign certificate to
> > see if it's even possible. We may be stuck using self signed certificates
> > for now because the APR connector doesn't support the following attributes
> > yet:
> >
> > SSLCACertificateFile
> > SSLCACertificatePath
> >
> > These attributes are supported, allowing you to specify which CA's you accept
> > outside of the "default" ones (whose location I am still trying to
> > track down).
> >
> > -rOcK
> >
> > -----Original Message-----
> > From: Dhaval Patel [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, December 01, 2005 8:48 PM
> > To: Tomcat Users List
> > Subject: Re: SSL InvalidKeystore Format?
> >
> > Hi Scott,
> >
> > Good to hear that it works. Thanks also go to Remy and Nate Rock.
> >
> > You have purchased SSL. In this purchase process, did you submit a
> > Certificate Request (csr) to Verisign? As far as I know the process of
> > getting a signed SSL certificate is first you have to generate a certificate
> > request (csr), then you have to submit this csr to Verisign or Thawte, then
> > they will give you the actual signed certificate (.crt) and then you have to use
> > that crt in this process.
> >
> > Based upon my knowledge, to incorporate the Verisign certificate, the steps are as
> > follows:
> > (Derived from http://www.fatofthelan.com/articles/articles.php?pid=12 )
> > (1) openssl req -new -out server.csr (This will generate the csr and private
> > key. Make sure you fill in the values correctly on the openssl command prompt.)
> > (2) openssl rsa -in privkey.pem -out server.key (This removes the passphrase
> > from the private key. Also delete the generated .rnd file)
> > (3) Here there are two (either or) possibilities:
> >
> > (a) save the key and submit this csr to Verisign. They will sign it and
> > give you the final certificate (.crt format may be). You may also need to
> > give them the key. (this is the paid option but mostly used in production
> > environments)
> > (b) create a self-signed certificate.
> > openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
> > (this is free but it can be used in a production environment. You don't need
> > to perform this step if you have the certificate from Verisign)
> >
> > Is the self signed certificate good? Yes and maybe no.
> >
> > Yes. It is nearly the same as a Verisign certificate and if you use it, SSL
> > will be enabled as it is going to be enabled using Verisign. The only
> > problem you will face is when you open the website in any browser it will
> > complain about the authenticity of the certificate. The browser can not verify it
> > and so it will ask the user if he/she wants to proceed further or not. The
> > communication is still SSL enabled and secure. This method is more preferred
> > in a testing environment. I have seen many web projects using it in production
> > environments also.
> >
> > Maybe no. Again if you have a good professional website, it is almost
> > standard now that you use a signed certificate from Verisign or Thawte. For
> > example, if you do any online shopping from amazon or any store, you will
> > visit the SSL page and they don't display any warning or anything.
> >
> > So the choice is in your hands. There is no harm involved in any of the
> > above methods.
> >
> > Again all of the above explanation is based upon my reading. I would like
> > users to comment about it so that I also can update myself and you have a
> > correct and better answer.
> >
> > Hope it helps you understand SSL a bit further.
> >
> > Regards,
> > D
> >
> > --- Scott Purcell <[EMAIL PROTECTED]> wrote:
> >
> > > Hard to believe ... but Dhaval the below steps actually worked, and my
> > > site appears to have SSL. Thank you so much. But of course this draws
> > > me to another question.
> > >
> > > I had just purchased a "Verisign" certificate and do not know how to
> > > handle this? Can I just call the Verisign certificate when doing this:
> > > openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
> > > and using the one verisign gave me here?
> > >
> > > Also, is this a good certificate? Do I need the Verisign one?
> > >
> > > As you may be able to tell, I am very confused and could use a little
> > > explanation if possible.
> > >
> > > Thanks much
> > > Scott
> > >
> > > ----- Original Message -----
> > > From: "Dhaval Patel" <[EMAIL PROTECTED]>
> > > To: "Tomcat Users List" <users@tomcat.apache.org>
> > > Sent: Thursday, December 01, 2005 2:08 PM
> > > Subject: RE: SSL InvalidKeystore Format?
> > >
> > > > Hi,
> > > >
> > > > I should have mentioned that I am running tomcat as a standalone
> > > > server. I mentioned the link
> > > > (http://www.fatofthelan.com/articles/articles.php?pid=12) as a
> > > > reference to generate a self-signed certificate with OpenSSL on windows.
> > > > Even though it is a very nice article about how to setup SSL
> > > > with Apache, I only applied part-3 (Generate a test certificate)
> > > > from that article to my Tomcat+SSL procedure.
> > > >
> > > > One thing that I found interesting in that article is part-4
> > > > (Configuring Apache and mod_ssl). In this part, if you look at the
> > > > changes in httpd.conf, as mentioned below,
> > > >
> > > > SSLEngine on
> > > > SSLCertificateFile conf/ssl/server.cert
> > > > SSLCertificateKeyFile conf/ssl/server.key
> > > >
> > > > which are the same parameters that Remy has suggested. If I had
> > > > found this article early, I may have been able to solve the issue.
> > > > But again since I figured it out, I like it now.
> > > >
> > > > Regards.
> > > > D
> > > >
> > > > --- Scott Purcell <[EMAIL PROTECTED]> wrote:
> > > >
> > > > > Hello Dhaval,
> > > > >
> > > > > I was reading the article below, and it looks like you are not
> > > > > running Tomcat as standalone? Are you running Apache behind the scenes?
> > > > >
> > > > > I was just curious.
> > > > >
> > > > > Scott
> > > > >
> > > > > -----Original Message-----
> > > > > From: Dhaval Patel [mailto:[EMAIL PROTECTED]
> > > > > Sent: Thursday, December 01, 2005 8:49 AM
> > > > > To: Tomcat Users List
> > > > > Subject: Re: SSL InvalidKeystore Format?
> > > > >
> > > > > Hi Scott,
> > > > >
> > > > > I am not a tomcat expert and I can not help you with the error you are getting.
> > > > > After Remy's last message on SSL with APR, I finally got my
> > > > > windows xp + tomcat 5.5.12 + APR + SSL working. Following are the steps
> > > > > that I have followed:
> > > > >
> > > > > (1) Install Tomcat 5.5.12 and make sure it is working.
> > > > > (2) Download the APR component (openssl.exe and tcnative-1.dll) and
> > > > > put it in %TOMCAT_HOME%\bin.
> > > > > (http://tomcat.heanet.ie/native/1.1.0/binaries/win32/)
> > > > > (3) I generated server.key and server.cert following the guide at
> > > > > http://www.fatofthelan.com/articles/articles.php?pid=12 . I have
> > > > > put them in %TOMCAT_HOME%\bin only.
> > > > > (Make sure you follow the guide. I had trouble setting up openssl.exe
> > > > > on windows xp. The answer is on that page only. You have to download
> > > > > openssl.cnf from google and place it in some folder and make
> > > > > a new environment variable OPENSSL_CONF pointing to that file. Trust me
> > > > > that link is very good.)
> > > > > (4) Change the server.xml in the following way:
> > > > > <Connector port="443" maxHttpHeaderSize="8192"
> > > > >     maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> > > > >     enableLookups="false" disableUploadTimeout="true"
> > > > >     scheme="https" secure="true"
> > > > >     SSLEngine="on"
> > > > >     SSLCertificateFile="C:\Tomcat5.5\bin\server.crt"
> > > > >     SSLCertificateKeyFile="C:\Tomcat5.5\bin\server.key"
> > > > > />
> > > > > (5) Restart tomcat and SSL is enabled.
> > > > >
> > > > > I don't know if you did it the same way and you have issues.
> > > > > If you want to try, you can follow the above steps on some other
> > > > > windows xp machine. It worked for me so it should work for you.
> > > > > If you start from scratch, it may take about 30-40 mins to setup
> > > > > the above things.
> > > > >
> > > > > Let me know how it goes.
> > > > >
> > > > > Regards,
> > > > > D
> > > > >
> > > > > --- Scott Purcell <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > > Well, after wasting much time trying to get the SSL running on
> > > > > > 5.5.12, on XP, and finding out about the bad tcnative-1.dll,
> > > > > > I thought I was out of the woods on my SSL configuration. But it
> > > > > > appears I have one last issue (hopefully). Since I renamed the
> > > > > > tcnative-1.dll, I am getting logs in regards to my SSL (I was not
> > > > > > getting those prior, see earlier posts) and I am receiving this
> > > > > > error: I believe I have a good keystore, because my public key from
> > > > > > Verisign was happy with it, but for some reason, Tomcat is still
> > > > > > not happy with it.
> > > > > > Any ideas why this error may occur?
> > > > > > Nov 30, 2005 10:44:53 PM org.apache.coyote.http11.Http11BaseProtocol init
> > > > > > INFO: Initializing Coyote HTTP/1.1 on http-80
> > > > > > Nov 30, 2005 10:44:54 PM org.apache.coyote.http11.Http11BaseProtocol init
> > > > > > SEVERE: Error initializing endpoint
> > > > > > java.io.IOException: Invalid keystore format
> > > > > >     at sun.security.provider.JavaKeyStore.engineLoad(Unknown Source)
> > > > > >     at java.security.KeyStore.load(Unknown Source)
> > > > > >     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:282)
> > > > > >     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:256)
> > > > > >     at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getTrustManagers(JSSE14SocketFactory.java:174)
> > > > > >     at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
> > > > > >     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
> > > > > >     at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
> > > > > >     at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:137)
> > > > > >     at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
> > > > > >     at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
> > > > > >     at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:762)
> > > > > >     at org.apache.catalina.startup.Catalina.load(Catalina.java:488)
> > > > > >     at org.apache.catalina.startup.Catalina.load(Catalina.java:508)
> > > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> > > > > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> > > > > >     at java.lang.reflect.Method.invoke(Unknown Source)
> > > > > >     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
> > > > > >     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> > > > > > Nov 30, 2005 10:44:54 PM org.apache.catalina.startup.Catalina load
> > > > > > SEVERE: Catalina.start
> > > > > > LifecycleException: Protocol handler initialization failed: java.io.IOException: Invalid keystore format
> > > > > >     at org.apache.catalina.connector.Connector.initialize(Connector.java:1018)
> > > > > >     at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
> > > > > >     at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:762)
> > > > > >     at org.apache.catalina.startup.Catalina.load(Catalina.java:488)
> > > > > >     at org.apache.catalina.startup.Catalina.load(Catalina.java:508)
> > > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> > > > > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> > > > > >     at java.lang.reflect.Method.invoke(Unknown Source)
> > > > > >     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
> > > > > >     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> > > > > > Nov 30, 2005 10:44:54 PM org.apache.catalina.startup.Catalina load
> > > > > > INFO: Initialization processed in 1890 ms
> > > > > > Nov 30, 2005 10:44:54 PM org.apache.catalina.core.StandardService start
> > > > > >
> > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > > For additional commands, e-mail: [EMAIL PROTECTED]
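Added example, not code from any of the posts above: the OpenSSL steps Dhaval lists (CSR plus passphrase-free key, then either a CA-signed or a self-signed server.crt), the PKCS12-to-two-PEM-files split Nate refers to for the APR connector, and a check that the certificate actually belongs to the private key, written as POSIX shell functions around the openssl CLI. The subject values, the `changeit` export password, the `tomcat` alias and the scratch directory are assumptions. One caveat worth keeping in mind: the trace Scott quoted comes from `JSSESocketFactory`, i.e. the pure-Java connector reading the file as a JKS keystore, so PEM files like these only apply once the connector is really running on the native library with `SSLEngine="on"`.

```shell
#!/bin/sh
# Added example for this thread (not code from the list posts): produce the two
# PEM files the APR/native connector wants (unencrypted private key + signed
# certificate), self-sign for testing, split a PKCS12 when the key was created
# by keytool, and verify the pair matches before touching server.xml.
# Subject values, the "changeit" password, the "tomcat" alias and WORK are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1) Private key + CSR in one step. -nodes leaves the key unencrypted, which is
#    what SSLCertificateKeyFile expects (no passphrase prompt at startup).
gen_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/C=US/ST=MO/L=St Louis/O=Example Corp/CN=www.example.com" 2>/dev/null
  echo "$WORK/server.csr"
}

# 2) Self-sign the CSR for a test certificate. With a CA-issued certificate you
#    skip this step and save the CA's PEM certificate as server.crt instead.
self_sign() {
  openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
    -days 365 -out "$WORK/server.crt" 2>/dev/null
  echo "$WORK/server.crt"
}

# 3) A keystore created with keytool has to be exported to PKCS12 first
#    (keytool -importkeystore exists since Java 6):
#      keytool -importkeystore -srckeystore myKeystore -srcstoretype JKS \
#        -destkeystore "$WORK/ks.p12" -deststoretype PKCS12 -srcalias keystoreAlias
#    Here the PKCS12 is built from the files above so the split can be exercised
#    without a JDK.
make_pkcs12() {
  openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
    -name tomcat -passout pass:changeit -out "$WORK/ks.p12" 2>/dev/null
  echo "$WORK/ks.p12"
}

# 4) Split the PKCS12 into the two PEM files. Piping through `openssl rsa` /
#    `openssl x509` drops the "Bag Attributes" lines that pkcs12 prepends.
split_pkcs12() {
  openssl pkcs12 -in "$WORK/ks.p12" -nocerts -nodes -passin pass:changeit 2>/dev/null \
    | openssl rsa -out "$WORK/from_p12.key" 2>/dev/null
  openssl pkcs12 -in "$WORK/ks.p12" -nokeys -clcerts -passin pass:changeit 2>/dev/null \
    | openssl x509 -out "$WORK/from_p12.crt" 2>/dev/null
  echo "$WORK/from_p12.key $WORK/from_p12.crt"
}

# 5) The check that catches a key/cert mismatch (e.g. a CA certificate issued
#    against a CSR from a different key). Both commands print the PEM
#    SubjectPublicKeyInfo, so the two outputs must be identical.
key_matches_cert() {
  k=$(openssl rsa -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Show what a PEM file actually contains: a CA may hand back a PKCS7 bundle
# ("PKCS7") rather than a bare "CERTIFICATE", and a key may be "RSA PRIVATE KEY"
# or PKCS#8 "PRIVATE KEY" depending on the OpenSSL version.
pem_types() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$@"
}
```

After `gen_key_and_csr` and either `self_sign` or the CA's certificate, run `key_matches_cert "$WORK/server.key" "$WORK/server.crt"` before pointing `SSLCertificateFile` and `SSLCertificateKeyFile` at the files; if a key came out of keytool, go through `make_pkcs12`/`split_pkcs12` (or the keytool export in the comment) and check the extracted pair the same way.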