"Scott Purcell" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> Thanks Bill for the info.
>
> Verisign gave me a cert.cer file. So I am not sure how to handle this. My
> connector currently is this:
> <Service name="Catalina">
>   <Connector port="80" // the normal http port />
>  // here is what I am working with that is currently commented out
> // I was able to add the cert to the keystore using  this:
>
> keytool -import -alias <your alias> -keystore
> <your_keystore> -trustcacerts -file <cert.cer>
>
>    <Connector port="8443" maxHttpHeaderSize="8192"
>               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>               enableLookups="false" disableUploadTimeout="true"
>               acceptCount="100" scheme="https" secure="true"
>               clientAuth="false" sslProtocol="TLS" />
>
> // but this is the one that is working using openSSL and the certificate
> made from the below link:
> <Connector port="443" maxHttpHeaderSize="8192"
>    maxThreads="15" minSpareThreads="25"
> maxSpareThreads="75"
> enableLookups="false" disableUploadTimeout="true"
> scheme="https" secure="true"
> SSLEngine="on"
> SSLCertificateFile="C:\Tomcat\bin\server.crt"
> SSLCertificateKeyFile="C:\Tomcat\bin\server.key" />
>
> I am getting messed up because I am not sure what is the private key and
> what is the public key as I am reading.
> Verisign made me create a "keystore", then a "csr" file which I posted to
> them, and then I received a "cert.cer" file back.

Ok, then your private key is living in the keystore file that you created. 
This strongly suggests that you should give up on the APR Connector (on 
Windows, the performance improvement is minimal from all of the benchmarks 
I've seen posted on [EMAIL PROTECTED]).  If you want to go this route, then 
rename the tcnative-1.dll file in $CATALINA_HOME/bin to anything else.  Then if you 
imported your Verisign cert into the same keystore that you used to create 
the CSR (and imported the int-cert as well, for good measure :), you should 
be good to go using keystoreFile="c:\path\to\keystore\file"

If you want to continue with APR, then you'll have to write a Java program 
that loads the keystore file, calls getKey(...).getEncoded(), base64 encodes 
it, and writes it to another file.  You can see now why I'm recommending 
using the Java Connector ;-).
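For anyone who does need the APR route, here is an added example of the kind of program described above (it is not code from the original thread or from Tomcat). It loads a JKS keystore, pulls the private key entry, writes `getKey(...).getEncoded()` (PKCS#8 DER) out as a base64 PEM file for `SSLCertificateKeyFile`, and also writes the leaf certificate and any intermediate certificates as PEM files for `SSLCertificateFile` and `SSLCertificateChainFile`. The keystore path, passwords, alias and output prefix are assumed to come from the command line; `java.util.Base64` requires Java 8 or later.

```java
// Added example, not part of the original mailing-list post.
// Exports a private key and its certificate chain from a JKS keystore
// into PEM files that an OpenSSL-based (APR) connector can read.
// Assumed usage: java ExportKeystoreToPem <keystore> <storepass> <alias> <keypass> <outprefix>
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Base64;

public class ExportKeystoreToPem {

    // Wrap DER bytes in a base64 PEM block using 64-character lines.
    static String toPem(String label, byte[] der) {
        String b64 = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(der);
        return "-----BEGIN " + label + "-----\n" + b64 + "\n-----END " + label + "-----\n";
    }

    static void writeFile(String path, String text) throws IOException {
        try (OutputStream os = new FileOutputStream(path)) {
            os.write(text.getBytes("US-ASCII"));
        }
    }

    public static void main(String[] args) throws IOException, GeneralSecurityException {
        if (args.length != 5) {
            System.err.println("usage: ExportKeystoreToPem <keystore> <storepass> <alias> <keypass> <outprefix>");
            System.exit(2);
        }
        String ksPath = args[0], storePass = args[1], alias = args[2], keyPass = args[3], out = args[4];

        // Load the keystore that was used to create the CSR.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(ksPath)) {
            ks.load(in, storePass.toCharArray());
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalArgumentException("alias '" + alias + "' is not a private-key entry");
        }

        // getKey(...).getEncoded() on a JKS RSA key returns PKCS#8 DER, which
        // OpenSSL reads when wrapped in a "PRIVATE KEY" PEM block.
        Key key = ks.getKey(alias, keyPass.toCharArray());
        if (!"PKCS#8".equals(key.getFormat())) {
            throw new IllegalStateException("unexpected key encoding: " + key.getFormat());
        }
        writeFile(out + ".key", toPem("PRIVATE KEY", key.getEncoded()));

        // The chain stored with the key entry: the server (leaf) cert first,
        // followed by whatever intermediates were imported alongside it.
        Certificate[] chain = ks.getCertificateChain(alias);
        StringBuilder leaf = new StringBuilder();
        StringBuilder intermediates = new StringBuilder();
        for (int i = 0; i < chain.length; i++) {
            String pem = toPem("CERTIFICATE", chain[i].getEncoded());
            (i == 0 ? leaf : intermediates).append(pem);
        }
        writeFile(out + ".crt", leaf.toString());          // -> SSLCertificateFile
        if (intermediates.length() > 0) {
            writeFile(out + "-chain.crt", intermediates.toString()); // -> SSLCertificateChainFile
        }
        System.out.println("exported " + chain.length + " certificate(s) and the key for alias " + alias);
    }
}
```

The `.key` file this writes is an unencrypted private key (the same thing step (2) of the openssl notes produces), so keep it readable only by the account Tomcat runs as. If the chain in the keystore holds only the leaf certificate, no `-chain.crt` is written, which is the usual sign that the intermediate was never imported into the keystore.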

> Originally I tried just doing this:
> <Connector port="443" maxHttpHeaderSize="8192"
>          keystoreFile="C:/Tomcat/bin/uniqueKeystore"
>          keystorePass="unique10"
>          truststoreFile="C:/Tomcat/bin/cert.cer"
>               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>               enableLookups="true" disableUploadTimeout="true"
>               acceptCount="100" scheme="https" secure="true"
>               clientAuth="true" sslProtocol="TLS" />
>
> But it hung and never responded. That is when I tried doing the example 
> from
> the openssl notes.
>
> Thanks
> Scott
>
>
> ----- Original Message -----
> From: "Bill Barker" <[EMAIL PROTECTED]>
> To: <users@tomcat.apache.org>
> Sent: Saturday, December 03, 2005 6:09 PM
> Subject: Re: Verisign Certificate Still Giving Me Troubles:
>
>
>> Well, firstly, Verisign should have given you a cert.crt file :).
>>
>> Verisign uses an intermediate cert to sign with (available from their
> site).
>> Based on configuring mod_ssl I'm guessing that you need to download it 
>> and
>> set:
>>   SSLCertificateChainFile="/path/to/int/cert.crt"
>> in your <Connector> element.
>>
>> From the previous threads, I'm assuming that you are still using the APR
>> connector.  If you are using the Java connector, then simply import the
>> intermediate cert into your keystore (and ignore the above).
>>
>> "Scott Purcell" <[EMAIL PROTECTED]> wrote in message
>> news:[EMAIL PROTECTED]
>>
>>
>>
>> Hello,
>>
>> A few people helped me out last week, to get simple SSL running. IN
>> particular Dhaval, Remy and Nate. Anyway, I have followed the directions
>> from here: http://www.fatofthelan.com/articles/articles.php?pid=12 
>> section
> 3
>> and all works well.
>>
>> So that means my tomcat is all configured and happy.
>>
>> But this was a "generic" certificate. I gave Verisign a certreq.csr file
> and
>> they gave me a certificate last week and it was called cert.cer.
>>
>> I cannot for the life of me figure out how to get the certreq.csr 
>> working?
>>
>> I have been following these steps here:
>>  Based upon my knowledge,to incorporate Verisign certificate, steps are 
>> as
>> follows:
>> (Derived from http://www.fatofthelan.com/articles/articles.php?pid=12 )
>> (1) openssl req -new -out server.csr (This will generate csr and private
>> key. Make sure you fill in
>> the values correctly on openssl command prompt. )
>> (2) openssl rsa -in privkey.pem -out server.key (This removes the
> passphrase
>> from the private key.
>> Also delete generated .rnd file)
>> (3) Here there are two (either or) possibilities:
>>
>>
>> But honestly do not know where to substitute my "certreq.csr" that
> verisign
>> gave me in this equation.
>>
>> Regards
>>
>>
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED] 
