James,

On 9/13/13 5:29 PM, James H. H. Lampert wrote:
> On 9/11/13 5:22 AM, Christopher Schultz wrote:
>> Okay, great: you have a chain of certificates and could, with a
>> bit of effort, convert that into a Java keystore or a PEM-encoded
>> file for use with OpenSSL (and httpd, tcnative, etc.).
>>
>> Without the private key, though, you aren't going to get very
>> far. Go back to the client and tell them that you need that,
>> too.
>
> FINALLY!
>
> (And this is why we discourage our customers from building their
> own keystores: there's enough chance of screwing it up if I do it,
> and I've done it a few times; unless the customer has a Tomcat
> expert on staff, they're going to be as lost as I was the first
> time.)

Well, one could argue that the server key really is the key to the
kingdom, so exercising a certain amount of caution about sharing it
around is appropriate in general. It sounds like this wasn't a
security consideration, though, but basic incompetence on their part.

> We got the customer to send us the originating keystore (on the
> second try!), and the non-default password for it, and I managed to
> marry it to the signed certificate in the P7B file, and get it
> installed (screwing up the syntax of server.xml, the first time I
> tried to adjust it from our choice of keystore name and alias to
> their choices and their non-default password), and finally managed
> to get it to come up.
>
> Thanks, Mr. Schultz, et al. You were more helpful than you might
> realize.

Uh.. sure! I suspect I just confirmed something that you already
knew: you didn't have everything you needed to do the job you were
asked to do.

-chris