Dan,

On 5/1/14, 11:53 AM, Daniel Mikusa wrote:
> On May 1, 2014, at 7:56 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>> All,
>>
>> I've been trying to convert an OpenSSL-generated key and certificate into a keystore for use with Tomcat. I had given up on this months ago and now I'm resuming my attempts.
>>
>> What I've done so far:
>>
>> 1. Created an RSA private key using openssl
>> 2. Created a certificate request using openssl
>> 3. Obtained a signed certificate from a CA
>> 4. Attempted to combine my key and certificate into a PKCS12 file using openssl:
>>
>>     $ openssl pkcs12 -export -in ${HOSTNAME}.crt \
>>         -inkey ${HOSTNAME}.key > ${HOSTNAME}.p12
>>
>> 5. Import the PKCS12 store into a Java keystore using keytool:
>>
>>     $ keytool -importkeystore -srckeystore ${HOSTNAME}.p12 \
>>         -destkeystore ${HOSTNAME}.jks -srcstoretype pkcs12
>>
>> This is what my keytool now says is in the store:
>>
>>     $ keytool -list -keystore conf/${HOSTNAME}.jks
>>     Enter keystore password:
>>
>>     Keystore type: JKS
>>     Keystore provider: SUN
>>
>>     Your keystore contains 1 entry
>>
>>     1, May 1, 2014, PrivateKeyEntry,
>>     Certificate fingerprint (MD5): EC:FE:0A:7F:12:3D:19:39:DD:82:7A:7D:F9:AE:18:9A
>>
>> I set the password for the Java keystore to "changeit". Now, in Tomcat:
>>
>>     <Connector port="8443"
>>                protocol="org.apache.coyote.http11.Http11NioProtocol"
>>                keystoreFile="${catalina.base}/conf/${HOSTNAME}.jks"
>>                keystorePass="changeit"
>
> Have you tried setting keyAlias and keyPass?

Nope. Looks like that did the trick. Just adding the keyPass was sufficient; Tomcat chooses the first thingamajig in the keystore as the one it's going to use, so setting the alias wasn't necessary in this case. I didn't realize that the key itself had a password distinct from the keystore itself. I had used "changeme" instead of "changeit" (Tomcat's default) when setting the password for the key at some point during the whole conversion process.
Java keystores are weird: the key and the certificate seem to occupy a single entry in the keystore. Using Portecle, I was able to see that the certificate seems to "contain" a 2048-bit key. Weird. Well, now that I've done that, perhaps I'll try to use a PKCS12 keystore as well. It would be good to have done that.

Thanks!

-chris
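The conversion from the thread above, as an added example that is not from the original mail or from the Tomcat project: it assumes openssl and keytool are on PATH, stands in a self-signed certificate for the CA-signed one so it runs offline, pins the key-entry password with -destkeypass, and then checks which password actually unlocks the key, so a keyPass/keystorePass mismatch is caught before Tomcat starts.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes openssl and keytool are on
# PATH; a self-signed certificate stands in for the CA-signed one so it runs
# offline. The point: a JKS PrivateKeyEntry has its own password (Tomcat's
# keyPass), separate from the store password (keystorePass), so set it explicitly.
set -eu

STOREPASS=changeit   # -> keystorePass in the Connector
KEYPASS=changeit     # -> keyPass in the Connector; must match the entry password
ALIAS=tomcat         # -> keyAlias in the Connector (optional with a single entry)

# Steps 1-5 from the thread, with every password and the alias pinned down.
convert_to_jks() {
  dir=$1   # throw-away working directory
  # 1-3: private key plus certificate (self-signed here, constructed for the demo)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=localhost" \
    -keyout "$dir/host.key" -out "$dir/host.crt" >/dev/null 2>&1
  # 4: PKCS12 bundle; -name sets the alias, -passout the PKCS12 password
  openssl pkcs12 -export -in "$dir/host.crt" -inkey "$dir/host.key" \
    -name "$ALIAS" -passout "pass:$STOREPASS" -out "$dir/host.p12"
  # 5: JKS import; -destkeypass is the key-entry password the thread was missing
  keytool -importkeystore -noprompt \
    -srckeystore "$dir/host.p12" -srcstoretype pkcs12 -srcstorepass "$STOREPASS" \
    -destkeystore "$dir/host.jks" -deststoretype jks -deststorepass "$STOREPASS" \
    -srcalias "$ALIAS" -destalias "$ALIAS" -destkeypass "$KEYPASS" >/dev/null 2>&1
}

# Returns 0 if password $1 unlocks the private key of $ALIAS in keystore $2.
# Building a CSR needs the private key, so a correct store password with a
# wrong key password fails here exactly as Tomcat's startup did.
key_unlocks_with() {
  keytool -certreq -alias "$ALIAS" -keystore "$2" \
    -storepass "$STOREPASS" -keypass "$1" >/dev/null 2>&1
}

# Converts, then verifies the entry answers to keyPass and not to the stray
# "changeme" from the thread. Returns 0 on success; skips (0) without the tools.
check_tomcat_keystore() {
  command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1 || return 0
  dir=$(mktemp -d)
  convert_to_jks "$dir" || return 1
  key_unlocks_with "$KEYPASS" "$dir/host.jks" || return 1
  if key_unlocks_with changeme "$dir/host.jks"; then return 1; fi
  rm -rf "$dir"
}
```

Run `check_tomcat_keystore` after sourcing the file; a non-zero exit means the key entry does not answer to the configured keyPass, which is the symptom the thread hit.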