Hi Christopher,

We are still not able to apply our self certifications...
Is there any document/guide (even scratch notes you might have :) ) for a walkthrough for the whole procedure (e.g. A-Z from creating the certifications and applying them)?
We decided to start the procedure from scratch...
I can see only some hints in forums but no organized document or procedure...

Thanks,
Barc

On Sat, May 23, 2015 at 10:22 AM, Ori Raz <fcb...@gmail.com> wrote:

> Thank you Christopher.
> Appreciate all your help. Please let me know if any additional info is
> required for the issue.
> Regarding the ssl connection, if I use with and without the -tls1 flag
> with the original certificate then in both cases it works fine.
> After doing the steps I mentioned initially, both are not working.
>
> Thanks,
> Barc
>
> On Fri, May 22, 2015 at 7:13 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
>> Ori,
>>
>> On 5/22/15 10:03 AM, Ori Raz wrote:
>> > Thank you Christopher for your reply.
>> >
>> > I always make a backup before changes :) luckily :)
>> >
>> > I reverted back and tried without deleting the entries and getting
>> > this:
>> >
>> > primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias tomcat -file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer -keystore /opt/primecentral/install/utils/sslgen/prime.keystore
>> > Enter keystore password:
>> > keytool error: java.lang.Exception: Public keys in reply and keystore don't match
>> > primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias tomcat -file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer -keystore /opt/primecentral/XMP_Platform/jre/lib/security/cacerts
>> > Enter keystore password:
>> > keytool error: java.lang.Exception: Certificate not imported, alias <tomcat> already exists
>> > primeusr@sagi-vzadik-01 [~]#
>> >
>> >
>> > Regarding the import you wrote -
>> > $ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt -keystore ${HOSTNAME}.jks
>> >
>> > Isn't that this one or am I missing something:
>> > keytool -importcert -file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer -keystore /opt/primecentral/install/utils/sslgen/prime.keystore -alias tomcat
>>
>> I'll have a look at that later when I have more time.
>>
>> > as mentioned, catalina-<date>.log is empty... I cannot see any
>> > other relevant logs (if you can point me to other log - please do :) )
>> >
>> >
>> > If I try to connect to ssl locally, then with the original
>> > certificate it works, but with the new one - here is the output:
>> > primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 10.56.57.65:8443
>> > CONNECTED(00000003)
>> > 4954:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:
>> > primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 127.0.0.1:8443
>> > CONNECTED(00000003)
>> > 5050:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:
>>
>> Try using the -tls1 flag for s_client (or -tls1_1, or -tls1_2), since
>> ssl3 is dead and the handshake won't even work anymore.
>>
>> -chris