Lyallex,

On 4/4/17 3:11 PM, Lyallex wrote:
> After some sterling support from this list a while ago which
> included a code change I have been successfully running Apache
> Tomcat 7.0.70 stand alone (no httpd front end) with SSL/TLS for a
> year now without problems, it just works, it never falls over and
> it has withstood some concerted attacks by all sorts of scallywags.
> Impressive.

Great! Time to upgrade to Tomcat 8! It's really not bad at all. If you have a testing environment, I think you'll be able to do it in about 30 minutes. After you do it once, it'll take you more like 5 minutes.

> It is now time to renew my ssl certificate and I'm getting a bit
> jumpy.

No sweat.

> I managed to get everything working first time around following the
> docs at
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#General_Tips_on_Running_SSL
>
> According to my service provider (comodo) I have to submit a new
> certificate signing request which (I think) means creating a self
> signed certificate.
>
> Will this mess up my existing cert, it still has 10 days to go?

That depends upon exactly how you do things.

> Is the process the same as installing first time or are there some
> gotchas I need to be aware of

I would start from scratch every time. Here's why:

1. Java keystores are ... an abomination. The less you have to mess with them, the better.

2. In the unlikely event that your private key has been compromised (e.g. someone broke into your server and copied it off there).

3. For conversations that aren't using "forward security", the RSA private key is the master key to all of those conversations. If someone (e.g. US-NSA) has compromised your private key and is recording all your conversations with your clients, then a compromised key means a compromise of all of those conversations, past or future. Generating a new private key limits the amount of damage that can be caused by this kind of compromise.

4. If you break something, you'll have the old keystore as a backup and can roll-back immediately without worrying if you have broken anything in the original keystore. (Of course, you could just make a backup copy of the keystore, but this start-fresh process has a built-in backup, so you don't have to remember it.)

> [From a followup post]
>
> actually all I was asking was 'is it possible to use an existing
> keystore (and therefore an existing private key)' to install a new
> certification chain'

You can, but see above.

> In the end I created a brand new keystore, generated a new private
> key and CSR, submitted the CSR to Comodo then installed the new
> chain when it arrived. Then I simply switched the server
> (../conf/server.xml) to look at the new keystore and it just
> worked. Result.

It should be that simple every time. Again, always keep a backup... just in case.

> I was under the impression the certs were 'installed' in the
> keystore but I don't think this is right so now I have to figure
> out where they are as I'd like to remove the old ones. Every time I
> mess about with this SSL/TLS stuff I age several years :-)

This is the thing about Java keystores: they merge concepts together in a way that I dislike. If you crack-open your keystore, you'll end up finding the following:

1. a private key
2. a self-signed certificate
3. the CA-signed certificate
4. the CA's intermediate certificate (usually)

But "keytool" makes it look like #1 and #2 are the same thing. When you are using PEM files, it's very clear what everything is, and, if you have a one-PEM-file-to-rule-them-all, then you can at least see everything labelled appropriately with a simple text editor. You can also get your private key out of the bundle without resorting to chicanery.

Come to this year's ApacheCon NA in Miami. There will be a few talks about TLS, including one on the basics and another one on using Let's Encrypt to get free automated certs so you never have to manually do this process ever again -- unless you want an EV cert ;)

-chris
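The start-from-scratch renewal described in the thread (new keystore, new key and CSR, import the CA's chain, point server.xml at the new file) and the "what is actually in the keystore" inspection, written out as one shell script with keytool. This is an added example, not code from the thread or from the Tomcat project. The working directory, keystore name, store password, alias, hostname and the `ca-intermediate` alias are assumptions; the Connector attributes are the standard Tomcat 7 JSSE ones. It goes one step beyond the thread by restricting the connector to ECDHE suites, which supplies the forward secrecy point 3 of the reply refers to.

```shell
#!/bin/sh
# Added example (not from the thread): renew a Tomcat TLS certificate by starting
# from a brand-new keystore, leaving the old one untouched as the roll-back copy.
# Assumed values: WORKDIR, keystore name, store password, alias and hostname.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEYSTORE="$WORKDIR/tomcat-$(date +%Y).jks"   # new file; the old keystore is never modified
STOREPASS="changeit"                          # placeholder; use a real password in practice
ALIAS="tomcat"                                # keyAlias Tomcat will select from the keystore
CN="www.example.com"                          # placeholder hostname for the CSR subject

# 1. Fresh keystore with a new RSA key pair. keytool stores the key together with a
#    throwaway self-signed certificate under the same alias (one PrivateKeyEntry);
#    that certificate is what the CA-signed one replaces later.
new_keystore() {
  keytool -genkeypair -storetype JKS -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -alias "$ALIAS" -dname "CN=$CN, O=Example Ltd, C=GB" -validity 365 \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# 2. CSR for the CA. Only the public key leaves the machine; the private key stays
#    in the new keystore. Prints the CSR path.
make_csr() {
  keytool -certreq -alias "$ALIAS" -file "$WORKDIR/$CN.csr" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
  echo "$WORKDIR/$CN.csr"
}

# 3. Install the CA reply: the intermediate first as a trustedCertEntry, then the
#    server certificate under ALIAS so keytool can chain it to the key.
import_chain() {
  intermediate_pem="$1"; server_pem="$2"
  keytool -importcert -noprompt -trustcacerts -alias ca-intermediate \
    -file "$intermediate_pem" -keystore "$KEYSTORE" -storepass "$STOREPASS"
  keytool -importcert -noprompt -trustcacerts -alias "$ALIAS" \
    -file "$server_pem" -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# 4. Show what the keystore really holds: the entry types make the key/certificate
#    distinction that keytool otherwise blurs.
list_entries() {
  keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    | grep -E 'PrivateKeyEntry|trustedCertEntry'
}

# 5. Connector for conf/server.xml pointing at the new keystore. Limiting the suites
#    to ECDHE ones gives forward secrecy, so a later key compromise does not expose
#    sessions recorded earlier.
connector_xml() {
  cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="$KEYSTORE" keystorePass="$STOREPASS"
           keystoreType="JKS" keyAlias="$ALIAS"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
           clientAuth="false" sslProtocol="TLS" />
EOF
}

# Usage: ./renew.sh prepare              -> steps 1, 2 and 4; send the CSR to the CA
#        ./renew.sh import ca.pem my.pem -> steps 3, 4 and 5 once the CA replies
case "${1:-}" in
  prepare) new_keystore && make_csr && list_entries ;;
  import)  import_chain "$2" "$3" && list_entries && connector_xml ;;
esac
```

Swap the printed Connector into server.xml, restart Tomcat, and keep the previous keystore file where it is until the new certificate has been seen working from a browser; rolling back is then a one-line edit.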