Igor,

On 2/23/18 4:45 AM, Igor Cicimov wrote:
> Hi all,
>
> I have the following setup in the tomcat default file on
> Ubuntu-14.04:
>
> JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=/opt/encompass/keystore/keystore.jks"
> JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/opt/encompass/keystore/truststore.jks"
>
> The keystore.jks holds a dozen SSL keys our app uses to
> authenticate to various web services. One of these certificates
> expired and I used openssl to create a new private key (key.pem) and
> CSR, that the other side signed and sent back (cert.pem). Then I
> concatenated the certificate and the private key into a single file:
>
> $ cat cert.pem key.pem > cert2.pem
>
> and imported the file into the existing keystore using keytool:
>
> $ keytool -delete -alias client-cert -keystore keystore.jks -storepass xxxx
> $ keytool -import -alias client-cert -file cert2.pem -keystore keystore.jks -storepass xxxx
>
> The signing root CA and the intermediate certificate already exist
> in the truststore.jks keystore.
>
> Does this procedure sound sane? Is there a better (or maybe proper)
> way of doing it?

Are you just sanity-checking your process for importing certs into a JKS bundle? Does the process result in the items you expected to be in the keystore?

I'd personally be very paranoid if the JKS file was the only place all of those key/cert pairs were stored, because of my (bad) experience using JKS keystores in the past. Thankfully, Oracle is finally deprecating them and making the default keystore type PKCS12 in the future. JKS (and its surprisingly extant cousin, JCEKS) never should have existed.

-chris
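To make the "does the process result in the items you expected" check concrete, here is an added example written for this page (not code from either poster): a small POSIX shell helper that classifies keystore entries from `keytool -list` output, plus the PKCS#12 route that actually stores a private key in a JKS file. The keystore path, alias, password and file names are placeholders, and `keytool` and `openssl` are assumed to be on PATH only for the two functions that call them; the demonstration at the bottom runs on a constructed listing and needs neither.

```shell
#!/bin/sh
# Added example, not from the thread: check what a keytool import actually
# produced, and the PKCS#12 route that stores a private key in a JKS file.
# Assumptions (placeholders, not the poster's real values): keystore path,
# alias, password and file names; keytool and openssl on PATH for the
# functions that call them.

# keystore_entry_type ALIAS: read `keytool -list` output on stdin and print
# the entry type recorded for ALIAS. keytool prints one summary line per
# entry, "alias, date, entryType,", so the alias is matched as a prefix.
# Exit status 1 when the alias is not in the listing.
keystore_entry_type() {
    awk -v a="$1" '
        index($0, a ",") == 1 {
            found = 1
            if ($0 ~ /PrivateKeyEntry/)       print "PrivateKeyEntry"
            else if ($0 ~ /trustedCertEntry/) print "trustedCertEntry"
            else if ($0 ~ /SecretKeyEntry/)   print "SecretKeyEntry"
            else                              print "unknown"
        }
        END { exit found ? 0 : 1 }
    '
}

# check_alias ALIAS KEYSTORE STOREPASS: run keytool against a real keystore
# and report the entry type for ALIAS.
check_alias() {
    keytool -list -keystore "$2" -storepass "$3" 2>/dev/null \
        | keystore_entry_type "$1"
}

# import_key_pair CERT KEY KEYSTORE ALIAS STOREPASS: keytool -import
# (-importcert) only ever creates a trustedCertEntry and never stores a
# private key, so a cert/key pair has to be bundled into a PKCS#12 file
# first and merged with -importkeystore; the result is a PrivateKeyEntry
# under ALIAS. The PKCS#12 file is created by mktemp (mode 0600) and
# removed afterwards.
import_key_pair() {
    cert="$1"; key="$2"; keystore="$3"; alias="$4"; pass="$5"
    p12="$(mktemp)" || return 1
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$alias" \
        -out "$p12" -passout "pass:$pass" &&
    keytool -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 \
        -srcstorepass "$pass" -srcalias "$alias" \
        -destkeystore "$keystore" -deststorepass "$pass" -destalias "$alias" \
        -noprompt
    rc=$?
    rm -f "$p12"
    return $rc
}

# Constructed sample of `keytool -list` output (no real keystore involved),
# showing the two entry types side by side.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

client-cert, Feb 23, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:DD
svc-client, Feb 23, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): EE:FF:00:11'

# Demonstration on the constructed listing. Against a real keystore use
#   check_alias client-cert /opt/encompass/keystore/keystore.jks xxxx
# and, to (re)install a key pair so the alias becomes a PrivateKeyEntry,
#   import_key_pair cert.pem key.pem keystore.jks client-cert xxxx
for a in client-cert svc-client; do
    printf '%s: %s\n' "$a" \
        "$(printf '%s\n' "$SAMPLE_LISTING" | keystore_entry_type "$a")"
done
```

If `check_alias` reports `trustedCertEntry` for an alias that is supposed to authenticate the application to a remote service, the keystore holds only the certificate and the TLS client handshake will have no key to sign with; that is exactly the mismatch the check is meant to surface before the app is restarted.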