Jason,

On 6/28/22 20:41, Jason Tan wrote:
Looks good, Chris. I'll give it a try when I need to generate some
keys and certs next. SSL key and cert concepts sound logical and
easy, but generating them is such a pain. No GUI tool to consolidate
and perform the lot for self-signed. I started using Keystore
Explorer to examine the generated certs and keystore to understand it
better.

Does KSE not handle self-signed certs? By default, Java's keytool produces self-signed certs, and Keystore Explorer [1] was written to work primarily with Java keystores (I think).

It doesn't help that different apps and different app
versions may have different security requirements, which means old
keys and certs no longer work in the newer version, or work for one
app but not a different app.

Every product should work with PKCS12 files. Forget JKS and JCEKS. KSE should be able to export to PEM, which is IMO the easiest possible file format to work with. Every product should work with X.509 certs, but some may have different requirements for what they will accept in terms of bit-strength-levels and stuff like that. For example, minting a 512-bit RSA key is not acceptable these days, but it's possible to do.

I think you just need to become more familiar with "industry standard" acceptable practices if you are going to be responsible for generating your own keys and certs.

My tool tries to make it difficult for you to create garbage. For example, it doesn't allow you to create an RSA key with less than 3072 bits, or an EC key with less than 128 bits. It encourages you to use 4096 / 256 (but should include 384, honestly) because those are fairly forward-looking bit-strengths.

-chris

[1] https://keystore-explorer.org/

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Wednesday, 29 June 2022 2:44 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: JS fiddle for generating TLS keys and certs

All,

I recently built this into an application at $work and I figured I would give 
it away for anyone who might get some use out of it.

https://jsfiddle.net/ny1egwaz/

It doesn't actually generate a key + cert – nor should you ever trust another 
site to generate your keys for you! Instead, it gives you copy/paste commands 
that you can use to generate those keys + certs on your own computer, and spits 
them out on standard output so you can install them wherever you need them.

Suggestions welcome.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
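An added example, written for this page and not the output of Chris's jsfiddle or anything KSE does: the same kind of local openssl commands the fiddle hands you, wrapped so that key sizes below the thresholds Chris names (RSA under 3072 bits, EC under 128 bits, with 4096 / 256 as the encouraged defaults) are refused before anything is minted, and with the result exported both as PEM and as a PKCS12 bundle, the two formats he recommends. It assumes an openssl 1.1.1 or later CLI on PATH (for `-addext`); the mapping from an EC "bit" size to a named curve is this example's own choice.

```shell
#!/bin/sh
# Added example (not the jsfiddle's output, not KSE): mint a TLS key and
# self-signed X.509 cert locally with the openssl CLI, refusing sizes below
# the thresholds stated above (RSA >= 3072, EC >= 128 bits; 4096 / 256 are
# the encouraged defaults), then bundle them as PKCS12 and keep the PEMs.
# Assumptions: openssl 1.1.1 or later on PATH (for -addext); the EC "bits"
# to named-curve mapping below is this example's own choice.

# check_key_policy TYPE BITS -> 0 if the size is acceptable, 1 otherwise
check_key_policy() {
    ktype="$1"; bits="$2"
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac   # non-numeric size
    case "$ktype" in
        rsa) [ "$bits" -ge 3072 ] ;;
        ec)  [ "$bits" -ge 128 ] ;;
        *)   return 1 ;;                             # no DSA, nothing unknown
    esac
}

# ec_curve BITS -> NIST curve for the requested strength (assumed mapping)
ec_curve() {
    case "$1" in
        521) echo secp521r1 ;;
        384) echo secp384r1 ;;
        *)   echo prime256v1 ;;   # anything from 128 up to 256 gets P-256
    esac
}

# key_bits KEYFILE -> bit length openssl reports, to audit keys you already have
key_bits() {
    openssl pkey -in "$1" -noout -text | grep -o '([0-9]* bit' | head -n 1 | tr -dc '0-9'
}

# gen_keypair TYPE BITS OUTDIR HOSTNAME -> key.pem, cert.pem, bundle.p12 in OUTDIR
gen_keypair() {
    ktype="$1"; bits="$2"; out="$3"; host="$4"
    check_key_policy "$ktype" "$bits" || {
        echo "refusing to create a weak $ktype key ($bits bits)" >&2
        return 1
    }
    mkdir -p "$out"
    if [ "$ktype" = rsa ]; then
        openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" -out "$out/key.pem"
    else
        openssl genpkey -algorithm EC -pkeyopt "ec_paramgen_curve:$(ec_curve "$bits")" \
            -pkeyopt ec_param_enc:named_curve -out "$out/key.pem"
    fi
    # Self-signed cert with a SAN: modern clients ignore the CN on its own.
    openssl req -new -x509 -key "$out/key.pem" -days 365 -sha256 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" -out "$out/cert.pem"
    # PKCS12 for Tomcat/Java; the password goes through the environment, not argv.
    KS_PASS="${KS_PASS:-changeit}" openssl pkcs12 -export -name tomcat \
        -inkey "$out/key.pem" -in "$out/cert.pem" -passout env:KS_PASS -out "$out/bundle.p12"
}

# Demo run (skipped when openssl is absent; the policy check needs no openssl).
if command -v openssl >/dev/null 2>&1; then
    dir="${TMPDIR:-/tmp}/tls-demo.$$"
    gen_keypair rsa 4096 "$dir/rsa" localhost
    gen_keypair ec 256 "$dir/ec" localhost
    echo "RSA: $(key_bits "$dir/rsa/key.pem") bits, EC: $(key_bits "$dir/ec/key.pem") bits -> $dir"
    gen_keypair rsa 2048 "$dir/weak" localhost || echo "2048-bit RSA rejected by policy"
fi
```

Point a Tomcat connector at the result with either the PKCS12 file (`certificateKeystoreFile` / `certificateKeystorePassword` / `certificateKeystoreType="PKCS12"` on the `<Certificate>` element) or the two PEMs (`certificateKeyFile` / `certificateFile`). One caveat worth knowing: OpenSSL 3 writes PKCS12 with AES-256-CBC and PBKDF2 by default, which JDKs older than the 8u301 / 11.0.12 PKCS12 update cannot open; on those, add `-legacy` to the `pkcs12 -export` command.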