how to install ssl on tomcat 7? The 2019 Stack Overflow Developer Survey Results Are In ...
Would an alien lifeform be able to achieve space travel if lacking in vision?
Could an empire control the whole planet with today's comunication methods?
US Healthcare consultation for visitors
Are spiders unable to hurt humans, especially very small spiders?
One-dimensional Japanese puzzle
Is an up-to-date browser secure on an out-of-date OS?
Word for: a synonym with a positive connotation?
What was the last x86 CPU that did not have the x87 floating-point unit built in?
How do I design a circuit to convert a 100 mV and 50 Hz sine wave to a square wave?
how can a perfect fourth interval be considered either consonant or dissonant?
How do you keep chess fun when your opponent constantly beats you?
What can I do if neighbor is blocking my solar panels intentionally?
Homework question about an engine pulling a train
What information about me do stores get via my credit card?
Mortgage adviser recommends a longer term than necessary combined with overpayments
How did passengers keep warm on sail ships?
Is it ok to offer lower paid work as a trial period before negotiating for a full-time job?
How to determine omitted units in a publication
Deal with toxic manager when you can't quit
Is it ethical to upload a automatically generated paper to a non peer-reviewed site as part of a larger research?
Student Loan from years ago pops up and is taking my salary
Loose spokes after only a few rides
Working through the single responsibility principle (SRP) in Python when calls are expensive
My body leaves; my core can stay
how to install ssl on tomcat 7?
The 2019 Stack Overflow Developer Survey Results Are In
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)
Come Celebrate our 10 Year Anniversary!Tomcat - Exporting Private Key?Import private key and certificate into Tomcat?Issue replacing SSL certificate with renewed one on Tomcat 6.0 (using keytool)Activating ssl on tomcatInstalling SSL Thawte Certificates for tomcat from pre-generated Private KeyCan I use openssl to generate key/cert for tomcat?How to install/update/upgrade SSL certificate in Tomcatsign keytool generated cert/key pairs using easy-rsa openvpn intermediate CAP7b file and cer file do I need them bothKeystore + CSR created on dev system does not work on remote (AWS) Tomcat
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}
I know this question might sound too easy and I should had read all docs available on internet, the true is that I did, and I had no luck, its kinda confusing for me, I have installed many times this thing but for Apache, never for Tomcat.
I want to install a certificate from GoDaddy, so, I followed this instructions
http://support.godaddy.com/help/article/5239/generating-a-csr-and-installing-an-ssl-certificate-in-tomcat-4x5x6x
I created my keyfile like this
keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore tomcat.keystore
I changed tomcat for mydomain.com .. is it wrong?
I created the keystore, later the csr, after that the problem comes, I add to server.xml on the config folder
<Connector port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="path to your keystore file" keystorePass="changeit" clientAuth="false" sslProtocol="TLS"/>
Later I imported the certs
keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file valicert_class2_root.crt
and I did, but I dont have a gd_intermediate.crt and the last step is
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file <name of your certificate>
reading in other blogs I saw they import here the crt , but tomcat is the user I have to leave? or its for example only??
In the docs of tomcat I found this
(http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html)
Download a Chain Certificate from the Certificate Authority you
obtained the Certificate keytool -import -alias root -keystore
-trustcacerts -file
And finally import your new Certificate
keytool -import -alias tomcat -keystore <your_keystore_filename>
-file <your_certificate_filename>
but I have no idea what is a "chain certificate" ... can somebody help me? I am really confused and lost. I am using Tomcat7
Thanks.
ssl tomcat tomcat7 keytool
edited Aug 23 '13 at 9:59
Valerio Minetti
32326
asked Feb 27 '13 at 18:11
user156355user156355
59129
bumped to the homepage by Community♦ 7 mins ago
This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
add a comment |
I know this question might sound too easy and I should had read all docs available on internet, the true is that I did, and I had no luck, its kinda confusing for me, I have installed many times this thing but for Apache, never for Tomcat.
I want to install a certificate from GoDaddy, so, I followed this instructions
http://support.godaddy.com/help/article/5239/generating-a-csr-and-installing-an-ssl-certificate-in-tomcat-4x5x6x
I created my keyfile like this
keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore tomcat.keystore
I changed tomcat for mydomain.com .. is it wrong?
I created the keystore, later the csr, after that the problem comes, I add to server.xml on the config folder
<Connector port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="path to your keystore file" keystorePass="changeit" clientAuth="false" sslProtocol="TLS"/>
Later I imported the certs
keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file valicert_class2_root.crt
and I did, but I dont have a gd_intermediate.crt and the last step is
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file <name of your certificate>
reading in other blogs I saw they import here the crt , but tomcat is the user I have to leave? or its for example only??
In the docs of tomcat I found this
(http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html)
Download a Chain Certificate from the Certificate Authority you
obtained the Certificate keytool -import -alias root -keystore
-trustcacerts -file
And finally import your new Certificate
keytool -import -alias tomcat -keystore <your_keystore_filename>
-file <your_certificate_filename>
but I have no idea what is a "chain certificate" ... can somebody help me? I am really confused and lost. I am using Tomcat7
Thanks.
ssl tomcat tomcat7 keytool
edited Aug 23 '13 at 9:59
Valerio Minetti
32326
asked Feb 27 '13 at 18:11
user156355user156355
59129
bumped to the homepage by Community♦ 7 mins ago
This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
I know this is more like a workaround, but as you have experience with setting up SSL on Apache, you could consider serving your Tomcat webapp through Apache (as a reverse proxy), and Apache should be able to encrypt at that level.
– Psymøn
Sep 8 '18 at 1:48
add a comment |
I know this question might sound too easy and I should had read all docs available on internet, the true is that I did, and I had no luck, its kinda confusing for me, I have installed many times this thing but for Apache, never for Tomcat.
I want to install a certificate from GoDaddy, so, I followed this instructions
http://support.godaddy.com/help/article/5239/generating-a-csr-and-installing-an-ssl-certificate-in-tomcat-4x5x6x
I created my keyfile like this
keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore tomcat.keystore
I changed tomcat for mydomain.com .. is it wrong?
I created the keystore, later the csr, after that the problem comes, I add to server.xml on the config folder
<Connector port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="path to your keystore file" keystorePass="changeit" clientAuth="false" sslProtocol="TLS"/>
Later I imported the certs
keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file valicert_class2_root.crt
and I did, but I dont have a gd_intermediate.crt and the last step is
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file <name of your certificate>
reading in other blogs I saw they import here the crt , but tomcat is the user I have to leave? or its for example only??
In the docs of tomcat I found this
(http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html)
Download a Chain Certificate from the Certificate Authority you
obtained the Certificate keytool -import -alias root -keystore
-trustcacerts -file
And finally import your new Certificate
keytool -import -alias tomcat -keystore <your_keystore_filename>
-file <your_certificate_filename>
but I have no idea what is a "chain certificate" ... can somebody help me? I am really confused and lost. I am using Tomcat7
Thanks.
ssl tomcat tomcat7 keytool
edited Aug 23 '13 at 9:59
Valerio Minetti
32326
asked Feb 27 '13 at 18:11
user156355user156355
59129
I know this question might sound too easy and I should had read all docs available on internet, the true is that I did, and I had no luck, its kinda confusing for me, I have installed many times this thing but for Apache, never for Tomcat.
I want to install a certificate from GoDaddy, so, I followed this instructions
http://support.godaddy.com/help/article/5239/generating-a-csr-and-installing-an-ssl-certificate-in-tomcat-4x5x6x
I created my keyfile like this
keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore tomcat.keystore
I changed tomcat for mydomain.com .. is it wrong?
I created the keystore, later the csr, after that the problem comes, I add to server.xml on the config folder
<Connector port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="path to your keystore file" keystorePass="changeit" clientAuth="false" sslProtocol="TLS"/>
Later I imported the certs
keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file valicert_class2_root.crt
and I did, but I dont have a gd_intermediate.crt and the last step is
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file <name of your certificate>
reading in other blogs I saw they import here the crt , but tomcat is the user I have to leave? or its for example only??
In the docs of tomcat I found this
(http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html)
Download a Chain Certificate from the Certificate Authority you
obtained the Certificate keytool -import -alias root -keystore
-trustcacerts -file
And finally import your new Certificate
keytool -import -alias tomcat -keystore <your_keystore_filename>
-file <your_certificate_filename>
but I have no idea what is a "chain certificate" ... can somebody help me? I am really confused and lost. I am using Tomcat7
Thanks.
ssl tomcat tomcat7 keytool
ssl tomcat tomcat7 keytool
edited Aug 23 '13 at 9:59
Valerio Minetti
32326
asked Feb 27 '13 at 18:11
user156355user156355
59129
edited Aug 23 '13 at 9:59
Valerio Minetti
32326
asked Feb 27 '13 at 18:11
user156355user156355
59129
edited Aug 23 '13 at 9:59
Valerio Minetti
32326
edited Aug 23 '13 at 9:59
Valerio Minetti
32326
edited Aug 23 '13 at 9:59
Valerio Minetti
32326
32326
asked Feb 27 '13 at 18:11
user156355user156355
59129
asked Feb 27 '13 at 18:11
user156355user156355
59129
asked Feb 27 '13 at 18:11
user156355user156355
59129
59129
bumped to the homepage by Community♦ 7 mins ago
This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
bumped to the homepage by Community♦ 7 mins ago
This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
I know this is more like a workaround, but as you have experience with setting up SSL on Apache, you could consider serving your Tomcat webapp through Apache (as a reverse proxy), and Apache should be able to encrypt at that level.
– Psymøn
Sep 8 '18 at 1:48
add a comment |
I know this is more like a workaround, but as you have experience with setting up SSL on Apache, you could consider serving your Tomcat webapp through Apache (as a reverse proxy), and Apache should be able to encrypt at that level.
– Psymøn
Sep 8 '18 at 1:48
I know this is more like a workaround, but as you have experience with setting up SSL on Apache, you could consider serving your Tomcat webapp through Apache (as a reverse proxy), and Apache should be able to encrypt at that level.
– Psymøn
Sep 8 '18 at 1:48
I know this is more like a workaround, but as you have experience with setting up SSL on Apache, you could consider serving your Tomcat webapp through Apache (as a reverse proxy), and Apache should be able to encrypt at that level.
– Psymøn
Sep 8 '18 at 1:48
add a comment |
2 Answers
2
active
oldest
votes
I spend hours trying to figure this out and here are the fruits of my labor
Problem
You are unable to create a valid Tomcat Keystore using a GoDaddy crt and key file
Curl output may look like this:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Getting the Script
curl -O https://raw.github.com/ssstonebraker/braker-scripts/master/working-scripts/crt_to_keystore.sh
chmod +x crt_to_keystore.sh
Using the script
./crt_to_keystore.sh <path_to_crt> <path_to_key>
RAW Contents of Script
#!/bin/bash
# Filename: crt_to_keystore.sh
# Description: create tomcat keystore from cert and key
# Usage: "Usage: ./crt_to_keystore.sh <path_to_crt> <path_to_key>"
# Author: Steve Stonebraker
# pretty printing functions
function print_status { echo -e "x1B[01;34m[*]x1B[0m $1"; }
function print_good { echo -e "x1B[01;32m[*]x1B[0m $1"; }
function print_error { echo -e "x1B[01;31m[*]x1B[0m $1"; }
function print_notification { echo -e "x1B[01;33m[*]x1B[0m $1"; }
function printline { hr=-------------------------------------------------------------------------------------------------------------------------------
printf '%sn' "${hr:0:${COLUMNS:-$(tput cols)}}"
}
####################################
# print message and exit program
function die { print_error "$1" >&2;exit 1; }
####################################
# function that is called when the script exits
function finish {
[ -f $(dirname $0)/temp.p12 ] && shred -u $(dirname $0)/temp.p12;
}
#whenver the script exits call the function "finish"
trap finish EXIT
#######################################
# if file exists remove it
function move_file_if_exist {
[ -e $1 ] && mv $1 $1.old && print_status "moved file $1 to $1.old";
}
#######################################
# Verify user provided valid file
function file_must_exist {
[ ! -f $1 ] && die "$1 is not a valid file, please provide a valid file name! Exiting....";
print_status "$1 is a valid file"
}
#######################################
# Verify user provided two arguments
# Verify user provided two arguments
[ $# -ne 2 ] && die "Usage: ./crt_to_keystore.sh <path_to_crt> <path_to_key>";
# Assign user's provided input to variables
crt=$1
key=$2
#read -p "Provide password to export .crt and .key: " key_pw
read -p "Provide password for new keystore: " pw
# Define some Variables
readonly ourPath="$(dirname $0)"
readonly gdbundle="$ourPath/gd_bundle.crt"
readonly keystore="$ourPath/tomcat.keystore"
readonly p12="$ourPath/temp.p12"
readonly KEYTOOL=$(which keytool)
readonly OPENSSL=$(which openssl)
#######################################
# Functions used by main execution
function gd_check_cert {
# Verify gd_bundle.crt exists
[ ! -f "$1" ] && print_error "$1 not found! Downloading..." && wget https://certs.godaddy.com/repository/$1;
[ ! -f "$1" ] && die "$1 must exist in current path! Exiting....";
[ -f "$1" ] && print_status "found $1 in current path"
}
function verify_before_execution {
printline
#verify godaddy cert
gd_check_cert $gdbundle
#Check to make sure the user provided valid files
file_must_exist ${crt}
file_must_exist ${key}
move_file_if_exist ${keystore}
}
function import_godaddy_root {
print_status "Importing gd_bundle.crt to java key store..."
${KEYTOOL} -import
-alias root
-keystore ${keystore}
-trustcacerts
-file ${gdbundle}
-keypass ${pw}
-storepass ${pw} >/dev/null 2>/dev/null
[ ! $? -eq 0 ] && die "Error running command... Exiting!";
}
function export_to_p12 {
printline
print_status "Exporting your key and cert to pkcs12 format..."
${OPENSSL} pkcs12 -export -chain -CAfile gd_bundle.crt -inkey ${key} -in ${crt} -out ${p12} -password pass:${pw}
[ ! $? -eq 0 ] && die "Error running command... Exiting!";
}
function import_p12_file {
print_status "Importing p12 file to java key store..."
${KEYTOOL} -importkeystore
-srcalias 1
-destalias tomcat
-srckeystore ${p12}
-srcstoretype PKCS12
-srcstorepass ${pw}
-destkeystore ${keystore}
-keypass ${pw}
-storepass ${pw}
-dest‐storepass ${pw} >/dev/null 2>/dev/null
[ ! $? -eq 0 ] && die "Error running command... Exiting!";
}
function print_msg_after_creation {
printline
print_good "Keystore ${keystore} creation complete!"
printline
print_status "Don't forget to copy ${keystore} to /etc/tomcat7/tomcat.keystore and update server.xml"
printline
}
#######################################
# Main Execution
verify_before_execution
export_to_p12
import_godaddy_root
import_p12_file
print_msg_after_creation
Source: http://brakertech.com/convert-valid-godaddy-cert-key-to-java-keystore/
answered Oct 24 '13 at 19:30
brakertechbrakertech
225411
add a comment |
I'll try to clarify a bit the signing procedure:
- Key generation: you create a private key
- CSR generation: with your private key you create a request to a Certification Autority that contains a cert to be signed
- CA signature: CA signs your certificate and send it back to you (it now has inside your fingerprint and ca one).
- cert import: import signed cert in keystore thus making it available to tomcat
- chain-cert import: import certs that defines the trust-chain
CA can delegate signing so in order to be sure that a signed cert is valid, clients should be able to check every CA identity. (i.e your cert is signed by ca.contoso and contoso uses verisign as cert authority; client will check then contoso and then verisign one, if all are OK your cert is considered valid)
edited Jun 3 '18 at 4:55
arieljannai
171118
answered Aug 23 '13 at 8:38
Valerio MinettiValerio Minetti
32326
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f483130%2fhow-to-install-ssl-on-tomcat-7%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
I spend hours trying to figure this out and here are the fruits of my labor
Problem
You are unable to create a valid Tomcat Keystore using a GoDaddy crt and key file
Curl output may look like this:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Getting the Script
curl -O https://raw.github.com/ssstonebraker/braker-scripts/master/working-scripts/crt_to_keystore.sh
chmod +x crt_to_keystore.sh
Using the script
./crt_to_keystore.sh <path_to_crt> <path_to_key>
RAW Contents of Script
#!/bin/bash
# Filename: crt_to_keystore.sh
# Description: create tomcat keystore from cert and key
# Usage: "Usage: ./crt_to_keystore.sh <path_to_crt> <path_to_key>"
# Author: Steve Stonebraker
# pretty printing functions
function print_status { echo -e "x1B[01;34m[*]x1B[0m $1"; }
function print_good { echo -e "x1B[01;32m[*]x1B[0m $1"; }
function print_error { echo -e "x1B[01;31m[*]x1B[0m $1"; }
function print_notification { echo -e "x1B[01;33m[*]x1B[0m $1"; }
function printline { hr=-------------------------------------------------------------------------------------------------------------------------------
printf '%sn' "${hr:0:${COLUMNS:-$(tput cols)}}"
}
####################################
# print message and exit program
function die { print_error "$1" >&2;exit 1; }
####################################
# function that is called when the script exits
function finish {
[ -f $(dirname $0)/temp.p12 ] && shred -u $(dirname $0)/temp.p12;
}
#whenver the script exits call the function "finish"
trap finish EXIT
#######################################
# if file exists remove it
function move_file_if_exist {
[ -e $1 ] && mv $1 $1.old && print_status "moved file $1 to $1.old";
}
#######################################
# Verify user provided valid file
function file_must_exist {
[ ! -f $1 ] && die "$1 is not a valid file, please provide a valid file name! Exiting....";
print_status "$1 is a valid file"
}
#######################################
# Verify user provided two arguments
# Verify user provided two arguments
[ $# -ne 2 ] && die "Usage: ./crt_to_keystore.sh <path_to_crt> <path_to_key>";
# Assign user's provided input to variables
crt=$1
key=$2
#read -p "Provide password to export .crt and .key: " key_pw
read -p "Provide password for new keystore: " pw
# Define some Variables
readonly ourPath="$(dirname $0)"
readonly gdbundle="$ourPath/gd_bundle.crt"
readonly keystore="$ourPath/tomcat.keystore"
readonly p12="$ourPath/temp.p12"
readonly KEYTOOL=$(which keytool)
readonly OPENSSL=$(which openssl)
#######################################
# Functions used by main execution
function gd_check_cert {
# Verify gd_bundle.crt exists
[ ! -f "$1" ] && print_error "$1 not found! Downloading..." && wget https://certs.godaddy.com/repository/$1;
[ ! -f "$1" ] && die "$1 must exist in current path! Exiting....";
[ -f "$1" ] && print_status "found $1 in current path"
}
function verify_before_execution {
printline
#verify godaddy cert
gd_check_cert $gdbundle
#Check to make sure the user provided valid files
file_must_exist ${crt}
file_must_exist ${key}
move_file_if_exist ${keystore}
}
function import_godaddy_root {
print_status "Importing gd_bundle.crt to java key store..."
${KEYTOOL} -import
-alias root
-keystore ${keystore}
-trustcacerts
-file ${gdbundle}
-keypass ${pw}
-storepass ${pw} >/dev/null 2>/dev/null
[ ! $? -eq 0 ] && die "Error running command... Exiting!";
}
function export_to_p12 {
printline
print_status "Exporting your key and cert to pkcs12 format..."
${OPENSSL} pkcs12 -export -chain -CAfile gd_bundle.crt -inkey ${key} -in ${crt} -out ${p12} -password pass:${pw}
[ ! $? -eq 0 ] && die "Error running command... Exiting!";
}
function import_p12_file {
print_status "Importing p12 file to java key store..."
${KEYTOOL} -importkeystore
-srcalias 1
-destalias tomcat
-srckeystore ${p12}
-srcstoretype PKCS12
-srcstorepass ${pw}
-destkeystore ${keystore}
-keypass ${pw}
-storepass ${pw}
-dest‐storepass ${pw} >/dev/null 2>/dev/null
[ ! $? -eq 0 ] && die "Error running command... Exiting!";
}
function print_msg_after_creation {
printline
print_good "Keystore ${keystore} creation complete!"
printline
print_status "Don't forget to copy ${keystore} to /etc/tomcat7/tomcat.keystore and update server.xml"
printline
}
#######################################
# Main Execution
verify_before_execution
export_to_p12
import_godaddy_root
import_p12_file
print_msg_after_creation
Source: http://brakertech.com/convert-valid-godaddy-cert-key-to-java-keystore/
answered Oct 24 '13 at 19:30
brakertechbrakertech
225411
add a comment |
I spend hours trying to figure this out and here are the fruits of my labor
Problem
You are unable to create a valid Tomcat Keystore using a GoDaddy crt and key file
Curl output may look like this:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Getting the Script
curl -O https://raw.github.com/ssstonebraker/braker-scripts/master/working-scripts/crt_to_keystore.sh
chmod +x crt_to_keystore.sh
Using the script
./crt_to_keystore.sh <path_to_crt> <path_to_key>
RAW Contents of Script
#!/bin/bash
# Filename: crt_to_keystore.sh
# Description: create tomcat keystore from cert and key
# Usage: "Usage: ./crt_to_keystore.sh <path_to_crt> <path_to_key>"
# Author: Steve Stonebraker
# pretty printing functions
function print_status { echo -e "x1B[01;34m[*]x1B[0m $1"; }
function print_good { echo -e "x1B[01;32m[*]x1B[0m $1"; }
function print_error { echo -e "x1B[01;31m[*]x1B[0m $1"; }
function print_notification { echo -e "x1B[01;33m[*]x1B[0m $1"; }
function printline { hr=-------------------------------------------------------------------------------------------------------------------------------
printf '%sn' "${hr:0:${COLUMNS:-$(tput cols)}}"
}
####################################
# print message and exit program
function die { print_error "$1" >&2;exit 1; }
####################################
# function that is called when the script exits
function finish {
[ -f $(dirname $0)/temp.p12 ] && shred -u $(dirname $0)/temp.p12;
}
#whenver the script exits call the function "finish"
trap finish EXIT
#######################################
# if file exists remove it
function move_file_if_exist {
[ -e $1 ] && mv $1 $1.old && print_status "moved file $1 to $1.old";
}
#######################################
# Verify user provided valid file
function file_must_exist {
[ ! -f $1 ] && die "$1 is not a valid file, please provide a valid file name! Exiting....";
print_status "$1 is a valid file"
}
#######################################
# Verify user provided two arguments
# Verify user provided two arguments
[ $# -ne 2 ] && die "Usage: ./crt_to_keystore.sh <path_to_crt> <path_to_key>";
# Assign user's provided input to variables
crt=$1
key=$2
#read -p "Provide password to export .crt and .key: " key_pw
read -p "Provide password for new keystore: " pw
# Define some Variables
readonly ourPath="$(dirname $0)"
readonly gdbundle="$ourPath/gd_bundle.crt"
readonly keystore="$ourPath/tomcat.keystore"
readonly p12="$ourPath/temp.p12"
readonly KEYTOOL=$(which keytool)
readonly OPENSSL=$(which openssl)
#######################################
# Functions used by main execution
function gd_check_cert {
# Verify gd_bundle.crt exists
[ ! -f "$1" ] && print_error "$1 not found! Downloading..." && wget https://certs.godaddy.com/repository/$1;
[ ! -f "$1" ] && die "$1 must exist in current path! Exiting....";
[ -f "$1" ] && print_status "found $1 in current path"
}
function verify_before_execution {
printline
#verify godaddy cert
gd_check_cert $gdbundle
#Check to make sure the user provided valid files
file_must_exist ${crt}
file_must_exist ${key}
move_file_if_exist ${keystore}
}
function import_godaddy_root {
print_status "Importing gd_bundle.crt to java key store..."
${KEYTOOL} -import
-alias root
-keystore ${keystore}
-trustcacerts
-file ${gdbundle}
-keypass ${pw}
-storepass ${pw} >/dev/null 2>/dev/null
[ ! $? -eq 0 ] && die "Error running command... Exiting!";
}
function export_to_p12 {
printline
print_status "Exporting your key and cert to pkcs12 format..."
${OPENSSL} pkcs12 -export -chain -CAfile gd_bundle.crt -inkey ${key} -in ${crt} -out ${p12} -password pass:${pw}
[ ! $? -eq 0 ] && die "Error running command... Exiting!";
}
function import_p12_file {
print_status "Importing p12 file to java key store..."
${KEYTOOL} -importkeystore
-srcalias 1
-destalias tomcat
-srckeystore ${p12}
-srcstoretype PKCS12
-srcstorepass ${pw}
-destkeystore ${keystore}
-keypass ${pw}
-storepass ${pw}
-dest‐storepass ${pw} >/dev/null 2>/dev/null
[ ! $? -eq 0 ] && die "Error running command... Exiting!";
}
function print_msg_after_creation {
printline
print_good "Keystore ${keystore} creation complete!"
printline
print_status "Don't forget to copy ${keystore} to /etc/tomcat7/tomcat.keystore and update server.xml"
printline
}
#######################################
# Main Execution
verify_before_execution
export_to_p12
import_godaddy_root
import_p12_file
print_msg_after_creation
Source: http://brakertech.com/convert-valid-godaddy-cert-key-to-java-keystore/
answered Oct 24 '13 at 19:30
brakertechbrakertech
225411
add a comment |
I spend hours trying to figure this out and here are the fruits of my labor
Problem
You are unable to create a valid Tomcat Keystore using a GoDaddy crt and key file
Curl output may look like this:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Getting the Script
curl -O https://raw.github.com/ssstonebraker/braker-scripts/master/working-scripts/crt_to_keystore.sh
chmod +x crt_to_keystore.sh
Using the script
./crt_to_keystore.sh <path_to_crt> <path_to_key>
RAW Contents of Script
#!/bin/bash
# Filename: crt_to_keystore.sh
# Description: create tomcat keystore from cert and key
# Usage: "Usage: ./crt_to_keystore.sh <path_to_crt> <path_to_key>"
# Author: Steve Stonebraker
# pretty printing functions
function print_status { echo -e "x1B[01;34m[*]x1B[0m $1"; }
function print_good { echo -e "x1B[01;32m[*]x1B[0m $1"; }
function print_error { echo -e "x1B[01;31m[*]x1B[0m $1"; }
function print_notification { echo -e "x1B[01;33m[*]x1B[0m $1"; }
function printline { hr=-------------------------------------------------------------------------------------------------------------------------------
printf '%sn' "${hr:0:${COLUMNS:-$(tput cols)}}"
}
####################################
# print message and exit program
function die { print_error "$1" >&2;exit 1; }
####################################
# function that is called when the script exits
function finish {
[ -f $(dirname $0)/temp.p12 ] && shred -u $(dirname $0)/temp.p12;
}
#whenver the script exits call the function "finish"
trap finish EXIT
#######################################
# if file exists remove it
function move_file_if_exist {
[ -e $1 ] && mv $1 $1.old && print_status "moved file $1 to $1.old";
}
#######################################
# Verify user provided valid file
function file_must_exist {
[ ! -f $1 ] && die "$1 is not a valid file, please provide a valid file name! Exiting....";
print_status "$1 is a valid file"
}
#######################################
# Verify user provided two arguments
# Verify user provided two arguments
[ $# -ne 2 ] && die "Usage: ./crt_to_keystore.sh <path_to_crt> <path_to_key>";
# Assign user's provided input to variables
crt=$1
key=$2
#read -p "Provide password to export .crt and .key: " key_pw
read -p "Provide password for new keystore: " pw
# Define some Variables
readonly ourPath="$(dirname $0)"
readonly gdbundle="$ourPath/gd_bundle.crt"
readonly keystore="$ourPath/tomcat.keystore"
readonly p12="$ourPath/temp.p12"
readonly KEYTOOL=$(which keytool)
readonly OPENSSL=$(which openssl)
#######################################
# Functions used by main execution
function gd_check_cert {
# Verify gd_bundle.crt exists
[ ! -f "$1" ] && print_error "$1 not found! Downloading..." && wget https://certs.godaddy.com/repository/$1;
[ ! -f "$1" ] && die "$1 must exist in current path! Exiting....";
[ -f "$1" ] && print_status "found $1 in current path"
}
function verify_before_execution {
printline
#verify godaddy cert
gd_check_cert $gdbundle
#Check to make sure the user provided valid files
file_must_exist ${crt}
file_must_exist ${key}
move_file_if_exist ${keystore}
}
function import_godaddy_root {
print_status "Importing gd_bundle.crt to java key store..."
${KEYTOOL} -import
-alias root
-keystore ${keystore}
-trustcacerts
-file ${gdbundle}
-keypass ${pw}
-storepass ${pw} >/dev/null 2>/dev/null
[ ! $? -eq 0 ] && die "Error running command... Exiting!";
}
function export_to_p12 {
printline
print_status "Exporting your key and cert to pkcs12 format..."
${OPENSSL} pkcs12 -export -chain -CAfile gd_bundle.crt -inkey ${key} -in ${crt} -out ${p12} -password pass:${pw}
[ ! $? -eq 0 ] && die "Error running command... Exiting!";
}
function import_p12_file {
print_status "Importing p12 file to java key store..."
${KEYTOOL} -importkeystore
-srcalias 1
-destalias tomcat
-srckeystore ${p12}
-srcstoretype PKCS12
-srcstorepass ${pw}
-destkeystore ${keystore}
-keypass ${pw}
-storepass ${pw}
-dest‐storepass ${pw} >/dev/null 2>/dev/null
[ ! $? -eq 0 ] && die "Error running command... Exiting!";
}
function print_msg_after_creation {
printline
print_good "Keystore ${keystore} creation complete!"
printline
print_status "Don't forget to copy ${keystore} to /etc/tomcat7/tomcat.keystore and update server.xml"
printline
}
#######################################
# Main Execution
verify_before_execution
export_to_p12
import_godaddy_root
import_p12_file
print_msg_after_creation
Source: http://brakertech.com/convert-valid-godaddy-cert-key-to-java-keystore/
answered Oct 24 '13 at 19:30
brakertechbrakertech
225411
I spend hours trying to figure this out and here are the fruits of my labor
Problem
You are unable to create a valid Tomcat Keystore using a GoDaddy crt and key file
Curl output may look like this:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Getting the Script
curl -O https://raw.github.com/ssstonebraker/braker-scripts/master/working-scripts/crt_to_keystore.sh
chmod +x crt_to_keystore.sh
Using the script
./crt_to_keystore.sh <path_to_crt> <path_to_key>
RAW Contents of Script
#!/bin/bash
# Filename: crt_to_keystore.sh
# Description: create tomcat keystore from cert and key
# Usage: "Usage: ./crt_to_keystore.sh <path_to_crt> <path_to_key>"
# Author: Steve Stonebraker
# pretty printing functions
function print_status { echo -e "x1B[01;34m[*]x1B[0m $1"; }
function print_good { echo -e "x1B[01;32m[*]x1B[0m $1"; }
function print_error { echo -e "x1B[01;31m[*]x1B[0m $1"; }
function print_notification { echo -e "x1B[01;33m[*]x1B[0m $1"; }
function printline { hr=-------------------------------------------------------------------------------------------------------------------------------
printf '%sn' "${hr:0:${COLUMNS:-$(tput cols)}}"
}
####################################
# print message and exit program
function die { print_error "$1" >&2;exit 1; }
####################################
# function that is called when the script exits
function finish {
[ -f $(dirname $0)/temp.p12 ] && shred -u $(dirname $0)/temp.p12;
}
#whenver the script exits call the function "finish"
trap finish EXIT
#######################################
# if file exists remove it
function move_file_if_exist {
[ -e $1 ] && mv $1 $1.old && print_status "moved file $1 to $1.old";
}
#######################################
# Verify user provided valid file
function file_must_exist {
[ ! -f $1 ] && die "$1 is not a valid file, please provide a valid file name! Exiting....";
print_status "$1 is a valid file"
}
#######################################
# Verify user provided two arguments
# Verify user provided two arguments
[ $# -ne 2 ] && die "Usage: ./crt_to_keystore.sh <path_to_crt> <path_to_key>";
# Assign user's provided input to variables
crt=$1
key=$2
#read -p "Provide password to export .crt and .key: " key_pw
read -p "Provide password for new keystore: " pw
# Define some Variables
readonly ourPath="$(dirname $0)"
readonly gdbundle="$ourPath/gd_bundle.crt"
readonly keystore="$ourPath/tomcat.keystore"
readonly p12="$ourPath/temp.p12"
readonly KEYTOOL=$(which keytool)
readonly OPENSSL=$(which openssl)
#######################################
# Functions used by main execution
function gd_check_cert {
# Verify gd_bundle.crt exists
[ ! -f "$1" ] && print_error "$1 not found! Downloading..." && wget https://certs.godaddy.com/repository/$1;
[ ! -f "$1" ] && die "$1 must exist in current path! Exiting....";
[ -f "$1" ] && print_status "found $1 in current path"
}
function verify_before_execution {
printline
#verify godaddy cert
gd_check_cert $gdbundle
#Check to make sure the user provided valid files
file_must_exist ${crt}
file_must_exist ${key}
move_file_if_exist ${keystore}
}
function import_godaddy_root {
print_status "Importing gd_bundle.crt to java key store..."
${KEYTOOL} -import
-alias root
-keystore ${keystore}
-trustcacerts
-file ${gdbundle}
-keypass ${pw}
-storepass ${pw} >/dev/null 2>/dev/null
[ ! $? -eq 0 ] && die "Error running command... Exiting!";
}
function export_to_p12 {
printline
print_status "Exporting your key and cert to pkcs12 format..."
${OPENSSL} pkcs12 -export -chain -CAfile gd_bundle.crt -inkey ${key} -in ${crt} -out ${p12} -password pass:${pw}
[ ! $? -eq 0 ] && die "Error running command... Exiting!";
}
function import_p12_file {
print_status "Importing p12 file to java key store..."
${KEYTOOL} -importkeystore
-srcalias 1
-destalias tomcat
-srckeystore ${p12}
-srcstoretype PKCS12
-srcstorepass ${pw}
-destkeystore ${keystore}
-keypass ${pw}
-storepass ${pw}
-dest‐storepass ${pw} >/dev/null 2>/dev/null
[ ! $? -eq 0 ] && die "Error running command... Exiting!";
}
function print_msg_after_creation {
printline
print_good "Keystore ${keystore} creation complete!"
printline
print_status "Don't forget to copy ${keystore} to /etc/tomcat7/tomcat.keystore and update server.xml"
printline
}
#######################################
# Main Execution
verify_before_execution
export_to_p12
import_godaddy_root
import_p12_file
print_msg_after_creation
Source: http://brakertech.com/convert-valid-godaddy-cert-key-to-java-keystore/
answered Oct 24 '13 at 19:30
brakertechbrakertech
225411
answered Oct 24 '13 at 19:30
brakertechbrakertech
225411
answered Oct 24 '13 at 19:30
brakertechbrakertech
225411
answered Oct 24 '13 at 19:30
brakertechbrakertech
225411
225411
add a comment |
add a comment |
I'll try to clarify a bit the signing procedure:
- Key generation: you create a private key
- CSR generation: with your private key you create a request to a Certification Autority that contains a cert to be signed
- CA signature: CA signs your certificate and send it back to you (it now has inside your fingerprint and ca one).
- cert import: import signed cert in keystore thus making it available to tomcat
- chain-cert import: import certs that defines the trust-chain
CA can delegate signing so in order to be sure that a signed cert is valid, clients should be able to check every CA identity. (i.e your cert is signed by ca.contoso and contoso uses verisign as cert authority; client will check then contoso and then verisign one, if all are OK your cert is considered valid)
edited Jun 3 '18 at 4:55
arieljannai
171118
answered Aug 23 '13 at 8:38
Valerio MinettiValerio Minetti
32326
add a comment |
I'll try to clarify a bit the signing procedure:
- Key generation: you create a private key
- CSR generation: with your private key you create a request to a Certification Autority that contains a cert to be signed
- CA signature: CA signs your certificate and send it back to you (it now has inside your fingerprint and ca one).
- cert import: import signed cert in keystore thus making it available to tomcat
- chain-cert import: import certs that defines the trust-chain
CA can delegate signing so in order to be sure that a signed cert is valid, clients should be able to check every CA identity. (i.e your cert is signed by ca.contoso and contoso uses verisign as cert authority; client will check then contoso and then verisign one, if all are OK your cert is considered valid)
edited Jun 3 '18 at 4:55
arieljannai
171118
answered Aug 23 '13 at 8:38
Valerio MinettiValerio Minetti
32326
add a comment |
I'll try to clarify a bit the signing procedure:
- Key generation: you create a private key
- CSR generation: with your private key you create a request to a Certification Autority that contains a cert to be signed
- CA signature: CA signs your certificate and send it back to you (it now has inside your fingerprint and ca one).
- cert import: import signed cert in keystore thus making it available to tomcat
- chain-cert import: import certs that defines the trust-chain
CA can delegate signing so in order to be sure that a signed cert is valid, clients should be able to check every CA identity. (i.e your cert is signed by ca.contoso and contoso uses verisign as cert authority; client will check then contoso and then verisign one, if all are OK your cert is considered valid)
edited Jun 3 '18 at 4:55
arieljannai
171118
answered Aug 23 '13 at 8:38
Valerio MinettiValerio Minetti
32326
I'll try to clarify a bit the signing procedure:
- Key generation: you create a private key
- CSR generation: with your private key you create a request to a Certification Autority that contains a cert to be signed
- CA signature: CA signs your certificate and send it back to you (it now has inside your fingerprint and ca one).
- cert import: import signed cert in keystore thus making it available to tomcat
- chain-cert import: import certs that defines the trust-chain
CA can delegate signing so in order to be sure that a signed cert is valid, clients should be able to check every CA identity. (i.e your cert is signed by ca.contoso and contoso uses verisign as cert authority; client will check then contoso and then verisign one, if all are OK your cert is considered valid)
edited Jun 3 '18 at 4:55
arieljannai
171118
answered Aug 23 '13 at 8:38
Valerio MinettiValerio Minetti
32326
edited Jun 3 '18 at 4:55
arieljannai
171118
edited Jun 3 '18 at 4:55
arieljannai
171118
edited Jun 3 '18 at 4:55
arieljannai
171118
171118
answered Aug 23 '13 at 8:38
Valerio MinettiValerio Minetti
32326
answered Aug 23 '13 at 8:38
Valerio MinettiValerio Minetti
32326
answered Aug 23 '13 at 8:38
Valerio MinettiValerio Minetti
32326
32326
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f483130%2fhow-to-install-ssl-on-tomcat-7%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
I know this is more like a workaround, but as you have experience with setting up SSL on Apache, you could consider serving your Tomcat webapp through Apache (as a reverse proxy), and Apache should be able to encrypt at that level.
– Psymøn
Sep 8 '18 at 1:48