Loading whole cert chain into keystore for Tomcat 7
Environment: Tomcat 7.0 on Windows 2008 R2
What to accomplish
Get Tomcat 7.0 to use a specific wildcard certificate with accompanying cert chain so customers' browsers do not throw errors.
The provided certificate is a wildcard cert. This is non-negotiable and irrelevant to getting the certificate installed.
My problem is that I cannot get Tomcat to use the chain (root certificates) in addition to the main cert.
What I've tried
At first it took me forever to get the certificate working with the provided key pair. References 2 and 3 showed me these steps to import a provided key pair as a "PrivateKeyEntry", which Tomcat likes better:
# on a CentOS server cuz easier than getting a windows tool for it
openssl pkcs12 -export -in wildcard-customer-2016.crt -inkey wildcard-customer-2016.key -out wildcard-customer-2016.p12 -name wildcard -CAfile rapidssl.crt -caname root
# back on windows
"C:\Program Files\Java\jre7\bin\keytool" -importkeystore -deststorepass tomcat -destkeystore c:\.keystore -srckeystore c:\certificate\wildcard-customer-2016\wildcard-customer-2016.p12 -srcstoretype PKCS12 -alias wildcard
But I don't know how to add the root certificate so that it uses that as well. You can see the command I used to build the .p12 file included a CAfile command. The importkeystore command, when run with "-trustcacerts", didn't add the root certs, although it did work with the *.customer.com cert.
Possible alternatives
Somebody explain how to configure my server.xml for using APR properly. Pretend I don't know where the files from the zip file go. (Reference 4)
References
- https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
- https://stackoverflow.com/questions/906402/importing-an-existing-x509-certificate-and-private-key-in-java-keystore-to-use-i
- http://cunning.sharp.fm/2008/06/importing_private_keys_into_a.html
- Create jks for tomcat using .key ,.ca and .cert file
tomcat ssl-certificate openssl keystore
asked Jan 6 '16 at 15:14 by bgStack15; edited May 23 '17 at 11:33 by Community♦
1 Answer
I use the following steps to accomplish this where
- HOSTNAME.key containing the unencrypted private key
- HOSTNAME.cer containing the public cert + CA chain.
The $HOSTNAME should be the FQDN of the host (important in steps 2 & 3 for the alias).
openssl pkcs12 -export -out $HOSTNAME.pfx -inkey $HOSTNAME.key -in $HOSTNAME.cer
Then using $HOSTNAME.pfx
keytool -importkeystore -srckeystore $HOSTNAME.pfx -srcstoretype pkcs12 -srcstorepass pazzword -destkeystore $HOSTNAME.jks -deststoretype JKS -deststorepass pazzword -srcalias 1 -destalias $HOSTNAME
Finally in Tomcat's server.xml
keystoreFile="/etc/tomcat7/security/$HOSTNAME.jks"
keystorePass="pazzword"
keyAlias="$HOSTNAME"
truststoreFile="/etc/tomcat7/security/mastercert.jks"
truststorePass="changeit"
The final part (truststore) is if you need Tomcat to trust an extra CA, so it may not be needed for your setup. So the keystore is where the server's cert is and the trust store is who the server will trust (in case you want to do mutual auth etc.).
answered Jan 6 '16 at 20:08 by TheFiddlerWins
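The export-then-import procedure in the question and the answer above, as an added POSIX shell example that is not part of either post: it builds a throwaway root/intermediate/leaf PKI with openssl, exports the leaf key once without and once with the intermediate and root bundled via -certfile, counts the certificates each .p12 really contains before keytool ever sees it, and checks that the leaf verifies through the bundled intermediate. Every file name, subject and the pazzword password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the question or the answer): export a PKCS12 that really
# carries the whole chain and count its certificates before any keytool import.
# Needs only the openssl CLI; all names, subjects and the password are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PASS=pazzword                     # constructed sample password

# Issue a cert: $1 = name, $2 = signer name or "self", $3 = subject, $4 = extension file
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    if [ "$2" = self ]; then
        openssl x509 -req -days 2 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
            -extfile "$4" -out "$WORK/$1.crt" 2>/dev/null
    else
        openssl x509 -req -days 2 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
            -CAcreateserial -extfile "$4" -out "$WORK/$1.crt" 2>/dev/null
    fi
}

# Constructed three-tier PKI: root CA -> intermediate CA -> wildcard leaf.
build_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.customer.example\n' > "$WORK/leaf.ext"
    issue root self "/CN=Demo Root CA" "$WORK/ca.ext"
    issue inter root "/CN=Demo Intermediate CA" "$WORK/ca.ext"
    issue leaf inter "/CN=*.customer.example" "$WORK/leaf.ext"
    cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/chain.pem"   # intermediates first, root last
}

# $1 = output .p12; $2 = "chain" bundles intermediate + root via -certfile, anything else = leaf only.
# -CAfile on its own adds nothing: it only names the trust store that -chain searches.
# OpenSSL 3 writes PBES2/AES by default; add -legacy if an old JRE's keytool cannot read the file.
export_p12() {
    extra=""
    [ "$2" = chain ] && extra="-certfile $WORK/chain.pem"
    openssl pkcs12 -export -name wildcard -in "$WORK/leaf.crt" -inkey "$WORK/leaf.key" \
        $extra -passout "pass:$PASS" -out "$1"
}

# Number of certificates the .p12 holds; keytool -list -v reports the same figure
# as "Certificate chain length" once the entry is imported.
count_p12_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Does the leaf validate up to the root through the intermediate it will be shipped with?
verify_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" "$WORK/leaf.crt" \
        >/dev/null 2>&1 && echo ok || echo FAIL
}

build_test_pki
export_p12 "$WORK/leaf-only.p12" none
export_p12 "$WORK/with-chain.p12" chain
echo "leaf-only.p12 certs:  $(count_p12_certs "$WORK/leaf-only.p12")"   # 1
echo "with-chain.p12 certs: $(count_p12_certs "$WORK/with-chain.p12")"  # 3
echo "chain verify: $(verify_chain)"                                    # ok
```

A .p12 that reports a single certificate imports as a PrivateKeyEntry with chain length 1, so Tomcat sends only the leaf and browsers that lack the intermediate fail exactly as the question describes.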