
List:       forgerock-opendj
Subject:    Re: [Opendj] Changing SSL Certs - Using a Chained Star Cert
From:       Cyril Grosjean <cgrosjean () janua ! fr>
Date:       2014-08-06 5:59:53
Message-ID: CAOuB_jv_rn_GcOhXAN2BKwS6Z2OBehxWRS35uRXxqXhG9qQgww () mail ! gmail ! com



You can create a PKCS#12 keystore using "openssl pkcs12 ...". OpenDJ can
use such a keystore type. Optionally, you can then convert that keystore to
a new one using the JKS type, thanks to "keytool -importkeystore".
Whatever keystore type you end up with, "keytool -importcert" is the
command used to import your CA certificate and/or chain.
On 6 Aug 2014 at 02:04, "Joel Krauska" <jkrauska@gmail.com> wrote:

> My OpenDJ server has been configured for self signed certificates.
>
> We have a star certificate for our domain.
> *.office.example.com
>
> I would like to use that certificate instead for TLS, etc.
>
> I read Chapter 24, and it seems I should be using the keystore named
> 'keystore'.
> (nice name collision there!)
>
> I can import the .crt, but I don't see any obvious way to import the key
> or a chained certificate.
>
> The 'apache' way to do something like this looks like this...
>
>   SSLCertificateFile       /etc/apache2/certs/star.office.example.com.crt
>   SSLCertificateKeyFile    /etc/apache2/certs/star.office.example.com.key
>   SSLCertificateChainFile  /etc/apache2/certs/DigiCertCA.crt
>
> Can someone point me to the proper invocation of keytool to possibly
> import the KeyFile and Chain File and 'enable' this collection of certs for
> TLS?
>
> Cheers,
>
>
> Joel
>
> _______________________________________________
> OpenDJ mailing list
> OpenDJ@forgerock.org
> https://lists.forgerock.org/mailman/listinfo/opendj
>
>
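The procedure Cyril describes (openssl pkcs12 to bundle key, leaf and chain, then keytool -importkeystore to convert to JKS), as an added example that is not part of this thread. It constructs a throwaway CA and wildcard leaf in place of the real DigiCertCA.crt and star.office.example.com.* files so it runs offline; the alias, the password "changeit" and the output file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: bundle an Apache-style key/cert/chain
# triple into a PKCS#12 keystore, optionally convert it to JKS, and verify the
# chain really is inside. File names, alias and the password "changeit" are
# demo assumptions; OpenDJ reads the real password from its keystore.pin file.
PASS=changeit
ALIAS=server-cert        # alias the OpenDJ key manager provider will point at

# Constructed throwaway CA + wildcard leaf so the script runs offline
# (stands in for the real DigiCertCA.crt and star.office.example.com.*).
make_demo_material() {   # $1 = work dir
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
      -keyout DigiCertCA.key -out DigiCertCA.crt 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=*.office.example.com" \
      -keyout star.office.example.com.key -out star.csr 2>/dev/null &&
    openssl x509 -req -days 1 -in star.csr -CA DigiCertCA.crt \
      -CAkey DigiCertCA.key -CAcreateserial \
      -out star.office.example.com.crt 2>/dev/null )
}

# Step 1: key + leaf + chain -> PKCS#12, a keystore type OpenDJ uses directly.
# -certfile is what carries the intermediate(s); without it clients see an
# incomplete chain. Older JDKs may need OpenSSL 3's -legacy flag here.
build_pkcs12() {         # $1 = work dir
  ( cd "$1" && openssl pkcs12 -export -name "$ALIAS" \
      -inkey star.office.example.com.key -in star.office.example.com.crt \
      -certfile DigiCertCA.crt -out keystore.p12 -passout "pass:$PASS" )
}

# Check: number of certificates in the bundle; leaf + CA = 2.
count_p12_certs() {      # $1 = path to .p12
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Step 2 (optional): convert to JKS with keytool -importkeystore.
convert_to_jks() {       # $1 = work dir
  ( cd "$1" && keytool -importkeystore -noprompt \
      -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass "$PASS" \
      -destkeystore keystore -deststoretype JKS -deststorepass "$PASS" \
      2>/dev/null )
}

# Check: the JKS private-key entry must carry the whole chain, not just the leaf.
jks_chain_length() {     # $1 = path to JKS
  keytool -list -v -keystore "$1" -storepass "$PASS" -alias "$ALIAS" 2>/dev/null \
    | sed -n 's/^Certificate chain length: *//p'
}
```

The chain-length check is the one to run before cutover: the symptom of a missing intermediate is clients refusing the handshake, not an error on the OpenDJ side.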





