
List:       tomcat-user
Subject:    Re: SSL Certificates and Tomcat 8.5.11
From:       Christopher Schultz <chris () christopherschultz ! net>
Date:       2018-05-17 20:28:22
Message-ID: 8fec5c00-ed08-133d-67ac-7204bbca6b6c () christopherschultz ! net

Laurie,

On 5/17/18 11:33 AM, Laurie Miller-Cook wrote:
> I am very new to Tomcat so please bear with me.

Welcome.

> I currently have a Thawte certificate that is installed within IIS 
> for our domain that is all managed by Rackspace.
> 
> I now have a new server set-up with Tomcat 8.5.11 installed and
> have created a keystore.
> 
> I have been supplied by Rackspace the following text: a
> Certificate, Private Key and CA Bundle.

You should start over. If Rackspace supplied the private key, then you
have no control over your own security. You should generate your own
private key on a server you control and trust.

> So my question is, with the three text files from Rackspace, can I 
> import these (in what order) into the Keystore to get SSL working 
> with our Domain, or do I need something totally different?
> 
> Just as a sub-note we need to have the SSL certificate for the
> domain working on both IIS and Tomcat.

It is very difficult to import a private key into a Java keystore. You
usually have to go through a PKCS12 file first, and OpenSSL is the
best tool IMO to manipulate those. JKS files are fortunately being
abandoned and PKCS12 files are directly readable by Java, so it's a
one-step operation if you have OpenSSL handy:

openssl pkcs12 -export -in server.crt -inkey server.key \
    -certfile intermediate.crt -out keystore.p12 -chain

Now, you can configure your Tomcat to use keystore.p12 as the
keystore, and use whatever password you gave to OpenSSL when writing
the PKCS12 file.

I'd still highly recommend that you start over from scratch with
your own private key, though. Generate a key and a certificate signing
request (CSR), and send the CSR to Thawte. Once they sign it, import
any intermediate certs into your keystore first (top-most first), then
your server's signed certificate into your keystore, and use the result
with Tomcat.

-chris
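The following script is an added example and is not part of Chris's reply or of the Tomcat project. It walks the procedure he recommends end to end with OpenSSL: generate the private key and CSR on the server you control, get the CSR signed, bundle key, server certificate and intermediate into a PKCS12 file, and configure a Tomcat 8.5 connector to use it. Because a real CA cannot be reached offline, a throwaway root and intermediate CA constructed inside the script stand in for Thawte; the hostname (www.example.test), the password (changeit), the scratch directory and the certificate lifetimes are assumptions, and in real use you would send server.csr to the CA and place their server.crt and intermediate certificate in the work directory instead of calling make_demo_ca_and_sign.

```shell
#!/bin/sh
# Added example (not from the thread): key + CSR on your own server, a CA
# signature, a PKCS12 keystore holding key + server cert + intermediate,
# and the matching Tomcat 8.5 <Connector>. The CA below is a constructed
# stand-in so the script runs offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # scratch directory (assumed writable)
PASS="${PASS:-changeit}"          # PKCS12 password; Tomcat must use the same
HOST="${HOST:-www.example.test}"  # assumed hostname for the certificate

# Step 1: key and CSR are generated where the key will live. Only
# server.csr leaves this host; server.key never does.
gen_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Step 2 (stand-in for the real CA): constructed root -> intermediate CA
# that signs server.csr. A real CA returns server.crt plus its intermediate.
make_demo_ca_and_sign() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$HOST" > "$WORK/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" \
        -out "$WORK/int.crt" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/server.ext" \
        -out "$WORK/server.crt" 2>/dev/null
}

# Step 3: check that the server cert really chains to the root through the
# intermediate before bundling anything. Exit status is the result.
verify_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
        "$WORK/server.crt" >/dev/null
}

# Step 4: one-step PKCS12 export. The intermediate goes in via -certfile so
# no trust store lookup is needed (the -chain option would need one).
build_keystore() {
    openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
        -certfile "$WORK/int.crt" -name tomcat -passout "pass:$PASS" \
        -out "$WORK/keystore.p12"
}

# Step 5: count the certificates stored in the keystore (expect 2: server
# certificate plus intermediate).
count_certs_in_keystore() {
    openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Step 6: Tomcat 8.5 connector pointing at the PKCS12 file (path relative
# to CATALINA_BASE is an assumption).
tomcat_connector() {
    cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.p12"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="$PASS" />
    </SSLHostConfig>
</Connector>
EOF
}

gen_key_and_csr
make_demo_ca_and_sign
verify_chain
build_keystore
echo "keystore: $WORK/keystore.p12 ($(count_certs_in_keystore) certificates)"
tomcat_connector
```

Two caveats a practitioner will hit: the `-chain` option in the command quoted above asks OpenSSL to build the chain from its CA store, so it fails with "unable to get local issuer certificate" unless the issuing CAs are reachable via `-CAfile` or the default store; supplying the intermediate through `-certfile` sidesteps that. And OpenSSL 3.x writes PKCS12 files with AES and PBKDF2 by default, which older Java 8 builds reject as a wrong password; if Tomcat reports that, re-export with `-legacy` (OpenSSL 3) or with `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1`.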
