Tomcat & SSL & a certificate generated by Verisign

[johndesp]

Attempting to SSL enable tomcat 4.04. Have implemented JSSE and SSL
works fine when I create a keystore with a self generated certificate.

keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore

We now want to cutover using a production certificate. We create a
..cer file by accessing our production web site and export the
certificate to a .cer file.

then using the keytool we import the .cer file

keytool -v -import -file prod.cer -keystore .keystore

When we inspect the .keystore file using the -list switch we see the
certificate.

Now when we implement the .keystore in tomcat, only the original self
generated certificate is presented.

So, using the keytool we delete the original self generated
certificate so we are only left with the newly imported production
certificate.

When we implement this .keystore file with only the production cert,
the browser and tomcat fail to negotiate. Tomcat binds to port 8843
but the ssl negotiation is hosed.

Has anybody ever gottent tomcat & ssl to work with a non self
generated certificate? Can you please help?

Thanks,

(e-mail address removed)

 

[Roedy Green]

then using the keytool we import the .cer file

keytool -v -import -file prod.cer -keystore .keystore

When you export a cert, you lose the private key part. Your server
needs the private key part, otherwise anyone with just the public key
could masquerade as you.

You must copy the entire .keystore about to bring along the private
keys. Alternatively, you start the whole process of buying a cert
from the server's .keystore.

Mitch Gallant may have a way around this as usual.

 

[Roedy Green]

You must copy the entire .keystore about to bring along the private
keys. Alternatively, you start the whole process of buying a cert
from the server's .keystore.

Mitch Gallant may have a way around this as usual.

See http://www.jensign.com/JavaScience/Thawte/ Mitch Gallant's notes
on exactly what to do. Basically you configure a little java program
called BCMain to export the certificate in PKCS12 format using
theBouncyCastle JCE. That exported file contains both private
and public keys. From there, you can import it elsewhere with
keytool.exe.

Usually the people who know most about these matters hang out in
comp.lang.java.security.

see http://mindprod.com/jgloss/certificate.html
http://mindprod.com/jgloss/bouncycastle.html

 

[Sudsy]

johndesp wrote:

Has anybody ever gottent tomcat & ssl to work with a non self
generated certificate? Can you please help?

Of course not! That's why no commercial sites run HTTPS on Tomcat.

Just kidding!

And you work for IBM? Can I get a job there?

The key (excuse the pun) was exposed by Roedy.
What you should have actually created was a CSR: Certificate Signing
Request. What you receive in return is an X.509 cert which includes
the credentials of the certificate (signing) authority (CA).
You can then just replace your public (self-signed) cert with the
one signed by the CA; the private key stays private.
On my Tomcat 3.1.1 installation there's a document available at
$TOMCAT_HOME/doc/tomcat-ssl-howto.html
Highly recommended, as it also addresses the typical environment of
an Apache front-end to Tomcat.
Try downloading the documentation fork of the Tomcat version you're
using or visit the website at <http://jakarta.apache.org/tomcat>.
Select the appropriate version under the Documentation header and
seek out the SSL how-tos.
Okay, so it's not easy but it IS straight-forward.

 

[johndesp]

Can I extract the certificate from a kdb file, import into a jks then
run the BCMain. Or will extracting from kdb only pull the public
component of the cert?

thanks

 

[Sudsy]

Can I extract the certificate from a kdb file, import into a jks then
run the BCMain. Or will extracting from kdb only pull the public
component of the cert?

thanks

If you need to "bundle" the private and public keys then you should
be looking at the PKCS#12 keystore, as another poster mentioned.
I don't know the details of your platform but I use linux and here's
how I create the keystore:
$ openssl pkcs12 -export
-in <signed_cert_filename>
-inkey <private_key_filename>
-name <alias>
-out <keystore_filename>
I can then use it for tools like jarsigner which accept the storetype
argument. Here's how I sign an applet, for example:
$ jarsigner -keystore <keystore_filename>
-storetype pkcs12
<jarfile>
<alias>

I'm providing all this detail as it took me ages to find the right
combination.
Does this provide enough information to answer your question?
If not then rephrase and we'll try to get you on your way.

 

[johndesp]

Sudsy,

We have http servers and use the gskit to create key database file,
kdb file. We have both kdb files with self signed certs and and
commercial certs from verisign. We are running IBM IHS servers
configured with ssl using the kdb files. We now need to deploy native
tomcat, with out apache. The goal is to be able extract the necessary
components from the kdb file and import them into the a keystore that
tomcat will comprehend and respect. At the moment, Assume we don't
have the original certs. They are stored in a safe place by another
organization.

GSKit allows you to extract the certificate into both a .arm and .der
file. However, I don't know if when you extract the certificate you
will obtain both the public and private components. Also, with gskit
you can export a key to a pkcs12 file. However, I think this may only
be the public key.

I am looking for a way to reuse specitific certificates embedded in
the key database files for use with tomcat. So I am lacking knowledge
on both sides. 1) not sure what/how to extract from kdb file. And I
am not sure what/how to import into a keystore for use by tomcat.
Also I am not sure if tomcat expects an alias called tomcat, because
the tomcat documentation tells you to create a selfsigned certificate
with keytool they tell you to use an alias called "tomcat". I am also
unsure if you specifical have to create the keystore in pkcs12 format.

Any guidance would be appreciated.

 

[Sudsy]

Sudsy,

We have http servers and use the gskit to create key database file,
kdb file. We have both kdb files with self signed certs and and
commercial certs from verisign. We are running IBM IHS servers
configured with ssl using the kdb files. We now need to deploy native
tomcat, with out apache. The goal is to be able extract the necessary
components from the kdb file and import them into the a keystore that
tomcat will comprehend and respect. At the moment, Assume we don't
have the original certs. They are stored in a safe place by another
organization.

<snip>

Here's the thing: you're now asking some product-specific questions.
GSkit is IBM's Global Security Toolkit. I haven't used that package
and I'm not about to invest time/effort in research. Why would I?
If someone here is familiar with it then they'll likely chime in.
If not then be prepared to pay someone, whether it's IBM or an
outside consultant.
I'm assuming you've already referenced the documentation here:
<http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html>