java - Apache Tomcat: Importing already existing certificates into keystore


I am trying to configure SSL on our server. Now, I have made sure that the crt files have the same password as the keystore (.jks password). However, whenever I import the crt file with either the alias tomcat or root (only one of them can be used, as there is only one crt file), I get SSL_ERROR_NO_CYPHER_OVERLAP.

I have not been able to find a guide on how to import one certificate so that it does not complain that it is a self-signed certificate, and no SSL_ERROR_NO_CYPHER_OVERLAP error occurs with that one certificate.

These are the files I have: domainname.ca-bundle, .crt, .csr, .key, .p12, domainname.jks.

This is the command I used:

keytool -import -trustcacerts -alias root -file domainname.crt -keyalg rsa -keystore domainname.jks

Connector:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="200"
           compression="force" compressionMinSize="1024" scheme="https" secure="true"
           clientAuth="false" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" sslProtocol="TLS"
           URIEncoding="UTF-8"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/x-javascript,application/javascript"
           keystoreFile="domain.jks" keystorePass="pass" />

Any help would be nice. Thanks a lot.

Meta: this feels like a duplicate, but I couldn't find a match ...

An SSL/TLS server must have a certificate matching its private key, plus the chain certs if applicable. A single certificate by itself, or several certificates, is not sufficient. First do

 keytool -list -v -keystore $d.jks 

and look for a PrivateKeyEntry (not a trustedCertEntry). If one is present, look at the cert(s) to determine whether they are the certs you want. If they aren't the desired cert(s), but you have the desired cert(s) in the .crt and bundle files, describe the contents of the .crt and bundle files and we can work out how to use them to fix the .jks. In particular, there are 2 formats commonly used for single certs, and several for CA "bundles"; if you open the files in an editor like Notepad or vi and the first line is -----BEGIN something----- followed by a block of letters and digits and then -----END same-----, and maybe more of the same, post the somethings; if they appear to be random characters and you have a hex dump tool available, post the first 64 bytes at least, or if you have openssl or another ASN.1 (binary) parser available, post the results of that. If there is no PrivateKeyEntry at all, the .jks is useless; discard it and continue.

Your .key file sounds like it contains a private key, but there are dozens of different formats people label .key, and it's unlikely the file is in a usable format. If the key is not more conveniently in the p12, we can come back to this.

Your .p12 file contains a private key and cert(s), but maybe not the desired cert(s). (Technically the PKCS#12 standard allows a file with no private key, but the common tools that create PKCS#12 don't ever do that.) To see what you have now,

keytool -list -v -keystore $d.jks -storetype pkcs12 

If you want, Tomcat (and Java/JSSE) can use PKCS12 directly as the keystore in place of JKS: set keystoreFile and keystorePass, and add keystoreType="PKCS12". Alternatively you can convert PKCS12 to JKS with

keytool -importkeystore -srckeystore $d.p12 -srcstoretype pkcs12 -destkeystore $d.jks  

If the .p12 contains the private key with the wrong cert(s), there are 2 approaches:

  • First convert PKCS12 to JKS as above, then fix the certs in the JKS; this is the same case as the first paragraph: a JKS containing a PrivateKeyEntry with the wrong cert(s)

  • If you have or can get openssl, use it to "unpack" the PKCS12 into separate private key and cert files, replace the wrong cert files with the right ones, and reconstruct a new PKCS12. This puts you in the fourth paragraph: a PKCS12 with the correct cert(s), which you can either use directly or convert to JKS and use that.
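An added example, not part of the original question or answer, that does the file inspection the answer asks for: it classifies a .crt, .key or .ca-bundle file as PEM or DER, lists the PEM block labels (so you can tell a CERTIFICATE from a PRIVATE KEY or a CERTIFICATE REQUEST), checks the outer ASN.1 SEQUENCE for DER, and otherwise returns the first 64 bytes as hex. The sample file contents are constructed inline; the functions and names are this example's own.

```python
import re
import base64

# PEM block: "-----BEGIN <label>-----", base64 body, "-----END <label>-----"
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed sample files (not the poster's real files).
SAMPLE_CRT = b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nMIIB\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_DER = b"\x30\x03\x02\x01\x05"  # DER SEQUENCE { INTEGER 5 }

def der_length(data: bytes):
    """Decode the DER length after a tag byte: (content_len, header_len) or (None, 0)."""
    if len(data) < 2:
        return None, 0
    first = data[1]
    if first < 0x80:                # short form: one length byte
        return first, 2
    n = first & 0x7F                # long form: n more length bytes follow
    if n == 0 or len(data) < 2 + n:
        return None, 0
    return int.from_bytes(data[2:2 + n], "big"), 2 + n

def inspect_blob(data: bytes) -> dict:
    """Classify a .crt/.key/.ca-bundle file as PEM, DER or unknown and list its contents."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        labels = []
        for label, body in blocks:
            try:                    # body must be valid base64 or the file is damaged
                base64.b64decode(b"".join(body.split()), validate=True)
            except ValueError:
                return {"format": "pem-corrupt", "entries": [label.decode()]}
            labels.append(label.decode())
        return {"format": "pem", "entries": labels}
    # DER certs, keys and PKCS#12 files all start with an ASN.1 SEQUENCE (0x30)
    # whose encoded length must cover the whole file.
    if data[:1] == b"\x30":
        length, hdr = der_length(data)
        if length is not None and hdr + length == len(data):
            return {"format": "der", "entries": [f"SEQUENCE ({length} bytes)"]}
    return {"format": "unknown", "head": data[:64].hex()}  # what the answer asks to post

def summarize(entries: list) -> dict:
    """A usable keystore needs a private key plus its certificate (and chain); a CSR is neither."""
    return {
        "private_keys": sum("PRIVATE KEY" in e for e in entries),
        "certificates": sum(e == "CERTIFICATE" for e in entries),
        "requests": sum(e == "CERTIFICATE REQUEST" for e in entries),
    }
```

Run inspect_blob over each of the .crt, .ca-bundle, .key and .p12 files; a PEM bundle shows several CERTIFICATE labels, a .p12 should come out as DER, and a .key whose label is not one of the PRIVATE KEY variants is the "unusable format" case the answer warns about.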

