Be Excellent To Each Other

And, you know, party on. Dude.

All times are UTC [ DST ]

Post subject: Apache and SSL
PostPosted: Tue Jun 29, 2010 12:00
SupaMod
Commander-in-Cheese
Joined: 30th Mar, 2008
Posts: 49244
Here's the scenario.

I've got a web server that is Apache embedded and Tomcat.

It has a keystore, which is in PKCS12 format. I've used keytool to get our corporate CA to issue a cert for the host. Now, that requires that I not only import the cert for the host, but that I also import the root CA cert as a trusted root.

The problem is, you can't (apparently) store trusted roots in a PKCS12 format keystore. And you can't import a cert without its CA being trusted.

So, question - is there any way to have an Apache/Tomcat web server look at two different keystores? One in PKCS12 format, and one in JKS format? Would that even work, having the host cert in a different keystore to the trusted root?

Any other suggestions?

Ta.

_________________
GoddessJasmine wrote:
Drunk, pulled Craster's pork, waiting for brdyime story,reading nuts. Xz


Post subject: Re: Apache and SSL
PostPosted: Tue Jun 29, 2010 12:07
Ticket to Ride World Champion
Joined: 18th Apr, 2008
Posts: 11898
Shoot the Apache with a Stinger missile twice. The first will be taken off by flares, but you can normally hit with the second.


Post subject: Re: Apache and SSL
PostPosted: Tue Jun 29, 2010 12:15
Joined: 30th Mar, 2008
Posts: 32624
You're on my turf here (I write Tomcat software) but I rarely have to deal with keystores. I was under the impression, though, that JKS (Java Key Store) was the format of the overall keystore, whilst PKCS#12 was the format of the key, and that you should be able to put the one inside the other. What command are you using (keystore?) and what error message are you seeing?


Post subject: Re: Apache and SSL
PostPosted: Tue Jun 29, 2010 12:19
Joined: 30th Mar, 2008
Posts: 32624
Further research suggests I am incorrect.


Post subject: Re: Apache and SSL
PostPosted: Tue Jun 29, 2010 12:21
Joined: 30th Mar, 2008
Posts: 32624
Right, sack off the JKS store. Use the openssl command line tool to make a new cert signed from the existing root cert. Put that new cert into the same store as your root cert, all in PKCS12 format. Point Tomcat at that in the server.xml file.

keystore is part of the core Java tools and can only talk JKS. openssl can write the standard PKCS12 files, and Tomcat can read them.

More detailed instructions: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html


Post subject: Re: Apache and SSL
PostPosted: Tue Jun 29, 2010 12:27
SupaMod
Commander-in-Cheese
Joined: 30th Mar, 2008
Posts: 49244
No, JKS and PKCS12 are both keystore formats. Sanitised input:

Code:
keytool -importcert -trustcacerts -file "c:\cacert.crt" -alias EntrustCA -keystore <path to keystore> -storepass ******* -storetype PKCS12


Returns "keytool error: java.security.KeyStoreException: TrustedCertEntry not supported"

Googling suggests that this is down to PKCS12 stores not allowing trusted root certs.


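Doctor Glyndwr's openssl route and the keytool "TrustedCertEntry not supported" error, worked through as an added example that is not code from the thread: the CA certificate goes into the PKCS12 as part of the host key entry's chain (via -certfile), which is the entry type PKCS12 does accept, so no separate trusted-root entry is needed. The CA, host key, hostname, store path and password are all constructed placeholders, and the connector fragment assumes Tomcat 5.5/6 attribute names.

```shell
# Added example, not code from the thread: one PKCS12 keystore for Tomcat,
# built with openssl, with the CA cert bundled into the host key entry's
# chain instead of stored as a TrustedCertEntry (which keytool refuses for
# PKCS12). All keys, names and the password here are constructed stand-ins.
set -e
WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"   # placeholder store password

# Throwaway "corporate CA" and a host certificate signed by it.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=tomcat.example.internal" \
        -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/host.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/host.pem" 2>/dev/null
}

# One store, one alias: private key, host cert, and the CA via -certfile.
# Java's PKCS12 loader chains the bundled CA onto the key entry, so Tomcat
# presents the full chain with no trusted-root entry in the store.
build_pkcs12() {
    openssl pkcs12 -export -name tomcat -inkey "$WORK/host.key" \
        -in "$WORK/host.pem" -certfile "$WORK/ca.pem" \
        -out "$WORK/keystore.p12" -passout "pass:$PASS"
}

# Prints the number of certificates held in the store (host + CA = 2).
count_chain_certs() {
    openssl pkcs12 -in "$WORK/keystore.p12" -nokeys -passin "pass:$PASS" \
        2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# server.xml connector fragment (Tomcat 5.5/6 attribute names). A separate
# truststoreFile only matters once clientAuth="true" is set.
write_connector_fragment() {
    cat > "$WORK/connector.xml" <<EOF
<Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
           sslProtocol="TLS" clientAuth="false"
           keystoreFile="$WORK/keystore.p12" keystoreType="PKCS12"
           keystorePass="$PASS" />
EOF
}

make_test_pki
build_pkcs12
write_connector_fragment
echo "certificates in keystore.p12: $(count_chain_certs)"
```

With OpenSSL 3.x, add -legacy to the -export call if a pre-2021 JDK has to read the store, since the newer default PBES2/SHA-256 encoding is not understood by older PKCS12 loaders.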
Post subject: Re: Apache and SSL
PostPosted: Tue Jun 29, 2010 12:27
SupaMod
Commander-in-Cheese
Joined: 30th Mar, 2008
Posts: 49244
Doctor Glyndwr wrote:
Right, sack off the JKS store. Use the openssl command line tool to make a new cert signed from the existing root cert. Put that new cert into the same store as your root cert, all in PKCS12 format. Point Tomcat at that in the server.xml file.

keystore is part of the core Java tools and can only talk JKS. openssl can write the standard PKCS12 files, and Tomcat can read them.

More detailed instructions: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html


You can't put a root cert in a PKCS12 store, that's the problem.


Post subject: Re: Apache and SSL
PostPosted: Tue Jun 29, 2010 12:34
Joined: 30th Mar, 2008
Posts: 32624
StackOverflow (http://stackoverflow.com/questions/2147 ... -key-store) suggests http://sourceforge.net/projects/portecle/ might help.


Post subject: Re: Apache and SSL
PostPosted: Tue Jun 29, 2010 12:37
SupaMod
Commander-in-Cheese
Joined: 30th Mar, 2008
Posts: 49244
Hmm - don't think it will. I don't think that changes the fundamental fact that I can't put a trusted root in a PKCS12.

Is there any way to have Tomcat use two separate keystores?


Post subject: Re: Apache and SSL
PostPosted: Tue Jun 29, 2010 12:38
Joined: 30th Mar, 2008
Posts: 32624
Why not just have a JKS one?


Post subject: Re: Apache and SSL
PostPosted: Tue Jun 29, 2010 12:41
SupaMod
Commander-in-Cheese
Joined: 30th Mar, 2008
Posts: 49244
Because the site itself is a 3rd party product that does internal stuff that uses that keystore.


Post subject: Re: Apache and SSL
PostPosted: Tue Jun 29, 2010 12:51
Joined: 30th Mar, 2008
Posts: 32624
Craster wrote:
Is there any way to have Tomcat use two separate keystores?
I don't think there is. To aid your own googling, you're mostly asking if Java can have two keystores, by the way.


Post subject: Re: Apache and SSL
PostPosted: Tue Jun 29, 2010 13:04
SupaMod
Commander-in-Cheese
Joined: 30th Mar, 2008
Posts: 49244
Yeah, I know. I really, really hate Java.
