installing certificates

installing certificates

Adam Pease
Hi,
   I'm running Tomcat 8.5.23 on an AWS Ubuntu Linux 16.04 LTS
installation.  I'm trying to follow the instructions at
https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html to get HTTPS
running under tomcat.  My site runs with a self-signed certificate.  Now
I'm trying to install a proper certificate from
https://gethttpsforfree.com/ .  After the rather lengthy process to
generate the "Signed Certificate" and "Intermediate Certificate" it
appears I'm ready to follow the instructions under the heading
"Importing the Certificate".
   My first question is whether there is a difference between the
certificates mentioned in

- "import a so called Chain Certificate or Root Certificate into your
keystore"

and

- "After that you can proceed with importing your Certificate."

I was able to execute the command:

keytool -import -alias root -keystore <your_keystore_filename>
     -trustcacerts -file <filename_of_the_chain_certificate>

using a single file that has the "Signed Certificate" and "Intermediate
Certificate" from gethttpsforfree.  But then I get an error from the
next command

~$ keytool -import -alias tomcat -keystore .keystore -file chained.pem
Enter keystore password:
keytool error: java.lang.Exception: Certificate reply does not contain
public key for <tomcat>

When I run

~$ keytool -list -v

I see (in part)

Alias name: tomcat
Creation date: Oct 9, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Adam Pease

I'm very new to certificates.  Could someone point me in the right
direction?

all the best,
Adam

--
-------------------
Adam Pease
http://www.ontologyportal.org
http://www.adampease.org
@apease_ontology on Twitter

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: installing certificates

Christopher Schultz-2

Adam,

On 10/9/17 4:24 PM, Adam Pease wrote:
> Hi, I'm running Tomcat 8.5.23 on an AWS Ubuntu Linux 16.04 LTS
> installation.  I'm trying to follow the instructions at
> https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html to get
> HTTPS running under tomcat.

Version mismatch. You want this guide:
https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html

> My site runs with a self-signed certificate.  Now I'm trying to
> install a proper certificate from https://gethttpsforfree.com/

Try Let's Encrypt. I know nothing about "gethttpsforfree.com", but
I've personally done Let's Encrypt.

> After the rather lengthy process to generate the "Signed
> Certificate" and "Intermediate Certificate" it appears I'm ready to
> follow the instructions under the heading "Importing the
> Certificate".

BTW, LE is a single command to get a signed certificate.

> My first question is whether there is a difference between the
> certificates mentioned in
>
> - "import a so called Chain Certificate or Root Certificate into
> your keystore"
>
> and
>
> - "After that you can proceed with importing your Certificate."

You have a "server certificate" -- that's yours, and represents you.
There is (usually) another certificate, called the "chain" or
"intermediate" certificate, which represents the Certificate Authority
who signed your certificate.

When your server performs a TLS handshake with the client, it needs to
present a "certificate chain" which includes your server certificate
(the "leaf") and any certificates required to link the server cert to
a root certificate which is stored within the client and already
trusted (e.g. VeriSign, DigiCert, etc.). So your server needs to have
multiple certificates available to send, and only one "belongs" to you.

> I was able to execute the command:
>
> keytool -import -alias root -keystore <your_keystore_filename>
> -trustcacerts -file <filename_of_the_chain_certificate>
>
> using a single file that has the "Signed Certificate" and
> "Intermediate Certificate" from gethttpsforfree.  But then I get an
> error from the next command
>
> ~$ keytool -import -alias tomcat -keystore .keystore -file chained.pem
> Enter keystore password:
> keytool error: java.lang.Exception: Certificate reply does not contain
> public key for <tomcat>

Which file is which? Looks like you imported the chain twice.

> When I run
>
> ~$ keytool -list -v
>
> I see (in part)
>
> Alias name: tomcat
> Creation date: Oct 9, 2017
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: CN=Adam Pease
>
> I'm very new to certificates.  Could someone point me in the right
> direction?

Java keystores are a nightmare... it's not your fault. ;)

It looks like you didn't successfully import the CA's
root/intermediate certificate. Can you reply with some more specifics?
What files do you have from the CA, what keystore(s) do you have, and
what are the exact commands you are running? You've left-out some
important details from your post above.

Here's what I have in my "Java Keystore Cheat Sheet":

Create your server key and self-signed cert:
> $ keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 4096
> -alias ${HOSTNAME} -keystore ${HOSTNAME}.jks

Now, export your CSR:

> $ keytool -certreq -alias ${HOSTNAME} -sigalg SHA256withRSA
> -keystore ${HOSTNAME}.jks -file ${HOSTNAME}.csr

Use that CSR to get your cert signed.

Now, import the signed cert back into your keystore, starting with the
root and/or intermediate cert and finishing with your server's cert:

> $ keytool -import -alias [Authority.CA] -trustcacerts -file
> [authority's CA cert] -keystore ${HOSTNAME}.jks

(^^^^^ if necessary)

> $ keytool -import -alias [Authority.intermediate] -trustcacerts
> -file [authority's intermediate cert] -keystore ${HOSTNAME}.jks
>
> $ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt
> -keystore ${HOSTNAME}.jks

Hope that helps,
-chris

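The chain explanation and the cheat sheet in Chris's reply, plus the keytool error Adam quoted, as one worked script. This is an added example written for this page; it is not code from the thread, from the Tomcat documentation or from the CA. What keytool means by "Certificate reply does not contain public key for <alias>" is that none of the certificates in the file carries the public key of the key pair stored under that alias, so a certificate issued for a key generated elsewhere (for instance with openssl) can never be attached to the keytool-generated "tomcat" entry; the script checks for exactly that before importing. The function names, the KSPASS variable, the file layout and the sample bundle are my own assumptions, not anything the thread specifies.

```shell
#!/bin/sh
# Added example (not code from the thread, Tomcat or the CA): install a
# CA-issued certificate into the Java keystore that already holds the
# Tomcat key pair, after checking that the certificate really belongs to
# that key, which is what keytool's "Certificate reply does not contain
# public key for <alias>" complains about.
#
# Assumptions not stated in the thread: the CA's combined file (Adam's
# chained.pem) is the server certificate followed by the intermediate(s);
# the key pair was created with `keytool -genkey -alias tomcat -keystore
# .keystore`; the keystore password is in the KSPASS environment variable,
# read by keytool via -storepass:env so it stays out of `ps` and history.
set -eu

# Split a concatenated PEM bundle ($1) into prefix-1.pem, prefix-2.pem, ...
# ($2 = prefix) and print how many certificates it held. Text between
# certificates is ignored.
pem_split() {
    awk -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# SHA-256 over the DER SubjectPublicKeyInfo of the certificate in PEM file $1.
cert_pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Same fingerprint for the key pair under alias $2 in keystore $1; keytool
# -rfc prints the entry's (self-signed) certificate, which carries the key.
keystore_pubkey_fingerprint() {
    keytool -list -rfc -keystore "$1" -alias "$2" -storepass:env KSPASS \
        | openssl x509 -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# The "Certificate chain length: N" value keytool -list -v reports for alias $2.
chain_length() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass:env KSPASS \
        | sed -n 's/^Certificate chain length: //p'
}

# $1 = keystore, $2 = alias of the key pair, $3 = bundle from the CA
import_signed_chain() {
    work=$(mktemp -d)
    n=$(pem_split "$3" "$work/cert")
    [ "$n" -ge 1 ] || { echo "no certificates found in $3" >&2; rm -rf "$work"; return 1; }

    # A certificate issued for some other key (say one made with
    # `openssl genrsa`) can never be attached to this alias; detect that
    # before keytool does, with a clearer message.
    if [ "$(cert_pubkey_fingerprint "$work/cert-1.pem")" != \
         "$(keystore_pubkey_fingerprint "$1" "$2")" ]; then
        echo "first certificate in $3 was not issued for the key under alias $2" >&2
        rm -rf "$work"; return 1
    fi

    # Import the WHOLE bundle under the key's alias. Because that alias holds a
    # private key, keytool treats the file as a certificate reply, reads every
    # certificate in it and stores leaf + intermediate(s) as the entry's chain.
    # (Under an alias with no key, as with Adam's "root" import, keytool reads
    # only the first certificate and stores it as a single trusted cert.)
    # -trustcacerts lets keytool check the top of the chain against the JDK's
    # cacerts; if it cannot, it asks before installing, which is the moment to
    # stop and look at the intermediate you were given.
    keytool -importcert -trustcacerts -alias "$2" -file "$3" \
        -keystore "$1" -storepass:env KSPASS
    rm -rf "$work"

    got=$(chain_length "$1" "$2")
    [ "$got" = "$n" ] || { echo "expected chain length $n, keystore has $got" >&2; return 1; }
    echo "alias $2 now has a chain of $got certificates"
}

# Constructed sample bundle for trying pem_split offline; the bodies are
# placeholders, not real certificates, so never import this file.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-BODY
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-BODY
-----END CERTIFICATE-----
EOF
}

# Usage: KSPASS=... sh import-signed-chain.sh .keystore tomcat chained.pem
if [ "$#" -eq 3 ]; then
    import_signed_chain "$1" "$2" "$3"
fi
```

Run it as `KSPASS=changeit sh import-signed-chain.sh .keystore tomcat chained.pem`. If the fingerprint check fails, no amount of re-importing the intermediate will help: the certificate was issued for a CSR that did not come from the keytool key pair, so either request a new certificate from a CSR exported with `keytool -certreq` from that alias, or bring the other private key into the keystore together with its certificate. After a successful run, `keytool -list -v` shows "Certificate chain length: 2" (or 3 if the CA's bundle also contained the root) for the tomcat entry, which is what Tomcat needs in order to send the intermediate to browsers.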

Re: installing certificates

Adam Pease
Hi Chris,
   Many thanks for the quick response!  There's a lot of new terminology
(to me) to all this and it's quite confusing I'm afraid.

   I tried Let's Encrypt just now but since I'm running Tomcat sites
either I'm not doing it right, or it doesn't know how to verify domains
when they don't answer on port 80.  So I get "The server could not
connect to the client to verify the domain :: Timeout"
   Following the process at "gethttpsforfree.com" resulted in two long
hex keys: one titled "Signed Certificate" and one titled "Intermediate
Certificate".  I'm not sure what a "server certificate" is.  Is that a
public/private key pair that I generated at the beginning of this
process with

openssl genrsa 4096 > account.key

or what I did at the beginning of the tomcat instructions

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

But that generates a .keystore file which is already a parameter to the
failing command.

I really appreciate your help.

all the best,
Adam

Re: installing certificates

Alex O'Ree
Graphical keystore tool - http://keystore-explorer.org/

It may make things easier

Re: installing certificates

Adam Pease
Hi Chris and all,
   I was able to get my system running based on the instructions at
https://community.letsencrypt.org/t/configuring-lets-encrypt-with-tomcat-6-x-and-7-x/32416 .
I clarified them a little and put them into the context of installing my
open source project at
https://github.com/ontologyportal/sigmakee/blob/master/Security.txt

all the best,
Adam


Re: installing certificates

Christopher Schultz-2

Adam,

On 10/9/17 6:13 PM, Adam Pease wrote:


Have a look at this page:
http://tomcat.apache.org/presentations.html

Search for "let's encrypt".

There's a ton of stuff in there that you don't need, but the basics
are in fact there, including (IIRC) every single command you'll need
to execute in order to get yourself a certificate signed, installed,
and running in Tomcat.

-chris

Re: installing certificates

Christopher Schultz-2

Adam,

On 10/11/17 8:48 PM, Adam Pease wrote:
> Hi Chris and all, I was able to get my system running based on the
> instructions at
> https://community.letsencrypt.org/t/configuring-lets-encrypt-with-tomcat-6-x-and-7-x/32416
> .  I clarified them a little and put them into the context of installing
> my open source project at
> https://github.com/ontologyportal/sigmakee/blob/master/Security.txt

Note that you are wasting your time generating your own RSA key, then
using LE to generate the CSR, etc. It's much easier to simply let
certbot do its thing and then throw everything into a Java keystore
(if you must use JSSE instead of APR/OpenSSL).

-chris
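Chris's suggestion in this last message, letting certbot produce the key and certificate and then packing them into a Java keystore, as an added example. This is my script, not code from the thread, from certbot or from Tomcat. It relies on two facts about certbot: it writes `privkey.pem` and `fullchain.pem` (leaf plus intermediate in one file) under `/etc/letsencrypt/live/<host>/`, and its HTTP-01 validation is answered on port 80, which is why Adam's first attempt timed out: Let's Encrypt connects to port 80 of the hostname, so either something must answer there (Tomcat, or `certbot --standalone` binding the port for the duration of the run) and the AWS security group must allow it inbound. The function names, the P12PASS and KSPASS variables and the alias "tomcat" are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread, certbot or Tomcat: turn what certbot
# leaves in /etc/letsencrypt/live/<host>/ (privkey.pem plus fullchain.pem,
# the leaf and intermediate in one file) into a keystore for Tomcat's JSSE
# connector, with no hand-made key, CSR or keytool -genkey step at all.
#
# Assumptions not in the thread: openssl and keytool are on PATH; the
# PKCS#12 and keystore passwords arrive in P12PASS and KSPASS; alias "tomcat".
set -eu

# Pack PEM key ($1) and chain ($2) into PKCS#12 file $3 under alias $4.
# The explicit SHA1/3DES PBE and MAC choices keep the file readable by a
# Java 8 keytool even when OpenSSL 3 writes it (its default PBKDF2/AES
# PKCS#12 encryption is not understood by older JDKs).
pem_to_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -name "$4" -out "$3" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout env:P12PASS
}

# Copy every entry of PKCS#12 file $1 into JKS keystore $2 (created if
# absent). Tomcat 8.5 can also point straight at the .p12 with
# certificateKeystoreType="PKCS12", in which case this step is unnecessary.
pkcs12_to_jks() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env P12PASS \
        -destkeystore "$2" -deststoretype JKS -deststorepass:env KSPASS
}

# Alias names in keystore $1, one per line (from `keytool -list` rows like
# "tomcat, Oct 9, 2017, PrivateKeyEntry,").
keystore_aliases() {
    keytool -list -keystore "$1" -storepass:env KSPASS \
        | awk -F', ' '/PrivateKeyEntry|trustedCertEntry/ { print $1 }'
}

# Usage: P12PASS=... KSPASS=... sh le-to-keystore.sh /etc/letsencrypt/live/HOST conf/tomcat.jks
if [ "$#" -eq 2 ]; then
    live=$1; jks=$2; p12="${jks%.jks}.p12"
    pem_to_pkcs12 "$live/privkey.pem" "$live/fullchain.pem" "$p12" tomcat
    pkcs12_to_jks "$p12" "$jks"
    keystore_aliases "$jks"
fi
```

Two operational points follow from this. Let's Encrypt certificates are valid for 90 days, so the conversion has to run again after every renewal: hook it in with `certbot renew --deploy-hook` and restart (or reload) Tomcat in the same hook, otherwise the keystore keeps serving the old certificate. And the keystore is only needed if you insist on a keystore: Tomcat 8.5's `Certificate` element also takes `certificateKeyFile`, `certificateFile` and `certificateChainFile` pointing at PEM files, the form Chris associates with APR/OpenSSL, so check the 8.5 ssl-howto for your connector implementation before adding a conversion step at all.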