Import CSR into keystore?

 
Mike London
Ranch Hand
Hello,

I have a client who already has an SSL certificate for their site. Tomcat is running on the same FQDN, but on port 8080.

Thus, rather than paying for a new certificate, the client wants to know if we can use the same certificate to secure Tomcat.

Since I've always used keystore to generate the CSR first, and gone from there, is it possible to somehow use the CSR they used to get the original certificate into keystore?

IOW, how would I, if it's possible, create a keystore suitable for Tomcat, given an already-created and issued certificate?

If this importing a CSR, or whatever, is a bad idea, just let me know too.

Thanks in advance,

- mike
 
Tim Holloway
Bartender
A CSR is a Certificate Signing Request. It's what you send to your registrar for them to sign and return as the actual cert. A keystore stores private keys and certs, not - unless I've forgotten something - CSRs, which as far as I can recall are useless once they've been signed.

However, a cert doesn't carry a port number on it. So you should be able to use the same cert for both ports, assuming that the domain name on the cert matches the domain name for the Tomcat Host.

These days I'm not a big fan of using SSL on Tomcat anyway. Instead I front Tomcat with a reverse proxy like Apache or Nginx and use SSL on the proxy. Note, however, that the Tomcat cert files are in a different format than those used by Apache/Nginx (there is a nice GUI utility that can translate them, though).

Aside from that, even if you want Tomcat to be encrypted, port 8080 is supposed to be the unencrypted port. The standard for its SSL port is 8443.

 
Mike London
Ranch Hand

Tim Holloway wrote: A CSR is a Certificate Signing Request. It's what you send to your registrar for them to sign and return as the actual cert. A keystore stores private keys and certs, not - unless I've forgotten something - CSRs, which as far as I can recall are useless once they've been signed.

However, a cert doesn't carry a port number on it. So you should be able to use the same cert for both ports, assuming that the domain name on the cert matches the domain name for the Tomcat Host.

These days I'm not a big fan of using SSL on Tomcat anyway. Instead I front Tomcat with a reverse proxy like Apache or Nginx and use SSL on the proxy. Note, however, that the Tomcat cert files are in a different format than those used by Apache/Nginx (there is a nice GUI utility that can translate them, though).

Aside from that, even if you want Tomcat to be encrypted, port 8080 is supposed to be the unencrypted port. The standard for its SSL port is 8443.



Thanks Tim.

Since I don't really have control over the server, the SSL certificate is probably the best I can hope for.

Not exactly sure how to do this import given that the private key doesn't get generated in the keystore since it didn't generate the CSR, but I'm sure I can import it.

I'll contact the CA for more info.

Thanks again,

- mike
 
Ron McLeod
Saloon Keeper
You will need both the private key and the cert issued by the CA (and possibly an intermediate certificate depending on the CA).

Do you have the private key?  If it didn't already exist, it would have been created when the CSR was generated.
 
Tim Holloway
Bartender

Ron McLeod wrote: You will need both the private key and the cert issued by the CA (and possibly an intermediate certificate depending on the CA).

Do you have the private key?  If it didn't already exist, it would have been created when the CSR was generated.



And no, the CA does NOT have a copy of the private key. If you don't have it, you're out of luck.
 
Ron McLeod
Saloon Keeper
Which version of Tomcat will you be using, and will the connector be NIO or APR based?
 
Ron McLeod
Saloon Keeper

Tim Holloway wrote: And no, the CA does NOT have a copy of the private key. If you don't have it, you're out of luck.


Unless you have access to the server currently using the certificate and can grab the private key from there.
 
Mike London
Ranch Hand

Ron McLeod wrote: You will need both the private key and the cert issued by the CA (and possibly an intermediate certificate depending on the CA).

Do you have the private key?  If it didn't already exist, it would have been created when the CSR was generated.



Since keytool wasn't initially used to generate the site's certificate, I'm assuming I would need to:

1. Import the PEM file (private key) into a new keystore. (CSR probably doesn't matter?)

2. Import the certificate files as would be the normal course of action creating keystore.

Thanks,

- mike
 
Tim Holloway
Bartender
That's about it.

I recommend you get a copy of Portecle, an open-source Java-based GUI tool for keystore manipulation and certificate management. It can make the processes a lot easier.

Note also that a keystore file is self-contained. That means that you can create test keystores and muck around with them outside your production environment, then copy them to production servers when you have what you want.
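The two-step procedure confirmed above (existing private key plus the CA-issued cert and chain into a fresh keystore), with the key-ownership check Ron asked about and TLS on 8443 rather than 8080, as an added example that is not code from the thread or from any of its participants. It assumes openssl (and, for the optional JKS step, keytool) on the path, a JSSE/NIO connector, which loads a PKCS#12 keystore directly, and placeholder file names, alias and password.

```shell
#!/bin/sh
# Added example (not from the thread): build a Tomcat keystore from an
# existing PEM private key, the CA-issued cert and its intermediate chain.
# All file names and the password are placeholders.
set -eu

# Return 0 only when the private key (PEM) and the certificate carry the
# same public key. Do this before bundling: a key that does not belong to
# the cert produces a keystore Tomcat will load but no browser will accept.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Bundle key + leaf cert (+ optional chain file) into PKCS#12. A JSSE
# connector reads PKCS#12 directly (keystoreType="PKCS12"), so JKS is optional.
# Usage: build_keystore key.pem cert.pem out.p12 password [chain.pem]
build_keystore() {
    key=$1; cert=$2; out=$3; pass=$4; chain=${5:-}
    key_matches_cert "$key" "$cert" || {
        echo "private key does not match certificate" >&2; return 1; }
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -name tomcat -out "$out" -passout "pass:$pass"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -name tomcat -out "$out" -passout "pass:$pass"
    fi
    chmod 600 "$out"   # the bundle holds the private key; keep it private
}

# Optional: setups that insist on JKS can convert the bundle with keytool.
to_jks() {
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
        -srcstorepass "$2" -destkeystore "$3" -deststoretype JKS \
        -deststorepass "$2" -noprompt
}

# server.xml connector for the keystore: TLS on 8443, 8080 stays plain HTTP.
connector_xml() {
    printf '<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"\n'
    printf '           SSLEnabled="true" scheme="https" secure="true"\n'
    printf '           keystoreFile="%s" keystorePass="%s" keystoreType="PKCS12"\n' "$1" "$2"
    printf '           keyAlias="tomcat" sslProtocol="TLS"/>\n'
}
```

The mismatch check is the one that catches the case Tim and Ron raise: a cert without its own private key cannot be turned into a working keystore no matter how it is imported.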
 
Mike London
Ranch Hand

Tim Holloway wrote: That's about it.

I recommend you get a copy of Portecle, an open-source Java-based GUI tool for keystore manipulation and certificate management. It can make the processes a lot easier.

Note also that a keystore file is self-contained. That means that you can create test keystores and muck around with them outside your production environment, then copy them to production servers when you have what you want.



Thanks Tim,

You're the best!

I've used Portecle previously, but end up back at the command line sooner or later.

I also tried Keystore Explorer, but it doesn't seem to have any facility to import private keys.

Appreciate the great help and support on this amazing forum.

- mike
 