Jason,
You are right on target with what we discovered this afternoon.  We are 
switching over to Apache HTTP Server.  The jks file is what is currently being 
used in our prod environment.  I'm playing around with QAS, which will be 
promoted to Prod later.  Sorry for not clarifying earlier.

After following a similar path to what you have noted below, we learned that 
the ca-bundle.crt referenced by the SSLCertificateChainFile directive was bad.  
We had to download a new one from Thawte.  That fixed the problem!

I still think the Keystore Explorer is cool as dirt, much easier to look at 
than the cmd.  :)

Many thanks for the assistance!
Scott

From: Action Request System discussion list(ARSList) 
[mailto:[email protected]] On Behalf Of Jason Miller
Sent: Thursday, January 31, 2013 2:58 PM
To: [email protected]
Subject: Re: Certificate Assistance

I will admit that I am not a crypto/SSL/keytool/OpenSSL expert; however, I am 
starting to get comfortable with it.  Here is my take and my understanding of 
what can be done.

The p12 keystore could be renamed to use a .pfx extension (used in the MS 
world).  You can either rename your Thawte keystore to .pfx or, since they are 
more or less interchangeable according to my understanding, you should be able 
to just import the .p12 keystore into your TC keystore.  I have the following 
instructions I use (using Windows directory syntax, but the keytool command is 
the same; just switch \ to /):

        Import pfx keystore into Tomcat Keystore
        keytool.exe -importkeystore -srckeystore D:\Thawte.pfx -srcstoretype pkcs12 -destkeystore D:\TomcatKeystore -deststoretype jks

In our usage this takes a .pfx file we exported from the Windows Server using 
the Certificates MMC snap-in and imports the whole keystore.  The .pfx keystore 
includes the server cert and root certs, which are imported into the TC keystore.

I don't remember if I have tried using KeyStore Explorer to import a keystore 
into a keystore.  I am pretty sure I have but I know the command line works.

One point of clarification...  When you say "Apache" are you talking about 
Apache Tomcat or Apache HTTP server?

The instructions I gave were assuming you were talking about Tomcat since you 
mentioned Mid Tier.  Looking at the error you posted and re-reading the 
thread, I noticed you don't specify Tomcat and the error you posted looks like 
an Apache HTTP error.

We have not had much success using Java keystores with Apache HTTP server.  In 
our Apache httpd-ssl.conf we point:

  *   SSLCertificateFile to the server's .crt file
  *   SSLCertificateKeyFile to the server's .pem (private key) file
  *   SSLCertificateChainFile to the intermediate .crt file
HTH,
Jason
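The three files Jason's httpd-ssl.conf points at, and the corrupt ca-bundle.crt Scott ran into, can be checked before restarting Apache. This added script is not from the thread: it runs the checks with openssl and builds its own throwaway root, intermediate and wildcard server cert so it works offline; file names, paths and the trust root are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the files an
# httpd-ssl.conf points at before restarting Apache. The root, intermediate and
# wildcard server cert are constructed on the fly; names/paths are assumptions.
set -u

# preflight CERT KEY CHAIN TRUSTROOT: prints "ok" or the first failing check.
preflight() {
  cert=$1 key=$2 chain=$3 root=$4
  # 1. The chain file must at least parse as a PEM certificate; a corrupt
  #    bundle is what makes mod_ssl refuse to start.
  openssl x509 -in "$chain" -noout 2>/dev/null ||
    { echo "chain file unreadable"; return 1; }
  # 2. The private key must belong to the server cert (compare public keys).
  cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  [ -n "$cpub" ] && [ "$cpub" = "$kpub" ] ||
    { echo "key does not match cert"; return 1; }
  # 3. The cert must chain to the trust root using only the chain file as
  #    intermediates, i.e. what a browser that trusts that root will see. A
  #    chain file that lost the intermediate ("export drops the CA") fails here.
  openssl verify -CAfile "$root" -untrusted "$chain" "$cert" >/dev/null 2>&1 ||
    { echo "chain does not verify"; return 1; }
  echo ok
}

# Constructed fixture: root -> intermediate -> *.example.com in a temp dir.
# Runs in a subshell so the cd does not leak; prints the directory name.
make_fixture() (
  d=$(mktemp -d) && cd "$d" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com\n' > srv.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Constructed Root" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
    -out root.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Constructed Intermediate" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out inter.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout server.pem -out server.csr \
    -subj "/CN=*.example.com" 2>/dev/null
  openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key \
    -CAcreateserial -days 30 -extfile srv.ext -out server.crt 2>/dev/null
  echo "$d"
)

dir=$(make_fixture)
preflight "$dir/server.crt" "$dir/server.pem" "$dir/inter.crt" "$dir/root.crt"
```

On a real server, pass the CA bundle the browsers trust as the last argument instead of the constructed root.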

On Thu, Jan 31, 2013 at 8:04 AM, Myers, Scott <[email protected]> wrote:
Shazaam!  That is a cool tool.  It's a heck of a lot more readable than all 
that command line stuff.  Thanks, Jason!

I added the Thawte cert into the jks myself.  Since sending this email, I have 
found that when I export that cert or convert it from the p12 version from 
Thawte, it drops the CA root.  It only gives me the 
domain....*.domain.com.  I used your tool to create a full 
chain and apply it to Apache's SSL.

One of two things happens: 1) I continue to get the warning on the site or 2) 
Apache won't start b/c it doesn't like the crt I added.

When Apache won't start, I see an error in the log:
[Thu Jan 31 10:59:04 2013] [error] Unable to configure verify locations for 
client authentication

Still working on that one.  Thanks again for the help and the tool!



From: Action Request System discussion list(ARSList) 
[mailto:[email protected]] On Behalf Of Jason Miller
Sent: Wednesday, January 30, 2013 5:20 PM
To: [email protected]
Subject: Re: Certificate Assistance

Just to make sure I am following you...  Thawte sent you a jks keystore file 
with the cert and chain in it?

If this is the case can you just replace the Tomcat keystore with this 
keystore?  They are both Java keystores correct?

You *may* have to change the Thawte keystore password to changeme.  I have 
encountered some versions of TC that require that specific keystore password 
and others that allow you to specify the password in the config.

Either way I'll mention a cool free tool that adds a GUI to many aspects of 
cert/keystore management.  KeyStore Explorer is free (unfortunately not 
currently being developed): http://www.lazgosoftware.com/kse/index.html

I found this tool after figuring out the process of requesting/exporting a cert 
and chain from an internal MS CA, converting it and importing into the TC 
keystore using OpenSSL and keytool.  Just for fun and to test the tool I 
downloaded KeyStore Explorer and created a brand new TC keystore with the MS CA 
certs/chain in a matter of clicks.

Jason

On Wed, Jan 30, 2013 at 8:13 AM, Myers, Scott <[email protected]> wrote:
Hi all,

I am trying to apply a certificate from Thawte to a Mid-Tier.  The cert I have 
used is a wildcard that is currently in a jks file.  When I export the crt from 
the jks, it is losing the chain.  That flags as a warning on the website as 
"The site's security certificate is not trusted."

I'm using a Red Hat Linux operating system and have tried various methods of 
the openssl and keytool apps.

Any suggestions?
Scott

This email is subject to certain disclaimers, which may be reviewed via the 
following link. http://compass-usa.com/Pages/Disclaimer.aspx
_ARSlist: "Where the Answers Are" and have been for 20 years_

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
"Where the Answers Are, and have been for 20 years"