Hi all -

I've created a keystore and downloaded a signed certificate from Godaddy.com. I've imported both intermediate and new cert into my keystore. I configured the containers.xml to use the new keystore and restarted ofbiz. But still both Firefox and IE see the new cert as issued by me, and it seems therefore that a warning pops up about a problem with the certificate not being issued by a trusted authority.

Any pointers about how to go about correcting this would be really appreciated. I've followed the ofbiz technical guide for setting up SSL.

Do we still need to download in PKCS#7 format? I haven't asked Godaddy which format they provide. I'll do that next.

Thanks for any and all pointers.

Rick
Can you describe the process you used to import the certificate into a keystore?

I always start with a .key and a .crt and follow "Step 3: Loading Keys and Certificates" here:

http://docs.codehaus.org/display/JETTY/How+to+configure+SSL#HowtoconfigureSSL-step3

to convert them to pkcs12 and load them into a JKS keystore. (may require that you download jetty to use their pkcs12 import utility class, depending on your certificate format)

-Joe

On May 17, 2008, at 3:39 PM, Richard Fleming wrote:
> [...]
Joe - Thanks for the reply.

First off, according to GoDaddy, their certificates are downloaded in PKCS#7 format using X.509.

First I created the keystore...
c:\java\jdk1.5\bin\ keytool -genkey -keyalg RSA -alias ssl -keystore eparts.keystore

Second the CSR...
c:\java\jdk1.5\bin\ keytool -certreq -alias ssl -keyalg RSA -file certreq.csr -keystore eparts.keystore

Third, submitted to GoDaddy and downloaded 4 files from them...
valicert_class2_root
gd_cross_intermediate.crt
gd_intermediate.crt
www.epartsbiz.com.crt

Fourth, I ran the following to import them into the keystore...

keytool -import -alias root -keystore eparts.keystore -trustcacerts -file valicert_class2_root.crt
keytool -import -alias cross -keystore eparts.keystore -trustcacerts -file gd_cross_intermediate.crt
keytool -import -alias intermed -keystore eparts.keystore -trustcacerts -file gd_intermediate.crt
keytool -import -alias tomcat -keystore eparts.keystore -trustcacerts -file www.epartsbiz.com.crt

I get success at the end of each import. I then copied the eparts.keystore into base/config/ and changed the password and file directive in ofbiz_container.xml. Restarted tomcat.

Thanks for any help!
Rick

Joe Eckard <[hidden email]> wrote:
> [...]
Hi all-

Finally got it working w/ GoDaddy certificate. This is what I did -

(Download OpenSSL for Win32 or Unix.)

1. Create private key file.
   openssl genrsa -out privkey.pem 4096

2. Create CSR.
   openssl req -new -key privkey.pem -out cert.csr

3. Submit CSR to GoDaddy.

4. Create keystore w/ new certificate.
   openssl pkcs12 -export -chain -CAfile gd_bundle.crt -in <name of your certificate> -inkey <name of your certificate private key file> -out keystore.tomcat -name tomcat -passout pass:changeit

When you have completed installing your certificate, you must configure your framework/base/config/ofbiz-containers.xml configuration file to point to the correct pkcs12 keystore file:

1. Open the ofbiz-containers.xml file.

2. Add the following directives to the https-connector tag (towards the bottom of the file):
   keystoreFile="<path to>\keystore.tomcat"
   keystorePass="changeit"
   keystoreType="PKCS12"

3. Restart Tomcat.

Hope this can help someone out at some point.

Rick

Three sources helped:
http://www.openssl.org/docs/HOWTO/certificates.txt
http://docs.ofbiz.org/display/OFBTECH/Apache+OFBiz+Technical+Production+Setup+Guide
GoDaddy.com installation instructions.

Richard Fleming <[hidden email]> wrote:
> [...]
Hello Rick,

I tried your method and everything seemed to work till I restarted the server. My keystore.tomcat is outside of the ofbiz directory, would this make a difference? The log says the following:

2008-05-28 13:03:16,740 (main) [ Http11BaseProtocol.java:141:ERROR] Error initializing endpoint
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
    at sun.security.util.DerInputStream.getLength(DerInputStream.java:530)
    at sun.security.util.DerValue.init(DerValue.java:346)
    at sun.security.util.DerValue.<init>(DerValue.java:302)
    at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1198)
    at java.security.KeyStore.load(KeyStore.java:1150)
I had a problem with the path originally, so I moved the keystore file into the base/config directory. After that everything worked great.

Rick

Toddnick <[hidden email]> wrote:
> [...]
--
View this message in context: http://www.nabble.com/SSL-certificate-installation-tp17295499p17518954.html
Sent from the OFBiz - User mailing list archive at Nabble.com.
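The procedure Rick settled on (step 4 with -chain -CAfile) and the keystore-loading failure Toddnick hit both come down to what is actually inside the PKCS#12 file Tomcat reads. The script below is an added example, not Rick's commands and not OFBiz or GoDaddy code: it builds a throwaway root -> intermediate -> server chain with OpenSSL, exports it into a PKCS#12 keystore both with and without -chain -CAfile, and then inspects the result. All file names, the demo CN values, the bundle layout (intermediate then root, standing in for gd_bundle.crt) and the helper names are constructed for this demo. It shows that the -chain export carries three certificates while the plain export carries only the leaf, which is the keystore that leaves a browser unable to build a path to a trusted root, and it adds a byte-level sanity check that the file Tomcat is pointed at is DER at all, which is what the Java PKCS12 loader's DER parser assumes.

```shell
#!/bin/sh
# Added example (not from the thread, OFBiz or GoDaddy): build a throwaway
# root -> intermediate -> server certificate chain with OpenSSL, export it
# into a PKCS#12 keystore the way Rick's step 4 does, and check what the
# keystore really contains before pointing Tomcat at it.
# Every file name, CN and helper name below is constructed for this demo.
set -eu

# make_chain DIR: writes root.crt, intermediate.crt, leaf.crt, leaf.key and
# bundle.crt (intermediate + root, the role gd_bundle.crt plays) into DIR.
make_chain() {
  d="$1"
  mkdir -p "$d"
  # Extensions are given explicitly so the chain builds on any openssl.cnf.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"

  # Root CA: a CSR self-signed with CA extensions.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null

  # Intermediate CA signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null

  # Server (leaf) certificate signed by the intermediate; this is the file a
  # public CA hands back for your CSR.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
    -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null

  cat "$d/intermediate.crt" "$d/root.crt" > "$d/bundle.crt"
}

# build_p12 DIR OUT chain|nochain: export leaf + private key into a PKCS#12.
# "chain" is Rick's working command; "nochain" omits -chain -CAfile, the
# kind of keystore that makes a browser report an untrusted issuer because
# the server then sends only the leaf certificate.
build_p12() {
  d="$1"; out="$2"; mode="${3:-chain}"
  if [ "$mode" = chain ]; then
    openssl pkcs12 -export -chain -CAfile "$d/bundle.crt" -in "$d/leaf.crt" \
      -inkey "$d/leaf.key" -out "$out" -name tomcat -passout pass:changeit
  else
    openssl pkcs12 -export -in "$d/leaf.crt" \
      -inkey "$d/leaf.key" -out "$out" -name tomcat -passout pass:changeit
  fi
}

# p12_cert_count FILE: number of certificates in the keystore (3 = leaf +
# intermediate + root for the demo chain, 1 = leaf only).
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin pass:changeit 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# p12_key_count FILE: number of private keys; a server keystore needs exactly 1.
p12_key_count() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin pass:changeit 2>/dev/null \
    | grep -c 'BEGIN .*PRIVATE KEY' || true
}

# is_der_file FILE: true when FILE is non-empty and starts with the ASN.1
# SEQUENCE tag 0x30, as every PKCS#12 file does. A PEM file, an HTML download
# page or a wrong path handed to keystoreType="PKCS12" fails this check and,
# in Tomcat, fails later inside the Java PKCS12 loader's DER parsing.
is_der_file() {
  [ -s "$1" ] && [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]
}

# Run "sh keystore-check.sh demo" to compare both keystores.
if [ "${1:-}" = demo ]; then
  work=$(mktemp -d)
  make_chain "$work"
  build_p12 "$work" "$work/keystore.tomcat" chain
  build_p12 "$work" "$work/leaf-only.p12" nochain
  echo "with -chain:    $(p12_cert_count "$work/keystore.tomcat") certificate(s), $(p12_key_count "$work/keystore.tomcat") key(s)"
  echo "without -chain: $(p12_cert_count "$work/leaf-only.p12") certificate(s)"
  is_der_file "$work/keystore.tomcat" && echo "keystore.tomcat is DER, as PKCS#12 must be"
  rm -rf "$work"
fi
```

Against a real GoDaddy-issued certificate, substitute the CA's bundle, your signed certificate and your private key for the demo files; the counting and DER checks apply unchanged, and running p12_cert_count on the keystore named in ofbiz-containers.xml is a quicker test than restarting Tomcat and reading the browser warning.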