how to get a digital certificate

Discussion in 'Java' started by jimgardener, Oct 23, 2008.

  1. jimgardener

    jimgardener Guest

    Hi,
    I am trying out the ssl-howto tutorial that comes with Apache
    Tomcat 5.5. I used
    keytool -genkey -alias tomcat -keyalg RSA
    to create a .keystore file in my home directory and added the password
    using keystorePass in the Connector element of server.xml. When I try
    https://localhost:8443 the browser complains that it is self-signed
    and that it uses an invalid security certificate (error code:
    sec_error_ca_cert_invalid).

    So I wanted to get a certificate from VeriSign and went to their free
    SSL trial certificate page. In the textbox for pasting CSR data I
    copied the data of certreq.csr created by
    keytool -genkey -alias tomcat -keyalg RSA -keystore mylocalkeystore
    and
    keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore mylocalkeystore

    But here I get an error message that it contains invalid characters in
    the common name.

    Can someone please help me to get this right? Is the CSR created by
    keytool inappropriate? Do I have to use some other tool?
    jimgardener, Oct 23, 2008
    #1

  2. Dave Miller Guest

    jimgardener wrote:
    > Hi,
    > I am trying out the ssl-howto tutorial that comes with Apache
    > Tomcat 5.5. I used
    > keytool -genkey -alias tomcat -keyalg RSA
    > to create a .keystore file in my home directory and added the password
    > using keystorePass in the Connector element of server.xml. When I try
    > https://localhost:8443 the browser complains that it is self-signed
    > and that it uses an invalid security certificate (error code:
    > sec_error_ca_cert_invalid).
    >
    > So I wanted to get a certificate from VeriSign and went to their free
    > SSL trial certificate page. In the textbox for pasting CSR data I
    > copied the data of certreq.csr created by
    > keytool -genkey -alias tomcat -keyalg RSA -keystore mylocalkeystore
    > and
    > keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore mylocalkeystore
    >
    > But here I get an error message that it contains invalid characters in
    > the common name.
    >
    > Can someone please help me to get this right? Is the CSR created by
    > keytool inappropriate? Do I have to use some other tool?

    I don't know if a CA will issue an SSL cert to localhost. It may be
    easier to just accept the cert / ignore the warning for testing purposes.

    --
    Dave Miller
    Java Web Hosting
    http://www.cheap-jsp-hosting.com/
    Dave Miller, Oct 23, 2008
    #2

  3. Nigel Wade Guest

    jimgardener wrote:

    > Hi,
    > I am trying out the ssl-howto tutorial that comes with Apache
    > Tomcat 5.5. I used
    > keytool -genkey -alias tomcat -keyalg RSA
    > to create a .keystore file in my home directory and added the password
    > using keystorePass in the Connector element of server.xml. When I try
    > https://localhost:8443 the browser complains that it is self-signed
    > and that it uses an invalid security certificate (error code:
    > sec_error_ca_cert_invalid).


    Certificates include the hostname. If your self-signed cert. was issued
    containing the FQDN, then when you connect via "localhost" the hostname does
    not match the hostname in the cert.

    This got me when I was testing SSL, and connecting using an IP number. The same
    problem arises there, the IP number does not match the hostname and the cert.
    is refused.

    >
    > So I wanted to get a certificate from VeriSign and went to their free
    > SSL trial certificate page. In the textbox for pasting CSR data I
    > copied the data of certreq.csr created by
    > keytool -genkey -alias tomcat -keyalg RSA -keystore mylocalkeystore
    > and
    > keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore mylocalkeystore
    >
    > But here I get an error message that it contains invalid characters in
    > the common name.
    >
    > Can someone please help me to get this right? Is the CSR created by
    > keytool inappropriate? Do I have to use some other tool?


    What Common Name did you use in the request? It must be the FQDN of the host for
    which you are requesting the cert. When keytool asks you for your first and
    last name this is the Common Name. Don't enter your name, enter the name of the
    host. See
    https://www.verisign.com/support/ssl-certificates-support/page_dev020184.html

    If you have openssl installed you can view the contents of the request using the
    command:

    openssl req -text -noout -in /path/to/request

    --
    Nigel Wade
    Nigel Wade, Oct 24, 2008
    #3
  4. jimgardener Guest

    On Oct 24, 2:18 pm, Nigel Wade <> wrote:
    > When keytool asks you for your first and
    > last name this is the Common Name. Don't enter your name, enter the name of the host.


    thanks Nigel,
    If I want to test my applications on Tomcat using, say, https://localhost:8443/myapp

    what CommonName should I give to make the certificate? Is it the computer
    name? My machine is named TARGA. Is that what I have to give? The
    VeriSign page says it should be like www.somename.com ..
    thanks
    jim
    jimgardener, Oct 24, 2008
    #4
  5. Nigel Wade Guest

    jimgardener wrote:

    > On Oct 24, 2:18 pm, Nigel Wade <> wrote:
    >> When keytool asks you for your first and
    >> last name this is the Common Name. Don't enter your name, enter the name of
    >> the host.
    >
    > thanks Nigel,
    > If I want to test my applications on Tomcat using, say,
    > https://localhost:8443/myapp
    >
    > what CommonName should I give to make the certificate? Is it the computer
    > name? My machine is named TARGA. Is that what I have to give? The
    > VeriSign page says it should be like www.somename.com ..
    > thanks
    > jim


    To make any sensible use of digital certs. your server really ought to have a
    properly registered FQDN.

    What you use for CN is the hostname which the server knows itself as, and which
    other machines use to refer to it.

    If you only intend to use SSL within a private subnet you may get away with
    using just a hostname if that's all that the client will use to refer to the
    server. But I don't know, I've never tried it, all our machines have FQDNs. The
    CA may refuse to issue a cert. based on a hostname rather than a FQDN.

    --
    Nigel Wade
    Nigel Wade, Oct 24, 2008
    #5
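    Nigel's advice in #3 and #5 comes down to two separate checks: the Common Name in the CSR must be a host name a CA will accept (not a person's name and not a bare machine name like TARGA), and the name in the issued certificate must be the one the client actually types into the URL, so a cert for the FQDN will not satisfy a browser pointed at localhost or an IP address. The following Python script is an added example, not code from this thread; it uses only the standard library, the CN rules are an assumption approximating public-CA policy rather than VeriSign's exact rules, and all host names are constructed.

```python
"""Added example: check a CSR Common Name, and whether a certificate's names
cover the host a client connects to. Stdlib only; all names are constructed."""
import ipaddress
import re

# Assumed CA rule for one DNS label: letters, digits and hyphens, 1-63 chars,
# no leading or trailing hyphen. This approximates public-CA policy.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def common_name_problems(cn):
    """Return reasons a CA would reject this CN; an empty list means it looks OK."""
    if _is_ip(cn):
        return ["IP address, not a hostname"]
    problems = []
    labels = cn.split(".")
    if any(not _LABEL.match(label) for label in labels):
        problems.append("invalid characters in a label")  # e.g. the space in "Jim Gardener"
    if len(labels) < 2:
        problems.append("not fully qualified (no dot)")   # e.g. a bare "TARGA" or "localhost"
    return problems


def name_matches(cert_name, hostname):
    """DNS-ID match: case-insensitive; '*' may only stand for the whole left-most label."""
    cert_labels = cert_name.lower().split(".")
    host_labels = hostname.lower().split(".")
    if len(cert_labels) != len(host_labels) or "" in host_labels:
        return False
    if cert_labels[0] == "*":
        return len(cert_labels) >= 3 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def certificate_covers(cert_names, target):
    """True if any name in the cert covers what the client typed in the URL.
    An IP target matches only an identical IP entry, never a DNS name."""
    if _is_ip(target):
        return any(_is_ip(n) and ipaddress.ip_address(n) == ipaddress.ip_address(target)
                   for n in cert_names)
    return any(not _is_ip(n) and name_matches(n, target) for n in cert_names)
```

    A CN of "localhost" passes the hostname match for a browser pointed at https://localhost:8443 but fails the CA check, which is exactly the gap between a self-signed test cert and a CA-issued one that this thread describes.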
  6. harryos Guest


    > To make any sensible use of digital certs. your server really ought to have a
    > properly registered FQDN.



    I had this same problem while trying out the tutorial on SSL. When I
    give http://localhost:8443/MySecureApp I get an error like
    'localhost:8443 uses an invalid security certificate.
    The certificate is not trusted because it is self signed'

    Is there a workaround to make the server accept self-signed
    certificates?

    thanks
    harry
    harryos, Oct 24, 2008
    #6
  7. David Segall Guest

    jimgardener <> wrote:

    > On Oct 24, 2:18 pm, Nigel Wade <> wrote:
    >> When keytool asks you for your first and
    >> last name this is the Common Name. Don't enter your name, enter the name of the host.
    >
    > thanks Nigel,
    > If I want to test my applications on Tomcat using, say, https://localhost:8443/myapp
    >
    > what CommonName should I give to make the certificate? Is it the computer
    > name? My machine is named TARGA. Is that what I have to give? The
    > VeriSign page says it should be like www.somename.com ..

    If you have a broadband Internet connection spend ten dollars a year
    on your own domain name. I have written a HOWTO here
    <http:cheapweb.profectus.com.au>.
    David Segall, Oct 24, 2008
    #7
  8. Nigel Wade Guest

    harryos wrote:

    >> To make any sensible use of digital certs. your server really ought to have a
    >> properly registered FQDN.
    >
    > I had this same problem while trying out the tutorial on SSL. When I
    > give http://localhost:8443/MySecureApp I get an error like
    > 'localhost:8443 uses an invalid security certificate.
    > The certificate is not trusted because it is self signed'
    >
    > Is there a workaround to make the server accept self-signed
    > certificates?
    >


    It's not the server that needs to accept it, the server just serves it. It's the
    client that's complaining that it doesn't trust it. With self-signed certs. the
    client will /always/ complain unless you explicitly tell it to accept the cert.
    There is no chain of trust with self-signed certs.

    --
    Nigel Wade
    Nigel Wade, Oct 24, 2008
    #8
  9. RedGrittyBrick

    Nigel Wade wrote:
    > harryos wrote:
    >
    >>> To make any sensible use of digital certs. your server really ought to have a
    >>> properly registered FQDN.
    >>
    >> I had this same problem while trying out the tutorial on SSL. When I
    >> give http://localhost:8443/MySecureApp I get an error like
    >> 'localhost:8443 uses an invalid security certificate.
    >> The certificate is not trusted because it is self signed'
    >>
    >> Is there a workaround to make the server accept self-signed
    >> certificates?
    >>
    >
    > It's not the server that needs to accept it, the server just serves it. It's the
    > client that's complaining that it doesn't trust it. With self-signed certs. the
    > client will /always/ complain unless you explicitly tell it to accept the cert.
    > There is no chain of trust with self-signed certs.
    >


    Surely you can install the cert in the browser's "Trusted Root
    Certification Authorities" - if you trust yourself :)

    Then the browser will stop complaining.

    --
    RGB
    RedGrittyBrick, Oct 24, 2008
    #9
  10. Lew Guest

    On Oct 24, 12:06 pm, RedGrittyBrick <>
    wrote:
    > Nigel Wade wrote:
    > > harryos wrote:
    > >
    > >>> To make any sensible use of digital certs. your server really ought to have a
    > >>> properly registered FQDN.
    > >>
    > >> I had this same problem while trying out the tutorial on SSL. When I
    > >> give http://localhost:8443/MySecureApp I get an error like
    > >> 'localhost:8443 uses an invalid security certificate.
    > >> The certificate is not trusted because it is self signed'
    > >>
    > >> Is there a workaround to make the server accept self-signed
    > >> certificates?
    > >
    > > It's not the server that needs to accept it, the server just serves it. It's the
    > > client that's complaining that it doesn't trust it. With self-signed certs. the
    > > client will /always/ complain unless you explicitly tell it to accept the cert.
    > > There is no chain of trust with self-signed certs.
    >
    > Surely you can install the cert in the browser's "Trusted Root
    > Certification Authorities" - if you trust yourself :)
    >
    > Then the browser will stop complaining.

    Don't you have to set up a root certificate (self-signed) separately
    in order to do that?

    --
    Lew
    Lew, Oct 24, 2008
    #10
  11. Nigel Wade Guest

    RedGrittyBrick wrote:

    >
    > Nigel Wade wrote:
    >> harryos wrote:
    >>
    >>>> To make any sensible use of digital certs. your server really ought to have a
    >>>> properly registered FQDN.
    >>>
    >>> I had this same problem while trying out the tutorial on SSL. When I
    >>> give http://localhost:8443/MySecureApp I get an error like
    >>> 'localhost:8443 uses an invalid security certificate.
    >>> The certificate is not trusted because it is self signed'
    >>>
    >>> Is there a workaround to make the server accept self-signed
    >>> certificates?
    >>>
    >>
    >> It's not the server that needs to accept it, the server just serves it. It's the
    >> client that's complaining that it doesn't trust it. With self-signed certs. the
    >> client will /always/ complain unless you explicitly tell it to accept the cert.
    >> There is no chain of trust with self-signed certs.
    >>
    >
    > Surely you can install the cert in the browser's "Trusted Root
    > Certification Authorities" - if you trust yourself :)
    >
    > Then the browser will stop complaining.
    >

    The browsers have stores for certs. which you can accept on an individual basis.
    For a self-signed (i.e. no CA) this is where the browser will put it.

    There is also a store for trusted CA certs (the browsers come with this already
    populated with the commercial published CA certs). If you set up your own CA
    you can still install the server cert. as above. Or you can install your CA
    cert. in the browser's trusted CA store so that any cert. signed by that CA will
    be accepted.

    --
    Nigel Wade
    Nigel Wade, Oct 27, 2008
    #11
  12. Roedy Green Guest

    On Thu, 23 Oct 2008 07:01:16 -0700 (PDT), jimgardener
    <> wrote, quoted or indirectly quoted someone who
    said :

    >i am trying out the ssl-howto tutorial that comes with apache
    >tomcat5.5..I used
    >keytool -genkey -alias tomcat -keyalg RSA to create a .keystore file


    see http://mindprod.com/jgloss/certificate.html
    --
    Roedy Green Canadian Mind Products
    http://mindprod.com
    The Canadian national animal should be changed from the beaver to the ostrich.
    Canadians elected a party that denies global warming so they too could pretend it presents no danger.
    Roedy Green, Oct 27, 2008
    #12