how to get a digital certificate

Discussion in 'Java' started by jimgardener, Oct 23, 2008.

  1. jimgardener

    jimgardener Guest

    hi
    I am trying out the ssl-howto tutorial that comes with Apache
    Tomcat 5.5. I used
    keytool -genkey -alias tomcat -keyalg RSA to create a .keystore file
    in home directory and added the password using keystorePass in
    Connector element of server.xml. When I try
    https://localhost:8443 the browser complains that it is self signed
    and that it uses an invalid security certificate (error code:
    sec_error_ca_cert_invalid).

    So I wanted to get a certificate from VeriSign and went to their free
    SSL trial certificate page. In the textbox for pasting CSR data I
    copied the data of certreq.csr created by
    keytool -genkey -alias tomcat -keyalg RSA -keystore mylocalkeystore
    and
    keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore
    mylocalkeystore

    But here I get an error message that it contains invalid characters in
    common name.

    Can someone please help me to get this right? Is the CSR created by
    keytool inappropriate? Do I have to use some other tool?
     
    jimgardener, Oct 23, 2008
    #1
  2. Dave Miller

    Dave Miller Guest

    I don't know if a CA will issue an SSL cert to localhost. It may be
    easier to just accept the cert / ignore the warning for testing purposes.
     
    Dave Miller, Oct 23, 2008
    #2
  3. Nigel Wade

    Nigel Wade Guest

    Certificates include the hostname. If your self-signed cert. was issued
    containing the FQDN, then when you connect via "localhost" the hostname does
    not match the hostname in the cert.

    This got me when I was testing SSL, and connecting using an IP number. The same
    problem arises there, the IP number does not match the hostname and the cert.
    is refused.
    What Common Name did you use in the request? It must be the FQDN of the host for
    which you are requesting the cert. When keytool asks you for your first and
    last name this is the Common Name. Don't enter your name, enter the name of the
    host. See
    https://www.verisign.com/support/ssl-certificates-support/page_dev020184.html

    If you have openssl installed you can view the contents of the request using the
    command:

    openssl req -text -noout -in /path/to/request
     
    Nigel Wade, Oct 24, 2008
    #3
  4. jimgardener

    jimgardener Guest

    Thanks Nigel,
    if I want to test my applications on Tomcat using say https://localhost:8443/myapp

    what CommonName should I give to make the certificate? Is it the computer
    name? My machine is named TARGA. Is that what I have to give? The
    VeriSign page says it should be like www.somename.com ..
    thanks
    jim
     
    jimgardener, Oct 24, 2008
    #4
  5. Nigel Wade

    Nigel Wade Guest

    To make any sensible use of digital certs. your server really ought to have a
    properly registered FQDN.

    What you use for CN is the hostname which the server knows itself as, and which
    other machines use to refer to it.

    If you only intend to use SSL within a private subnet you may get away with
    using just a hostname if that's all that the client will use to refer to the
    server. But I don't know, I've never tried it, all our machines have FQDNs. The
    CA may refuse to issue a cert. based on a hostname rather than an FQDN.
     
    Nigel Wade, Oct 24, 2008
    #5
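Nigel's two points in posts #3 and #5, that the Common Name in the request has to be a hostname (ideally a fully qualified one, not a person's name and not a bare machine name like TARGA) and that the name the client types into the URL must match the name the certificate was issued to, as an added Python example that is not part of this thread. The names targa.example.com and 192.0.2.10 and the subjectAltName lists are constructed for illustration; the matching rules go a little beyond the posts and follow the usual browser behaviour (exact case-insensitive match, a wildcard only as the whole leftmost label, IP addresses matched only against IP entries).

```python
import ipaddress
import re

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, 1-63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def check_common_name(cn):
    """Validate a Common Name intended for a server certificate request.

    Returns (ok, reason). A CA expects an RFC 1123 hostname here, and for a
    public certificate it must be fully qualified (at least two labels):
    not a person's name and not a bare machine name such as TARGA.
    """
    if not cn:
        return False, "empty Common Name"
    if len(cn) > 253:
        return False, "hostname longer than 253 characters"
    for ch in cn:
        if not (ch.isascii() and ch.isalnum()) and ch not in ".-":
            return False, "invalid character %r in Common Name" % ch
    labels = cn.lower().split(".")
    for label in labels:
        if not LABEL_RE.match(label):
            return False, "invalid label %r" % label
    if len(labels) < 2:
        return False, "not fully qualified: %r is a bare hostname" % cn
    return True, "ok"


def _dns_name_matches(pattern, host):
    """Match one DNS identity from a certificate against the requested host.

    Comparison is case-insensitive. A wildcard is honoured only as the whole
    leftmost label, stands for exactly one label, and must leave at least two
    literal labels ('*.com' is refused).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(host, san=(), cn=None):
    """Decide whether a certificate with these identities is valid for `host`.

    `san` is a list of (type, value) pairs as carried in subjectAltName, e.g.
    [("DNS", "www.example.com"), ("IP", "203.0.113.10")]. The CN is used only
    when the certificate has no DNS SAN entries (the legacy rule of 2008-era
    browsers; current browsers ignore the CN entirely).
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    if ip is not None:
        # A URL with an IP address matches only an IP entry, never a DNS name:
        # this is the failure Nigel hit when connecting by IP number.
        return any(kind == "IP" and ipaddress.ip_address(value) == ip
                   for kind, value in san)

    dns_names = [value for kind, value in san if kind == "DNS"]
    if not dns_names and cn:
        dns_names = [cn]
    return any(_dns_name_matches(name, host) for name in dns_names)


if __name__ == "__main__":
    # Constructed values: what the poster might enter, and a machine's FQDN.
    for candidate in ("Jim Gardener", "TARGA", "targa.example.com"):
        print("CN %-20r -> %s" % (candidate, check_common_name(candidate)[1]))

    # A cert issued to the FQDN does not cover the URL https://localhost:8443/.
    server_cn = "targa.example.com"
    for url_host in ("localhost", "targa.example.com", "192.0.2.10"):
        print("connect to %-20s -> %s" % (url_host, hostname_matches(url_host, cn=server_cn)))
```

Running it shows the two failures from the thread side by side: "Jim Gardener" is rejected for the space in it (the CA's "invalid characters in common name"), TARGA is rejected as not fully qualified, and a certificate issued to targa.example.com does not match a connection to localhost or to the IP address. If you want the same certificate to work for all three, the usual fix is to issue it with DNS and IP entries in subjectAltName rather than relying on the CN.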
  6. harryos

    harryos Guest

    I had this same problem while trying out the tutorial on SSL. When I
    give http://localhost:8443/MySecureApp I get an error like
    'localhost:8443 uses an invalid security certificate.
    The certificate is not trusted because it is self signed'

    is there a workaround to make the server accept self signed
    certificates?

    thanks
    harry
     
    harryos, Oct 24, 2008
    #6
  7. David Segall

    David Segall Guest

    If you have a broadband Internet connection spend ten dollars a year
    on your own domain name. I have written a HOWTO here
    <http:cheapweb.profectus.com.au>.
     
    David Segall, Oct 24, 2008
    #7
  8. Nigel Wade

    Nigel Wade Guest

    It's not the server that needs to accept it, the server just serves it. It's the
    client that's complaining that it doesn't trust it. With self-signed certs. the
    client will /always/ complain unless you explicitly tell it to accept the cert.
    There is no chain of trust with self-signed certs.
     
    Nigel Wade, Oct 24, 2008
    #8
  9. RedGrittyBrick

    RedGrittyBrick Guest

    Surely you can install the cert in the browser's "Trusted Root
    Certification Authorities" - if you trust yourself :)

    Then the browser will stop complaining.
     
    RedGrittyBrick, Oct 24, 2008
    #9
  10. Lew

    Lew Guest

    Don't you have to set up a root certificate (self-signed) separately
    in order to do that?
     
    Lew, Oct 24, 2008
    #10
  11. Nigel Wade

    Nigel Wade Guest

    The browsers have stores for certs. which you can accept on an individual basis.
    For a self-signed (i.e. no CA) this is where the browser will put it.

    There is also a store for trusted CA certs (the browsers come with this already
    populated with the commercial published CA certs). If you set up your own CA
    you can still install the server cert. as above. Or you can install your CA
    cert. in the browser's trusted CA store so that any cert. signed by that CA will
    be accepted.
     
    Nigel Wade, Oct 27, 2008
    #11
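The trust decision Nigel describes in posts #8 and #11 (a self-signed cert has no chain of trust, so the client accepts it only if that exact cert has been put in its store; a cert signed by your own CA is accepted once the CA cert is in the trusted-CA store, and so is every other cert that CA signs), as an added Python model that is not part of this thread. The certificate records, the key identifiers and the "Home CA" name are constructed; signature verification is simulated by comparing key identifiers, so the block shows the path-building logic a client follows, not real X.509 validation (no dates, extensions or revocation).

```python
import hashlib
import json


def make_cert(subject, issuer, key_id, signed_with):
    """Build a toy certificate record (constructed for this example).

    key_id stands for the public key inside the cert and signed_with for the
    key that produced the signature. A real validator verifies the signature
    cryptographically; this model just compares the two identifiers.
    """
    body = {"subject": subject, "issuer": issuer,
            "key_id": key_id, "signed_with": signed_with}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    body["fingerprint"] = digest[:16]   # how a client pins one exact cert
    return body


def is_self_signed(cert):
    """Subject equals issuer and the cert is signed with its own key."""
    return cert["subject"] == cert["issuer"] and cert["signed_with"] == cert["key_id"]


def build_chain(leaf, trust_store, intermediates=(), max_depth=5):
    """Walk from the server certificate towards something the client trusts.

    Returns the chain (leaf first) or None. Two ways to succeed, as in the
    thread: the exact cert is in trust_store (an individually accepted
    self-signed cert), or the walk reaches a CA cert in trust_store (after
    which any cert that CA signed is accepted without further action).
    """
    trusted = {c["fingerprint"] for c in trust_store}
    chain = [leaf]
    current = leaf
    while len(chain) <= max_depth:
        if current["fingerprint"] in trusted:
            return chain                     # reached a trusted cert
        if is_self_signed(current):
            return None                      # self-signed, not explicitly trusted: no chain
        issuers = [c for c in list(trust_store) + list(intermediates)
                   if c["subject"] == current["issuer"]
                   and c["key_id"] == current["signed_with"]]
        if not issuers:
            return None                      # unknown issuer, or signature does not bind
        current = issuers[0]
        chain.append(current)
    return None                              # chain too long


if __name__ == "__main__":
    # Constructed scenario: the poster's self-signed Tomcat cert, then a private CA.
    self_signed = make_cert("CN=targa.example.com", "CN=targa.example.com", "k-tomcat", "k-tomcat")
    home_ca = make_cert("CN=Home CA", "CN=Home CA", "k-ca", "k-ca")
    ca_signed = make_cert("CN=targa.example.com", "CN=Home CA", "k-tomcat", "k-ca")
    second_server = make_cert("CN=other.example.com", "CN=Home CA", "k-other", "k-ca")

    print("self-signed, empty store     :", build_chain(self_signed, []))
    print("self-signed, accepted by user:", [c["subject"] for c in build_chain(self_signed, [self_signed])])
    print("CA-signed, CA in store       :", [c["subject"] for c in build_chain(ca_signed, [home_ca])])
    print("second cert from same CA     :", [c["subject"] for c in build_chain(second_server, [home_ca])])
    print("CA-signed, CA not in store   :", build_chain(ca_signed, []))
```

The first two lines of output are the "always complain" case and the per-certificate exception RedGrittyBrick and Lew were discussing; the next two show why a private CA scales better for a test network: one entry in the trusted-CA store covers every server cert it signs. The fifth line is the same CA-signed cert on a client that never imported the CA, which is exactly as untrusted as the self-signed one.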
  12. Roedy Green

    Roedy Green Guest

    see http://mindprod.com/jgloss/certificate.html
     
    Roedy Green, Oct 27, 2008
    #12