how to get a digital certificate

jimgardener

hi
I am trying out the ssl-howto tutorial that comes with Apache
Tomcat 5.5. I used
keytool -genkey -alias tomcat -keyalg RSA to create a .keystore file
in the home directory and added the password using keystorePass in the
Connector element of server.xml. When I try
https://localhost:8443 the browser complains that it is self signed
and that it uses an invalid security certificate (error code:
sec_error_ca_cert_invalid).

So I wanted to get a certificate from VeriSign and went to their free
SSL trial certificate page. In the textbox for pasting CSR data I
copied the data of certreq.csr created by
keytool -genkey -alias tomcat -keyalg RSA -keystore mylocalkeystore
and
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore
mylocalkeystore

But here I get an error message that it contains invalid characters in
the common name.

Can someone please help me to get this right? Is the CSR created by
keytool inappropriate? Do I have to use some other tool?
 
Dave Miller

jimgardener said:
hi
I am trying out the ssl-howto tutorial that comes with Apache
Tomcat 5.5. I used
keytool -genkey -alias tomcat -keyalg RSA to create a .keystore file
in the home directory and added the password using keystorePass in the
Connector element of server.xml. When I try
https://localhost:8443 the browser complains that it is self signed
and that it uses an invalid security certificate (error code:
sec_error_ca_cert_invalid).

So I wanted to get a certificate from VeriSign and went to their free
SSL trial certificate page. In the textbox for pasting CSR data I
copied the data of certreq.csr created by
keytool -genkey -alias tomcat -keyalg RSA -keystore mylocalkeystore
and
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore
mylocalkeystore

But here I get an error message that it contains invalid characters in
the common name.

Can someone please help me to get this right? Is the CSR created by
keytool inappropriate? Do I have to use some other tool?
I don't know if a CA will issue an SSL cert to localhost. It may be
easier to just accept the cert / ignore the warning for testing purposes.
 
Nigel Wade

jimgardener said:
hi
I am trying out the ssl-howto tutorial that comes with Apache
Tomcat 5.5. I used
keytool -genkey -alias tomcat -keyalg RSA to create a .keystore file
in the home directory and added the password using keystorePass in the
Connector element of server.xml. When I try
https://localhost:8443 the browser complains that it is self signed
and that it uses an invalid security certificate (error code:
sec_error_ca_cert_invalid).

Certificates include the hostname. If your self-signed cert. was issued
containing the FQDN, then when you connect via "localhost" the hostname does
not match the hostname in the cert.

This got me when I was testing SSL, and connecting using an IP number. The same
problem arises there, the IP number does not match the hostname and the cert.
is refused.
So I wanted to get a certificate from VeriSign and went to their free
SSL trial certificate page. In the textbox for pasting CSR data I
copied the data of certreq.csr created by
keytool -genkey -alias tomcat -keyalg RSA -keystore mylocalkeystore
and
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore
mylocalkeystore

But here I get an error message that it contains invalid characters in
the common name.

Can someone please help me to get this right? Is the CSR created by
keytool inappropriate? Do I have to use some other tool?

What Common Name did you use in the request? It must be the FQDN of the host for
which you are requesting the cert. When keytool asks you for your first and
last name this is the Common Name. Don't enter your name, enter the name of the
host. See
https://www.verisign.com/support/ssl-certificates-support/page_dev020184.html

If you have openssl installed you can view the contents of the request using the
command:

openssl req -text -noout -in /path/to/request
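The points in Nigel's reply (the CN has to be the host's FQDN, keytool's "first and last name" prompt fills that field, and the request can be inspected with openssl before it is pasted into the CA's form), as an added example that is not code from the thread, from Tomcat or from VeriSign. It assumes a POSIX shell with openssl 1.1.1 or later on the PATH; targa.example.com is a constructed placeholder for the server's FQDN, and check_cn is a hypothetical stand-in for the syntactic check the CA applies before it reports "invalid characters in common name".

```shell
#!/bin/sh
# Added example, not code from the thread: build a CSR non-interactively,
# read the CN back the way a CA sees it, and show why "localhost" or an IP
# number does not satisfy the name check against the server's certificate.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the run does not depend on the system openssl.cnf;
# the subject is passed with -subj, so the DN section stays empty.
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$WORK/req.cnf"

# Hypothetical version of the CA's Common Name check: letters, digits, dots and
# hyphens only; no empty label; no label starting or ending with a hyphen; and
# at least two labels. So "Jim Gardener" (space), "TARGA" and "localhost"
# (single label) are rejected. Label length limits are not checked here.
check_cn() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
    *.*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Key plus CSR with the FQDN as CN (the field keytool prompts for as "first
# and last name"); prints the CN read back from the request.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=$1" -keyout "$WORK/req.key" -out "$WORK/req.csr" 2>/dev/null
  openssl req -noout -subject -nameopt RFC2253 -in "$WORK/req.csr" \
    | sed 's/^subject=//; s/^CN=//'
}

# Self-signed cert for host $1, the equivalent of what keytool -genkey gives
# Tomcat, with the name also in a subjectAltName where modern clients look.
self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# Exit 0 if the cert would satisfy a client that connected by host name $1 ...
host_matches() {
  openssl x509 -noout -in "$WORK/server.crt" -checkhost "$1" \
    | grep -q 'does match certificate' || return 1
}
# ... or by numeric address $1 (the IP-number case from the reply).
ip_matches() {
  openssl x509 -noout -in "$WORK/server.crt" -checkip "$1" \
    | grep -q 'does match certificate' || return 1
}

# Walk through the cases from the thread.
for cn in "Jim Gardener" TARGA localhost targa.example.com; do
  if check_cn "$cn"; then echo "CN '$cn': acceptable FQDN"; else echo "CN '$cn': rejected"; fi
done
echo "CN read back from the CSR: $(make_csr targa.example.com)"
self_signed targa.example.com
for h in localhost targa.example.com; do
  if host_matches "$h"; then echo "https://$h/: name matches"; else echo "https://$h/: name mismatch"; fi
done
if ip_matches 127.0.0.1; then echo "https://127.0.0.1/: matches"; else echo "https://127.0.0.1/: mismatch"; fi
```

The same `openssl req -noout -subject` call works on the certreq.csr that keytool wrote, so the CN can be checked before anything is pasted into the CA's form; `openssl req -text -noout` from the reply shows the whole request, including the public key.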
 
Nigel Wade

jimgardener said:
the host.

Thanks Nigel,
if I want to test my applications on Tomcat using, say, https://localhost:8443/myapp

what CommonName should I give to make the certificate? Is it the computer
name? My machine is named TARGA. Is that what I have to give? The
VeriSign page says it should be like www.somename.com ..
thanks
jim

To make any sensible use of digital certs. your server really ought to have a
properly registered FQDN.

What you use for CN is the hostname which the server knows itself as, and which
other machines use to refer to it.

If you only intend to use SSL within a private subnet you may get away with
using just a hostname if that's all that the client will use to refer to the
server. But I don't know, I've never tried it, all our machines have FQDNs. The
CA may refuse to issue a cert. based on a hostname rather than a FQDN.
 
harryos

To make any sensible use of digital certs. your server really ought to have a
properly registered FQDN.


I had this same problem while trying out the tutorial on SSL. When I
give http://localhost:8443/MySecureApp I get an error like
'localhost:8443 uses an invalid security certificate.
The certificate is not trusted because it is self signed'

Is there a workaround to make the server accept self signed
certificates?

thanks
harry
 
David Segall

jimgardener said:
Thanks Nigel,
if I want to test my applications on Tomcat using, say, https://localhost:8443/myapp

what CommonName should I give to make the certificate? Is it the computer
name? My machine is named TARGA. Is that what I have to give? The
VeriSign page says it should be like www.somename.com ..
If you have a broadband Internet connection spend ten dollars a year
on your own domain name. I have written a HOWTO here
<http:cheapweb.profectus.com.au>.
 
Nigel Wade

harryos said:
I had this same problem while trying out the tutorial on SSL. When I
give http://localhost:8443/MySecureApp I get an error like
'localhost:8443 uses an invalid security certificate.
The certificate is not trusted because it is self signed'

Is there a workaround to make the server accept self signed
certificates?

It's not the server that needs to accept it, the server just serves it. It's the
client that's complaining that it doesn't trust it. With self-signed certs. the
client will /always/ complain unless you explicitly tell it to accept the cert.
There is no chain of trust with self-signed certs.
 
RedGrittyBrick

Nigel said:
It's not the server that needs to accept it, the server just serves it. It's the
client that's complaining that it doesn't trust it. With self-signed certs. the
client will /always/ complain unless you explicitly tell it to accept the cert.
There is no chain of trust with self-signed certs.

Surely you can install the cert in the browser's "Trusted Root
Certification Authorities" - if you trust yourself :)

Then the browser will stop complaining.
 
Lew

Surely you can install the cert in the browser's "Trusted Root
Certification Authorities" - if you trust yourself :)

Then the browser will stop complaining.

Don't you have to set up a root certificate (self-signed) separately
in order to do that?
 
Nigel Wade

RedGrittyBrick said:
Surely you can install the cert in the browser's "Trusted Root
Certification Authorities" - if you trust yourself :)

Then the browser will stop complaining.

The browsers have stores for certs. which you can accept on an individual basis.
For a self-signed (i.e. no CA) this is where the browser will put it.

There is also a store for trusted CA certs (the browsers come with this already
populated with the commercial published CA certs). If you set up your own CA
you can still install the server cert. as above. Or you can install your CA
cert. in the browser's trusted CA store so that any cert. signed by that CA will
be accepted.
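The trust situations described in the last few replies (a self-signed cert has no chain and is refused until the client is told to accept that one cert; a cert issued by your own CA is accepted once the CA cert is in the trusted store, and so is every other cert that CA signs), as an added example that is not code from the thread. It uses `openssl verify` in place of the browser's certificate stores, assumes a POSIX shell with openssl 1.1.1 or later on the PATH, and the host names and the CA name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: self-signed cert, private CA and
# CA-issued certs, checked against different trust stores with openssl verify.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config (independent of the system openssl.cnf). ca_ext marks
# our root as a CA that may sign; srv_ext is what an issued server cert gets.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ srv_ext ]
basicConstraints = CA:FALSE
EOF

# Self-signed cert for host $1 (the kind keytool -genkey makes), $2.key/$2.crt.
self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config req.cnf \
    -extensions srv_ext -subj "/CN=$1" -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# Our own CA named $1: a self-signed cert carrying CA:TRUE, ca.key/ca.crt.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config req.cnf \
    -extensions ca_ext -subj "/CN=$1" -keyout ca.key -out ca.crt 2>/dev/null
}

# Key + CSR for host $1, signed by our CA into $2.crt: the step a commercial
# CA performs on the pasted CSR.
ca_issue() {
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
    -subj "/CN=$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -extfile req.cnf -extensions srv_ext -out "$2.crt" 2>/dev/null
}

# Exit 0 if a client whose trust store holds only $1 would accept cert $2;
# pass "" for a client that has not been told to trust anything of ours.
accepts() {
  if [ -n "$1" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  else
    openssl verify -no-CAfile -no-CApath "$2" >/dev/null 2>&1 || return 1
  fi
}

report() {
  if accepts "$1" "$2"; then echo "trusting [$1]: $2 accepted"
  else echo "trusting [$1]: $2 rejected"; fi
}

self_signed targa.example.com server   # Tomcat-style self-signed server cert
make_ca "Example Private CA"           # our own CA
ca_issue targa.example.com issued      # server cert signed by that CA
ca_issue other.example.com issued2     # a second host under the same CA

report "" server.crt            # self-signed, nothing trusted: no chain, rejected
report server.crt server.crt    # that one cert accepted individually
report "" issued.crt            # CA-signed, but the CA is unknown: rejected
report ca.crt issued.crt        # CA cert in the trusted store: accepted
report ca.crt issued2.crt       # ... and so is anything else that CA signs
```

A client that has accepted server.crt individually still rejects issued.crt, because trust does not transfer between unrelated certificates; only a cert in the CA store vouches for other certs.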
 
