Kenneth: /* Curl Check Certificates */

2026-02-04T21:26:28Z

Curl Check Certificates

← Older revision		Revision as of 21:26, 4 February 2026
Line 142:		Line 142:

	=== Curl Check Certificates ===		=== Curl Check Certificates ===

			See [[curl]]

	-v # verbose		-v # verbose

Kenneth: /* Keytool (Java) */

2026-02-04T21:26:03Z

Keytool (Java)

@@ Line 120: / Line 120: @@
 ===Keytool (Java)===
 See [[keytool]]
 ==Errors==

Kenneth: Created page with "==Summary== ==Generate Custom Self Signed Certificate== {{Template:makecert.sh}} ==GoDaddy CER Generating Instructions== GoDaddy Instructions for generating CERs [https://ce..."

2014-09-15T08:31:20Z

Created page with "==Summary== ==Generate Custom Self Signed Certificate== {{Template:makecert.sh}} ==GoDaddy CER Generating Instructions== GoDaddy Instructions for generating CERs [https://ce..."

New page

==Summary==

==Generate Custom Self Signed Certificate==
{{Template:makecert.sh}}

==GoDaddy CER Generating Instructions==
GoDaddy Instructions for generating CERs [https://certificates.godaddy.com/CSRgeneration.go]

===Apache===
Generate CER for Apache [https://certificates.godaddy.com/CSRApache2.go]
# cd /usr/bin/ (/your path to openssl/) Enter a passphrase when prompted to.
# openssl genrsa -des3 -out <name of your certificate>.key 1024
# openssl req -new -key <name of your certificate>.key -out <name of your certificate>.csr

===Tomcat===
Generating Key Pair for Tomcat [https://certificates.godaddy.com/CSRTomcat.go]
# Enter the following command: keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
# You will be prompted for a password. Tomcat uses the default password "changeit."
# Enter Distinguished Name (DN) information First and last name - This is the Common Name: Common Name: The common name is the fully-qualified domain name - or URL - to which you plan to apply your certificate. Do not enter your personal name in this field.
# Confirm that the Distinguished Name information is correct.

Generating CSR [https://certificates.godaddy.com/CSRTomcat.go]
# Enter the following command: keytool -certreq -keyalg RSA -alias tomcat -file <your file name>.csr -keystore tomcat.keystore
# Upon prompt, enter keystore password
# Cut/copy and paste the generated CSR into our online enrollment form.
# Select "Tomcat" as your server software.

==GoDaddy CRT Installation Instructions==
Installing Your SSL Certificate [https://certificates.godaddy.com/InstallationInstructions_alt.go]

===Tomcat===
Installation for Tomcat [https://certificates.godaddy.com/Tomcat.go]

Installation Option One: Installing SSL Certificate and CA Bundle (gd_bundle.crt) Implementing a PKCS12 Keystore
#Before you install your SSL certificate you must download our root certificate bundle ([https://certificates.godaddy.com/Repository.go gd_bundle.crt]) on your Web server.
#Use the following OpenSSL command to combine the ca bundle (gd_bundle.crt) and your SSL certificate: openssl pkcs12 -export -chain -CAfile gd_bundle.crt -in <name of your certificate> -inkey <name of your certificate private key file> -out keystore.tomcat -name tomcat -passout pass:changeit
#Open the server.xml file.
#After uncommenting the SSL/TLS connector from server.xml, locate the following Factory tag section and COMMENT IT OUT: <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" protocol="TLS" />
#Add the following directives to the Connector tag: keystoreFile=<path to>\keystore.tomcat keystorePass="changeit" keystoreType="PKCS12"
#Restart Tomcat.

Installation Option Two: Installing SSL Certificate and Intermediate Certificates Separately
#Once you have downloaded the certificates to your local machine, please use the following keytool commands to import them: Root: "keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file valicert_class2_root.crt." First intermediate (gd_cross_intermediate.crt): "keytool -import -alias cross -keystore tomcat.keystore -trustcacerts -file gd_cross_intermediate.crt" Second intermediate (gd_intermediate.crt): "keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_intermediate.crt"
#Installing SSL Certificate
##Use the following command to import the issued certificate into your keystore.
##keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file <name of your certificate>
#Updating the server.xml Configuration File
##Open the server.xml file.
##After uncommenting the SSL/TLS connector from server.xml, locate the following text section: <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" protocol="TLS" />
##Add the "keystoreFile" and "keystorePass directives: <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" protocol="TLS" keystoreFile="/full/path/to/tomcat.keystore" keystorePass="changeit" />
##Restart Tomcat.

server.xml [http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html]:
<-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->


<blockquote>The default password used by Tomcat is "changeit" (all lower case), although you can specify a custom password if you like. You will also need to specify the custom password in the server.xml configuration file. [http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html]</blockquote>

Additional connector parameters:
:keystoreFile - Add this attribute if the keystore file you created is not in the default place that Tomcat expects (a file named .keystore in the user home directory under which Tomcat is running). You can specify an absolute pathname, or a relative pathname that is resolved against the $CATALINA_BASE environment variable.
:keystorePass - Add this element if you used a different keystore (and Certificate) password than the one Tomcat expects (changeit).
:keyAlias - Add this element if your have more than one key in the KeyStore. If the element is not present the first key read in the KeyStore will be used.

===Pound===
Pound needs to have the files merged into one .PEM file. I use the order of:
#domain private key (.key)
#domain certificate (.crt)
#ca chained certificates (.crt)

ListenHTTPS
Address 0.0.0.0
Port 443
Cert "/etc/mydomain.com.pem"
...

==Using the Certificates with Various Applications==

===Jira===
Running JIRA over SSL or HTTPS [http://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS]

The keystore and alias passwords both need to be 'changeit'.

If you get an error saying "Cannot recover key" this is because the alias password is not 'changeit'.

===Scalix===
"Setup stunnel if you require secure SSL communication for POP, IMAP, LDAP or SMTP" [http://www.scalix.com/wiki/index.php?title=Manual_Installation]

*Scalix Wiki [http://www.scalix.com/wiki]
*Scalix Forums [http://www.scalix.com/forums/]
*Scalix Install Guide [http://www.scalix.com/documents/Scalix_Install_Guide_11.0.1.pdf]
*Scalix Setup Guide [http://www.scalix.com/documents/Scalix_Setup_Guide_11.0.2.pdf]
*Use secure protocols [http://www.scalix.com/wiki/index.php?title=HowTos/ScalixSecurity#Use_secure_protocols]

===Tomcast SSL===
Tomcast SSL Configuration [http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html]

==Conversion from Apache PEM to Java Keytool==

See [[Java Keystore#Conversion from Apache PEM to Java Keytool|Conversion from Apache PEM to Java Keytool]]

== Conversion from Java Keytool to Apache PEM ==

See [[Java Keystore#Conversion from Java Keytool to Apache PEM]]

==SSL Wrappers==
*[http://www.apsis.ch/pound/ Pound (HTTP Load Balancer)]
*[http://www.stunnel.org/ Stunnel]

==SSL Tools==

===OpenSSL (Apache)===
See [[openssl]]

===Keytool (Java)===
See [[keytool]]

==Errors==
This is caused by an untrusted certificate or an incorrect order of the certificate chain:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

==Stunnel==
See [[Stunnel]]

==Conversion==
[http://mark.foster.cc/kb/openssl-keytool.html OpenSSL to Keytool Conversion tips]

[http://mark.foster.cc/kb/cacert-keystore-extraction.html Keytool cacert extraction to PEM format using OpenSSL and keytool]

==RSA Encryption==
[http://en.wikipedia.org/wiki/RSA Wiki: RSA]

==Extended Validation SSL - Green Address Bar==
[http://www.verisign.com/ssl/ssl-information-center/faq/extended-validation-ssl-certificates.html Extended Validation SSL (EV SSL Certificates) - Online Identity Assurance]
:"Extended Validation SSL Certificates give high security Web browsers information to clearly identify a Web site’s organizational identity. For example, if you use Microsoft® Internet Explorer 7 to go to a Web site secured with an SSL Certificate that meets the Extended Validation Standard, IE7 will cause the URL address bar to turn green. A display next to the green bar will toggle between the organization name listed in the certificate and the Certificate Authority (VeriSign, for example). Firefox and Opera have announced their intention to support Extended Validation SSL in upcoming releases. Older browsers will display Extended Validation SSL Certificates with the same security symbols as existing SSL Certificates."

*[http://www.verisign.com/ssl/ssl-information-center/ie7-ssl-security/ Get the Green Address Bar]
*[http://blogs.msdn.com/ie/archive/2005/11/21/495507.aspx Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers]
:Shows various colors of bars, and explanation
*[http://blogs.zdnet.com/security/?p=220 Verisign brings EV SSL green bar to Firefox]
*[http://www.experts-exchange.com/Networking/Protocols/Application_Protocols/SSL/Q_23106993.html Padlock icon, Green URL bar and SSL Security]

==See Also==
[[SSL Certificates]] [[openssl]] [[keytool]] [[Java Keystore]]

SSL Certificates - Revision history

Kenneth: /* Curl Check Certificates */

Kenneth: /* Keytool (Java) */

Kenneth: Created page with "==Summary== ==Generate Custom Self Signed Certificate== {{Template:makecert.sh}} ==GoDaddy CER Generating Instructions== GoDaddy Instructions for generating CERs [https://ce..."