[COLUG] Tomcat vs. OpenSSL CA?
Tom Hanlon
tom at functionalmedia.com
Mon Feb 18 18:27:20 EST 2008
I thought a certificate was a certificate. Meaning I use one for
MySQL and can use the same tool to generate one for apache.
Generating in the following manner prompts for email, as I recall.
# Create CA certificate
shell> openssl genrsa 2048 > ca-key.pem
shell> openssl req -new -x509 -nodes -days 1000 \
-key ca-key.pem > ca-cert.pem
# Create server certificate
shell> openssl req -newkey rsa:2048 -days 1000 \
-nodes -keyout server-key.pem > server-req.pem
shell> openssl x509 -req -in server-req.pem -days 1000 \
-CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
On 18 Feb 2008, at 15:07, Josh wrote:
>
> Howdy Folks,
>
> I am trying to pretend to be a CA with OpenSSL. I have done this
> before and generated certificates to use with private keys on
> Apache and IMAPs. However, this time around, I need to pretend to
> be a CA that signs Tomcat certificates.
>
> There is a minor problem. When I generate a Tomcat based key, like
> so:
>
> keytool -genkey -alias myalias -keyalg RSA -keystore mykeystore
> keytool -certreq -keyalg RSA -alias myalias -file certreq.csr \
>     -keystore mykeystore
>
> ...the resulting CSR does not include the email address. OpenSSL
> refuses to sign a CSR that does not have an email address. I've
> looked around for a bit to find out how to add the email address
> (and how to get OpenSSL to ignore the lack of an email address) to
> no avail.
>
> Has anyone done this?
>
> Cheers,
> -J
> _______________________________________________
> colug432 mailing list colug432 at colug.net
> http://www.colug.net/mailman/listinfo/colug432
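
Added example, not part of the original messages: the signing path from the reply above, run without prompts against a CSR that has no emailAddress, followed by a chain check. The subjects, the host name tomcat.example.test and the use of openssl req (instead of keytool) to build the CSR are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Subjects and file names are constructed.
# Signs a CSR that has no emailAddress using the x509 -req path shown in the
# reply, then verifies the result against the CA certificate.
sign_emailless_csr() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # CA key and self-signed CA certificate; -subj avoids the prompts.
        openssl genrsa -out ca-key.pem 2048 >/dev/null 2>&1 || exit 1
        openssl req -new -x509 -nodes -days 1000 -key ca-key.pem \
            -subj "/C=US/O=Example CA/CN=Example Test Root" \
            -out ca-cert.pem >/dev/null 2>&1 || exit 1
        # Stand-in for the keytool CSR: a subject with no emailAddress.
        openssl req -new -newkey rsa:2048 -nodes -keyout server-key.pem \
            -subj "/C=US/O=Example/CN=tomcat.example.test" \
            -out server-req.pem >/dev/null 2>&1 || exit 1
        # Fail early if the request carries an emailAddress after all.
        if openssl req -in server-req.pem -noout -subject | grep -qi email; then
            exit 2
        fi
        # x509 -req copies the CSR subject as-is; it does not apply the
        # "policy" section that "openssl ca" reads from openssl.cnf.
        # Serial 01 is only for this demo: every certificate a CA issues
        # needs its own serial number.
        openssl x509 -req -in server-req.pem -days 1000 \
            -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \
            -out server-cert.pem >/dev/null 2>&1 || exit 1
        # Prints "server-cert.pem: OK" when the chain validates.
        openssl verify -CAfile ca-cert.pem server-cert.pem 2>/dev/null
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

sign_emailless_csr
```

The CA key here is written unencrypted (-nodes) into a temporary directory that is deleted on exit; a CA key that is kept should be passphrase-protected and readable only by its owner.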