Win 2016 server.
I used Win-Acme as the agent to request cert from LetsEncrypt
Before, we would make a self-signed CSR - and import that into the keystore.
but now the Agent makes a CSR.
So if I make & import one, then keys don't match on the received .pem
So I'm not sure where the Agent's CSR is - because it has to go into the keystore, doesn't it?
And some places say Tomcat can refer to .pem directly in the Connector.
And openssl is there to convert .pem files, so I'm confused.
HELP! SSL unsure what to do with .pem files. Tomcat Windows
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.
Jaymer
Aware Programming & Consulting - Tampa FL
Re: HELP! SSL unsure what to do with .pem files. Tomcat Wind
Hi Jaymer,
When it comes to SSL, in my experience with getting them installed the easiest method is purchasing a certificate. I utilise a multi-domain certificate from sectigo for $239 per year; you can also get a single domain certificate for $79.
I just have found the installation process to be a lot quicker and easier, especially when it comes to renewals.
There are methods for converting the .pem into a .cer and then importing into your java keystore. I just found that route extremely frustrating compared to just purchasing a certificate.
AwareIM Developer edition. Version 8.5 (Build 2827) running on Windows Server 2012 R2 Standard
Re: HELP! SSL unsure what to do with .pem files. Tomcat Wind
I agree - I didn't have this issue last time when I bought a certificate outright.
I've wasted more time than the savings for this customer.
And then you have to redo this 4 times a year.
thx
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.
Jaymer
Aware Programming & Consulting - Tampa FL
Re: HELP! SSL unsure what to do with .pem files. Tomcat Wind
+1
yahya wrote: Hi Jaymer,
When it comes to SSL, in my experience with getting them installed the easiest method is purchasing a certificate. I utilise a multi-domain certificate from sectigo for $239 per year, you can also get a single domain certificate for $79.
I just have found the installation process to be a lot quicker and easier, especially when it comes to renewals.
There are methods for converting the .pem into a .cer and then importing into your java keystore. I just found that route extremely frustrating compared to just purchasing a certificate.
They are very easy to handle and they don't have shady renewal practices like GoDaddy for instance.
Re: HELP! SSL unsure what to do with .pem files. Tomcat Wind
If you want to continue down the free route, I use a product called Keystore Explorer and have an account with sslforfree
It's a bit of a faff but I've got the time down to around 10 mins for an update. Here are the working notes I made for my son just in case the virus gets me.
***************************************
Creating or managing an SSL keystore is a little trickier for Tomcat because, although this is a Windows machine,
nevertheless, both Tomcat and AwareIM run on a Java virtual machine. So the keystore type needs to be in the JKS format.
The problem is that the certificates issued by sslforfree are in the PKCS12 format (the keyfile is PKCS8) so they will not import directly into a JKS keystore. They have to be converted.
Here's how to do it using Keystore Explorer
1) create a new keystore in the PKCS12 format
2) Import the CA-Bundle certificate (this is the root and intermediate certificates)
3) import the Key pair (PKCS8 key format - Private.key and Certificate.crt)
4) CONVERT THE WHOLE LOT (THE KEYSTORE) BACK TO JKS FORMAT
5) Be sure to name it Keystore
6) set the correct path in Tomcat's /conf/server.xml or just put it where the old one was
7) Restart AwareIM
Free certificates expire after 90 days. Best practice is to regenerate the store after 60 days to avoid embarrassing "Not Secure" messages in client browsers.
Take a backup of the existing keystore before generating a new one - just in case something goes wrong.
You can generate and put in place the new keystore whilst AwareIM is live. When you want to swap simply restart AIM.
Tomcat will also do a restart and pick up the new certificates on restart.
If the client browsers report "server took too long to respond" - it's probably because you missed step 4.
Rocketman
V8.7 Developer Edition. Server 2016 Standard edition. MySql 5.5
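The same PEM -> PKCS12 -> JKS route as Rocketman's notes, scripted with openssl and the JDK's keytool instead of Keystore Explorer. This is an added example, not code from the thread or from win-acme; it assumes openssl and keytool are on PATH (for example Git Bash plus a JDK on Windows) and that the agent left three PEM files: the PKCS8 private key, the leaf certificate and the CA bundle. It also checks up front that the key and certificate belong together, which is the "keys don't match" problem from the first post.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or from win-acme / Keystore Explorer):
# PEM files from an ACME agent -> PKCS12 -> JKS keystore for Tomcat.
# Assumed on PATH: openssl and keytool (Git Bash plus a JDK on Windows).
set -euo pipefail

# Returns 0 only when the certificate was issued for this private key.
# A cert issued against the agent's own CSR can never be paired with a
# separately generated key, which is what the "keys don't match" error means.
pem_key_matches_cert() {
    local key="$1" cert="$2" k c
    k=$(openssl pkey -in "$key" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$cert" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256)
    [ "$k" = "$c" ]
}

# Steps 1-3 of the notes: key + leaf cert + CA bundle into one PKCS12 entry, alias "tomcat".
pem_to_pkcs12() {
    local key="$1" cert="$2" chain="$3" out="$4" pass="$5"
    pem_key_matches_cert "$key" "$cert" || { echo "private key does not match $cert" >&2; return 1; }
    openssl pkcs12 -export -name tomcat -inkey "$key" -in "$cert" \
        -certfile "$chain" -out "$out" -passout "pass:$pass"
}

# Step 4 of the notes: convert the whole store to JKS (one password for store and key).
pkcs12_to_jks() {
    local p12="$1" jks="$2" pass="$3"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$jks" -deststoretype JKS -deststorepass "$pass"
}

# Usage: pem2jks.sh private.key certificate.crt ca-bundle.crt /path/to/Keystore
# KEYSTORE_PASS must match keystorePass in Tomcat's conf/server.xml.
if [ "$#" -eq 4 ]; then
    pass="${KEYSTORE_PASS:-changeit}"
    p12="$4.p12"
    [ -f "$4" ] && cp "$4" "$4.bak"          # back up the old keystore first
    pem_to_pkcs12 "$1" "$2" "$3" "$p12" "$pass"
    pkcs12_to_jks "$p12" "$4.new" "$pass"
    mv "$4.new" "$4"                          # swap in, then restart AwareIM/Tomcat
    echo "wrote $4 - restart AwareIM so Tomcat picks up the new certificate"
fi
```

Tomcat 8.5 and later can also load the .p12 directly (keystoreType="PKCS12" on the Connector), so on a current Tomcat the keytool step is optional.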