SSL Key duration using keytool


ScatterBrain
Posts: 12
Joined: Tue Oct 11, 2005 8:10 am


Postby ScatterBrain » Mon Oct 24, 2005 11:23 am

I've just set about setting up SSL-enabled Web Access. I have it working, but I have two questions:

First, the key's expiration is only 3 months from the creation date. Can I make that 12 months (or better, 24)?

Second, I can't seem to get the key to work at all unless I use the default keystore password. How can I remedy that?

BTW: I'm using Scalix 9.2.1.
Kevin L. Collins, MCSE
Systems Manager
Nesbitt Engineering, Inc.

florian
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Mon Oct 24, 2005 12:07 pm

well, both these questions are actually a bit outside the scope of the Scalix product.

1. The key's expiration needs to be set when creating the key; I'd assume that is a keytool option.

2. if you don't use the default password, the password needs to be specified in the server.xml so that Tomcat can open the keystore. Our instructions on how to set this up are actually a subset of the full Tomcat documentation on SSL handling; you might want to check out http://tomcat.apache.org/tomcat-5.0-doc/ssl-howto.html. This will give you more information on the subject.

Hope this helps,
Florian.
Florian von Kurnatowski, Die Harder!

ScatterBrain
Posts: 12
Joined: Tue Oct 11, 2005 8:10 am

Postby ScatterBrain » Mon Oct 24, 2005 12:56 pm

florian wrote: well, both these questions are actually a bit outside the scope of the Scalix product.

How do you figure that? The only reason Java (and hence the keytool) is on this machine is because Scalix requires it. I downloaded and installed it following the Scalix directions in the Scalix installation guide. I've used the Scalix guide to set up the SWA application to use SSL. So how is it that this doesn't fall under the scope of Scalix support?

florian wrote: 1. The key's expiration needs to be set when creating the key; I'd assume that is a keytool option.

I agree with you that it needs to be set during the key creation. I would have also assumed that there would be a switch to allow me to set the expiration length. But I could not find it with "keytool --help". I admit that I haven't searched beyond that, but I figured that I would get a quick response here.

florian wrote: 2. if you don't use the default password, the password needs to be specified in the server.xml so that Tomcat can open the keystore. Our instructions on how to set this up are actually a subset of the full Tomcat documentation on SSL handling; you might want to check out http://tomcat.apache.org/tomcat-5.0-doc/ssl-howto.html. This will give you more information on the subject.

I understand this. This is all documented in the Scalix installation guide. I did this, and every time I tried to access the site using the password I wanted, I'd get an error connecting to the site. The catalina logs said something to the effect of "The key had been tampered with".

I will look at the link you provided and I hope that I find my answer there.

florian wrote: Hope this helps,
Florian.

It didn't!
Kevin L. Collins, MCSE
Systems Manager
Nesbitt Engineering, Inc.

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Mon Oct 24, 2005 1:44 pm

Hi Kevin,

If this is an issue for you, please can you raise this as a support call seeing as you have a support contract with us. The forums are provided to assist people using Scalix but you can't guarantee a quick response if your question is time critical. Logging a support call provides us with the ability to track your issue etc.

To answer your question, if you run keytool without any parameters or with --help, you get the following:

-genkey      [-v] [-alias <alias>] [-keyalg <keyalg>]
             [-keysize <keysize>] [-sigalg <sigalg>]
             [-dname <dname>] [-validity <valDays>]
             [-keypass <keypass>] [-keystore <keystore>]
             [-storepass <storepass>] [-storetype <storetype>]
             [-provider <provider_class_name>] ...


The switch you are looking for is -validity.

With regards the SSL error, please can you post the error from the tomcat logs as this will help us to diagnose the problem. Can you also post the section from server.xml that you edited to include the password ?

Cheers

Dave

florian
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Mon Oct 24, 2005 1:49 pm

Kevin,

let's try again.

When I type keytool --help, one of the things it displays is

-genkey      [-v] [-alias <alias>] [-keyalg <keyalg>]
             [-keysize <keysize>] [-sigalg <sigalg>]
             [-dname <dname>] [-validity <valDays>]
             [-keypass <keypass>] [-keystore <keystore>]
             [-storepass <storepass>] [-storetype <storetype>]
             [-provider <provider_class_name>] ...



In that block, I see something like

[-validity <valDays>]


that will take the validity of the certificate in days. Also, the passwords can be specified with the -keypass and -storepass options. In addition, the location of the store file can be specified with the -keystore option. Putting all this together, I now created a store with the following complete command:

[root@rhel4 ~]# /usr/java/j2sdk1.4.2_09/bin/keytool -genkey -alias tomcat -keyalg RSA -validity 360 -keypass kevin123 -storepass kevin123 -keystore /root/kevin.keystore
What is your first and last name?
  [Unknown]:  mail.nesbitt.com
What is the name of your organizational unit?
  [Unknown]:  IT
What is the name of your organization?
  [Unknown]:  Nesbitt Engineering, Inc.
What is the name of your City or Locality?
  [Unknown]:  Whereever
What is the name of your State or Province?
  [Unknown]:  XX
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=mail.nesbitt.com, OU=IT, O="Nesbitt Engineering, Inc.", L=Whereever, ST=XX, C=US correct?
  [no]:  yes


So this created a keystore protected by the password "kevin123" with a validity of 360 days in a file called /root/kevin.keystore.

I now change the definition of the SSL connector in server.xml:

    <Connector port="8443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/root/kevin.keystore" keystorePass="kevin123" />



Please note the two added attributes giving the keystore filename and the keystore password.

I then restart tomcat, it comes up without problems and when checked with a browser, the certificate is valid until 19.10.2006 - which is 360 days from today.

I do assume that this helps now! :-)

-- Florian.
Florian von Kurnatowski, Die Harder!
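The genkey / server.xml procedure Florian walks through above, as an added example that is not part of the original thread and is neither Scalix nor Tomcat code: a small Python helper that builds the keytool -genkey command line with an explicit -validity, computes the resulting expiry date, parses a constructed "keytool -list -v" listing to flag certificates that are about to expire, and cross-checks the HTTPS Connector in server.xml against the keystore path and -storepass that were given to keytool. The keystore path, password and DN come from the thread; the listing and server.xml fragment are constructed; Tomcat's default keystorePass "changeit" and the JDK error text "Keystore was tampered with, or password was incorrect" (the message Kevin paraphrases) come from the Tomcat SSL HOWTO and the JDK, not from the thread; -keysize 2048 is my choice rather than the 2005 keytool default.

```python
"""Checks around the keytool / server.xml steps from the thread (added example,
not Scalix or Tomcat code). Assumes the JDK keytool syntax quoted in the thread,
the Tomcat 5 JSSE Connector attributes keystoreFile/keystorePass and Tomcat's
documented default keystore password "changeit"; the samples are constructed."""
import re
import shlex
import xml.etree.ElementTree as ET
from datetime import date, datetime, timedelta

TOMCAT_DEFAULT_STOREPASS = "changeit"  # what Tomcat tries when keystorePass is absent


def genkey_command(keystore, storepass, validity_days, dname, alias="tomcat",
                   keysize=2048, keytool="keytool"):
    """keytool -genkey argv with explicit -validity (days) and passwords. Key and
    store password are set equal on purpose: the Tomcat 5 SSL HOWTO requires that."""
    if validity_days <= 0:
        raise ValueError("-validity must be a positive number of days")
    return [keytool, "-genkey", "-alias", alias, "-keyalg", "RSA", "-keysize", str(keysize),
            "-validity", str(validity_days), "-dname", dname,
            "-keypass", storepass, "-storepass", storepass, "-keystore", keystore]

def shell_line(argv):
    """Quote argv for pasting into a shell (the dname has spaces and commas)."""
    return " ".join(shlex.quote(a) for a in argv)

def expiry_date(created, validity_days):
    """notAfter is simply the creation date plus -validity days (ISO dates in and out)."""
    return (date.fromisoformat(created) + timedelta(days=validity_days)).isoformat()

_VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$")

def _keytool_date(text):
    """keytool prints e.g. 'Mon Oct 24 13:49:00 CEST 2005'; drop the zone token."""
    tokens = text.split()
    if len(tokens) == 6:
        del tokens[4]
    return datetime.strptime(" ".join(tokens), "%a %b %d %H:%M:%S %Y")

def cert_validity(listing):
    """Map alias -> (not_before, not_after) ISO dates from 'keytool -list -v' output."""
    result, alias = {}, None
    for line in listing.splitlines():
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        m = _VALID_RE.match(line.strip())
        if m and alias:
            result[alias] = (_keytool_date(m.group(1)).date().isoformat(),
                             _keytool_date(m.group(2)).date().isoformat())
    return result

def expiring_aliases(listing, today, min_days=30):
    """Aliases whose certificate expires within min_days of today (or already has)."""
    today = date.fromisoformat(today)
    return sorted(a for a, (_, not_after) in cert_validity(listing).items()
                  if (date.fromisoformat(not_after) - today).days < min_days)

def check_connector(server_xml, storepass, keystore):
    """Cross-check the HTTPS Connector against the values used with keytool. A
    wrong or missing keystorePass is what makes Tomcat log the JDK error
    'Keystore was tampered with, or password was incorrect' at startup."""
    root = ET.fromstring(server_xml)
    secure = [c for c in root.iter("Connector") if c.get("secure") == "true"]
    if not secure:
        return ['no Connector with secure="true" found']
    problems = []
    for c in secure:
        port, cpass = c.get("port", "?"), c.get("keystorePass")
        if cpass is None:
            problems.append(f'port {port}: keystorePass missing, Tomcat will try "{TOMCAT_DEFAULT_STOREPASS}"')
        elif cpass != storepass:
            problems.append(f"port {port}: keystorePass differs from the -storepass given to keytool")
        if c.get("keystoreFile") != keystore:
            problems.append(f"port {port}: keystoreFile {c.get('keystoreFile')!r} is not {keystore!r}")
    return problems

# Constructed 'keytool -list -v' excerpt for the keystore built in the thread.
SAMPLE_LISTING = """\
Alias name: tomcat
Entry type: keyEntry
Owner: CN=mail.nesbitt.com, OU=IT, O="Nesbitt Engineering, Inc.", L=Whereever, ST=XX, C=US
Valid from: Mon Oct 24 13:49:00 CEST 2005 until: Thu Oct 19 13:49:00 CEST 2006
"""
# Constructed server.xml fragment with the connector posted in the thread.
SAMPLE_SERVER_XML = """\
<Server><Service name="Catalina">
  <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
             keystoreFile="/root/kevin.keystore" keystorePass="kevin123" />
</Service></Server>"""

if __name__ == "__main__":
    dn = "CN=mail.nesbitt.com, OU=IT, O=Nesbitt Engineering, L=Whereever, ST=XX, C=US"
    print(shell_line(genkey_command("/root/kevin.keystore", "kevin123", 360, dn)))
    print("expires:", expiry_date("2005-10-24", 360))
    print("expiring soon:", expiring_aliases(SAMPLE_LISTING, "2006-10-01"))
    print("problems:", check_connector(SAMPLE_SERVER_XML, "kevin123", "/root/kevin.keystore"))
```

Two practical notes. First, if keystorePass in server.xml is absent or differs from the -storepass used at -genkey time, Tomcat cannot open the keystore when the connector initialises and logs the JDK "tampered with, or password was incorrect" error, which is the symptom in the thread; the check_connector function above catches exactly that mismatch before a restart. Second, passing -storepass and -keypass on the command line, as in Florian's example, leaves the password in the shell history of the root account; on a shared host it is better to omit them and let keytool prompt.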

florian
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Mon Oct 24, 2005 1:50 pm

oops, just saw that Dave was faster than me on the validity... ;-) he's just sitting two cubes from me, so... rate your support! :-)

Florian.
Florian von Kurnatowski, Die Harder!
