Tomcat vs. OpenSSL CA?

jazzcat2

Howdy Folks,

I am trying to pretend to be a CA with OpenSSL.  I have done this before and
generated certificates to use with private keys on Apache and IMAPs. However,
this time around, I need to pretend to be a CA that signs Tomcat certificates.

There is a minor problem.  When I generate a Tomcat based key, like so:

keytool -genkey -alias myalias -keyalg RSA -keystore mykeystore
keytool -certreq -keyalg RSA -alias myalias -file certreq.csr -keystore mykeystore

...the resulting CSR does not include the email address.  OpenSSL refuses to
sign a CSR that does not have an email address.  I've looked around for a bit
to find out how to add the email address (and how to get OpenSSL to ignore the
lack of an email address) to no avail.

Has anyone done this?

Cheers,
-J
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Tomcat vs. OpenSSL CA?

Bear Giles
Have you checked the conf file for the openssl ca?  I haven't looked at
it in a long time, but I think you can specify whether an element is
required or optional in it.

Bear

Josh wrote:

>
> Howdy Folks,
>
> I am trying to pretend to be a CA with OpenSSL.  I have done this
> before and generated certificates to use with private keys on Apache
> and IMAPs. However, this time around, I need to pretend to be a CA
> that signs Tomcat certificates.
>
> There is a minor problem.  When I generate a Tomcat based key, like so:
>
> keytool -genkey -alias myalias -keyalg RSA -keystore mykeystore
> keytool -certreq -keyalg RSA -alias myalias -file certreq.csr -keystore mykeystore
>
> ...the resulting CSR does not include the email address.  OpenSSL
> refuses to sign a CSR that does not have an email address.  I've
> looked around for a bit to find out how to add the email address (and
> how to get OpenSSL to ignore the lack of an email address) to no avail.
>
> Has anyone done this?
>
> Cheers,
> -J

Re: Tomcat vs. OpenSSL CA?

jazzcat2

Thanks Bear, that did the trick!

On Mon, 18 Feb 2008, Bear Giles wrote:

> Have you checked the conf file for the openssl ca?  I haven't looked at it in
> a long time, but I think you can specify whether an element is required or
> optional in it.
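
The setting Bear describes lives in the policy section of the config file used by `openssl ca`. The excerpt below is an added example, not part of the original thread: the `./demoCA` paths and the section name `policy_tomcat` are assumptions, and the thread does not say which value the poster's `emailAddress` line had before the change.

```ini
# openssl.cnf excerpt for "openssl ca" (constructed example)
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = ./demoCA                 # hypothetical CA directory
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/cacert.pem
private_key   = $dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_tomcat            # hypothetical section name

[ policy_tomcat ]
# Each DN field takes one of three values:
#   match    - must be present in the CSR and equal the CA certificate's value
#   supplied - must be present in the CSR
#   optional - may be absent from the CSR
# DN fields not listed here are dropped from the issued certificate.
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied        # keep required: it names the host
emailAddress           = optional        # "supplied" here rejects a CSR with no email address
```

A policy section can also be selected per signing run with the `-policy` option of `openssl ca`, which leaves the stricter default policy in place for other requests.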
