Véver's picture

Hi Everybody,

I'm struggling to make an existing SSL certificate work with the TurnKey Tomcat appliance.

In my case, I'm using a standalone appliance.

Any help to achieve it?

Regards,

 

Jeremy Davis's picture

You don't note the format of the certificate that you have? FWIW TurnKey uses a default certificate format, commonly referred to as "pem", which is in plain text. The certificates that we ship with are self signed and constructed in a specific way so that they can be used for the main HTTP(S) ports, but also used by Webmin and Webshell on ports 12321 & 12320 respectively.

For what it's worth, I did a blog post a while ago that should still be relevant. Please have a read through that and let me know if you have further questions and/or any feedback (even just to let me know it worked for you).

Véver's picture

Hi Jeremy,

Thanks for your reply.

In fact, I forgot to mention the cert type in the description of the request, but it was in the subject.

I have already built the cert as PEM. It is an issued one, not a self-signed one, so in my case the structure is cert, private key, intermediate cert, root cert:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

I'll check and try your post and let you know how it helps me.

Véver

Jeremy Davis's picture

There is some nuance I didn't cover in that blog (but probably should have). In the text based 'PEM' format, there are in fact 2 different specifications that apply; PKCS#1 (defined by RFC 3447) and PKCS#8 (defined by RFC 5208).

Your current file, whilst in PEM format, is using the PKCS#1 standard (the "RSA" in the "PRIVATE KEY" string gives that away). So if you wish to "drop it in" and replace the default certificate (and have it work with Tomcat, Webmin and Webshell) then you'll need the key in PKCS#8 format.

I don't have a file in that format currently, so I can't tell you 100% right now, but if you pull your file apart (the PEM format is plain text so you can use a commandline Linux text editor, such as vim or nano, and copy/paste into a new file) with the key on its own, let's call it 'pkcs1.key', the file should look like this:

-----BEGIN RSA PRIVATE KEY-----
[ ... ]
-----END RSA PRIVATE KEY-----

(where the '[ ... ]' represents the string of random characters that constitutes the key).

Then use openssl to convert to a PKCS#8 key like this:

openssl pkcs8 -in pkcs1.key -topk8 -nocrypt -out cert.key

The contents of the new 'cert.key' file should now be:

-----BEGIN PRIVATE KEY-----
[ ... ]
-----END PRIVATE KEY-----

If you then follow the instructions from the bottom part of that blog post, you should be good... Please let me know how you go.
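The split-and-convert steps from the reply above, as an added shell example that is not part of the original thread or TurnKey's own tooling. The function names and the 'chain.pem' file name are assumptions; 'pkcs1.key', 'cert.key' and the openssl command are the ones given above.

```shell
#!/bin/sh
# Added example (not from the thread): pull a combined PEM bundle apart and
# convert a PKCS#1 RSA key to PKCS#8. Function names and chain.pem are
# hypothetical; pkcs1.key / cert.key follow the names used in the thread.

# split_bundle BUNDLE OUTDIR
# Writes OUTDIR/pkcs1.key (the private key block) and OUTDIR/chain.pem
# (every CERTIFICATE block, in the order it appears in the bundle).
split_bundle() {
    (
        umask 077                      # key file must not be world-readable
        : > "$2/pkcs1.key"
        : > "$2/chain.pem"
        awk -v key="$2/pkcs1.key" -v chain="$2/chain.pem" '
            /^-----BEGIN .*PRIVATE KEY-----/ { out = key }
            /^-----BEGIN CERTIFICATE-----/   { out = chain }
            out != ""                        { print > out }
            /^-----END /                     { out = "" }
        ' "$1"
    )
}

# key_format FILE
# Prints pkcs1, pkcs8, encrypted or unknown, judged from the PEM header line.
key_format() {
    case $(sed -n '/^-----BEGIN .*PRIVATE KEY-----/{p;q;}' "$1") in
        '-----BEGIN RSA PRIVATE KEY-----'*)       echo pkcs1 ;;
        '-----BEGIN PRIVATE KEY-----'*)           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----'*) echo encrypted ;;
        *)                                        echo unknown ;;
    esac
}

# to_pkcs8 OUTDIR
# Runs the conversion from the thread, but only when the key really is PKCS#1.
to_pkcs8() {
    [ "$(key_format "$1/pkcs1.key")" = pkcs1 ] || return 1
    (
        umask 077
        openssl pkcs8 -in "$1/pkcs1.key" -topk8 -nocrypt -out "$1/cert.key"
    )
}

# Usage: split_bundle mybundle.pem . && to_pkcs8 . && key_format cert.key
```

Because '-nocrypt' writes the key unencrypted, the umask keeps both key files readable only by the user running the script.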
