Hi Dave,

can you try this to create the key?

openssl pkcs12 -in mykey.p12 -nodes -nocerts -out hostkey.pem

It seems you have forgotten the -nodes option.

cheers
alessandra

Kant, D (Dave) wrote:
> I exported w/o password.
> Then, when I try to create the hostkey.pem file, I get stuck in a recursive loop if I don't use a passphrase.
>
> [root@goc01 grid-security]# openssl pkcs12 -in goc01.pfx -clcerts -nokeys -out hostcert.pem
> Enter Import Password:
> MAC verified OK
>
> [root@goc01 grid-security]# openssl pkcs12 -in goc01.pfx -nocerts -out hostkey.pem
> Enter Import Password:
> MAC verified OK
> Enter PEM pass phrase:
> Verifying password - Enter PEM pass phrase:
> phrase is too short, needs to be at least 4 chars
> Enter PEM pass phrase:
> Verifying password - Enter PEM pass phrase:
> phrase is too short, needs to be at least 4 chars
> Enter PEM pass phrase:
> Verifying password - Enter PEM pass phrase:
> phrase is too short, needs to be at least 4 chars
> Enter PEM pass phrase:
> Verifying password - Enter PEM pass phrase:
>
> =========================================================
> Dr Dave Kant
> CCLRC eScience Department            Phone: (+44)|(0) 1235 778178
> Rutherford Appleton Laboratory       Fax:   (+44)|(0) 1235 446626
> Chilton, Didcot, Oxon, OX11 0QX, UK  Email: [log in to unmask]
> ==========================================================
>
> -----Original Message-----
> From: LHC Computer Grid - Rollout [mailto:[log in to unmask]] On Behalf Of Alessandra Forti
> Sent: 06 December 2006 14:23
> To: [log in to unmask]
> Subject: Re: [LCG-ROLLOUT] Host Certificate renewal on RGMA MON
>
> You must have exported goc01.pfx from your browser before though. Did
> you use a password? The browser normally asks for one. In firefox I type
> a character and then I delete it so that it is an empty password.
>
> cheers
> alessandra
>
> Kant, D (Dave) wrote:
>> Alessandra,
>>
>> I did this.
>>
>> openssl pkcs12 -in goc01.pfx -clcerts -nokeys -out hostcert.pem
>> openssl pkcs12 -in goc01.pfx -nocerts -out hostkey.pem
>> chmod 400 userkey.pem
>> chmod 400 usercert.pem
>>
>> Dave
>>
>> -----Original Message-----
>> From: LHC Computer Grid - Rollout [mailto:[log in to unmask]] On Behalf Of Alessandra Forti
>> Sent: 06 December 2006 13:12
>> To: [log in to unmask]
>> Subject: Re: [LCG-ROLLOUT] Host Certificate renewal on RGMA MON
>>
>> Hi Dave,
>>
>> did you export the p12 certificate from the browser with a password?
>>
>> cheers
>> alessandra
>>
>> Kant, D (Dave) wrote:
>>> Hi,
>>>
>>> I have renewed the host certificate on the APEL accounting archiver and tried to re-start the tomcat, then the flexy archiver service.
>>> The certificate looks fine and has been copied to the various locations. But, we have lots of certificate related errors when starting tomcat services.
>>> Any suggestions?
>>>
>>> Dave
>>>
>>> [root@goc01 grid-security]# ls -l `locate hostkey`
>>> -r-------- 1 root    root    1202 Dec 6 10:41 /etc/grid-security/hostkey.pem
>>> -r-------- 1 tomcat4 tomcat4 1202 Dec 6 10:46 /etc/tomcat5/hostkey.pem
>>> -r-------- 1 rgma    rgma    1202 Dec 6 10:45 /opt/glite/var/rgma/.certs/hostkey.pem
>>>
>>> [root@goc01 grid-security]# ls -l `locate hostcert`
>>> -r-------- 1 root    root    1989 Dec 6 10:40 /etc/grid-security/hostcert.pem
>>> -r-------- 1 tomcat4 tomcat4 1989 Dec 6 10:44 /etc/tomcat5/hostcert.pem
>>> -r-------- 1 rgma    rgma    1989 Dec 6 10:45 /opt/glite/var/rgma/.certs/hostcert.pem
>>>
>>> [root@goc01 grid-security]# openssl verify -CApath /etc/grid-security/certificates/ hostcert.pem
>>> hostcert.pem: OK
>>>
>>> [root@goc01 grid-security]# tail -150 /usr/share/tomcat5/logs/catalina.out | less
>>>
>>> INFO: Installing web application at context path /webdav from URL file:/var/lib/tomcat5/webapps/webdav
>>> java.io.IOException: problem creating RSA private key: java.io.IOException: No password finder specified, but a password is required
>>>         at org.bouncycastle.openssl.PEMReader.readObject(PEMReader.java:113)
>>>         at org.glite.security.util.PrivateKeyReader.read(PrivateKeyReader.java:78)
>>>         at org.glite.security.util.KeyStoreGenerator.generate(KeyStoreGenerator.java:59)
>>>         at org.glite.security.trustmanager.UpdatingKeyManager.loadKeystore(UpdatingKeyManager.java:190)
>>>         at org.glite.security.trustmanager.UpdatingKeyManager.<init>(UpdatingKeyManager.java:106)
>>>         at org.glite.security.trustmanager.ContextWrapper.initKeyManagers(ContextWrapper.java:338)
>>>         at org.glite.security.trustmanager.ContextWrapper.init(ContextWrapper.java:285)
>>>         at org.glite.security.trustmanager.ContextWrapper.<init>(ContextWrapper.java:161)
>>>         at org.glite.security.trustmanager.tomcat.TMSSLServerSocketFactory.initProxy(TMSSLServerSocketFactory.java:298)
>>>         at org.glite.security.trustmanager.tomcat.TMSSLServerSocketFactory.init(TMSSLServerSocketFactory.java:185)
>>>         at org.glite.security.trustmanager.tomcat.TMSSLServerSocketFactory.createSocket(TMSSLServerSocketFactory.java:106)
>>>         at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:259)
>>>         at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:281)
>>>         at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:171)
>>>         at org.apache.coyote.tomcat5.CoyoteConnector.start(CoyoteConnector.java:1527)
>>>         at org.apache.catalina.core.StandardService.start(StandardService.java:489)
>>>         at org.apache.catalina.core.StandardServer.start(StandardServer.java:2313)
>>>         at org.apache.catalina.startup.Catalina.start(Catalina.java:556)
>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>         at java.lang.reflect.Method.invoke(Method.java:324)
>>>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:287)
>>>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425)
>>> SEVERE: Server socket factory creation failed: java.security.cert.CertificateException: Identity reading failed: problem creating RSA private key: java.io.IOException: No password finder specified, but a password is required
>>> java.security.cert.CertificateException: Identity reading failed: problem creating RSA private key: java.io.IOException: No password finder specified, but a password is required
>>>         at org.glite.security.trustmanager.UpdatingKeyManager.loadKeystore(UpdatingKeyManager.java:216)
>>>         at org.glite.security.trustmanager.UpdatingKeyManager.<init>(UpdatingKeyManager.java:106)
>>>         at org.glite.security.trustmanager.ContextWrapper.initKeyManagers(ContextWrapper.java:338)
>>>         at org.glite.security.trustmanager.ContextWrapper.init(ContextWrapper.java:285)
>>>         at org.glite.security.trustmanager.ContextWrapper.<init>(ContextWrapper.java:161)
>>>         at org.glite.security.trustmanager.tomcat.TMSSLServerSocketFactory.initProxy(TMSSLServerSocketFactory.java:298)
>>>         at org.glite.security.trustmanager.tomcat.TMSSLServerSocketFactory.init(TMSSLServerSocketFactory.java:185)
>>>         at org.glite.security.trustmanager.tomcat.TMSSLServerSocketFactory.createSocket(TMSSLServerSocketFactory.java:106)
>>>         at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:259)
>>>         at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:281)
>>>         at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:171)
>>>         at org.apache.coyote.tomcat5.CoyoteConnector.start(CoyoteConnector.java:1527)
>>>         at org.apache.catalina.core.StandardService.start(StandardService.java:489)
>>>         at org.apache.catalina.core.StandardServer.start(StandardServer.java:2313)
>>>         at org.apache.catalina.startup.Catalina.start(Catalina.java:556)
>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>         at java.lang.reflect.Method.invoke(Method.java:324)
>>>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:287)
>>>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425)
>>> 06-Dec-2006 12:50:57 org.apache.coyote.http11.Http11Protocol start

-- 
*******************************************
* Dr Alessandra Forti                     *
* University of Manchester                *
* Technical Coordinator - NorthGrid Tier2 *
* http://www.hep.man.ac.uk/u/aforti       *
*******************************************
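As an added example (not from the thread and not a gLite tool), a small POSIX shell helper that tells an encrypted hostkey.pem from an unencrypted one, which is the difference behind the "No password finder specified, but a password is required" error above, and wraps the corrected -nodes extraction. The sample PEM files it writes are constructed placeholders, and extract_host_identity is my name for the wrapper.

```shell
#!/bin/sh
# Classify a hostkey.pem the way the gLite trustmanager sees it. A key written
# by "openssl pkcs12 -nocerts" without -nodes carries a "Proc-Type: 4,ENCRYPTED"
# header (traditional PEM) or a "BEGIN ENCRYPTED PRIVATE KEY" label (PKCS#8);
# trustmanager has no password finder, so either form fails to load.
pem_key_state() {
  f="$1"
  if grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$f"; then
    echo encrypted
  elif grep -q -e 'BEGIN .*PRIVATE KEY-----' "$f"; then
    echo unencrypted
  else
    echo no-private-key
  fi
}

# Split the browser-exported PKCS#12 into hostcert.pem and an unencrypted
# hostkey.pem (the -nodes option from the reply), then lock down the key.
# Needs openssl; it is not invoked by the demo below. (Assumed wrapper name.)
extract_host_identity() {
  p12="$1"; dir="${2:-/etc/grid-security}"
  openssl pkcs12 -in "$p12" -clcerts -nokeys -out "$dir/hostcert.pem" || return 1
  openssl pkcs12 -in "$p12" -nocerts -nodes -out "$dir/hostkey.pem" || return 1
  chmod 400 "$dir/hostkey.pem"
  pem_key_state "$dir/hostkey.pem"
}

# Constructed sample files: the base64 bodies are placeholders, not real keys.
DEMO_DIR=$(mktemp -d)
ENC_KEY="$DEMO_DIR/encrypted-hostkey.pem"
PLAIN_KEY="$DEMO_DIR/plain-hostkey.pem"
cat > "$ENC_KEY" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

PLACEHOLDERBASE64PLACEHOLDERBASE64PLACEHOLDERBASE64PLACEHOLDERBASE64
-----END RSA PRIVATE KEY-----
EOF
cat > "$PLAIN_KEY" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERBASE64PLACEHOLDERBASE64PLACEHOLDERBASE64PLACEHOLDERBASE64
-----END RSA PRIVATE KEY-----
EOF

echo "$ENC_KEY: $(pem_key_state "$ENC_KEY")"      # encrypted
echo "$PLAIN_KEY: $(pem_key_state "$PLAIN_KEY")"  # unencrypted
```

Run pem_key_state against each copy of hostkey.pem that tomcat and rgma read; any copy reporting "encrypted" reproduces the PEMReader error at startup.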