Fred, thanks. I'm confident in the URLs --> the http version works fine, so the machine is OK. And I can browse the server on the 8443 port (including the Java AXIS WSDL, and it works). I just wanted some confidence that this cert wackiness is really what was going on... I'll now send out the openssl stuff. I know this isn't an openssl group, but you have to do something like this to use SSL with AXIS-C, so if anyone can share what they're doing or critique what I'm doing.
(The following is based upon the process described at: http://www.churchillobjects.com/c/11201g.html)

<code>
#!/usr/bin/csh
rm -rf mkcerts
set path = ( /usr/local/ssl/bin $path )
echo $PATH

# directory layout expected by "openssl ca" (default config: dir = ./demoCA)
mkdir mkcerts
cd mkcerts
mkdir demoCA
cd demoCA
mkdir certs
mkdir crl
mkdir newcerts
mkdir private
touch index.txt
echo "01" > serial
cd ..

# generate the Certificate Authority's key
openssl genrsa -out ca.key 1024

# generate a self-signed CA certificate with that key
# (answers in prompt order: C, ST, L, O, OU, CN, email)
openssl req -new -x509 -key ca.key -out demoCA/cacert.pem <<H_MK_CERT
US
COLORADO
AURORA
myorg
CertGroup
JASON MUSGRAVE
[EMAIL PROTECTED]
H_MK_CERT

# make client key
# (answers in prompt order: keystore password, CN, OU, O, L, ST, C, confirm)
keytool -genkey -alias clientapp -keystore newcerts <<H_CLIENT_KEYSTORE
changeit
clientStuff
mysuborg
myorg
AURORA
COLORADO
US
yes
H_CLIENT_KEYSTORE

# make server key
keytool -genkey -alias serverapp -keystore newcerts <<H_SERVER_KEYSTORE
changeit
testmachine
mysuborg
myorg
AURORA
COLORADO
US
yes
H_SERVER_KEYSTORE

# export a certificate signing request for the client key
keytool -keystore newcerts -certreq -alias clientapp -file clientapp.crs <<H_EXPORT_CLIENT
changeit
H_EXPORT_CLIENT

# export a certificate signing request for the server key
keytool -keystore newcerts -certreq -alias serverapp -file serverapp.crs <<H_EXPORT_SERVER
changeit
H_EXPORT_SERVER

# sign the client request with the CA (CA cert is read from demoCA/cacert.pem)
openssl ca -in clientapp.crs -out clientapp.pem -keyfile ca.key <<H_SIGN_CLIENT
y
y
H_SIGN_CLIENT

# sign the server request with the CA
openssl ca -in serverapp.crs -out serverapp.pem -keyfile ca.key <<H_SIGN_SERVER
y
y
H_SIGN_SERVER

# convert from PEM to DER
openssl x509 -in clientapp.pem -out clientapp.der -outform DER
openssl x509 -in serverapp.pem -out serverapp.der -outform DER

# import the CA cert, then the signed client/server certs, into the keystore
keytool -keystore newcerts -alias systemca -import -file demoCA/cacert.pem <<H_IM_1
changeit
yes
H_IM_1

keytool -keystore newcerts -alias clientapp -import -file clientapp.der <<H_IM_2
changeit
yes
H_IM_2

keytool -keystore newcerts -alias serverapp -import -file serverapp.der <<H_IM_3
changeit
yes
H_IM_3
</code>

Now I have a keystore with client/server certs in it. Then I copy the newcerts keystore to the Tomcat install (which hosts Java AXIS) and use keytool to remove the client cert from it. Then I go back and copy cacert into the certs directory and hash it, since I think this is how to make it a trusted cert.

<code>
cp cacert.pem certs
cd certs
# OpenSSL looks up CA certs in a -CApath directory by <subject hash>.0
ln -s cacert.pem `openssl x509 -noout -hash -in cacert.pem`.0
</code>

Any help would be appreciated,
Jason
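As an added example that is not part of the original post or the linked write-up: the hashed-CApath step from the script above, wrapped in a small sh script that builds a throwaway CA and a CA-signed server cert with openssl, hashes the CA cert into a certs directory, and then uses `openssl verify -CApath` to confirm that the server cert actually chains to it. All names, paths and subjects are made up; only openssl in PATH is assumed.

```shell
#!/bin/sh
# Added example, not the poster's script. Builds a throwaway CA, signs a
# server cert, hashes the CA cert into a CApath directory, and verifies.
set -eu

make_hashed_capath() {
  workdir=$1
  mkdir -p "$workdir/certs"
  # CA key + self-signed CA cert; -subj avoids the interactive prompts
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$workdir/ca.key" -out "$workdir/cacert.pem" \
    -subj "/C=US/ST=COLORADO/L=AURORA/O=myorg/CN=CertGroup" 2>/dev/null
  # server key + CSR, then sign the CSR with the CA
  openssl req -newkey rsa:2048 -nodes -keyout "$workdir/server.key" \
    -out "$workdir/server.csr" -subj "/C=US/O=myorg/CN=testmachine" 2>/dev/null
  openssl x509 -req -in "$workdir/server.csr" -CA "$workdir/cacert.pem" \
    -CAkey "$workdir/ca.key" -CAcreateserial -days 1 \
    -out "$workdir/server.pem" 2>/dev/null
  # the trust-dir trick: OpenSSL looks for <subject_hash>.N inside -CApath
  cp "$workdir/cacert.pem" "$workdir/certs/"
  h=$(openssl x509 -noout -subject_hash -in "$workdir/cacert.pem")
  ln -sf cacert.pem "$workdir/certs/$h.0"
}

verify_with_capath() {
  # exit 0 when the cert chains to a CA found in the hashed dir, 1 otherwise
  openssl verify -CApath "$1/certs" "$2" >/dev/null 2>&1
}

# usage: build everything in a temp dir and check the cert the CA signed
dir=$(mktemp -d)
make_hashed_capath "$dir"
verify_with_capath "$dir" "$dir/server.pem" && echo "server.pem chains to cacert.pem"
```

If the symlink name does not match the hash OpenSSL computes (for example a link made with an old-style hash on a newer OpenSSL), `openssl verify -CApath` fails with "unable to get local issuer certificate", which is the quickest way to tell a trust-dir problem from a bad certificate.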