Sorry for the long e-mail, I'm trying to provide as much information as possible.

Someone else from my company generated a CA root certificate, a private key and a certificate that was signed by the mentioned CA. We're using it in our test environment with weblogic server and it works fine. However, I'm trying to regenerate the certificates from scratch but I'm having problems when I try to start the server. I would like to tell you guys what I am doing and what kind of things are different from the current certificates. Maybe you could help me to figure out what's wrong.

First, this is how I generate everything:

1. Create self signed root certificate

    /usr/local/ssl/bin/openssl req -x509 \
        -newkey rsa:512 -keyout ./demoCA/private/cakey.pem \
        -out ./demoCA/cacert.pem -days 365

2. Create private key

    /usr/local/ssl/bin/openssl genrsa -out skntKey.pem 512

3. Create certificate request

    /usr/local/ssl/bin/openssl req -new -key skntKey.pem \
        -out skntReq.pem -verbose

4. Sign the certificate request

    /usr/local/ssl/bin/openssl ca -in skntReq.pem \
        -out skntCert.pem -days 365

By the way, I have the ./demoCA directory and the necessary subdirectories and files (index.txt and serial).

The certificates are generated but they don't work when I try to use them with my weblogic server (version 6.1).

When I start the weblogic server with the current certificates (the certificates that work fine) I can see the following message:

    <Aug 16, 2001 11:06:14 AM EDT> <Info> <WebLogicServer> <Certificate contents: 2 certificate(s):
    fingerprint = ee8dae1fa03669a4bfa6fbaf2aab7227, not before = Sun Sep 24 03:51:49 EDT 2000, not after = Mon Sep 24 03:51:49 EDT 2001, holder = C=US SP=New York L=New York O=Sakonnet Technology, LLC CN=Alarik Myrin [EMAIL PROTECTED] , issuer = C=US SP=New York L=New York O=Sakonnet Technology -- CA CN=Alarik Myrin [EMAIL PROTECTED] , key = modulus length=65 exponent length=3
    fingerprint = c35822593edb68ae0b011ad6d97eddbd, not before = Sun Sep 24 03:51:15 EDT 2000, not after = Mon Sep 24 03:51:15 EDT 2001, holder = C=US SP=New York L=New York O=Sakonnet Technology -- CA CN=Alarik Myrin [EMAIL PROTECTED] , issuer = C=US SP=New York L=New York O=Sakonnet Technology -- CA CN=Alarik Myrin [EMAIL PROTECTED] , key = modulus length=65 exponent length=3
    >

One thing: I noticed that the organization in the first loaded certificate is different from the organization in the second certificate, which is the CA certificate. When I try to create my certificates, if I specify different organizations I have an error message.

Now, when I try to start the server using the certificates that I generated following the steps presented above, I have the following message:

    <Aug 16, 2001 11:21:58 AM EDT> <Alert> <WebLogicServer> <Inconsistent security configuration, java.lang.Exception: Problem with X509 certificate: fingerprint = 2fa1718d4242cf9ce8ccca47e6259877, not before = Thu Aug 16 12:24:32 EDT 2001, not after = Fri Aug 16 12:24:32 EDT 2002, holder = C=US SP=New York O=Sakonnet Technology, CA OU=Sakonnet Technology, LLC CN=PORKY [EMAIL PROTECTED] , issuer = C=US SP=New York L=New York O=Sakonnet Technology, CA OU=Sakonnet Technology, CA CN=Andre Mendonca [EMAIL PROTECTED] , key = modulus length=65 exponent length=3, java.lang.Exception: Certificate expired or not yet valid: fingerprint = 2fa1718d4242cf9ce8ccca47e6259877, not before = Thu Aug 16 12:24:32 EDT 2001, not after = Fri Aug 16 12:24:32 EDT 2002, holder = C=US SP=New York O=Sakonnet Technology, CA OU=Sakonnet Technology, LLC CN=PORKY [EMAIL PROTECTED] , issuer = C=US SP=New York L=New York O=Sakonnet Technology, CA OU=Sakonnet Technology, CA CN=Andre Mendonca Em [EMAIL PROTECTED] , key = modulus length=65 exponent length=3>
    java.lang.Exception: Problem with X509 certificate: fingerprint = 2fa1718d4242cf9ce8ccca47e6259877, not before = Thu Aug 16 12:24:32 EDT 2001, not after = Fri Aug 16 12:24:32 EDT 2002, holder = C=US SP=New York O=Sakonnet Technology, CA OU=Sakonnet Technology, LLC CN=PORKY Email= [EMAIL PROTECTED] , issuer = C=US SP=New York L=New York O=Sakonnet Technology, CA OU=Sakonnet Technology, CA CN=Andre Mendonca Email=andre@sknt.com , key = modulus length=65 exponent length=3, java.lang.Exception: Certificate expired or not yet valid: fingerprint = 2fa1718d4242cf9ce8ccca47e6259877, not before = Thu Aug 16 12:24:32 EDT 2001, not after = Fri Aug 16 12:24:32 EDT 2002, holder = C=US SP=New York O=Sakonnet Technology, CA OU=Sakonnet Technology, LLC CN=PORKY Email=andre@sknt.com , issuer = C=US SP=New York L=New York O=Sakonnet Technology, CA OU=Sakonnet Technology, CA CN=Andre Mendonca [EMAIL PROTECTED] , key = modulus length=65 exponent length=3
        at weblogic.t3.srvr.SSLListenThread.insertIntoCAChain(SSLListenThread.java:290)
        at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:414)
        at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:300)
        at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1039)
        at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:475)
        at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:197)
        at weblogic.Server.main(Server.java:35)

Notice that the organizations are the same in both certificates.

So, the first step would be to figure out whether I'm doing the right thing generating the certificates. The person that created the first set of certificates told me something about setting different names for the organizations but I couldn't do that because of the error I got. Also, this person will be unreachable for a while and right now I'm sort of running out of ideas on how to do things differently.

I would appreciate any help. Thanks in advance!

Regards,

---------------------------------
Andre Mendonca, Software Engineer
[EMAIL PROTECTED]
http://www.sknt.com
Sakonnet Technology, LLC
594 Broadway, Suite 1008
New York, NY 10012
Tel (212) 343-3170 x109
Fax (212) 343-3103
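
Added example, not part of the original message: the alert above is stamped 11:21:58 AM EDT while the rejected certificate's "not before" is 12:24:32 EDT on the same day, so this Python check compares a WebLogic log timestamp with the validity window printed in the same line. The sample line is re-joined and shortened from the log quoted above; the function names and the fixed EDT/EST offsets are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: fixed UTC offsets for the zone abbreviations that appear in the log.
TZ_OFFSETS = {"EDT": -4, "EST": -5}

# Constructed sample: the alert from the message, re-joined and shortened.
SAMPLE_ALERT = (
    "<Aug 16, 2001 11:21:58 AM EDT> <Alert> <WebLogicServer> "
    "<Inconsistent security configuration, java.lang.Exception: "
    "Certificate expired or not yet valid: "
    "fingerprint = 2fa1718d4242cf9ce8ccca47e6259877, "
    "not before = Thu Aug 16 12:24:32 EDT 2001, "
    "not after = Fri Aug 16 12:24:32 EDT 2002>"
)

def _aware(text, fmt, tz):
    """Parse a naive timestamp and attach the offset of its zone abbreviation."""
    naive = datetime.strptime(text, fmt)
    return naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[tz])))

def parse_log_time(line):
    """Time at which the server wrote the line (leading <...> field)."""
    m = re.match(r"<(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\w+)>", line)
    if not m:
        raise ValueError("no WebLogic timestamp at start of line")
    return _aware(m.group(1), "%b %d, %Y %I:%M:%S %p", m.group(2))

def parse_validity(line):
    """Extract the first 'not before' / 'not after' pair printed in the line."""
    window = {}
    for field in ("not before", "not after"):
        m = re.search(field + r" = \w{3} (\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (\w+) (\d{4})", line)
        if not m:
            raise ValueError(f"missing '{field}' in line")
        window[field] = _aware(f"{m.group(1)} {m.group(3)}", "%b %d %H:%M:%S %Y", m.group(2))
    return window

def check_validity(line):
    """Return (status, gap) for the certificate as seen at the log timestamp."""
    now, window = parse_log_time(line), parse_validity(line)
    if now < window["not before"]:
        return "not yet valid", window["not before"] - now
    if now > window["not after"]:
        return "expired", now - window["not after"]
    return "valid", timedelta(0)

if __name__ == "__main__":
    print(*check_validity(SAMPLE_ALERT))
```

On a live system the same comparison is between the server's clock and the output of `openssl x509 -in skntCert.pem -noout -dates`.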