RE: SSL and certificates, AGAIN
I have a couple of sites using Thawte SSL certs on Tomcat 4.0.1. These steps were discussed a week or so ago.

  keytool -genkey -alias tomcat -keyalg RSA
  keytool -certreq -alias tomcat -file my.csr

Paste this into the signing authority request; you get back a cert that you paste into a new file, i.e. mySigned.cer.

Make sure the Thawte root CA cert is in your keystore or cacerts file as a trusted certificate, e.g.

  keytool -import -keystore java/jre/lib/security/cacerts -alias ThawteRootCert -file ThawteRootCertificate.cer
  keytool -import -trustcacerts -alias tomcat -file mySigned.cer

David

-Original Message-
From: Brian Adams [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 29 January 2002 1:02 PM
To: Tomcat Users List
Subject: RE: SSL and certificates, AGAIN

I have not done this yet, but I want to learn. Can we try and keep it on the list? I am a few weeks before I get a signed cert (www.geotrust.com cheaper I think) so please keep me in the loop. All I have learned so far is self-signed certs.

Thanks,
B

-Original Message-
From: Richard S. Huntrods [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 8:58 PM
To: [EMAIL PROTECTED]
Subject: SSL and certificates, AGAIN

Greetings!

Three quick questions to all who have SSL working with signed certificates (not just self-signed):

1. What provider did you use? Verisign, Entrust, Thawte, etc?
2. Has anyone gotten signed certificates working with Thawte certification?
3. Would you be willing to discuss this by personal email rather than through the list (to conserve bandwidth)?

Thanks,
-Richard

--
To unsubscribe: mailto:[EMAIL PROTECTED]
For additional commands: mailto:[EMAIL PROTECTED]
Troubles with the list: mailto:[EMAIL PROTECTED]
RE: SSL and signed certificates...
try

  keytool -import -trustcacerts -alias tomcat -file /tmp/mine.csr

Make sure the root CA cert that signed your request is in your keystore or cacerts file as a trusted certificate.

David

-Original Message-
From: Richard S. Huntrods [mailto:[EMAIL PROTECTED]]
Sent: Friday, 18 January 2002 6:28 AM
To: [EMAIL PROTECTED]
Subject: SSL and signed certificates...

Greetings!

I am hoping someone can provide some assistance regarding SSL and signed certificates. The Tomcat SSL-how-to FAQ stops just short of where I need to be.

I have self-signed certificates working just fine with Tomcat 4.0.1. I created a 'csr' request from the working certificate (.keystore) file. The signing authority returned a certificate. I understand that this needs to be chained to the original self-signed certificate, so that the .keystore file will then contain two certs - mine and the signing agency's one.

This process is not working. Some examples from this list indicate the use of the '-alias tomcat' flag on all uses of keytool. Unfortunately, the keytool docs explicitly state that two certs in a .keystore file cannot have the same alias, so this will not work when importing. That is, this does not work (I tried it).

  keytool -genkey -alias tomcat -keyalg RSA
  keytool -certreq -alias tomcat -file /tmp/mine.csr

Paste this into the signing authority request; you get back a cert that you paste into a new file, i.e. mine.cer

  keytool -import -alias tomcat -file /tmp/mine.csr

THIS LAST COMMAND DOES NOT WORK - you cannot add the new cert to the existing keystore file with the same alias. I get a java exception if I try.

So - how does one import the signing authority certificate and make the chain?

If you leave off -alias tomcat on the import line, it *will* import and create the chain, but the security level is unchanged from a self-signed cert. The reply from the signing authority is not included in the certificate sent to a browser.

If you delete the self-signed .keystore and just import the signing authority cert by itself, it works (even with the tomcat alias), but then Tomcat ceases to serve secure pages (error 404 - not found).

SO (again) - how do I import the certificate reply from the signing authority such that it works with tomcat?

Thanks,
-Richard
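
The sequence discussed in both threads above, as an added example that is not part of the original posts: it shows the reply being rejected until the signer's root is trusted, then installed under the same alias as the key pair so the chain length goes from 1 to 2. Assumptions: a JDK 8 or later keytool on the PATH, a constructed local CA (keytool -gencert) standing in for the commercial signer, the root imported into the server keystore rather than cacerts, and hypothetical aliases, file names and password.

```shell
#!/bin/sh
# Added example. A constructed local CA (keytool -gencert) stands in for the
# commercial signer; aliases "ca"/"constructedroot", file names and the
# password are assumptions made for this demo.
PASS=changeit

# Run keytool against a PKCS12 store with English output.
kt() { keytool -J-Duser.language=en "$@" -storetype PKCS12 -storepass "$PASS"; }

# Create the CA, the server key pair (alias tomcat), the CSR and the signed reply.
make_reply() {
    kt -genkeypair -alias ca -keyalg RSA -keysize 2048 -ext bc:c \
       -dname "CN=Constructed Test Root" -keystore "$1/ca.p12" &&
    kt -exportcert -alias ca -rfc -file "$1/root.cer" -keystore "$1/ca.p12" &&
    kt -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
       -dname "CN=localhost" -keystore "$1/server.p12" &&
    kt -certreq -alias tomcat -file "$1/my.csr" -keystore "$1/server.p12" &&
    kt -gencert -alias ca -rfc -infile "$1/my.csr" \
       -outfile "$1/mySigned.cer" -keystore "$1/ca.p12"
}

# Trust the signer's root under its own alias (not "tomcat").
import_root() {
    kt -importcert -noprompt -alias constructedroot \
       -file "$1/root.cer" -keystore "$1/server.p12"
}

# Install the reply over the key entry: same alias as the key pair.
import_reply() {
    kt -importcert -noprompt -trustcacerts -alias tomcat \
       -file "$1/mySigned.cer" -keystore "$1/server.p12"
}

# Length of the certificate chain stored with alias tomcat.
chain_length() {
    kt -list -v -alias tomcat -keystore "$1/server.p12" |
        sed -n 's/^Certificate chain length: //p'
}

demo() {
    d=$(mktemp -d) && make_reply "$d" || return 1
    echo "before reply: chain length $(chain_length "$d")"
    import_reply "$d" 2>/dev/null || echo "reply rejected: root not trusted yet"
    import_root "$d" && import_reply "$d" || return 1
    echo "after reply: chain length $(chain_length "$d")"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with the argument `demo`; the file passed to the final import is the signed reply (mySigned.cer), not the .csr request.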