RE: SSL/Verisign Confusion
I believe a Verisign certificate alone is $600 for a year. You can get certificates much cheaper, but there are issues with some older broswers not recognizing the CA (so your users would get a message stating that the certificate may not be legit). openssl is not an alternative to VeriSign. openssl is software, Verisign is a company that provides certificates (though apparently, you can use openssl to create certificates yourself if you don't care at all about them being legit (for an intranet, for example?)). There are (much) cheapers alternatives to VeriSign. Check out freessl.com, for example (not free, but $35.00 isn't bad). Also, see http://www.whichssl.org for more good info on the subject. -dave -Original Message- From: Adam Hardy [mailto:[EMAIL PROTECTED] Sent: Sunday, September 07, 2003 3:43 AM To: Tomcat Users List Subject: Re: SSL/Verisign Confusion Hi Dave, how much does it cost at Verisign, and how long is it valid for? And is this 'openssl' you mentioned a free alternative? Adam On 09/06/2003 03:21 PM Dave Wood wrote: FINALLY! I still don't know what I did wrong in the first place, but after starting over with VeriSign, all is well now. I thought I'd share the (simple!) steps I took to get SSL running using keytool/tomcat in case anyone else might find this useful: # keytool -genkey -alias tomcat -keyalg RSA [enter a password and all necessary information, then just enter at next password prompt] # cp ~/.keystore ~/.keystore-backup # keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr [enter same password] [give contents of certreq.csr to VeriSign and wait for response...] [NOTE: when asked to select my server software, I chose apache since they didn't have Tomcat in their list...I don't know if this matters, but it worked] # keytool -import -trustcacerts -file intermediate.crt -alias root [enter same password] [NOTE: intermediate.crt is the file found here: http://www.verisign.com/support/install/intermediate.html] # keytool -import trustcacerts -file public.crt -alias tomcat [enter same password] [where public.crt is the certificate sent from VeriSign after they complete their approval process] [finally, edit ...tomcat/conf/server.xml and enable the SSL connector section, adding keystorePass=[password] as an attribute to the Factory tag] Hope this helps. Thanks to all who provided suggestions along the way. Dave -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 11:40 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Well, after all this, I just discovered that VeriSign will basically let you start over if it's within 30 days (which it is). So, for now, I'm going down this path. Just talked to someone at V/S who said it would take just a couple hours. Oh, and I made a BACKUP of my new keystore file this time that now contains a single keyEntry with the alias tomcat. I try to avoid being stupid in the same way more than once! :) As for the programmatic approach, FWIW, I started down that path as well, but somehow I had no private key entry in the keystore (best I can tell). Still not sure how I got in that messed up state. Thanks, Dave -Original Message- From: Christopher Williams [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 9:43 AM To: Tomcat Users List Subject: Re: SSL/Verisign Confusion Have you thought of manipulating the keystore programmatically? Here's what you'd do: 1. Open your existing keystore 2. Find the entry with your private key and (presumably) a temporary self-signed certificate. 3. Open the certificate you got from Versign. 4. Change the certificate in your key entry to your Verisign certificate. 5. Save and close the keystore. OpenSSL doesn't understand most of the Java keystore formats, although it can manipulate PKCS#12 files which Keytool can handle. If you download the BouncyCastle crypto provider, then you can use keytool to write PKCS#12 files as well. Also, if the person who originally posted the question doesn't feel up to monkeying around with the Keystore classes, I have some code that I can adapt to stick your Verisign certificate in your keystore. Get in touch with me personally and I'll see what I can do. - Original Message - From: Jay Garala [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Friday, September 05, 2003 3:36 PM Subject: RE: SSL/Verisign Confusion NOTE: You cannot export private key from keystore. -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 10:32 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks. With the exception of the openssl doc, I've been over these quite a bit. The result is the problem I've mentioned where keytool says it can't import my certificate because the alias already exists. After some help I got last night
Re: SSL/Verisign Confusion
Dave Wood [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I believe a Verisign certificate alone is $600 for a year. You can get certificates much cheaper, but there are issues with some older broswers not recognizing the CA (so your users would get a message stating that the certificate may not be legit). openssl is not an alternative to VeriSign. openssl is software, Verisign is a company that provides certificates (though apparently, you can use openssl to create certificates yourself if you don't care at all about them being legit (for an intranet, for example?)). There are (much) cheapers alternatives to VeriSign. Check out freessl.com, for example (not free, but $35.00 isn't bad). Agreed. VeriSign can charge what they do because all browsers (including at least Sun's implementation of JSSE) ship with VeriSign's CA cert as trusted. I just use my openssl CA for development boxes or small departmental servers (where I can tell everyone that will ever use it how to trust my CA cert). Also, see http://www.whichssl.org for more good info on the subject. -dave -Original Message- From: Adam Hardy [mailto:[EMAIL PROTECTED] Sent: Sunday, September 07, 2003 3:43 AM To: Tomcat Users List Subject: Re: SSL/Verisign Confusion Hi Dave, how much does it cost at Verisign, and how long is it valid for? And is this 'openssl' you mentioned a free alternative? Adam On 09/06/2003 03:21 PM Dave Wood wrote: FINALLY! I still don't know what I did wrong in the first place, but after starting over with VeriSign, all is well now. I thought I'd share the (simple!) steps I took to get SSL running using keytool/tomcat in case anyone else might find this useful: # keytool -genkey -alias tomcat -keyalg RSA [enter a password and all necessary information, then just enter at next password prompt] # cp ~/.keystore ~/.keystore-backup # keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr [enter same password] [give contents of certreq.csr to VeriSign and wait for response...] [NOTE: when asked to select my server software, I chose apache since they didn't have Tomcat in their list...I don't know if this matters, but it worked] # keytool -import -trustcacerts -file intermediate.crt -alias root [enter same password] [NOTE: intermediate.crt is the file found here: http://www.verisign.com/support/install/intermediate.html] # keytool -import trustcacerts -file public.crt -alias tomcat [enter same password] [where public.crt is the certificate sent from VeriSign after they complete their approval process] [finally, edit ...tomcat/conf/server.xml and enable the SSL connector section, adding keystorePass=[password] as an attribute to the Factory tag] Hope this helps. Thanks to all who provided suggestions along the way. Dave -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 11:40 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Well, after all this, I just discovered that VeriSign will basically let you start over if it's within 30 days (which it is). So, for now, I'm going down this path. Just talked to someone at V/S who said it would take just a couple hours. Oh, and I made a BACKUP of my new keystore file this time that now contains a single keyEntry with the alias tomcat. I try to avoid being stupid in the same way more than once! :) As for the programmatic approach, FWIW, I started down that path as well, but somehow I had no private key entry in the keystore (best I can tell). Still not sure how I got in that messed up state. Thanks, Dave -Original Message- From: Christopher Williams [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 9:43 AM To: Tomcat Users List Subject: Re: SSL/Verisign Confusion Have you thought of manipulating the keystore programmatically? Here's what you'd do: 1. Open your existing keystore 2. Find the entry with your private key and (presumably) a temporary self-signed certificate. 3. Open the certificate you got from Versign. 4. Change the certificate in your key entry to your Verisign certificate. 5. Save and close the keystore. OpenSSL doesn't understand most of the Java keystore formats, although it can manipulate PKCS#12 files which Keytool can handle. If you download the BouncyCastle crypto provider, then you can use keytool to write PKCS#12 files as well. Also, if the person who originally posted the question doesn't feel up to monkeying around with the Keystore classes, I have some code that I can adapt to stick your Verisign certificate in your keystore. Get in touch with me personally and I'll see what I can do. - Original Message - From: Jay Garala [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Friday, September 05, 2003 3:36 PM Subject: RE
Re: SSL/Verisign Confusion
Hi Dave, how much does it cost at Verisign, and how long is it valid for? And is this 'openssl' you mentioned a free alternative? Adam On 09/06/2003 03:21 PM Dave Wood wrote: FINALLY! I still don't know what I did wrong in the first place, but after starting over with VeriSign, all is well now. I thought I'd share the (simple!) steps I took to get SSL running using keytool/tomcat in case anyone else might find this useful: # keytool -genkey -alias tomcat -keyalg RSA [enter a password and all necessary information, then just enter at next password prompt] # cp ~/.keystore ~/.keystore-backup # keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr [enter same password] [give contents of certreq.csr to VeriSign and wait for response...] [NOTE: when asked to select my server software, I chose apache since they didn't have Tomcat in their list...I don't know if this matters, but it worked] # keytool -import -trustcacerts -file intermediate.crt -alias root [enter same password] [NOTE: intermediate.crt is the file found here: http://www.verisign.com/support/install/intermediate.html] # keytool -import trustcacerts -file public.crt -alias tomcat [enter same password] [where public.crt is the certificate sent from VeriSign after they complete their approval process] [finally, edit ...tomcat/conf/server.xml and enable the SSL connector section, adding keystorePass=[password] as an attribute to the Factory tag] Hope this helps. Thanks to all who provided suggestions along the way. Dave -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 11:40 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Well, after all this, I just discovered that VeriSign will basically let you start over if it's within 30 days (which it is). So, for now, I'm going down this path. Just talked to someone at V/S who said it would take just a couple hours. Oh, and I made a BACKUP of my new keystore file this time that now contains a single keyEntry with the alias tomcat. I try to avoid being stupid in the same way more than once! :) As for the programmatic approach, FWIW, I started down that path as well, but somehow I had no private key entry in the keystore (best I can tell). Still not sure how I got in that messed up state. Thanks, Dave -Original Message- From: Christopher Williams [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 9:43 AM To: Tomcat Users List Subject: Re: SSL/Verisign Confusion Have you thought of manipulating the keystore programmatically? Here's what you'd do: 1. Open your existing keystore 2. Find the entry with your private key and (presumably) a temporary self-signed certificate. 3. Open the certificate you got from Versign. 4. Change the certificate in your key entry to your Verisign certificate. 5. Save and close the keystore. OpenSSL doesn't understand most of the Java keystore formats, although it can manipulate PKCS#12 files which Keytool can handle. If you download the BouncyCastle crypto provider, then you can use keytool to write PKCS#12 files as well. Also, if the person who originally posted the question doesn't feel up to monkeying around with the Keystore classes, I have some code that I can adapt to stick your Verisign certificate in your keystore. Get in touch with me personally and I'll see what I can do. - Original Message - From: Jay Garala [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Friday, September 05, 2003 3:36 PM Subject: RE: SSL/Verisign Confusion NOTE: You cannot export private key from keystore. -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 10:32 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks. With the exception of the openssl doc, I've been over these quite a bit. The result is the problem I've mentioned where keytool says it can't import my certificate because the alias already exists. After some help I got last night, I think the question boils down to this: * once I have extracted my private key from keytool (haven't done this yet), how do I take that key, the VeriSign intermediate certificate and my public key certificate and get them to play together. I'm hoping the openssl stuff will take care of this, because keytool doesn't really seem to recognize private keys as things that you can work with directly. Thanks again, Dave -Original Message- From: Jay Garala [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 7:12 AM To: 'Tomcat Users List' Subject: RE: SSL/Verisign Confusion Try the Java keytool help: http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html Tomcat how-to: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html If you have OpenSSL: http://forum.java.sun.com/thread.jsp?forum=2thread=4240 Jay -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 1:04 AM To: Tomcat Users List Subject: RE
Re: SSL/Verisign Confusion
www.openssl.org is the website for OpenSSL. It's an open source implementation of SSL / TLS together with a tremendous amount of other stuff (such as X.509, S/MIME, every cryptographic algorithm you ever heard of). You can also use it to set up your own CA - it's not the easiest software to use as it takes a terrific number of command line switches, but it's probably more convenient than having to wait on Verisign and renew your certificates every couple of weeks. - Original Message - From: Adam Hardy [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Sunday, September 07, 2003 10:43 AM Subject: Re: SSL/Verisign Confusion Hi Dave, how much does it cost at Verisign, and how long is it valid for? And is this 'openssl' you mentioned a free alternative? Adam On 09/06/2003 03:21 PM Dave Wood wrote: FINALLY! I still don't know what I did wrong in the first place, but after starting over with VeriSign, all is well now. I thought I'd share the (simple!) steps I took to get SSL running using keytool/tomcat in case anyone else might find this useful: # keytool -genkey -alias tomcat -keyalg RSA [enter a password and all necessary information, then just enter at next password prompt] # cp ~/.keystore ~/.keystore-backup # keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr [enter same password] [give contents of certreq.csr to VeriSign and wait for response...] [NOTE: when asked to select my server software, I chose apache since they didn't have Tomcat in their list...I don't know if this matters, but it worked] # keytool -import -trustcacerts -file intermediate.crt -alias root [enter same password] [NOTE: intermediate.crt is the file found here: http://www.verisign.com/support/install/intermediate.html] # keytool -import trustcacerts -file public.crt -alias tomcat [enter same password] [where public.crt is the certificate sent from VeriSign after they complete their approval process] [finally, edit ...tomcat/conf/server.xml and enable the SSL connector section, adding keystorePass=[password] as an attribute to the Factory tag] Hope this helps. Thanks to all who provided suggestions along the way. Dave -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 11:40 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Well, after all this, I just discovered that VeriSign will basically let you start over if it's within 30 days (which it is). So, for now, I'm going down this path. Just talked to someone at V/S who said it would take just a couple hours. Oh, and I made a BACKUP of my new keystore file this time that now contains a single keyEntry with the alias tomcat. I try to avoid being stupid in the same way more than once! :) As for the programmatic approach, FWIW, I started down that path as well, but somehow I had no private key entry in the keystore (best I can tell). Still not sure how I got in that messed up state. Thanks, Dave -Original Message- From: Christopher Williams [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 9:43 AM To: Tomcat Users List Subject: Re: SSL/Verisign Confusion Have you thought of manipulating the keystore programmatically? Here's what you'd do: 1. Open your existing keystore 2. Find the entry with your private key and (presumably) a temporary self-signed certificate. 3. Open the certificate you got from Versign. 4. Change the certificate in your key entry to your Verisign certificate. 5. Save and close the keystore. OpenSSL doesn't understand most of the Java keystore formats, although it can manipulate PKCS#12 files which Keytool can handle. If you download the BouncyCastle crypto provider, then you can use keytool to write PKCS#12 files as well. Also, if the person who originally posted the question doesn't feel up to monkeying around with the Keystore classes, I have some code that I can adapt to stick your Verisign certificate in your keystore. Get in touch with me personally and I'll see what I can do. - Original Message - From: Jay Garala [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Friday, September 05, 2003 3:36 PM Subject: RE: SSL/Verisign Confusion NOTE: You cannot export private key from keystore. -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 10:32 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks. With the exception of the openssl doc, I've been over these quite a bit. The result is the problem I've mentioned where keytool says it can't import my certificate because the alias already exists. After some help I got last night, I think the question boils down to this: * once I have extracted my private key from keytool (haven't done this yet
RE: SSL/Verisign Confusion
FINALLY! I still don't know what I did wrong in the first place, but after starting over with VeriSign, all is well now. I thought I'd share the (simple!) steps I took to get SSL running using keytool/tomcat in case anyone else might find this useful: # keytool -genkey -alias tomcat -keyalg RSA [enter a password and all necessary information, then just enter at next password prompt] # cp ~/.keystore ~/.keystore-backup # keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr [enter same password] [give contents of certreq.csr to VeriSign and wait for response...] [NOTE: when asked to select my server software, I chose apache since they didn't have Tomcat in their list...I don't know if this matters, but it worked] # keytool -import -trustcacerts -file intermediate.crt -alias root [enter same password] [NOTE: intermediate.crt is the file found here: http://www.verisign.com/support/install/intermediate.html] # keytool -import trustcacerts -file public.crt -alias tomcat [enter same password] [where public.crt is the certificate sent from VeriSign after they complete their approval process] [finally, edit ...tomcat/conf/server.xml and enable the SSL connector section, adding keystorePass=[password] as an attribute to the Factory tag] Hope this helps. Thanks to all who provided suggestions along the way. Dave -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 11:40 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Well, after all this, I just discovered that VeriSign will basically let you start over if it's within 30 days (which it is). So, for now, I'm going down this path. Just talked to someone at V/S who said it would take just a couple hours. Oh, and I made a BACKUP of my new keystore file this time that now contains a single keyEntry with the alias tomcat. I try to avoid being stupid in the same way more than once! :) As for the programmatic approach, FWIW, I started down that path as well, but somehow I had no private key entry in the keystore (best I can tell). Still not sure how I got in that messed up state. Thanks, Dave -Original Message- From: Christopher Williams [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 9:43 AM To: Tomcat Users List Subject: Re: SSL/Verisign Confusion Have you thought of manipulating the keystore programmatically? Here's what you'd do: 1. Open your existing keystore 2. Find the entry with your private key and (presumably) a temporary self-signed certificate. 3. Open the certificate you got from Versign. 4. Change the certificate in your key entry to your Verisign certificate. 5. Save and close the keystore. OpenSSL doesn't understand most of the Java keystore formats, although it can manipulate PKCS#12 files which Keytool can handle. If you download the BouncyCastle crypto provider, then you can use keytool to write PKCS#12 files as well. Also, if the person who originally posted the question doesn't feel up to monkeying around with the Keystore classes, I have some code that I can adapt to stick your Verisign certificate in your keystore. Get in touch with me personally and I'll see what I can do. - Original Message - From: Jay Garala [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Friday, September 05, 2003 3:36 PM Subject: RE: SSL/Verisign Confusion NOTE: You cannot export private key from keystore. -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 10:32 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks. With the exception of the openssl doc, I've been over these quite a bit. The result is the problem I've mentioned where keytool says it can't import my certificate because the alias already exists. After some help I got last night, I think the question boils down to this: * once I have extracted my private key from keytool (haven't done this yet), how do I take that key, the VeriSign intermediate certificate and my public key certificate and get them to play together. I'm hoping the openssl stuff will take care of this, because keytool doesn't really seem to recognize private keys as things that you can work with directly. Thanks again, Dave -Original Message- From: Jay Garala [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 7:12 AM To: 'Tomcat Users List' Subject: RE: SSL/Verisign Confusion Try the Java keytool help: http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html Tomcat how-to: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html If you have OpenSSL: http://forum.java.sun.com/thread.jsp?forum=2thread=4240 Jay -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 1:04 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks Bill. I think this highlights something I'm really not understanding... Didn't I generate an important private key
Re: SSL/Verisign Confusion
Dave Wood [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Thanks Bill. I think this highlights something I'm really not understanding... Didn't I generate an important private key somewhere along the line that I can't just regenerate if I blow away my keystore? I assumed the certificate I got back from verisign would only work if I still had the original private key I generated before sending them my request. Is that wrong? Of course you need your original private key. A lapse on my part, since I always use openssl to generate the CSR for VS :(. If you used keytool to generate the PK, then you'll have to extract it first. (I'll take a look at the link you sent...at first glance, it looks a little hard to follow, but hopefully not). Thanks again. Dave -Original Message- From: news [mailto:[EMAIL PROTECTED] Behalf Of Bill Barker Sent: Thursday, September 04, 2003 11:06 PM To: [EMAIL PROTECTED] Subject: Re: SSL/Verisign Confusion Firstly, it looks like you should wipe you keystore and start again. To use a VS cert with Tomcat, the two options I know are: 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm. 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and use that as your keystore (remember to set 'keystoreType=pkcs12' on the Factory in server.xml). Dave Wood [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I'm having a problem getting an SSL certificate from Verisign working correctly. I'm going to include everything I can think of that MIGHT be a problem. Unfortunately, there are a couple things I can't quite remember for certain. Here's the situation: 1. I generated the initial key using an alias other than tomcat (we'll call it company) 2. I generated the CSR and sent it to verisign. I still have this file. 3. Verisign changed the company name during the verification process (from an acronym to the full spelling of the name) 4. I now have the certificate that they sent back after the validation process. 5. One thing I can't account for is why when I see this: $ keytool -list Keystore type: jks Keystore provider: SUN Your keystore contains 4 entries: (...others removed...) company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry, Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really 0's) ...I think I must have self-signed or something (I was doing a couple of these things and don't recall exactly), but I'm surprised to see trustedCertEntry here. The problem I'm having is this: $ keytool -import -trustcacerts -alias company -file public.crt Enter keystore password: xxx keytool error: java.lang.Exception: Certificate not imported, alias company already exists (but I'm thinking it should be REPLACING this entry, so the fact that it exists shouldn't be a problem???) So, I have several questions: 1. Am I hosed completely because I didn't use tomcat as the alias? 2. How does the private key get stored exactly? I assume that if I delete the current entry for the company alias, I'll be losing the private key, right? 3. Can someone provide steps I should take to get this working given what I have said above. Thanks so much in advance. Sorry to be so long-winded. -Dave --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: SSL/Verisign Confusion
OK, good...glad I'm not as confused as I thought. :) Problem is...I don't see any way to extract a private key using keytool. Perhaps I just need to look at openssl...I haven't used this tool yet. Thanks, -dave -Original Message- From: news [mailto:[EMAIL PROTECTED] Behalf Of Bill Barker Sent: Friday, September 05, 2003 12:18 AM To: [EMAIL PROTECTED] Subject: Re: SSL/Verisign Confusion Dave Wood [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Thanks Bill. I think this highlights something I'm really not understanding... Didn't I generate an important private key somewhere along the line that I can't just regenerate if I blow away my keystore? I assumed the certificate I got back from verisign would only work if I still had the original private key I generated before sending them my request. Is that wrong? Of course you need your original private key. A lapse on my part, since I always use openssl to generate the CSR for VS :(. If you used keytool to generate the PK, then you'll have to extract it first. (I'll take a look at the link you sent...at first glance, it looks a little hard to follow, but hopefully not). Thanks again. Dave -Original Message- From: news [mailto:[EMAIL PROTECTED] Behalf Of Bill Barker Sent: Thursday, September 04, 2003 11:06 PM To: [EMAIL PROTECTED] Subject: Re: SSL/Verisign Confusion Firstly, it looks like you should wipe you keystore and start again. To use a VS cert with Tomcat, the two options I know are: 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm. 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and use that as your keystore (remember to set 'keystoreType=pkcs12' on the Factory in server.xml). Dave Wood [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I'm having a problem getting an SSL certificate from Verisign working correctly. I'm going to include everything I can think of that MIGHT be a problem. Unfortunately, there are a couple things I can't quite remember for certain. Here's the situation: 1. I generated the initial key using an alias other than tomcat (we'll call it company) 2. I generated the CSR and sent it to verisign. I still have this file. 3. Verisign changed the company name during the verification process (from an acronym to the full spelling of the name) 4. I now have the certificate that they sent back after the validation process. 5. One thing I can't account for is why when I see this: $ keytool -list Keystore type: jks Keystore provider: SUN Your keystore contains 4 entries: (...others removed...) company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry, Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really 0's) ...I think I must have self-signed or something (I was doing a couple of these things and don't recall exactly), but I'm surprised to see trustedCertEntry here. The problem I'm having is this: $ keytool -import -trustcacerts -alias company -file public.crt Enter keystore password: xxx keytool error: java.lang.Exception: Certificate not imported, alias company already exists (but I'm thinking it should be REPLACING this entry, so the fact that it exists shouldn't be a problem???) So, I have several questions: 1. Am I hosed completely because I didn't use tomcat as the alias? 2. How does the private key get stored exactly? I assume that if I delete the current entry for the company alias, I'll be losing the private key, right? 3. Can someone provide steps I should take to get this working given what I have said above. Thanks so much in advance. Sorry to be so long-winded. -Dave --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003
RE: SSL/Verisign Confusion
Try the Java keytool help: http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html Tomcat how-to: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html If you have OpenSSL: http://forum.java.sun.com/thread.jsp?forum=2thread=4240 Jay -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 1:04 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks Bill. I think this highlights something I'm really not understanding... Didn't I generate an important private key somewhere along the line that I can't just regenerate if I blow away my keystore? I assumed the certificate I got back from verisign would only work if I still had the original private key I generated before sending them my request. Is that wrong? (I'll take a look at the link you sent...at first glance, it looks a little hard to follow, but hopefully not). Thanks again. Dave -Original Message- From: news [mailto:[EMAIL PROTECTED] Behalf Of Bill Barker Sent: Thursday, September 04, 2003 11:06 PM To: [EMAIL PROTECTED] Subject: Re: SSL/Verisign Confusion Firstly, it looks like you should wipe you keystore and start again. To use a VS cert with Tomcat, the two options I know are: 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm. 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and use that as your keystore (remember to set 'keystoreType=pkcs12' on the Factory in server.xml). Dave Wood [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I'm having a problem getting an SSL certificate from Verisign working correctly. I'm going to include everything I can think of that MIGHT be a problem. Unfortunately, there are a couple things I can't quite remember for certain. Here's the situation: 1. I generated the initial key using an alias other than tomcat (we'll call it company) 2. I generated the CSR and sent it to verisign. I still have this file. 3. Verisign changed the company name during the verification process (from an acronym to the full spelling of the name) 4. I now have the certificate that they sent back after the validation process. 5. One thing I can't account for is why when I see this: $ keytool -list Keystore type: jks Keystore provider: SUN Your keystore contains 4 entries: (...others removed...) company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry, Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really 0's) ...I think I must have self-signed or something (I was doing a couple of these things and don't recall exactly), but I'm surprised to see trustedCertEntry here. The problem I'm having is this: $ keytool -import -trustcacerts -alias company -file public.crt Enter keystore password: xxx keytool error: java.lang.Exception: Certificate not imported, alias company already exists (but I'm thinking it should be REPLACING this entry, so the fact that it exists shouldn't be a problem???) So, I have several questions: 1. Am I hosed completely because I didn't use tomcat as the alias? 2. How does the private key get stored exactly? I assume that if I delete the current entry for the company alias, I'll be losing the private key, right? 3. Can someone provide steps I should take to get this working given what I have said above. Thanks so much in advance. Sorry to be so long-winded. -Dave --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: SSL/Verisign Confusion
Thanks. With the exception of the openssl doc, I've been over these quite a bit. The result is the problem I've mentioned where keytool says it can't import my certificate because the alias already exists. After some help I got last night, I think the question boils down to this: * once I have extracted my private key from keytool (haven't done this yet), how do I take that key, the VeriSign intermediate certificate and my public key certificate and get them to play together. I'm hoping the openssl stuff will take care of this, because keytool doesn't really seem to recognize private keys as things that you can work with directly. Thanks again, Dave -Original Message- From: Jay Garala [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 7:12 AM To: 'Tomcat Users List' Subject: RE: SSL/Verisign Confusion Try the Java keytool help: http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html Tomcat how-to: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html If you have OpenSSL: http://forum.java.sun.com/thread.jsp?forum=2thread=4240 Jay -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 1:04 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks Bill. I think this highlights something I'm really not understanding... Didn't I generate an important private key somewhere along the line that I can't just regenerate if I blow away my keystore? I assumed the certificate I got back from verisign would only work if I still had the original private key I generated before sending them my request. Is that wrong? (I'll take a look at the link you sent...at first glance, it looks a little hard to follow, but hopefully not). Thanks again. Dave -Original Message- From: news [mailto:[EMAIL PROTECTED] Behalf Of Bill Barker Sent: Thursday, September 04, 2003 11:06 PM To: [EMAIL PROTECTED] Subject: Re: SSL/Verisign Confusion Firstly, it looks like you should wipe you keystore and start again. To use a VS cert with Tomcat, the two options I know are: 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm. 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and use that as your keystore (remember to set 'keystoreType=pkcs12' on the Factory in server.xml). Dave Wood [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I'm having a problem getting an SSL certificate from Verisign working correctly. I'm going to include everything I can think of that MIGHT be a problem. Unfortunately, there are a couple things I can't quite remember for certain. Here's the situation: 1. I generated the initial key using an alias other than tomcat (we'll call it company) 2. I generated the CSR and sent it to verisign. I still have this file. 3. Verisign changed the company name during the verification process (from an acronym to the full spelling of the name) 4. I now have the certificate that they sent back after the validation process. 5. One thing I can't account for is why when I see this: $ keytool -list Keystore type: jks Keystore provider: SUN Your keystore contains 4 entries: (...others removed...) company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry, Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really 0's) ...I think I must have self-signed or something (I was doing a couple of these things and don't recall exactly), but I'm surprised to see trustedCertEntry here. The problem I'm having is this: $ keytool -import -trustcacerts -alias company -file public.crt Enter keystore password: xxx keytool error: java.lang.Exception: Certificate not imported, alias company already exists (but I'm thinking it should be REPLACING this entry, so the fact that it exists shouldn't be a problem???) So, I have several questions: 1. Am I hosed completely because I didn't use tomcat as the alias? 2. How does the private key get stored exactly? I assume that if I delete the current entry for the company alias, I'll be losing the private key, right? 3. Can someone provide steps I should take to get this working given what I have said above. Thanks so much in advance. Sorry to be so long-winded. -Dave --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003
RE: SSL/Verisign Confusion
NOTE: You cannot export private key from keystore. -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 10:32 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks. With the exception of the openssl doc, I've been over these quite a bit. The result is the problem I've mentioned where keytool says it can't import my certificate because the alias already exists. After some help I got last night, I think the question boils down to this: * once I have extracted my private key from keytool (haven't done this yet), how do I take that key, the VeriSign intermediate certificate and my public key certificate and get them to play together. I'm hoping the openssl stuff will take care of this, because keytool doesn't really seem to recognize private keys as things that you can work with directly. Thanks again, Dave -Original Message- From: Jay Garala [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 7:12 AM To: 'Tomcat Users List' Subject: RE: SSL/Verisign Confusion Try the Java keytool help: http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html Tomcat how-to: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html If you have OpenSSL: http://forum.java.sun.com/thread.jsp?forum=2thread=4240 Jay -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 1:04 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks Bill. I think this highlights something I'm really not understanding... Didn't I generate an important private key somewhere along the line that I can't just regenerate if I blow away my keystore? I assumed the certificate I got back from verisign would only work if I still had the original private key I generated before sending them my request. Is that wrong? (I'll take a look at the link you sent...at first glance, it looks a little hard to follow, but hopefully not). Thanks again. Dave -Original Message- From: news [mailto:[EMAIL PROTECTED] Behalf Of Bill Barker Sent: Thursday, September 04, 2003 11:06 PM To: [EMAIL PROTECTED] Subject: Re: SSL/Verisign Confusion Firstly, it looks like you should wipe you keystore and start again. To use a VS cert with Tomcat, the two options I know are: 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm. 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and use that as your keystore (remember to set 'keystoreType=pkcs12' on the Factory in server.xml). Dave Wood [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I'm having a problem getting an SSL certificate from Verisign working correctly. I'm going to include everything I can think of that MIGHT be a problem. Unfortunately, there are a couple things I can't quite remember for certain. Here's the situation: 1. I generated the initial key using an alias other than tomcat (we'll call it company) 2. I generated the CSR and sent it to verisign. I still have this file. 3. Verisign changed the company name during the verification process (from an acronym to the full spelling of the name) 4. I now have the certificate that they sent back after the validation process. 5. One thing I can't account for is why when I see this: $ keytool -list Keystore type: jks Keystore provider: SUN Your keystore contains 4 entries: (...others removed...) company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry, Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really 0's) ...I think I must have self-signed or something (I was doing a couple of these things and don't recall exactly), but I'm surprised to see trustedCertEntry here. The problem I'm having is this: $ keytool -import -trustcacerts -alias company -file public.crt Enter keystore password: xxx keytool error: java.lang.Exception: Certificate not imported, alias company already exists (but I'm thinking it should be REPLACING this entry, so the fact that it exists shouldn't be a problem???) So, I have several questions: 1. Am I hosed completely because I didn't use tomcat as the alias? 2. How does the private key get stored exactly? I assume that if I delete the current entry for the company alias, I'll be losing the private key, right? 3. Can someone provide steps I should take to get this working given what I have said above. Thanks so much in advance. Sorry to be so long-winded. -Dave --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus
RE: SSL/Verisign Confusion
I realize you can't do this with keytool. Is there no way to do it at all? I'm beginning to think I might be totally hosed here. Thanks, Dave -Original Message- From: Jay Garala [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 8:37 AM To: 'Tomcat Users List' Subject: RE: SSL/Verisign Confusion NOTE: You cannot export private key from keystore. -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 10:32 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks. With the exception of the openssl doc, I've been over these quite a bit. The result is the problem I've mentioned where keytool says it can't import my certificate because the alias already exists. After some help I got last night, I think the question boils down to this: * once I have extracted my private key from keytool (haven't done this yet), how do I take that key, the VeriSign intermediate certificate and my public key certificate and get them to play together. I'm hoping the openssl stuff will take care of this, because keytool doesn't really seem to recognize private keys as things that you can work with directly. Thanks again, Dave -Original Message- From: Jay Garala [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 7:12 AM To: 'Tomcat Users List' Subject: RE: SSL/Verisign Confusion Try the Java keytool help: http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html Tomcat how-to: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html If you have OpenSSL: http://forum.java.sun.com/thread.jsp?forum=2thread=4240 Jay -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 1:04 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks Bill. I think this highlights something I'm really not understanding... Didn't I generate an important private key somewhere along the line that I can't just regenerate if I blow away my keystore? I assumed the certificate I got back from verisign would only work if I still had the original private key I generated before sending them my request. Is that wrong? (I'll take a look at the link you sent...at first glance, it looks a little hard to follow, but hopefully not). Thanks again. Dave -Original Message- From: news [mailto:[EMAIL PROTECTED] Behalf Of Bill Barker Sent: Thursday, September 04, 2003 11:06 PM To: [EMAIL PROTECTED] Subject: Re: SSL/Verisign Confusion Firstly, it looks like you should wipe you keystore and start again. To use a VS cert with Tomcat, the two options I know are: 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm. 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and use that as your keystore (remember to set 'keystoreType=pkcs12' on the Factory in server.xml). Dave Wood [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I'm having a problem getting an SSL certificate from Verisign working correctly. I'm going to include everything I can think of that MIGHT be a problem. Unfortunately, there are a couple things I can't quite remember for certain. Here's the situation: 1. I generated the initial key using an alias other than tomcat (we'll call it company) 2. I generated the CSR and sent it to verisign. I still have this file. 3. Verisign changed the company name during the verification process (from an acronym to the full spelling of the name) 4. I now have the certificate that they sent back after the validation process. 5. One thing I can't account for is why when I see this: $ keytool -list Keystore type: jks Keystore provider: SUN Your keystore contains 4 entries: (...others removed...) company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry, Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really 0's) ...I think I must have self-signed or something (I was doing a couple of these things and don't recall exactly), but I'm surprised to see trustedCertEntry here. The problem I'm having is this: $ keytool -import -trustcacerts -alias company -file public.crt Enter keystore password: xxx keytool error: java.lang.Exception: Certificate not imported, alias company already exists (but I'm thinking it should be REPLACING this entry, so the fact that it exists shouldn't be a problem???) So, I have several questions: 1. Am I hosed completely because I didn't use tomcat as the alias? 2. How does the private key get stored exactly? I assume that if I delete the current entry for the company alias, I'll be losing the private key, right? 3. Can someone provide steps I should take to get this working given what I have said above. Thanks so much in advance. Sorry to be so long-winded. -Dave --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release
RE: SSL/Verisign Confusion
Hmm.. Did you create the PK in Tomcat's keystore or your JDK's keystore? Try the keyclone? Clone your 'company' to 'tomcat'. -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 11:07 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion I realize you can't do this with keytool. Is there no way to do it at all? I'm beginning to think I might be totally hosed here. Thanks, Dave -Original Message- From: Jay Garala [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 8:37 AM To: 'Tomcat Users List' Subject: RE: SSL/Verisign Confusion NOTE: You cannot export private key from keystore. -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 10:32 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks. With the exception of the openssl doc, I've been over these quite a bit. The result is the problem I've mentioned where keytool says it can't import my certificate because the alias already exists. After some help I got last night, I think the question boils down to this: * once I have extracted my private key from keytool (haven't done this yet), how do I take that key, the VeriSign intermediate certificate and my public key certificate and get them to play together. I'm hoping the openssl stuff will take care of this, because keytool doesn't really seem to recognize private keys as things that you can work with directly. Thanks again, Dave -Original Message- From: Jay Garala [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 7:12 AM To: 'Tomcat Users List' Subject: RE: SSL/Verisign Confusion Try the Java keytool help: http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html Tomcat how-to: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html If you have OpenSSL: http://forum.java.sun.com/thread.jsp?forum=2thread=4240 Jay -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 1:04 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks Bill. I think this highlights something I'm really not understanding... Didn't I generate an important private key somewhere along the line that I can't just regenerate if I blow away my keystore? I assumed the certificate I got back from verisign would only work if I still had the original private key I generated before sending them my request. Is that wrong? (I'll take a look at the link you sent...at first glance, it looks a little hard to follow, but hopefully not). Thanks again. Dave -Original Message- From: news [mailto:[EMAIL PROTECTED] Behalf Of Bill Barker Sent: Thursday, September 04, 2003 11:06 PM To: [EMAIL PROTECTED] Subject: Re: SSL/Verisign Confusion Firstly, it looks like you should wipe you keystore and start again. To use a VS cert with Tomcat, the two options I know are: 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm. 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and use that as your keystore (remember to set 'keystoreType=pkcs12' on the Factory in server.xml). Dave Wood [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I'm having a problem getting an SSL certificate from Verisign working correctly. I'm going to include everything I can think of that MIGHT be a problem. Unfortunately, there are a couple things I can't quite remember for certain. Here's the situation: 1. I generated the initial key using an alias other than tomcat (we'll call it company) 2. I generated the CSR and sent it to verisign. I still have this file. 3. Verisign changed the company name during the verification process (from an acronym to the full spelling of the name) 4. I now have the certificate that they sent back after the validation process. 5. One thing I can't account for is why when I see this: $ keytool -list Keystore type: jks Keystore provider: SUN Your keystore contains 4 entries: (...others removed...) company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry, Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really 0's) ...I think I must have self-signed or something (I was doing a couple of these things and don't recall exactly), but I'm surprised to see trustedCertEntry here. The problem I'm having is this: $ keytool -import -trustcacerts -alias company -file public.crt Enter keystore password: xxx keytool error: java.lang.Exception: Certificate not imported, alias company already exists (but I'm thinking it should be REPLACING this entry, so the fact that it exists shouldn't be a problem???) So, I have several questions: 1. Am I hosed completely because I didn't use tomcat as the alias? 2. How does the private key get stored exactly? I assume that if I delete the current entry for the company alias, I'll be losing the private key, right? 3. Can someone
RE: SSL/Verisign Confusion
I did everything with keytool. I tried keyclone last night, but it appears that you can't clone a trustedCertEntry. I get the error: Alias company has no (private) key ...it almost seems like once your keyEntry becomes a trustedCertEntry, you can't get to the private key at all. ??? The REALLY annoying this is that I can't imagine why I would have self-signed this thing, but that's the only explanation I can come up with for why it is showing as a trustedCertEntry when I do a keytool -list. I *must* be missing something. -Original Message- From: Jay Garala [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 9:21 AM To: 'Tomcat Users List' Subject: RE: SSL/Verisign Confusion Hmm.. Did you create the PK in Tomcat's keystore or your JDK's keystore? Try the keyclone? Clone your 'company' to 'tomcat'. -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 11:07 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion I realize you can't do this with keytool. Is there no way to do it at all? I'm beginning to think I might be totally hosed here. Thanks, Dave -Original Message- From: Jay Garala [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 8:37 AM To: 'Tomcat Users List' Subject: RE: SSL/Verisign Confusion NOTE: You cannot export private key from keystore. -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 10:32 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks. With the exception of the openssl doc, I've been over these quite a bit. The result is the problem I've mentioned where keytool says it can't import my certificate because the alias already exists. After some help I got last night, I think the question boils down to this: * once I have extracted my private key from keytool (haven't done this yet), how do I take that key, the VeriSign intermediate certificate and my public key certificate and get them to play together. I'm hoping the openssl stuff will take care of this, because keytool doesn't really seem to recognize private keys as things that you can work with directly. Thanks again, Dave -Original Message- From: Jay Garala [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 7:12 AM To: 'Tomcat Users List' Subject: RE: SSL/Verisign Confusion Try the Java keytool help: http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html Tomcat how-to: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html If you have OpenSSL: http://forum.java.sun.com/thread.jsp?forum=2thread=4240 Jay -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 1:04 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks Bill. I think this highlights something I'm really not understanding... Didn't I generate an important private key somewhere along the line that I can't just regenerate if I blow away my keystore? I assumed the certificate I got back from verisign would only work if I still had the original private key I generated before sending them my request. Is that wrong? (I'll take a look at the link you sent...at first glance, it looks a little hard to follow, but hopefully not). Thanks again. Dave -Original Message- From: news [mailto:[EMAIL PROTECTED] Behalf Of Bill Barker Sent: Thursday, September 04, 2003 11:06 PM To: [EMAIL PROTECTED] Subject: Re: SSL/Verisign Confusion Firstly, it looks like you should wipe you keystore and start again. To use a VS cert with Tomcat, the two options I know are: 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm. 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and use that as your keystore (remember to set 'keystoreType=pkcs12' on the Factory in server.xml). Dave Wood [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I'm having a problem getting an SSL certificate from Verisign working correctly. I'm going to include everything I can think of that MIGHT be a problem. Unfortunately, there are a couple things I can't quite remember for certain. Here's the situation: 1. I generated the initial key using an alias other than tomcat (we'll call it company) 2. I generated the CSR and sent it to verisign. I still have this file. 3. Verisign changed the company name during the verification process (from an acronym to the full spelling of the name) 4. I now have the certificate that they sent back after the validation process. 5. One thing I can't account for is why when I see this: $ keytool -list Keystore type: jks Keystore provider: SUN Your keystore contains 4 entries: (...others removed...) company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry, Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really 0's) ...I think I must have self-signed or something (I was doing
RE: SSL/Verisign Confusion
Is public the one returned from Versign or is it the Verisign's CA Cert? If you want try following to see if the cert exists within JDK trusted calist: Execute from jdk\jre\lib\security Directory keytool -list -keystore cacerts -storepass changeit Jay -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Thursday, September 04, 2003 11:12 PM To: Tomcat Email List Subject: SSL/Verisign Confusion I'm having a problem getting an SSL certificate from Verisign working correctly. I'm going to include everything I can think of that MIGHT be a problem. Unfortunately, there are a couple things I can't quite remember for certain. Here's the situation: 1. I generated the initial key using an alias other than tomcat (we'll call it company) 2. I generated the CSR and sent it to verisign. I still have this file. 3. Verisign changed the company name during the verification process (from an acronym to the full spelling of the name) 4. I now have the certificate that they sent back after the validation process. 5. One thing I can't account for is why when I see this: $ keytool -list Keystore type: jks Keystore provider: SUN Your keystore contains 4 entries: (...others removed...) company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry, Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really 0's) ...I think I must have self-signed or something (I was doing a couple of these things and don't recall exactly), but I'm surprised to see trustedCertEntry here. The problem I'm having is this: $ keytool -import -trustcacerts -alias company -file public.crt Enter keystore password: xxx keytool error: java.lang.Exception: Certificate not imported, alias company already exists (but I'm thinking it should be REPLACING this entry, so the fact that it exists shouldn't be a problem???) So, I have several questions: 1. Am I hosed completely because I didn't use tomcat as the alias? 2. How does the private key get stored exactly? I assume that if I delete the current entry for the company alias, I'll be losing the private key, right? 3. Can someone provide steps I should take to get this working given what I have said above. Thanks so much in advance. Sorry to be so long-winded. -Dave --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: SSL/Verisign Confusion
I'm working on a tool to pull out the private key. It should be done by the end of the day. I will send something to the list when I have it finished. Kind of funny how just as I'm getting around to a project that has been on my plate all week someone else needs it too ;-) -gabe -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 8:07 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion I realize you can't do this with keytool. Is there no way to do it at all? I'm beginning to think I might be totally hosed here. Thanks, Dave -Original Message- From: Jay Garala [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 8:37 AM To: 'Tomcat Users List' Subject: RE: SSL/Verisign Confusion NOTE: You cannot export private key from keystore. -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 10:32 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks. With the exception of the openssl doc, I've been over these quite a bit. The result is the problem I've mentioned where keytool says it can't import my certificate because the alias already exists. After some help I got last night, I think the question boils down to this: * once I have extracted my private key from keytool (haven't done this yet), how do I take that key, the VeriSign intermediate certificate and my public key certificate and get them to play together. I'm hoping the openssl stuff will take care of this, because keytool doesn't really seem to recognize private keys as things that you can work with directly. Thanks again, Dave -Original Message- From: Jay Garala [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 7:12 AM To: 'Tomcat Users List' Subject: RE: SSL/Verisign Confusion Try the Java keytool help: http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html Tomcat how-to: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html If you have OpenSSL: http://forum.java.sun.com/thread.jsp?forum=2thread=4240 Jay -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 1:04 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks Bill. I think this highlights something I'm really not understanding... Didn't I generate an important private key somewhere along the line that I can't just regenerate if I blow away my keystore? I assumed the certificate I got back from verisign would only work if I still had the original private key I generated before sending them my request. Is that wrong? (I'll take a look at the link you sent...at first glance, it looks a little hard to follow, but hopefully not). Thanks again. Dave -Original Message- From: news [mailto:[EMAIL PROTECTED] Behalf Of Bill Barker Sent: Thursday, September 04, 2003 11:06 PM To: [EMAIL PROTECTED] Subject: Re: SSL/Verisign Confusion Firstly, it looks like you should wipe you keystore and start again. To use a VS cert with Tomcat, the two options I know are: 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm. 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and use that as your keystore (remember to set 'keystoreType=pkcs12' on the Factory in server.xml). Dave Wood [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I'm having a problem getting an SSL certificate from Verisign working correctly. I'm going to include everything I can think of that MIGHT be a problem. Unfortunately, there are a couple things I can't quite remember for certain. Here's the situation: 1. I generated the initial key using an alias other than tomcat (we'll call it company) 2. I generated the CSR and sent it to verisign. I still have this file. 3. Verisign changed the company name during the verification process (from an acronym to the full spelling of the name) 4. I now have the certificate that they sent back after the validation process. 5. One thing I can't account for is why when I see this: $ keytool -list Keystore type: jks Keystore provider: SUN Your keystore contains 4 entries: (...others removed...) company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry, Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really 0's) ...I think I must have self-signed or something (I was doing a couple of these things and don't recall exactly), but I'm surprised to see trustedCertEntry here. The problem I'm having is this: $ keytool -import -trustcacerts -alias company -file public.crt Enter keystore password: xxx keytool error: java.lang.Exception: Certificate not imported, alias company already exists (but I'm thinking it should be REPLACING this entry, so the fact that it exists shouldn't be a problem???) So, I have several questions: 1. Am I hosed completely because I didn't use tomcat as the alias? 2. How does
RE: SSL/Verisign Confusion
So it's possible then...? That's promising. Thanks (in advance) very much. -dave -Original Message- From: Lawrence, Gabriel [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 10:13 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion I'm working on a tool to pull out the private key. It should be done by the end of the day. I will send something to the list when I have it finished. Kind of funny how just as I'm getting around to a project that has been on my plate all week someone else needs it too ;-) -gabe -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 8:07 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion I realize you can't do this with keytool. Is there no way to do it at all? I'm beginning to think I might be totally hosed here. Thanks, Dave -Original Message- From: Jay Garala [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 8:37 AM To: 'Tomcat Users List' Subject: RE: SSL/Verisign Confusion NOTE: You cannot export private key from keystore. -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 10:32 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks. With the exception of the openssl doc, I've been over these quite a bit. The result is the problem I've mentioned where keytool says it can't import my certificate because the alias already exists. After some help I got last night, I think the question boils down to this: * once I have extracted my private key from keytool (haven't done this yet), how do I take that key, the VeriSign intermediate certificate and my public key certificate and get them to play together. I'm hoping the openssl stuff will take care of this, because keytool doesn't really seem to recognize private keys as things that you can work with directly. Thanks again, Dave -Original Message- From: Jay Garala [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 7:12 AM To: 'Tomcat Users List' Subject: RE: SSL/Verisign Confusion Try the Java keytool help: http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html Tomcat how-to: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html If you have OpenSSL: http://forum.java.sun.com/thread.jsp?forum=2thread=4240 Jay -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 1:04 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks Bill. I think this highlights something I'm really not understanding... Didn't I generate an important private key somewhere along the line that I can't just regenerate if I blow away my keystore? I assumed the certificate I got back from verisign would only work if I still had the original private key I generated before sending them my request. Is that wrong? (I'll take a look at the link you sent...at first glance, it looks a little hard to follow, but hopefully not). Thanks again. Dave -Original Message- From: news [mailto:[EMAIL PROTECTED] Behalf Of Bill Barker Sent: Thursday, September 04, 2003 11:06 PM To: [EMAIL PROTECTED] Subject: Re: SSL/Verisign Confusion Firstly, it looks like you should wipe you keystore and start again. To use a VS cert with Tomcat, the two options I know are: 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm. 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and use that as your keystore (remember to set 'keystoreType=pkcs12' on the Factory in server.xml). Dave Wood [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I'm having a problem getting an SSL certificate from Verisign working correctly. I'm going to include everything I can think of that MIGHT be a problem. Unfortunately, there are a couple things I can't quite remember for certain. Here's the situation: 1. I generated the initial key using an alias other than tomcat (we'll call it company) 2. I generated the CSR and sent it to verisign. I still have this file. 3. Verisign changed the company name during the verification process (from an acronym to the full spelling of the name) 4. I now have the certificate that they sent back after the validation process. 5. One thing I can't account for is why when I see this: $ keytool -list Keystore type: jks Keystore provider: SUN Your keystore contains 4 entries: (...others removed...) company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry, Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really 0's) ...I think I must have self-signed or something (I was doing a couple of these things and don't recall exactly), but I'm surprised to see trustedCertEntry here. The problem I'm having is this: $ keytool -import -trustcacerts -alias company -file public.crt Enter keystore password: xxx keytool error: java.lang.Exception: Certificate not imported
Re: SSL/Verisign Confusion
I always use openssl myself, but from the sound of this thread, it sure sounds like it is desperately needed! Thanks! John Lawrence, Gabriel wrote: I'm working on a tool to pull out the private key. It should be done by the end of the day. I will send something to the list when I have it finished. Kind of funny how just as I'm getting around to a project that has been on my plate all week someone else needs it too ;-) -gabe -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 8:07 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion I realize you can't do this with keytool. Is there no way to do it at all? I'm beginning to think I might be totally hosed here. Thanks, Dave -Original Message- From: Jay Garala [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 8:37 AM To: 'Tomcat Users List' Subject: RE: SSL/Verisign Confusion NOTE: You cannot export private key from keystore. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: SSL/Verisign Confusion
Have you thought of manipulating the keystore programmatically? Here's what you'd do: 1. Open your existing keystore 2. Find the entry with your private key and (presumably) a temporary self-signed certificate. 3. Open the certificate you got from Versign. 4. Change the certificate in your key entry to your Verisign certificate. 5. Save and close the keystore. OpenSSL doesn't understand most of the Java keystore formats, although it can manipulate PKCS#12 files which Keytool can handle. If you download the BouncyCastle crypto provider, then you can use keytool to write PKCS#12 files as well. Also, if the person who originally posted the question doesn't feel up to monkeying around with the Keystore classes, I have some code that I can adapt to stick your Verisign certificate in your keystore. Get in touch with me personally and I'll see what I can do. - Original Message - From: Jay Garala [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Friday, September 05, 2003 3:36 PM Subject: RE: SSL/Verisign Confusion NOTE: You cannot export private key from keystore. -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 10:32 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks. With the exception of the openssl doc, I've been over these quite a bit. The result is the problem I've mentioned where keytool says it can't import my certificate because the alias already exists. After some help I got last night, I think the question boils down to this: * once I have extracted my private key from keytool (haven't done this yet), how do I take that key, the VeriSign intermediate certificate and my public key certificate and get them to play together. I'm hoping the openssl stuff will take care of this, because keytool doesn't really seem to recognize private keys as things that you can work with directly. Thanks again, Dave -Original Message- From: Jay Garala [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 7:12 AM To: 'Tomcat Users List' Subject: RE: SSL/Verisign Confusion Try the Java keytool help: http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html Tomcat how-to: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html If you have OpenSSL: http://forum.java.sun.com/thread.jsp?forum=2thread=4240 Jay -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 1:04 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks Bill. I think this highlights something I'm really not understanding... Didn't I generate an important private key somewhere along the line that I can't just regenerate if I blow away my keystore? I assumed the certificate I got back from verisign would only work if I still had the original private key I generated before sending them my request. Is that wrong? (I'll take a look at the link you sent...at first glance, it looks a little hard to follow, but hopefully not). Thanks again. Dave -Original Message- From: news [mailto:[EMAIL PROTECTED] Behalf Of Bill Barker Sent: Thursday, September 04, 2003 11:06 PM To: [EMAIL PROTECTED] Subject: Re: SSL/Verisign Confusion Firstly, it looks like you should wipe you keystore and start again. To use a VS cert with Tomcat, the two options I know are: 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm. 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and use that as your keystore (remember to set 'keystoreType=pkcs12' on the Factory in server.xml). Dave Wood [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I'm having a problem getting an SSL certificate from Verisign working correctly. I'm going to include everything I can think of that MIGHT be a problem. Unfortunately, there are a couple things I can't quite remember for certain. Here's the situation: 1. I generated the initial key using an alias other than tomcat (we'll call it company) 2. I generated the CSR and sent it to verisign. I still have this file. 3. Verisign changed the company name during the verification process (from an acronym to the full spelling of the name) 4. I now have the certificate that they sent back after the validation process. 5. One thing I can't account for is why when I see this: $ keytool -list Keystore type: jks Keystore provider: SUN Your keystore contains 4 entries: (...others removed...) company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry, Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really 0's) ...I think I must have self-signed or something (I was doing a couple of these things and don't recall exactly), but I'm surprised to see trustedCertEntry here. The problem I'm having is this: $ keytool -import -trustcacerts -alias company -file public.crt Enter keystore password: xxx keytool error: java.lang.Exception
RE: SSL/Verisign Confusion
Well, after all this, I just discovered that VeriSign will basically let you start over if it's within 30 days (which it is). So, for now, I'm going down this path. Just talked to someone at V/S who said it would take just a couple hours. Oh, and I made a BACKUP of my new keystore file this time that now contains a single keyEntry with the alias tomcat. I try to avoid being stupid in the same way more than once! :) As for the programmatic approach, FWIW, I started down that path as well, but somehow I had no private key entry in the keystore (best I can tell). Still not sure how I got in that messed up state. Thanks, Dave -Original Message- From: Christopher Williams [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 9:43 AM To: Tomcat Users List Subject: Re: SSL/Verisign Confusion Have you thought of manipulating the keystore programmatically? Here's what you'd do: 1. Open your existing keystore 2. Find the entry with your private key and (presumably) a temporary self-signed certificate. 3. Open the certificate you got from Versign. 4. Change the certificate in your key entry to your Verisign certificate. 5. Save and close the keystore. OpenSSL doesn't understand most of the Java keystore formats, although it can manipulate PKCS#12 files which Keytool can handle. If you download the BouncyCastle crypto provider, then you can use keytool to write PKCS#12 files as well. Also, if the person who originally posted the question doesn't feel up to monkeying around with the Keystore classes, I have some code that I can adapt to stick your Verisign certificate in your keystore. Get in touch with me personally and I'll see what I can do. - Original Message - From: Jay Garala [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Friday, September 05, 2003 3:36 PM Subject: RE: SSL/Verisign Confusion NOTE: You cannot export private key from keystore. -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 10:32 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks. With the exception of the openssl doc, I've been over these quite a bit. The result is the problem I've mentioned where keytool says it can't import my certificate because the alias already exists. After some help I got last night, I think the question boils down to this: * once I have extracted my private key from keytool (haven't done this yet), how do I take that key, the VeriSign intermediate certificate and my public key certificate and get them to play together. I'm hoping the openssl stuff will take care of this, because keytool doesn't really seem to recognize private keys as things that you can work with directly. Thanks again, Dave -Original Message- From: Jay Garala [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 7:12 AM To: 'Tomcat Users List' Subject: RE: SSL/Verisign Confusion Try the Java keytool help: http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html Tomcat how-to: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html If you have OpenSSL: http://forum.java.sun.com/thread.jsp?forum=2thread=4240 Jay -Original Message- From: Dave Wood [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 1:04 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks Bill. I think this highlights something I'm really not understanding... Didn't I generate an important private key somewhere along the line that I can't just regenerate if I blow away my keystore? I assumed the certificate I got back from verisign would only work if I still had the original private key I generated before sending them my request. Is that wrong? (I'll take a look at the link you sent...at first glance, it looks a little hard to follow, but hopefully not). Thanks again. Dave -Original Message- From: news [mailto:[EMAIL PROTECTED] Behalf Of Bill Barker Sent: Thursday, September 04, 2003 11:06 PM To: [EMAIL PROTECTED] Subject: Re: SSL/Verisign Confusion Firstly, it looks like you should wipe you keystore and start again. To use a VS cert with Tomcat, the two options I know are: 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm. 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and use that as your keystore (remember to set 'keystoreType=pkcs12' on the Factory in server.xml). Dave Wood [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I'm having a problem getting an SSL certificate from Verisign working correctly. I'm going to include everything I can think of that MIGHT be a problem. Unfortunately, there are a couple things I can't quite remember for certain. Here's the situation: 1. I generated the initial key using an alias other than tomcat (we'll call it company) 2. I generated the CSR and sent it to verisign. I still have this file. 3. Verisign changed the company name during the verification process (from
Re: SSL/Verisign Confusion
Firstly, it looks like you should wipe you keystore and start again. To use a VS cert with Tomcat, the two options I know are: 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm. 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and use that as your keystore (remember to set 'keystoreType=pkcs12' on the Factory in server.xml). Dave Wood [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I'm having a problem getting an SSL certificate from Verisign working correctly. I'm going to include everything I can think of that MIGHT be a problem. Unfortunately, there are a couple things I can't quite remember for certain. Here's the situation: 1. I generated the initial key using an alias other than tomcat (we'll call it company) 2. I generated the CSR and sent it to verisign. I still have this file. 3. Verisign changed the company name during the verification process (from an acronym to the full spelling of the name) 4. I now have the certificate that they sent back after the validation process. 5. One thing I can't account for is why when I see this: $ keytool -list Keystore type: jks Keystore provider: SUN Your keystore contains 4 entries: (...others removed...) company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry, Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really 0's) ...I think I must have self-signed or something (I was doing a couple of these things and don't recall exactly), but I'm surprised to see trustedCertEntry here. The problem I'm having is this: $ keytool -import -trustcacerts -alias company -file public.crt Enter keystore password: xxx keytool error: java.lang.Exception: Certificate not imported, alias company already exists (but I'm thinking it should be REPLACING this entry, so the fact that it exists shouldn't be a problem???) So, I have several questions: 1. Am I hosed completely because I didn't use tomcat as the alias? 2. How does the private key get stored exactly? I assume that if I delete the current entry for the company alias, I'll be losing the private key, right? 3. Can someone provide steps I should take to get this working given what I have said above. Thanks so much in advance. Sorry to be so long-winded. -Dave --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: SSL/Verisign Confusion
Thanks Bill. I think this highlights something I'm really not understanding... Didn't I generate an important private key somewhere along the line that I can't just regenerate if I blow away my keystore? I assumed the certificate I got back from verisign would only work if I still had the original private key I generated before sending them my request. Is that wrong? (I'll take a look at the link you sent...at first glance, it looks a little hard to follow, but hopefully not). Thanks again. Dave -Original Message- From: news [mailto:[EMAIL PROTECTED] Behalf Of Bill Barker Sent: Thursday, September 04, 2003 11:06 PM To: [EMAIL PROTECTED] Subject: Re: SSL/Verisign Confusion Firstly, it looks like you should wipe you keystore and start again. To use a VS cert with Tomcat, the two options I know are: 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm. 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and use that as your keystore (remember to set 'keystoreType=pkcs12' on the Factory in server.xml). Dave Wood [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I'm having a problem getting an SSL certificate from Verisign working correctly. I'm going to include everything I can think of that MIGHT be a problem. Unfortunately, there are a couple things I can't quite remember for certain. Here's the situation: 1. I generated the initial key using an alias other than tomcat (we'll call it company) 2. I generated the CSR and sent it to verisign. I still have this file. 3. Verisign changed the company name during the verification process (from an acronym to the full spelling of the name) 4. I now have the certificate that they sent back after the validation process. 5. One thing I can't account for is why when I see this: $ keytool -list Keystore type: jks Keystore provider: SUN Your keystore contains 4 entries: (...others removed...) company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry, Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really 0's) ...I think I must have self-signed or something (I was doing a couple of these things and don't recall exactly), but I'm surprised to see trustedCertEntry here. The problem I'm having is this: $ keytool -import -trustcacerts -alias company -file public.crt Enter keystore password: xxx keytool error: java.lang.Exception: Certificate not imported, alias company already exists (but I'm thinking it should be REPLACING this entry, so the fact that it exists shouldn't be a problem???) So, I have several questions: 1. Am I hosed completely because I didn't use tomcat as the alias? 2. How does the private key get stored exactly? I assume that if I delete the current entry for the company alias, I'll be losing the private key, right? 3. Can someone provide steps I should take to get this working given what I have said above. Thanks so much in advance. Sorry to be so long-winded. -Dave --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
