Try:

keytool -import -trustcacerts -alias tomcat -file /tmp/mine.csr

Make sure the root CA cert that signed your request is in your keystore or cacerts file as a trusted certificate.
David

-----Original Message-----
From: Richard S. Huntrods [mailto:[EMAIL PROTECTED]]
Sent: Friday, 18 January 2002 6:28 AM
To: [EMAIL PROTECTED]
Subject: SSL and signed certificates...

Greetings!

I am hoping someone can provide some assistance regarding SSL and signed certificates. The Tomcat SSL how-to FAQ stops just short of where I need to be.

I have self-signed certificates working just fine with Tomcat 4.0.1. I created a 'csr' request from the working certificate (.keystore) file. The signing authority returned a certificate. I understand that this needs to be chained to the original self-signed certificate, so that the .keystore file will then contain two certs - mine and the signing agency's one.

This process is not working. Some examples from this list indicate the use of the '-alias tomcat' flag on all uses of keytool. Unfortunately, the keytool docs explicitly state that two certs in a .keystore file cannot have the same alias, so this will not work when importing. That is, this does not work (I tried it):

keytool -genkey -alias tomcat -keyalg RSA
keytool -certreq -alias tomcat -file /tmp/mine.csr
<paste this into the signing authority request, you get back a cert that you paste into a new file, i.e. mine.cer>
keytool -import -alias tomcat -file /tmp/mine.csr

THIS LAST COMMAND DOES NOT WORK - you cannot add the new cert to the existing keystore file with the same alias. I get a Java exception if I try.

So - how does one import the signing authority certificate and make the chain?

If you leave off -alias tomcat on the import line, it *will* import and create the chain, but the security level is unchanged from a self-signed cert. The reply from the signing authority is not included in the certificate sent to a browser.

If you delete the self-signed .keystore and just import the signing authority cert by itself, it works (even with the tomcat alias), but then Tomcat ceases to serve secure pages (error 404 - not found).
SO (again) - how do I import the certificate reply from the signing authority such that it works with Tomcat?

Thanks,
-Richard

--
To unsubscribe: <mailto:[EMAIL PROTECTED]>
For additional commands: <mailto:[EMAIL PROTECTED]>
Troubles with the list: <mailto:[EMAIL PROTECTED]>
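The point behind David's answer, shown as an added example that is not part of this thread: importing the CA reply under the existing "tomcat" alias does not add a second entry, it replaces the chain on the key entry that already holds the private key, and that only succeeds once the issuing root is trusted. The program below does by hand what keytool -import -trustcacerts does; the keystore path, password, JKS type and the "root" alias are assumptions, and the key and keystore passwords are assumed to be the same.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

// Hypothetical usage: java ImportReply .keystore changeit root.cer mine.cer
public class ImportReply {
    public static void main(String[] args) throws Exception {
        String ksPath = args[0], caPath = args[2], replyPath = args[3];
        char[] password = args[1].toCharArray();

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca, reply;
        try (FileInputStream in = new FileInputStream(caPath)) {
            ca = (X509Certificate) cf.generateCertificate(in);
        }
        try (FileInputStream in = new FileInputStream(replyPath)) {
            reply = (X509Certificate) cf.generateCertificate(in);
        }

        KeyStore ks = KeyStore.getInstance("JKS"); // type is an assumption
        try (FileInputStream in = new FileInputStream(ksPath)) {
            ks.load(in, password);
        }

        // Step 1: the root CA is a separate trusted-certificate entry under its own alias.
        ks.setCertificateEntry("root", ca);

        // Step 2: the reply must certify the public key already stored under "tomcat";
        // a reply for some other key would be rejected here, as keytool rejects it.
        PrivateKey key = (PrivateKey) ks.getKey("tomcat", password);
        X509Certificate selfSigned = (X509Certificate) ks.getCertificate("tomcat");
        if (!Arrays.equals(reply.getPublicKey().getEncoded(),
                           selfSigned.getPublicKey().getEncoded())) {
            throw new IllegalStateException("reply does not match the tomcat key");
        }

        // Step 3: the reply must chain to the trusted root (signature and validity period).
        reply.verify(ca.getPublicKey());
        reply.checkValidity();

        // Step 4: same alias, same private key, new chain [reply, root] replacing the self-signed one.
        ks.setKeyEntry("tomcat", key, password, new X509Certificate[] { reply, ca });
        try (FileOutputStream out = new FileOutputStream(ksPath)) {
            ks.store(out, password);
        }
    }
}
```

After this, keytool -list -v shows one "tomcat" key entry with a chain length of 2, which is what Tomcat sends to browsers.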