Verisign problems on Java 1.4.2_03

Sat, 06 Mar 2004 13:04:32 -0800 

    Dear friends, any suggestions on the following problem will be
appreciated:

Environment: Tomcat 4.1.29 Standalone, Java 1.4.2_03 & RedHat 9

Problem: "Certificate expired or not yet valid" error message
on Internet Explorer, with a valid Verisign certificate in the
keystore.

Details: an existing SSL certificate that was bought from
Verisign (its original CSR request was generated using OpenSSL)
was imported into the Java keystore. This certificate, after
transformed from PKCS12 into JKS format, was imported using
keytool with alias "tomcat". Verisign's new intermediate certificate
was imported with alias "root". My current keystore contains:

--------------------------------------------------------
[EMAIL PROTECTED] root]# keytool -v -list
Enter keystore password:  *******

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: root
Creation date: Mar 5, 2004
Entry type: trustedCertEntry
...
Valid from: Thu Apr 17 1997 until: Tue Oct 25 2011
...
*******************************************

Alias name: tomcat
Creation date: Mar 5, 2004
Entry type: keyEntry
...
Valid from: Wed Dec 03 2003 until: Fri Dec 03 2004
...
*******************************************

--------------------------------------------------------

Here's my SSL settings in Tomcat's server.xml:

--------------------------------------------------------
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
    port="443" minProcessors="5" maxProcessors="75"
    enableLookups="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    useURIValidationHack="false" disableUploadTimeout="true">
  <Factory
      className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
      clientAuth="false" protocol="TLS"
      keystoreFile="<SOME_PATH>/.keystore" keystorePass="*******"
      keystoreType="JKS" />
</Connector>

--------------------------------------------------------

I listed the entries in <JAVA_HOME>/jre/lib/security/cacerts, and Verisign's
certificate is obviously valid, considering my JDK version.

The question is, given that I'm running the latest JDK with contains the
latest (and valid) Verisign class 3 certificate, and that my keystore also
contains
that certificate, why would my browser say that Verisign's certificate has
expired on Jan 2004?

Thanks,

Guilherme Birckan



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to