Hi Chris,

I am a Technical Support Rep at VeriSign. I apologize if you are unable to find any documentation regarding the installation of the intermediate certificate for Tomcat.

Once you have the VeriSign Intermediate CA certificate, you can run this command to import it into your keystore:

    keytool -import -alias intermediateCA -keystore <your_keystore_filename> -trustcacerts -file intermediateCA.cer

NOTE: The alias name, "intermediateCA", in this command is different than the alias name used during the generation of the private key and CSR.

After the intermediate certificate is installed, you import the SSL certificate into the same keystore / alias where you generated the private key.

We also have this information documented on our site. You will also find these instructions on our Support Page:
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR234

Hopefully, this helps.

Thank You,
Jonathan
VeriSign Technical Support

Parker, Chris-2 wrote:
>
> I'm sending this email because I've spent the last day and a half
> putting together the bread crumbs necessary to get a signed key from
> Verisign to work with Tomcat. I never found one place that has all the
> necessary information regarding how to deal with Verisign's use of
> intermediate keys. The funny thing is all this stuff is straightforward
> (once known). So here are the steps in one place - in the hopes that it
> might help someone in the future.
>
> Step 1:
> Our server was not yet using SSL, so we needed to generate a new key and
> keystore.
>
>     keytool -genkey -alias tomcat -keyalg rsa -keypass secret -storepass secret -keystore keystore.key
>
> This generates a new keystore. Be sure to use "-keyalg rsa" as the
> default algorithm is dsa, and Verisign will not accept dsa. Also, it's
> important to remember the alias, "tomcat" in this case. When we receive
> the signed certificate we'll need to apply it to that alias. That's how
> clients will know that our private key has been "signed". Be sure to
> respond to all the prompts correctly, using the proper FQDN of the
> server. This stuff is well documented - all over the place - so no
> point in duplicating it here.
>
> Step 2:
> Next we need to generate a certificate signing request.
>
>     keytool -certreq -alias tomcat -file keystore.csr -keypass secret -storepass secret -keystore keystore.key
>
> Be sure to use "tomcat" as the alias again so that the correct private
> key is referenced. Send the file "keystore.csr" to Verisign for
> signature. Again, this part is well documented.
>
> Step 3 THIS IS THE TRICKY PART:
> The certificate you get back from Verisign is signed using an
> intermediate key that needs to be included in your keystore in order to
> properly sign your key. So far as I can tell, that key is not a part of
> anything natively included with Java's "cacerts".
> 3a) The intermediate key is available at
>     http://www.verisign.com/support/install2/intermediate.html
> 3b) Copy the key from there to your clipboard
> 3c) Open the text editor of your choice and paste the contents of that
>     key to a new document
> 3d) Open the certificate Verisign sent you (in response to your
>     request) in the editor of your choice and copy its contents
> 3e) Paste that into the same document as the intermediate key - after
>     the intermediate key
> 3f) Save that document as an all new certificate (I called mine
>     "signed.cer")
>
> Step 4:
> Sign your alias with the certificate you created yourself.
>
>     keytool -import -trustcacerts -alias tomcat -file signed.cer -keypass secret -storepass secret -keystore keystore.key
>
> Note that once again we use the same alias. We need to do this so that
> the private key in that alias is "signed", as opposed to just having the
> certificates a part of the contents. Note also that I used the file
> "signed.cer" that I created myself to sign the key, NOT the certificate
> sent by Verisign.
>
> As I say, I'm sending this in the hopes that it will help someone else
> down the road. :)
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

--
View this message in context: http://www.nabble.com/error-%3A-java.lang.RuntimeException%3A-Object-not-initialized.-tp17427607p17441760.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
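
A check that can follow the final import in either procedure above, as an added example that is not part of the original thread: it reads a keystore listing and confirms that the "tomcat" alias still holds the private key and that the intermediate is actually part of its chain. It assumes the listing layout printed by current versions of keytool; the certificate names in the samples are constructed.

```shell
# Added example, not from the thread. Reads a listing in the layout of
#   keytool -list -v -alias tomcat -keystore keystore.key
# and checks: private key entry, chain of 2+ certificates, and each
# certificate's Issuer equal to the next certificate's Owner.
check_chain() {
    awk '
        /^Entry type:/               { type = $3 }
        /^Certificate chain length:/ { len = $4 + 0 }
        /^Certificate\[[0-9]+\]:/    { n++ }
        /^Owner:/  { sub(/^Owner: */, "");  owner[n]  = $0 }
        /^Issuer:/ { sub(/^Issuer: */, ""); issuer[n] = $0 }
        END {
            if (type != "PrivateKeyEntry") {
                print "FAIL: alias is not a private key entry"; exit 1 }
            if (len < 2 || n != len) {
                print "FAIL: chain length " len ", intermediate missing?"; exit 1 }
            for (i = 1; i < n; i++)
                if (issuer[i] != owner[i + 1]) {
                    print "FAIL: certificate " i " not issued by certificate " (i + 1)
                    exit 1 }
            print "OK: " n " certificates, every link consistent"
        }'
}

# Constructed sample: listing after a correct import (hypothetical names).
sample_good() {
    cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.example.test, O=Example Org
Issuer: CN=Example Intermediate CA
Certificate[2]:
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA
EOF
}

# Constructed sample: only the server certificate reached the alias.
sample_leaf_only() {
    sample_good | sed -e 's/length: 2/length: 1/' -e '/^Certificate\[2\]:/,$d'
}

sample_good | check_chain
sample_leaf_only | check_chain || echo "leaf-only keystore rejected"
```

Against a real keystore, pipe the keytool command from the first comment into check_chain; a chain length of 1 means Tomcat will serve the server certificate without the intermediate.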