I am trying to use Windows Certificate Server to sign my client certificates.
First I tried to use a certificate that was generated in IE, but that didn't seem to work (has anyone gotten this to work before?), so now I am trying certificates generated by IBM's keyman program. These are the steps I take:

1. In keyman, generate a key pair in a PKCS#12 file.
2. Create a certificate request based on this key pair.
3. In Microsoft Certificate Server's certsrv webpage, select the following options:
   - "Request a certificate"
   - "Advanced Request"
   - "Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file"
4. Paste the certificate request into the window.
5. Issue the certificate request on the server.
6. In Microsoft Certificate Server's certsrv webpage, select "Check on a pending certificate" and select the saved-request certificate.
7. Click on the "Download CA Certification Path" link, and save the certnew.p7b file to disk.
8. In keyman, import the .p7b file. This attaches itself to the original key pair.
9. Save the keystore as a .p12 file.
10. Import this .p12 file into IE.
11. Export the signing certificate from IE into a file called MyCA.cer.
12. Import this cer file into Java's cacerts keystore.
13. Restart tomcat.

At this stage everything should work, but it doesn't. I can only get it to work by exporting the new certificate itself into a .cer file and importing that into the cacerts file. For some reason, tomcat doesn't trust Windows Certificate Server's root certificate, or at least doesn't trust any certificates signed by it, even after I have imported it into the cacerts file.

Has anyone done this before?

Thanks
Martin
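A diagnostic that replays the PKIX trust check Tomcat's JSSE layer performs against cacerts, added here as an example and not part of Martin's post or of Tomcat itself. It reports whether any trusted entry's subject matches the client certificate's issuer and then prints the validator's own failure reason; the command-line paths, the alias loop and the stock JDK truststore password "changeit" are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;

// Usage: java CheckClientCertTrust client.cer /path/to/cacerts [password]
// (assumed paths; the client cert may be DER or base64 .cer as exported by IE)
public class CheckClientCertTrust {
    public static void main(String[] args) throws Exception {
        String certFile = args[0];
        String trustStoreFile = args[1];
        char[] password = (args.length > 2 ? args[2] : "changeit").toCharArray();

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate client;
        try (FileInputStream in = new FileInputStream(certFile)) {
            client = (X509Certificate) cf.generateCertificate(in);
        }
        System.out.println("Subject: " + client.getSubjectX500Principal());
        System.out.println("Issuer:  " + client.getIssuerX500Principal());

        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStoreFile)) {
            ts.load(in, password);
        }

        // First sanity check: does any trusted entry carry the issuer's subject name?
        // If not, the wrong certificate (e.g. the leaf instead of the CA) was imported.
        boolean issuerPresent = false;
        for (String alias : Collections.list(ts.aliases())) {
            Certificate c = ts.getCertificate(alias);
            if (c instanceof X509Certificate && ((X509Certificate) c)
                    .getSubjectX500Principal().equals(client.getIssuerX500Principal())) {
                issuerPresent = true;
                System.out.println("Issuer found in truststore under alias: " + alias);
            }
        }
        if (!issuerPresent) System.out.println("No truststore entry has the issuer's subject name");

        // Second check: full PKIX path validation with the truststore as trust anchors.
        // Only the leaf is in the path here; any intermediate CA from the downloaded
        // certification path must be added to this list or validation will not chain.
        PKIXParameters params = new PKIXParameters(ts);
        params.setRevocationEnabled(false); // no CRL/OCSP lookup in this offline check
        CertPath path = cf.generateCertPath(Collections.singletonList(client));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("PKIX validation OK");
        } catch (CertPathValidatorException e) {
            System.out.println("PKIX validation failed: " + e.getMessage());
        }
    }
}
```

Run it against the cacerts file Tomcat's JVM actually reads; a message such as "Path does not chain with any of the trust anchors" points at a missing or wrong CA entry rather than at Tomcat configuration.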