"Martin Jericho" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

> I am trying to use Windows Certificate Server to sign my client
> certificates.
>
> First I tried to use a certificate that was generated in IE, but that didn't
> seem to work (has anyone gotten this to work before?), so now I am trying
> certificates generated by IBM's keyman program.
>
> These are the steps I take:
>
> 1. In keyman, generate a key pair in a PKCS#12 file.
> 2. Create a certificate request based on this key pair.
> 3. In Microsoft Certificate Server's certsrv webpage, select the following
>    options:
>    - "Request a certificate"
>    - "Advanced Request"
>    - "Submit a certificate request using a base64 encoded PKCS #10 file or
>      a renewal request using a base64 encoded PKCS #7 file"
> 4. Paste the certificate request into the window.
> 5. Issue the certificate request on the server.
> 6. In Microsoft Certificate Server's certsrv webpage, select "Check on a
>    pending certificate" and select the saved-request certificate.
> 7. Click on the "Download CA Certification Path" link, and save the
>    certnew.p7b file to disk.
> 8. In keyman, import the .p7b file. This attaches itself to the original
>    key pair.
> 9. Save the keystore as a .p12 file.
> 10. Import this .p12 file into IE.
> 11. Export the signing certificate from IE into a file called MyCA.cer.
> 12. Import this .cer file into Java's cacerts keystore.
> 13. Restart Tomcat.
>
> At this stage everything should work, but it doesn't. I can only get it to
> work by exporting the new certificate itself into a .cer file and importing
> that into the cacerts file. For some reason, Tomcat doesn't trust Windows
> Certificate Server's root certificate, or at least doesn't trust any
> certificates signed by it, even after I have imported it into the cacerts
> file.
>
> Has anyone done this before?
Yup, it should work as you've described. I don't know anything about WCS (or care to know :), but does it sign with an intermediate cert? If so, then you'll probably have to import the intermediate cert as well (so that Tomcat can verify BasicConstraints etc.).

> Thanks
> Martin

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
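To see why a certificate that chains to the imported root can still be rejected, here is an added diagnostic (not code from the thread): it reads the certnew.p7b bundle, prints each certificate's subject, issuer and BasicConstraints CA flag, marks which of them cacerts already holds, and runs the same PKIX validation Tomcat's trust manager performs, with the truststore as the only source of trust anchors. The bundle file name, the cacerts location and the "changeit" password are assumptions.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.x500.X500Principal;
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        String bundle = args.length > 0 ? args[0] : "certnew.p7b";                       // assumed file name
        String trustPath = System.getProperty("java.home") + "/lib/security/cacerts";     // JDK default location
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(bundle)) {        // generateCertificates reads PKCS#7 bundles
            for (Certificate c : cf.generateCertificates(in)) certs.add((X509Certificate) c);
        }
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustPath)) { trust.load(in, "changeit".toCharArray()); } // assumed password
        for (X509Certificate c : certs) {
            int bc = c.getBasicConstraints();                        // -1: not a CA; otherwise max path length
            System.out.printf("subject=%s%n  issuer=%s%n  CA=%s  inTrustStore=%s%n", c.getSubjectX500Principal(),
                    c.getIssuerX500Principal(), bc >= 0 ? "yes (pathlen " + bc + ")" : "no", inTrustStore(trust, c));
        }
        // Order the bundle leaf-first and stop before a self-signed root: PKIX takes its trust anchors
        // from the truststore, so a root that only sits in the bundle proves nothing.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate cur = leaf(certs); cur != null && !path.contains(cur)
                && !cur.getSubjectX500Principal().equals(cur.getIssuerX500Principal());
                cur = bySubject(certs, cur.getIssuerX500Principal())) path.add(cur);
        if (path.isEmpty()) { System.out.println("no end-entity certificate in " + bundle); return; }
        PKIXParameters params = new PKIXParameters(trust);           // throws if the truststore holds no trusted certs
        params.setRevocationEnabled(false);                           // offline check: no CRL/OCSP lookups
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(path), params);
            System.out.println("chain validates against " + trustPath);
        } catch (CertPathValidatorException e) {                     // getIndex(): position in 'path' that failed
            System.out.println("chain does NOT validate: " + e.getMessage() + " (index " + e.getIndex() + ")");
        }
    }
    static X509Certificate leaf(List<X509Certificate> certs) {       // the cert that issues nothing else in the bundle
        return certs.stream().filter(c -> certs.stream().noneMatch(o -> o != c
                && o.getIssuerX500Principal().equals(c.getSubjectX500Principal()))).findFirst().orElse(null);
    }
    static X509Certificate bySubject(List<X509Certificate> certs, X500Principal name) {
        return certs.stream().filter(c -> c.getSubjectX500Principal().equals(name)).findFirst().orElse(null);
    }
    static boolean inTrustStore(KeyStore ks, X509Certificate c) throws Exception {
        for (String a : Collections.list(ks.aliases()))
            if (ks.isCertificateEntry(a) && c.equals(ks.getCertificate(a))) return true;
        return false;
    }
}
```

If the bundle shows an intermediate CA that is neither in cacerts nor sent by the client, the validation fails at that index, which is the symptom described above.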