Should be something like this to remove expired certs

    keytool -delete -alias verisignclass2ca -keystore cacerts -storepass changeit
    keytool -delete -alias verisignclass3ca -keystore cacerts -storepass changeit
    keytool -delete -alias verisignclass4ca -keystore cacerts -storepass changeit

Verisign appear to recommend that you remove the class1 cert too.

    keytool -delete -alias verisignclass1ca -keystore cacerts -storepass changeit

Download new certs to {JAVA_HOME}\jre\lib\security directory from
http://www.verisign.com/support/roots.html

Extract PCA1ss_v4.509,PCA2ss_v4.509,PCA3ss_v4.509 to the same directory

Then import them using

    keytool -import -alias verisignclass1ca -keystore cacerts -storepass changeit -file PCA1ss_v4.509
    keytool -import -alias verisignclass2ca -keystore cacerts -storepass changeit -file PCA2ss_v4.509
    keytool -import -alias verisignclass3ca -keystore cacerts -storepass changeit -file PCA3ss_v4.509

Verisign also recommend importing the G2 and G3 certs. Extract relevant files from zip. Use import as above, remembering to give each cert a unique (sensible) alias.

There is also at least one other thread on tomcat-user about this. Might be worth a look in the archives.

Mark

-----Original Message-----
From: Tea, Justin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 11:47 PM
To: Tomcat Users List
Subject: RE: New to tomcat

Thanks! That works. Sure enough, it expired 1/7. Now, how do I get the Verisign intermediate cert in there?

<snip>

Try this in your {JAVA_HOME}\jre\lib\security directory

    keytool -list -v -keystore cacerts

You'll need to enter your keystore password. This is changeit by default unless someone had the good sense to do the obvious.

This will give a long list of the certificates including the validity dates.

Mark

-----Original Message-----
From: Tea, Justin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 10:56 PM
To: Tomcat Users List; [EMAIL PROTECTED]
Subject: New to tomcat

Hi,

I'm new to Tomcat, Apache and JDK world (three things I noticed are loaded on our server). Our custom apps broke around the time Verisign cert expired. How can I tell whether this is indeed the case? Keytool? If so, what's the exact parameter?
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
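An added example, not part of the original thread: a small Python filter that reads the text printed by `keytool -list -v -keystore cacerts` and reports which aliases have passed their "until" date, so the long listing does not have to be checked by eye. The sample listing is constructed (aliases follow the thread; owners and dates are made up), the function names are hypothetical, and it assumes keytool's English-locale date format.

```python
import re
from datetime import datetime

# Constructed sample in the layout printed by `keytool -list -v`; the
# aliases follow the thread, owners and dates are made up for the demo.
SAMPLE = """\
Alias name: verisignclass3ca
Owner: OU=Example Class 3 CA, O=Example, C=US
Valid from: Mon Jan 29 00:00:00 GMT 1996 until: Wed Jan 07 23:59:59 GMT 2004

*******************************************

Alias name: verisignclass3g2ca
Owner: OU=Example Class 3 G2 CA, O=Example, C=US
Valid from: Mon May 18 00:00:00 GMT 1998 until: Tue Aug 01 23:59:59 GMT 2028
"""

ALIAS_RE = re.compile(r"^Alias name:\s*(.+?)\s*$")
VALID_RE = re.compile(r"^Valid from:\s*(.+?)\s+until:\s*(.+?)\s*$")


def parse_java_date(text):
    # Input looks like 'Wed Jan 07 23:59:59 GMT 2004'. The weekday and zone
    # abbreviation are dropped (assumption: a few hours of error does not
    # matter when checking certificate expiry).
    _dow, mon, day, clock, _zone, year = text.split()
    return datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")


def expired_aliases(listing, now):
    """Return [(alias, not_after)] for entries whose validity ended before now."""
    expired, alias = [], None
    for line in listing.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1)
            continue
        m = VALID_RE.match(line)
        if m and alias is not None:
            not_after = parse_java_date(m.group(2))
            if not_after < now:
                expired.append((alias, not_after))
            alias = None  # only the first certificate of each entry is checked
    return expired


if __name__ == "__main__":
    for name, end in expired_aliases(SAMPLE, datetime(2004, 1, 14)):
        print(f"{name} expired {end:%Y-%m-%d}; candidate for keytool -delete")
```

To run it against a real keystore, pass the captured keytool output as `listing` and `datetime.now()` as `now`.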