Try this - don't delete the alias before importing the response. 

What happens is:
> keytool -genkey -alias tomcat -keyalg RSA
Creates your private and public key
> keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
wraps a copy of your _public_ key in a certificate request
> ... got the certs...
CA uses their private key to sign your public key - this is essentially your
certificate
> keytool -delete -alias tomcat
This deletes your private key. This is bad.
> keytool -import -alias root -trustcacerts -file rootcert.cer
(root/intermediate/chain cert, as appropriate for the CA)
Adds the public key of your CA to your trusted certs.
> keytool -import -alias tomcat -trustcacerts -file testcert.cer
With your private key still in place, this replaces your unsigned public key
with a signed public key

You may find that the format the cert comes back in is not compatible with
keytool. I normally do the following:
1. In Windows, change extension to .cer
2. Double click on .cer file.
3. On "Details" tab click "Copy to file..."
4. Select the .p7b output format and tick the box to include all certs in path.
5. Specify a file name.
6. Use keytool to import this file.

Sorry, this is a Windows solution, but if you don't use Windows, as long as you
can get access to a Windows box you should be able to do this.

Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 16, 2004 11:03 PM
To: [EMAIL PROTECTED]
Subject: Using CA-issued certificates in Tomcat 5

I thought I had all my Tomcat issues resolved and was ready to go from the
self-signed cert to one issued by a CA.  So I followed all the steps, generated
a CSR, got the root cert and test cert, installed them into the keytool, and
restarted the server.  An exception is thrown saying:

 No available certificate corresponds to the SSL cipher suites which are enabled
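
A check for the point made in the reply above, as an added example that is not part of the original thread: before importing the CA reply, confirm that the alias still holds a key entry. It assumes `keytool -list` prints one `alias, date, entry type,` line per entry (`PrivateKeyEntry` on current JDKs, `keyEntry` on older ones); the function names and both sample listings are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: decide from `keytool -list` output whether an alias still
# holds the private key that the CA reply must be attached to.

# Constructed listing: alias kept, as the reply recommends.
SAMPLE_KEPT='Keystore type: JKS

Your keystore contains 2 entries

root, Jan 16, 2004, trustedCertEntry,
Certificate fingerprint (MD5): <constructed>
tomcat, Jan 16, 2004, PrivateKeyEntry,
Certificate fingerprint (MD5): <constructed>'

# Constructed listing: alias deleted, then testcert.cer imported under it.
SAMPLE_DELETED='Keystore type: JKS

Your keystore contains 2 entries

root, Jan 16, 2004, trustedCertEntry,
Certificate fingerprint (MD5): <constructed>
tomcat, Jan 16, 2004, trustedCertEntry,
Certificate fingerprint (MD5): <constructed>'

# Print the entry type of alias $1, or "missing"; listing is read from stdin.
alias_entry_type() {
  awk -F', *' -v want="$1" '
    NF >= 3 && tolower($1) == tolower(want) {
      type = $NF
      if (type == "") type = $(NF - 1)   # line ends with a trailing comma
      print type; found = 1; exit
    }
    END { if (!found) print "missing" }'
}

# Succeed only if alias $1 is a key entry, i.e. importing the reply is safe.
reply_import_ok() {
  case "$(alias_entry_type "$1")" in
    PrivateKeyEntry|keyEntry) return 0 ;;
    trustedCertEntry) echo "$1: certificate only, private key is gone" >&2; return 1 ;;
    *) echo "$1: no such alias" >&2; return 1 ;;
  esac
}

# Real use: keytool -list | reply_import_ok tomcat
printf '%s\n' "$SAMPLE_KEPT"    | alias_entry_type tomcat   # PrivateKeyEntry
printf '%s\n' "$SAMPLE_DELETED" | alias_entry_type tomcat   # trustedCertEntry
```

An alias that lists as `trustedCertEntry` carries no private key, so the connector has nothing to present as a server certificate.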



