I have successfully used a server signed cert with tomcat.

The step by step guide is quite lengthy. I'll give you the edited highlights and
please follow up if you have any more questions.

1. Create key in .keystore with alias tomcat
2. Generate a signing request and send it to the CA
3. Receive signed key (cert) and CA cert
4. Import the root cert into cacerts
5. Import CA cert into cacerts (%JAVA_HOME%\jre\lib\security\cacerts)
6. Import tomcat cert into .keystore, with -trustcacerts option and alias tomcat

From your post it looks like you have imported the root cert and the CA cert
into .keystore rather than the cacerts file.

Mark
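As an added example that is not part of either message in this thread, here are the six steps above as a shell script for a JDK 8+ keytool (-genkeypair/-importcert/-gencert are the current spellings of -genkey/-import), with the CA side simulated locally by keytool -gencert so it runs offline. Everything in it is a demo assumption: the work directory, the aliases root/server_ca/tomcat, the DNs, the password changeit and the .pem file names. It departs from the steps in one place: the root and issuing-CA certs are imported into the server keystore rather than into the JRE's cacerts, because keytool searches the target keystore as well as cacerts (with -trustcacerts) when it builds the chain for a certificate reply, and this leaves the JRE untouched. The check_listing helper is the part worth keeping around: after a correct import, alias tomcat must show "Entry type: PrivateKeyEntry" with "Certificate chain length: 3". If it shows as trustedCertEntry instead, the certificate was imported without a private key under that alias, which is what happens when the -genkey step is skipped (the keytool commands in the quoted message below contain no such step).

```sh
#!/bin/sh
# Added example, not code from the original thread. Runs the six steps with a
# JDK 8+ keytool. The CA side is simulated locally with keytool -gencert so
# this runs offline; with a real CA you send the CSR out and get the root
# cert, the issuing-CA cert and the server cert back.
# Every path, alias, DN and password below is a demo value.
set -eu

WORK=${WORK:-$(mktemp -d)}
KS="$WORK/.keystore"   # the keystore Tomcat reads (keystoreFile=...)
CAKS="$WORK/ca.p12"    # stand-in for the CA's private keys; never on the server
PASS=changeit          # demo password only

kt_ks() { keytool "$@" -keystore "$KS"   -storetype PKCS12 -storepass "$PASS"; }
kt_ca() { keytool "$@" -keystore "$CAKS" -storetype PKCS12 -storepass "$PASS"; }

# Simulated CA: self-signed root plus an issuing CA signed by the root
# (bc:c = BasicConstraints ca:true, marked critical).
make_demo_ca() {
  kt_ca -genkeypair -alias root -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "CN=Demo Root CA" -ext bc:c
  kt_ca -genkeypair -alias server_ca -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "CN=Demo Server CA"
  kt_ca -certreq -alias server_ca -file "$WORK/server_ca.csr"
  kt_ca -gencert -alias root -ext bc:c -validity 3650 -rfc \
        -infile "$WORK/server_ca.csr" -outfile "$WORK/CA_Server.pem"
  kt_ca -exportcert -alias root -rfc -file "$WORK/CA_Root.pem"
}

# Steps 1-2: private key and CSR live in Tomcat's keystore under alias tomcat.
# Without this key entry a later import under the same alias becomes a
# trustedCertEntry and Tomcat has no private key to serve TLS with.
make_server_key_and_csr() {
  kt_ks -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=localhost" -ext san=dns:localhost
  kt_ks -certreq -alias tomcat -file "$WORK/tomcat.csr"
}

# Step 3, normally done by the CA: the issuing CA signs the server CSR.
sign_server_csr() {
  kt_ca -gencert -alias server_ca -validity 365 -rfc -ext san=dns:localhost \
        -infile "$WORK/tomcat.csr" -outfile "$WORK/TestServer.pem"
}

# Steps 4-6: trust anchors first, then the certificate reply for the existing
# key entry. keytool builds the chain from this keystore plus cacerts
# (-trustcacerts) and refuses the reply if it cannot reach a trusted root.
install_chain() {
  kt_ks -importcert -alias root -noprompt -file "$WORK/CA_Root.pem"
  kt_ks -importcert -alias server_ca -noprompt -file "$WORK/CA_Server.pem"
  kt_ks -importcert -alias tomcat -trustcacerts -file "$WORK/TestServer.pem"
}

# Reads `keytool -list -v` output on stdin. Alias tomcat must be a
# PrivateKeyEntry with its chain attached (length >= 2 for a CA hierarchy).
# Prints the chain length; exit status 0 only when both conditions hold.
check_listing() {
  awk '
    /^Alias name: tomcat$/                      { in_tomcat = 1; next }
    /^Alias name: /                             { in_tomcat = 0 }
    in_tomcat && /^Entry type: PrivateKeyEntry/ { key = 1 }
    in_tomcat && /^Certificate chain length: /  { len = $4 + 0 }
    END { print len + 0; if (key && len >= 2) exit 0; exit 1 }'
}

verify_keystore() {
  kt_ks -list -v -alias tomcat | check_listing
}

main() {
  make_demo_ca
  make_server_key_and_csr
  sign_server_csr
  install_chain
  echo "alias tomcat: PrivateKeyEntry, chain length $(verify_keystore)"
  echo "keystore ready: $KS (set keystoreType=\"PKCS12\" in server.xml)"
}

# The keytool steps run only when a JDK is on PATH; check_listing can be fed
# a saved listing without one.
if command -v keytool >/dev/null 2>&1; then
  main
fi
```

Run it as `sh tomcat_chain.sh`; to re-check an existing keystore later, pipe `keytool -list -v -keystore .keystore -alias tomcat` into check_listing. A PrivateKeyEntry with chain length 1 means the reply was never installed and the server still presents its self-signed certificate.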

> -----Original Message-----
> From: Oliver Wulff [mailto:[EMAIL PROTECTED] 
> Sent: Saturday, January 24, 2004 2:25 PM
> To: [EMAIL PROTECTED]
> Subject: SSL, keystore with ca hierarchy
> 
> I've created the following keystore for Tomcat 4.1.18:
> SET KEYSTORE_FILE=.\.keystore
> 
> keytool -import -keystore %KEYSTORE_FILE% -storepass icebeer -alias root -trustcacerts -file CA_Root_APU.pem
> keytool -import -keystore %KEYSTORE_FILE% -storepass icebeer -alias server_ca -trustcacerts -file CA_Server_APU.pem
> keytool -import -keystore %KEYSTORE_FILE% -storepass icebeer -alias tomcat -trustcacerts -file TestServer_APU.pem
> 
> The root CA is self-signed. The tomcat certificate is signed by server_ca,
> which is issued by the root CA. The password for the keystore and the
> tomcat certificate are identical. Further, I've configured the server.xml
> accordingly:
> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>            port="9443" minProcessors="5" maxProcessors="75"
>            enableLookups="true"
>            acceptCount="100" debug="0" scheme="https" secure="true"
>            useURIValidationHack="false" disableUploadTimeout="true">
>   <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>            clientAuth="false" protocol="TLS"
>            keystoreFile="certs/.keystore"
>            keystorePass="123456" />
> </Connector>
> 
> Tomcat starts with no problems:
> 24.01.2004 15:10:41 org.apache.coyote.http11.Http11Protocol start
> INFO: Starting Coyote HTTP/1.1 on port 9080
> 24.01.2004 15:10:41 org.apache.coyote.http11.Http11Protocol start
> INFO: Starting Coyote HTTP/1.1 on port 9443
> 
> But I get the error "The Page Cannot Be Displayed" when I try 
> to access the
> index.html.
> 
> When I create the certificates in the following way it does work:
> keytool -genkey -storepass 123456 -alias tomcat -keyalg RSA -keystore .\dummy.keystore
> keytool -rfc -storepass 123456 -export -alias tomcat -keystore .\dummy.keystore -file dummy.tomcat.pem
> 
> Does Tomcat not support certificates with a ca hierarchy?
> 
> -oliver
> 
> ******************* PLEASE NOTE *******************
> This message (and any attachments to it) may contain confidential or
> legally protected data or information. It is intended exclusively for the
> named recipient(s). If you have received this message in error, you are
> kindly asked to destroy it without making any copies and to notify the
> sender immediately. Thank you for your help.
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 


