On Tue, 21 Sep 2004, Dennis Dai wrote:

> I was able to export a p12 cert with complete chain half a year ago, but I couldn't reproduce it now. However, I found this:
>
> http://sense.bigbrother.net/archives/00000275.html

thanks for that tip. tried it, correctly i think. no love.

first i generate the .p12 from the server cert provided by verisign:

openssl pkcs12 -export -inkey server.key -in server.crt -name tomcat \
  -out server.p12

then i place server.p12 and intermediateCA.crt onto a windows box, fire
up IE. in IE: Internet Options -> Content -> Certificates... under
Personal tab, i import the server.p12 file, place no password on it, and
"Mark it as exportable".

from windows box, i grab another copy of verisign's intermediate cert
and save it. under "Intermediate Cert Authorities" tab, i import
verisign's intermediate cert.

now to export - export the server.p12 from IE: select it, hit export,
yes - export private key, check "include all certs in cert path".

i move that new .pfx file onto the tomcat server, in a place where
server.xml will use it. same error:

SEVERE: Error initializing endpoint
java.io.IOException: Unable to verify MAC.
        at com.ibm.crypto.provider.PKCS12KeyStore.engineLoad(Unknown Source)
        at java.security.KeyStore.load(KeyStore.java:695)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:278)



--
[EMAIL PROTECTED]
office: 650.616.6708

Reality is that which, when you stop believing in it, doesn't go away.
- Philip K. Dick
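
The export step from this message with the intermediate certificate bundled by openssl itself via `-certfile`, followed by a check of how many certificates the file holds and whether its MAC verifies with a given password, as an added example that is not part of the original post. The key material, subject names, password and helper function names are constructed for the example, and a self-signed certificate stands in for the real intermediate CA certificate.

```shell
#!/bin/sh
# Added example. All keys, names and the password are constructed throwaway
# values; the "intermediate" is a self-signed stand-in for a real CA cert.
set -eu

make_certs() {  # $1 = work dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$1/int.key" -out "$1/intermediateCA.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$1/server.csr" \
    -CA "$1/intermediateCA.crt" -CAkey "$1/int.key" -CAcreateserial \
    -out "$1/server.crt" 2>/dev/null
}

# Same export as in the message, plus -certfile to bundle the CA cert and an
# explicit -passout so the password is known rather than typed at a prompt.
export_p12() {  # $1 = work dir, $2 = password
  openssl pkcs12 -export -inkey "$1/server.key" -in "$1/server.crt" \
    -certfile "$1/intermediateCA.crt" -name tomcat \
    -out "$1/server.p12" -passout "pass:$2"
}

# Exit status 0 only if the PKCS#12 MAC verifies with the given password.
mac_ok() {  # $1 = p12 file, $2 = password
  openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

# Number of certificates stored in the bundle (server cert + chain).
cert_count() {  # $1 = p12 file, $2 = password
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PW='constructed-password'

make_certs "$WORK"
export_p12 "$WORK" "$PW"
echo "certificates in bundle: $(cert_count "$WORK/server.p12" "$PW")"
if mac_ok "$WORK/server.p12" "$PW"; then echo "MAC ok with export password"; fi
if ! mac_ok "$WORK/server.p12" "not-the-password"; then
  echo "MAC check fails with a different password"
fi
```

Running `mac_ok` against a file with the same password the keystore configuration supplies shows whether the file itself opens before Tomcat is involved.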
