It's because you've not imported their root level cert...you need to do
that before you import your cert.  You also need their top level cert in
your browser.

BTW: I tested all my stuff on JDK 1.3.1 - I have no idea if this will
work with earlier versions (based on what you've said though my guess is
not!)

D

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 25, 2002 7:25 PM
To: Tomcat Users List; Dave North
Subject: Re: tomcat and SSL (keyfile password)


Hi Dave

I resolved this by moving to jdk1.4
but now my browser says it is self signed ......verisign info is not really
imported why ??
thanks in advance
bm

[EMAIL PROTECTED] wrote:

> Hi Dave
>
> thanks for document.
>
> Now I got stuck when I try to import the verisign certificate.
> the error message is
> keytool error: java.lang.Exception: Input not an X.509 certificate
>
> I attached my certificate also......can you help me please ?
>
> it is trial cert from verisign
>
> Reg
> BM
>
> Dave North wrote:
>
> > OK, here's what I did (this was using a test Verisign cert but the
> > procedure is the same for a "real" production cert):
> >
> > STEP A - generate your private key
> >
> > Pre-req: JDK must be installed
> >
> > 1) cd to $JAVA_HOME/jre/bin
> >
> > 2) run ./keytool -genkey -alias tomcat -keyalg RSA -keystore <FULL PATH TO KEYSTORE>
> >
> > 3) You will be prompted for a password for the keystore
> >
> > 3) at the prompts, enter:
> >
> > What is your first and last name?
> >   [Unknown]:  <DO NOT USE NAME - ENTER THE NAME OF YOUR MACHINE AS IT'S KNOWN TO VISITORS>
> > What is the name of your organizational unit?
> >   [Unknown]:  <WHATEVER YOU LIKE>
> > What is the name of your organization?
> >   [Unknown]:  <TYPICALLY COMPANY NAME>
> > What is the name of your City or Locality?
> >   [Unknown]:  <YOUR CITY>
> > What is the name of your State or Province?
> >   [Unknown]:  <STATE OR PROV>
> > What is the two-letter country code for this unit?
> >   [Unknown]:  <COUNTRY CODE>
> >
> > 4) You will then be prompted for another password - use the same (i.e.
> > press ENTER)
> >
> > STEP B - Generate a Certificate Request
> >
> > 1) cd to  $JAVA_HOME/jre/bin
> >
> > 2) ./keytool -certreq -alias tomcat -file csr.txt -keystore <FULL PATH TO SAME KEYSTORE CREATED IN STEP A>
> >
> > STEP C - Get the new cert from Verisign
> >
> > www.versign.com has all the info here
> >
> > STEP D - Install the Verisign ROOT CA cert AND your server cert
> >
> > When you get your cert in step C, they will provide you with the root
> > cert
> >
> > 1) cd to  $JAVA_HOME/jre/bin
> >
> > 2) ./keytool -import -alias verisign -file <FILE THAT CONTAINS THE
> > VERISIGN ROOT CA CERT> -keystore <PATH TO KEYSTORE>
> >
> > 3) ./keytool -import -trustcacerts -alias tomcat -file <FILE THAT
> > CONTAINS YOUR CERT FROM VERISIGN> -keystore <PATH TO KEYSTORE>
> >
> > STEP E - Configure an SSL listener for tomcat
> >
> > 1) edit $JAKARTA_HOME/conf/server.xml and add the following:
> >
> > <!-- Define an SSL HTTP/1.1 Connector on port 443 -->
> > <Connector className="org.apache.catalina.connector.http.HttpConnector"
> >            port="443" minProcessors="5" maxProcessors="75"
> >            enableLookups="true"
> >            acceptCount="10" debug="10" scheme="https" secure="true">
> >   <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
> >            clientAuth="false" protocol="TLS"
> >            keystoreFile="<FULL PATH TO KEYSTORE FILE>"
> >            keystorePass="<PASSWORD HERE>"/>
> > </Connector>
> >
> > 2) Stop and start the tomcat server
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, April 25, 2002 2:29 PM
> > To: Tomcat Users List
> > Subject: Re: tomcat and SSL (keyfile password)
> >
> > Hi Dave
> >
> >  ohhh...good to know that.
> >
> >  I need to set up the tomcat 4.0.3 with verisign.
> >
> > Can you please send those doc to me ?
> >
> > I appreciate your help
> >
> > thanks in advance
> > BM
> >
> > Dave North wrote:
> >
> > > Hello,
> > >         After a few hours trying to get this working, I've finally got
> > > my tomcat server working with a certificate signed by Verisign.  This
> > > all works great.  However, to do this, I need to configure the
> > > keyfilePass into the server.xml file.  This is bad as our security
> > > policy is "thou shall not have any passwords in plain text".  We also
> > > use SSL on our iPlanet server and it prompts at start time for the
> > > password (they use the term software token but it's the same).  So, the
> > > question is: is it possible to have tomcat prompt for this and/or how
> > > have others got around keeping this in plain text?
> > >
> > > BTW: if anyone's interested, I have the complete step-by-step of how I
> > > got the Verisign cert working...the info is out there but it seems to be
> > > all over the place.
> > >
> > > Thanks
> > >
> > > Dave
> > >
> > > Dave North
> > > SIGNIANT Inc.
> > > Trusted Data Transfer Services
> > > www.signiant.com
> > > Phone: 613-761-3623
> > > Mobile: 613-294-3231
> > > Fax: 613-761-3629
> > > Email: [EMAIL PROTECTED]
> > >
> > > --
> > > To unsubscribe:   <mailto:[EMAIL PROTECTED]>
> > > For additional commands: <mailto:[EMAIL PROTECTED]>
> > > Troubles with the list: <mailto:[EMAIL PROTECTED]>
>
>
------------------------------------------------------------------------
>              Name: bm.cer
>    bm.cer    Type: Security Certificate (application/x-x509-ca-cert)
>          Encoding: base64
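
A pre-import check for the file passed to the `keytool -import` steps in the thread above, added here as an example and not part of the original messages: it reports whether the file carries PEM armor, whether other text surrounds that armor, and whether the DER inside has the shape of an X.509 certificate or of a PKCS#7 bundle. The function names and the sample bytes are constructed for illustration, the shape test is a heuristic on the first ASN.1 tag rather than a full parse, and it covers more cases than the one error message quoted in the thread.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Constructed sample bytes (not real certificates), just enough DER to classify.
CERT_DER = bytes.fromhex("3005" "3003" "020101")            # SEQUENCE { SEQUENCE {..} }
P7_DER = bytes.fromhex("300b" "0609" "2a864886f70d010702")  # SEQUENCE { OID signedData }

def pem(label, der):
    """Wrap DER bytes in PEM armor with the given label (hypothetical helper)."""
    body = base64.encodebytes(der).decode()
    return ("-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)).encode()

def first_inner_tag(der):
    """Return the tag of the first element inside the outer DER SEQUENCE."""
    if len(der) < 3 or der[0] != 0x30:
        return None
    first_len = der[1]
    # Long-form length: the low 7 bits give the number of length bytes to skip.
    header = 2 + (first_len & 0x7F if first_len & 0x80 else 0)
    return der[header] if len(der) > header else None

def classify(data):
    """Describe a file before it is handed to `keytool -import`."""
    text = data.decode("latin-1")
    match = PEM_RE.search(text)
    notes = []
    der = data
    if match:
        label, body = match.group(1), match.group(2)
        if text[:match.start()].strip() or text[match.end():].strip():
            notes.append("extra text around the PEM block")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            return "PEM armor present but base64 body is damaged"
        if label != "CERTIFICATE":
            notes.append("PEM label is %r" % label)
    tag = first_inner_tag(der)
    if tag == 0x30:      # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ...
        kind = "X.509 certificate shape"
    elif tag == 0x06:    # ContentInfo ::= SEQUENCE { contentType OID ...
        kind = "PKCS#7/CMS bundle shape (starts with an OID)"
    else:
        kind = "not DER"
    return "; ".join([kind] + notes)
```

Run `classify(open(path, "rb").read())` on the CA's reply and on the root certificate file before importing either one.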

