I use Tomcat 4.1.12. I am writing my own Certification Authority (CA) called Demo CA, and want to give it a shot.
I read the Tomcat SSL-HOWTO doc and did it like this:

1. Create a local certificate like this: keytool -genkey -alias tomcat -keyalg RSA -keystore
   I used John Doe as my name for this certificate.
2. I visited the website of my own CA through HTTPS, and got the CA's certificate, which I saved on hard drive as cacert.cer.
3. I requested a certificate from this CA and got a valid X509 certificate of version 3 from it shortly. This I saved on hard drive and named it webcert.cer, because I am going to run a demo banking web service. By default, certificates issued by my CA are valid for 12 months.
4. I did not create a local Certificate Signing Request (CSR), since I am not getting a certificate from a real CA like Verisign or Thawte.
5. I imported the CA certificate like this: keytool -import -alias root -keystore -trustcacerts -file cacert.cer
   This was successful.
6. Finally I imported my new certificate which I got from the CA like so: keytool -import -alias tomcat -keystore -trustcacerts -file webcert.cer
   This was also successful.

Then I was able to run the demo banking web server with SSL at https://www.mockbank.com. When I visit https://www.mockbank.com from a client machine with Internet Explorer (IE), as I expected, IE presents me with the Security Alert about the certificate of my mockbank. The security alert says 3 things:

1. The certificate was issued by a company you have not chosen to trust; view the certificate and decide if you want to trust the CA.
2. The certificate date is valid.
3. The name on the certificate is invalid or does not match the name of the site.

When I view the certificate, I see that the certificate was issued to John Doe and was issued by John Doe, and it is valid for only 6 months, and it is of version 1 instead of version 3! Obviously, this is the self-signed certificate that I created by keytool. It is not the certificate that I obtained from my CA.
Then does this mean that I should have used my domain name www.mockbank.com instead of John Doe as my name when I requested the certificate from my CA? Besides this, did I do anything wrong? Thanks a lot in advance.
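The three browser alerts the post walks through (untrusted issuer, validity dates, name mismatch) plus the self-signed check that identifies the stray keytool certificate can be reproduced in a few lines against a certificate in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns. This is an added example, not code from the original post or from Tomcat; both certificates below are constructed from the post's description, and the "Demo CA" issuer name and validity dates are assumptions.

```python
import ssl

# Constructed sample: the self-signed keytool certificate the post describes
# (subject == issuer, version 1, CN "John Doe", roughly 6 months of validity).
SELF_SIGNED = {
    "subject": ((("commonName", "John Doe"),), (("organizationName", "Mock Bank"),)),
    "issuer": ((("commonName", "John Doe"),), (("organizationName", "Mock Bank"),)),
    "version": 1,
    "notBefore": "Oct 10 00:00:00 2002 GMT",
    "notAfter": "Apr 10 00:00:00 2003 GMT",
}

# Constructed sample: what a CA-issued certificate for the site should look like
# (issuer is the CA, subject names the host, version 3 with a SAN entry).
CA_ISSUED = {
    "subject": ((("commonName", "www.mockbank.com"),),),
    "issuer": ((("commonName", "Demo CA"),),),  # assumed issuer CN
    "version": 3,
    "notBefore": "Oct 10 00:00:00 2002 GMT",
    "notAfter": "Oct 10 00:00:00 2003 GMT",
    "subjectAltName": (("DNS", "www.mockbank.com"),),
}

def _names(cert, field):
    """Flatten an RDN sequence into a {attribute: value} dict."""
    return {k: v for rdn in cert.get(field, ()) for k, v in rdn}

def _hostnames(cert):
    """DNS names the certificate is valid for; CN is used only without a SAN."""
    names = {v for t, v in cert.get("subjectAltName", ()) if t == "DNS"}
    cn = _names(cert, "subject").get("commonName")
    if not names and cn:
        names.add(cn)
    return names

def check_cert(cert, hostname, trusted_issuers, now):
    """Return the findings a browser would raise for this certificate."""
    findings = []
    subject, issuer = _names(cert, "subject"), _names(cert, "issuer")
    if subject == issuer:
        findings.append("self-signed (issuer equals subject)")
    if issuer.get("commonName") not in trusted_issuers:
        findings.append("issuer not trusted")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        findings.append("outside validity period")
    if hostname not in _hostnames(cert):
        findings.append("name mismatch")
    return findings
```

Run check_cert on the certificate an HTTPS server actually presents (via getpeercert() on a connected socket) to confirm the keystore alias served by Tomcat is the CA-issued one rather than the self-signed placeholder.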
