Thanks Bill for the info.

Verisign gave me a cert.cer file. So I am not sure how to handle this.

My connector currently is this:

<Service name="Catalina">
<Connector port="80" // the normal http port />

// here is what I am working with that is currently commented out
// I was able to add the cert to the keystore using this:
keytool -import -alias <your alias> -keystore <your_keystore> -trustcacerts -file <cert.cer>

<Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" />

// but this is the one that is working using openSSL and the certificate made from the below link:
<Connector port="443" maxHttpHeaderSize="8192"
    maxThreads="15" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    scheme="https" secure="true" SSLEngine="on"
    SSLCertificateFile="C:\Tomcat\bin\server.crt"
    SSLCertificateKeyFile="C:\Tomcat\bin\server.key" />

I am getting messed up because I am not sure what is the private key and what is the public key as I am reading. Verisign made me create a "keystore", then a "csr" file which I posted to them, and then I received a "cert.cer" file back.

Originally I tried just doing this:

<Connector port="443" maxHttpHeaderSize="8192"
    keystoreFile="C:/Tomcat/bin/uniqueKeystore"
    keystorePass="unique10"
    truststoreFile="C:/Tomcat/bin/cert.cer"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="true" sslProtocol="TLS" />

But it hung and never responded. That is when I tried doing the example from the openssl notes.

Thanks
Scott

----- Original Message -----
From: "Bill Barker" <[EMAIL PROTECTED]>
To: <users@tomcat.apache.org>
Sent: Saturday, December 03, 2005 6:09 PM
Subject: Re: Verisign Certificate Still Giving Me Troubles:

> Well, firstly, Verisign should have given you a cert.crt file :).
>
> Verisign uses an intermediate cert to sign with (available from their site).
> Based on configuring mod_ssl I'm guessing that you need to download it and
> set:
>   SSLCertificateChainFile="/path/to/int/cert.crt"
> in your <Connector> element.
>
> From the previous threads, I'm assuming that you are still using the APR
> connector. If you are using the Java connector, then simply import the
> intermediate cert into your keystore (and ignore the above).
>
> "Scott Purcell" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>
> Hello,
>
> A few people helped me out last week, to get simple SSL running. In
> particular Dhaval, Remy and Nate. Anyway, I have followed the directions
> from here: http://www.fatofthelan.com/articles/articles.php?pid=12 section 3
> and all works well.
>
> So that means my tomcat is all configured and happy.
>
> But this was a "generic" certificate. I gave Verisign a certreq.csr file and
> they gave me a certificate last week and it was called cert.cer.
>
> I cannot for the life of me figure out how to get the certreq.csr working?
>
> I have been following these steps here:
> Based upon my knowledge, to incorporate Verisign certificate, steps are as
> follows:
> (Derived from http://www.fatofthelan.com/articles/articles.php?pid=12 )
> (1) openssl req -new -out server.csr (This will generate csr and private
> key. Make sure you fill the values correctly on openssl command prompt. )
> (2) openssl rsa -in privkey.pem -out server.key (This removes the passphrase
> from the private key. Also delete generated .rnd file)
> (3) Here there are two (either or) possibilities:
>
>
> But honestly do not know where to substitute my "certreq.csr" that verisign
> gave me in this equation.
>
> Regards
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
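
The two routes discussed in this thread, laid out as connector configuration. This is an added example, not configuration posted by anyone in the thread; use one connector or the other, not both. Assumptions: the alias `tomcat`, the intermediate certificate file names and the `CHANGE_ME` password are placeholders, while the other paths are the ones from the message above.

```xml
<!-- Added example. Alias "tomcat", intermediate.cer / intermediate.crt and
     CHANGE_ME are hypothetical placeholders, not values from the thread. -->

<!-- What each file is:
     keystore : holds the private key, created before the CSR; stays on the server
     CSR      : the public key plus the subject name, sent to the CA
     cert.cer : the CA-signed certificate for that public key; not secret -->

<!-- Route 1: Java (JSSE) connector.
     Import into the SAME keystore that produced the CSR, intermediate first:
       keytool -import -trustcacerts -alias intermediate -file intermediate.cer -keystore C:/Tomcat/bin/uniqueKeystore
       keytool -import -trustcacerts -alias tomcat -file cert.cer -keystore C:/Tomcat/bin/uniqueKeystore
     The second alias must be the one the key pair was generated under, so the
     CA reply is attached to the private key rather than stored as a separate
     trusted certificate entry. -->
<Connector port="443" maxHttpHeaderSize="8192"
           keystoreFile="C:/Tomcat/bin/uniqueKeystore"
           keystorePass="CHANGE_ME"
           keyAlias="tomcat"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
<!-- Compared with the connector that hung:
     * no truststoreFile: that attribute expects a keystore of CA certificates
       used to validate CLIENT certificates, not the server's own cert.cer
     * clientAuth="false": "true" requires every browser to present a
       client certificate during the handshake -->

<!-- Route 2: APR connector, with the chain file from Bill's reply.
     server.crt has to be the certificate issued for the CSR that was made
     from server.key; a certificate issued for a CSR generated from the Java
     keystore belongs to the keystore's private key, not to server.key. -->
<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           scheme="https" secure="true" SSLEngine="on"
           SSLCertificateFile="C:\Tomcat\bin\server.crt"
           SSLCertificateKeyFile="C:\Tomcat\bin\server.key"
           SSLCertificateChainFile="C:\Tomcat\bin\intermediate.crt" />
```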