Hi James,
Thanks a lot. I followed your steps, but it seems I am getting a different error,
as if the signed certificate is not DNS based. The original self-signed
certificate was able to work fine in DNS-based format for keytool when I
imported it into the client keystore.
Below is how I created the self-signed cert and CSR for signing:
keytool -genkey -keyalg RSA -alias tomcat -keystore ${prefix}_keystore_dns.jks -storepass $storepw -keysize 1024 -ext san=dns:$host
keytool -certreq -keyalg RSA -alias tomcat -file certreq${prefix}_dns.csr -keystore ${prefix}_keystore_dns.jks -storepass $storepw
The $host has been set to mhoodws.ril.local.
I suppose that during certreq I do not have to use -ext san=dns:$host.
Below are the keystore entries after I imported as per your instructions.
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
mhoodws.ril.local, Jan 17, 2014, trustedCertEntry,
Certificate fingerprint (SHA1):
1E:C9:5E:FB:2F:6A:0B:27:BA:36:14:76:8B:5A:48:F7:4D:02:60:73
root, Jan 17, 2014, trustedCertEntry,
Certificate fingerprint (SHA1):
42:38:43:DA:10:D5:E2:C9:20:69:6B:9D:98:4D:9D:B6:38:88:44:CE
tomcat, Dec 25, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1):
E0:58:FD:D8:0B:9E:FE:B5:9B:37:71:3E:00:59:2B:24:EC:27:C6:15
The catalina.out complains with an SSL handshake error stating "No Name matching
mhoodws.ril.local found".
I have defined that mhoodws.ril.local entry in /etc/hosts too.
Could it be that the signing step done by the CA also needs to add the DNS entry
like I did?
Regards,
Miten.
On Thu, Jan 16, 2014 at 10:37 PM, James H. H. Lampert <
[email protected]> wrote:
> On 1/16/14 9:01 AM, Miten Mehta wrote:
>
>> Hi,
>>
>> I am trying to understand SSL for Tomcat using
>> http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html.
>> 1) I create a JKS using a self-signed certificate using keytool.
>> 2) I generate a CSR from that keystore/certificate.
>> 3) I get it signed by a CA, who gives me a root certificate and a signed
>> certificate.
>>
>
> So far, so good.
>
>
>> 4) I need to delete the existing certificate from the keystore and then import
>> the root and signed one?
>>
>
> NO! ABSOLUTELY NOT!
>
> You import the signed certificate into THE SAME KEYSTORE, UNDER THE SAME
> ALIAS, *ON TOP OF* THE UNSIGNED CERTIFICATE!
>
> Not only will it not "complain"; it is the ONLY way to apply the CSR reply.
>
> --
> James H. H. Lampert
> Touchtone Corporation
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
>
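As an added example (not code from the thread), the same keytool flow as Miten's commands with openssl standing in for the CA: the certificate is issued once with and once without the SAN, the reply is imported on top of the tomcat alias as James describes, and the script then checks what actually ends up under that alias, which is what the "No Name matching" hostname check looks at. The host is the thread's mhoodws.ril.local; the CA name and password are constructed, and keytool and openssl are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: the keytool flow above with openssl standing in as the CA.
# Constructed values: the host is the thread's mhoodws.ril.local, the password is a placeholder.
# Requires keytool (a JDK) and openssl on PATH.
set -eu
HOST=mhoodws.ril.local
STOREPW=changeit
# Self-signed key pair with a SAN, then a CSR from it (same two steps as in the thread).
make_keystore_and_csr() {
  keytool -genkeypair -keyalg RSA -keysize 2048 -alias tomcat -keystore server.jks \
    -storepass "$STOREPW" -keypass "$STOREPW" -dname "CN=$HOST" -ext "san=dns:$HOST" -validity 365
  keytool -certreq -alias tomcat -keystore server.jks -storepass "$STOREPW" -file server.csr
}
# The CA step. Extensions requested in a CSR are advisory: the issued certificate carries only
# what the CA puts in it, so the SAN has to be added here ($1 = yes or no).
sign_csr() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 365 \
    -subj "/CN=Constructed Test CA" >/dev/null 2>&1
  if [ "$1" = yes ]; then
    printf 'subjectAltName=DNS:%s\n' "$HOST" > san.ext
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -out server.pem -days 365 -extfile san.ext >/dev/null 2>&1
  else
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -out server.pem -days 365 >/dev/null 2>&1
  fi
}
# Root as a trusted entry first, then the CA reply under the SAME alias that holds the key.
import_reply() {
  keytool -importcert -noprompt -alias root -file ca.pem -keystore server.jks -storepass "$STOREPW"
  keytool -importcert -noprompt -alias tomcat -file server.pem -keystore server.jks -storepass "$STOREPW"
}
# What Tomcat's hostname check will see: does the cert now under "tomcat" name the host?
check_issued_san() {
  if keytool -list -v -alias tomcat -keystore server.jks -storepass "$STOREPW" \
      | grep -q "DNSName: $HOST"; then echo "SAN OK"; else echo "SAN MISSING"; fi
}
# Runs the whole flow in a scratch directory (subshell); $1 says whether the CA copies the SAN.
run_demo() (
  d=$(mktemp -d); cd "$d"
  make_keystore_and_csr >/dev/null 2>&1
  sign_csr "$1"
  import_reply >/dev/null 2>&1
  check_issued_san
  cd /; rm -rf "$d"
)
if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
  run_demo yes; run_demo no   # prints SAN OK, then SAN MISSING
fi
```

The second run reproduces the thread's symptom: the import succeeds and the alias stays a PrivateKeyEntry, but the issued certificate no longer names the host.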