On 04/04/2014 22:00, Mark Murphy wrote:
> So let me try to understand what is going on here. I generate a keystore
> using keytool, that contains a key. At this point it is equal to a self
> signed certificate, and it works, but the browser complains that there is
> no CA. I then need to create a certificate request and send that off to
> goDaddy. What is this? a public key that matches up with the private key?
> Then I have to import the certificates that goDaddy returns to me because
> that validates the private key that is already in the keystore?
You *really* need to attend my talk on SSL at ApacheCon next week. I go through this in a lot more detail (the slides and audio recordings of all the ApacheCon presentations should be available after the conference).

The short version is:

You generate the keystore with keytool. At this point the keystore contains your private key and your public key.

You generate a Certificate Signing Request (CSR) which is essentially a copy of your public key and your server's identity information (i.e. the FQDN).

You send this CSR to your chosen Certificate Authority (CA).

The CA generates a certificate for you. This certificate is essentially your public key, your server's identity information (i.e. everything from the CSR) plus the digital signature from the CA to confirm that they have validated the identity information.

You import the certificate into the keystore and it replaces the public key with the certificate (remembering that the cert is public key + id + digital signature so you haven't lost anything).

The CA that signed your certificate might not be one of the root CAs trusted by the user agent. Most likely it is an intermediate CA. The root CA will have signed the intermediate CA's certificate and the intermediate CA will have signed your certificate. In practice, there can be several layers of intermediate CAs. What you end up with is a trust chain from the Root CA to your certificate.

To make it easier for the browsers to validate, you need to be able to provide all of these certificates as part of the SSL handshake. Therefore your CA will tell you that you need to import 1 or more additional certs into your keystore.

HTH,

Mark
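The flow described above, run end to end as an added example (not code from the thread or from Tomcat): the CA side that GoDaddy would normally handle is simulated in a second keystore with `keytool -gencert`, so the CSR, the signed certificate and the chain import can all be exercised offline. All file names, aliases, DNs and the password are constructed for the example.

```shell
#!/bin/sh
# Added example: keystore -> CSR -> CA-signed cert -> chain import, with a local
# stand-in CA (root + intermediate). Requires keytool from a JDK on the PATH.
set -eu
WORK="${WORK:-$(mktemp -d)}"
PASS=changeit                 # constructed sample password (same for store and key)
KS="$WORK/keystore.jks"       # the keystore Tomcat would use
CA="$WORK/ca.jks"             # stand-in for the CA's own root and intermediate keys

# Wrapper: first argument is the keystore file, the rest is passed to keytool.
kt() { ks=$1; shift; keytool -storepass "$PASS" -keystore "$ks" "$@"; }

build_chain() {
  # CA side: self-signed root, then an intermediate whose certificate the root signs.
  kt "$CA" -genkeypair -alias root -keyalg RSA -keysize 2048 -keypass "$PASS" \
     -dname "CN=Example Root CA" -ext bc:c -validity 3650
  kt "$CA" -genkeypair -alias int -keyalg RSA -keysize 2048 -keypass "$PASS" \
     -dname "CN=Example Intermediate CA" -validity 3650
  kt "$CA" -certreq -alias int -file "$WORK/int.csr"
  kt "$CA" -gencert -alias root -infile "$WORK/int.csr" -outfile "$WORK/int.crt" \
     -ext bc:c -validity 1825
  kt "$CA" -exportcert -alias root -file "$WORK/root.crt"

  # Server side, step 1: keystore holding the private/public key pair (self-signed cert).
  kt "$KS" -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keypass "$PASS" \
     -dname "CN=www.example.test" -validity 365
  # Step 2: the CSR is the public key plus the identity; this is what goes to the CA.
  kt "$KS" -certreq -alias tomcat -file "$WORK/tomcat.csr"
  # The CA signs the CSR with the intermediate key (GoDaddy's job in the real flow).
  kt "$CA" -gencert -alias int -infile "$WORK/tomcat.csr" \
     -outfile "$WORK/tomcat.crt" -validity 365
  # Step 3: import root and intermediate as trusted certs FIRST, then the reply;
  # keytool rejects the reply unless it can chain it to a cert already in the keystore.
  kt "$KS" -importcert -noprompt -alias root -file "$WORK/root.crt"
  kt "$KS" -importcert -noprompt -alias intermediate -file "$WORK/int.crt"
  kt "$KS" -importcert -noprompt -alias tomcat -file "$WORK/tomcat.crt"
}

# Chain length keytool reports for the server entry: 3 = server, intermediate, root.
chain_length() {
  kt "$KS" -list -v -alias tomcat | sed -n 's/^Certificate chain length: //p'
}

if command -v keytool >/dev/null 2>&1; then
  build_chain >/dev/null
  echo "certificate chain length for alias tomcat: $(chain_length)"
fi
```

If the reply is imported before the intermediate, keytool fails to establish the chain and the server entry keeps its self-signed certificate; `keytool -list -v` then shows a chain length of 1, which is exactly the "no CA" complaint the browser makes.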