I have done the following... (I am running Tomcat 5 on a Windows 2003
Server)
- Recreated the .keystore many different times trying to get one to work...
- Tried different aliases with my domain crt (does the alias matter?)
- Installed the crts in Windows and everthing shows fine there when viewing
the crt.
- Set my config in the server.xml (I have tried SSL and TLS):
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="443" maxHttpHeaderSize="8192" address="192.168.1.190"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="tomcat.keystore"
keystorePass="changeit"/>
- Imported the certificates into my keystore in the following order: root,
intermed, tomcat.
C:\Program Files\Java\jdk1.5.0_05\bin>keytool -list -keystore
tomcat.keystore
Enter keystore password: changeit
Keystore type: jks
Keystore provider: SUN
Your keystore contains 3 entries
root, Nov 13, 2006, trustedCertEntry,
Certificate fingerprint (MD5):
A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
tomcat, Nov 13, 2006, trustedCertEntry,
Certificate fingerprint (MD5):
73:EA:94:A1:38:C8:9A:5D:65:44:7C:C7:65:A7:01:5F
intermed, Nov 13, 2006, trustedCertEntry,
Certificate fingerprint (MD5):
7A:A5:BA:4F:BC:0A:C5:3C:56:E9:50:A0:13:6A:88:A9
C:\Program Files\Java\jdk1.5.0_05\bin>
- When I installed the root crt it said that there was already a system wide
root crt installed, do I want to continue to import it into the keystore
and I said 'yes'.
- All I get is a 'Page cannot be displayed' when trying to access the
browser 'https:'
- If I create a keystore without importing the real crt, then it works, but
just says that the crt it to trusted.
What am I missing? I can't get it to work...
-----Original Message-----
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Saravana Kumar
Sent: Wednesday, November 15, 2006 5:07 AM
To: users@tomcat.apache.org
Subject: Re: Need help w/ installing certificate continued...
Andy Tipton wrote:
> I have read all through the documentation and can't find what I am doing
> wrong. The only thing that I didn't do was the importing of the
> valicert_class2_root.crt file because I wasn't given one when I downloaded
> my certificate. I imported the real one after I imported the intermediate
> crt.
Did you get any error during this step ie., importing intermediate crt after
root?
> So now I have this:
>
> C:\Program Files\Java\jdk1.5.0_05\bin>keytool -list -keystore .keystore
> Enter keystore password: changeit
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 2 entries
>
> tomcat5, Nov 13, 2006, trustedCertEntry,
> Certificate fingerprint (MD5):
> 73:EA:94:A1:38:C8:9A:5D:65:44:7C:C7:65:A7:01:5F
> intermed, Nov 13, 2006, trustedCertEntry,
> Certificate fingerprint (MD5):
> 7A:A5:BA:4F:BC:0A:C5:3C:56:E9:50:A0:13:6A:88:A9
>
> C:\Program Files\Java\jdk1.5.0_05\bin>
>
> Could it have to do with the alias? I am can't figure out what it could
> be.
I am not sure of whether this could be the problem with alias.
> I just get a 'page cannot be displayed' when trying to access it. I have
> been reading, but can't find anywhere that really explains who the
> keystore and certificate relate to each other. if the alias matters.
>
> I really need some help here.
Below are the steps i did in one of my Linux box(must work in windows too).
First i generated tomcat.key & CSR with:
$ keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.key
$ keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore
tomcat.key
Got the certs from our CA(Files sf_issuing.crt & _mydomain.crt). Copied the
CA's intermediate cert to valicert_class2_root.crt
First import the CA's intermediate certificate to root, like this:
$ keytool -import -alias root -keystore tomcat.key -trustcacerts -file
valicert_class2_root.crt
Then import issuing cert to intermed:
$ keytool -import -alias intermed -keystore tomcat.key -trustcacerts -file
sf_issuing.crt
Last is to import your domain's cert to tomcat alias:
$ keytool -import -alias tomcat -keystore tomcat.key -trustcacerts -file
_mydomain.crt
The above steps worked perfectly for me. I had to just point the correct key
file in server.xml and https started working.
Let me know if that helped you out.
Regds,
SK
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
