I'm sending this email because I've spent the last day and a half
putting together the bread crumbs necessary to get a signed key from
Verisign to work with Tomcat.  I never found one place that has all the
necessary information regarding how to deal with Verisign's use of
intermediate keys.  The funny thing is all this stuff is straightforward
(once known).  So here are the steps in one place - in the hopes that it
might help someone in the future.
Step 1:
Our server was not yet using SSL, so we needed to generate a new key and
keystore.

keytool -genkey -alias tomcat -keyalg rsa -keypass secret -storepass secret -keystore keystore.key

This generates a new keystore.  Be sure to use "-keyalg rsa" as the
default algorithm is dsa, and Verisign will not accept dsa.  Also, it's
important to remember the alias, "tomcat" in this case.  When we receive
the signed certificate we'll need to apply it to that alias.  That's how
clients will know that our private key has been "signed".  Be sure to
respond to all the prompts correctly, using the proper FQDN of the
server.  This stuff is well documented - all over the place - so no
point in duplicating it here.
Step 2:
Next we need to generate a certificate signing request.

keytool -certreq -alias tomcat -file keystore.csr -keypass secret -storepass secret -keystore keystore.key

Be sure to use "tomcat" as the alias again so that the correct private
key is referenced.  Send the file "keystore.csr" to Verisign for
signature.  Again, this part is well documented.
Step 3 THIS IS THE TRICKY PART:
The certificate you get back from Verisign is signed using an
intermediate key that needs to be included in your keystore in order to
properly sign your key.  So far as I can tell, that key is not a part of
anything natively included with Java's "cacerts".
 3a) The intermediate key is available at
http://www.verisign.com/support/install2/intermediate.html
 3b) Copy the key from there to your clipboard
 3c) Open the text editor of your choice and paste the contents of that
key to a new document
 3d) Open the certificate Verisign sent you (in response to your
request) in the editor of your choice and copy its contents
 3e) Paste that into the same document as the intermediate key - after
the intermediate key
 3f) Save that document as an all new certificate (I called mine
"signed.cer")
Step 4:
Sign your alias with the certificate you created yourself.

keytool -import -trustcacerts -alias tomcat -file signed.cer -keypass secret -storepass secret -keystore keystore.key

Note that once again we use the same alias.  We need to do this so that
the private key in that alias is "signed", as opposed to just having the
certificates a part of the contents.  Note also that I used the file
"signed.cer" that I created myself to sign the key, NOT the certificate
sent by Verisign.


As I say, I'm sending this in the hopes that it will help someone else
down the road.  :)
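The Step 3 paste-and-save and the check a practitioner would want before the Step 4 import, as an added example that is not part of the original message. It is a small POSIX sh script (the file names intermediate.cer, server.cer and signed.cer are assumptions) that writes the intermediate certificate followed by the certificate Verisign returned, converting CRLF line endings and guaranteeing a newline between the two blocks, then counts the certificate blocks in the result so that a fused or truncated paste shows up before keytool -import.

```shell
#!/bin/sh
# Added example, not from the original post: build the Step 3 chain file from
# two PEM files instead of pasting by hand, then check it before Step 4.
# File names intermediate.cer, server.cer and signed.cer are assumptions.

# Append each file with CR characters stripped; awk re-emits every line with a
# trailing newline, so the END marker of one certificate can never run into
# the BEGIN marker of the next even if a file lacks a final newline.
build_chain() {
    out="$3"
    : > "$out"
    for f in "$1" "$2"; do            # intermediate first, then the server cert
        awk '{ sub(/\r$/, ""); print }' "$f" >> "$out"
    done
}

# Print the number of complete certificate blocks; fail on a dangling BEGIN,
# a stray END, or a line where two markers were fused together.
count_certs() {
    awk '
      /^-----BEGIN CERTIFICATE-----$/ { if (open) bad = 1; open = 1 }
      /^-----END CERTIFICATE-----$/   { if (!open) bad = 1; open = 0; n++ }
      /CERTIFICATE-----.*-----BEGIN/  { bad = 1 }
      END { if (open || bad) exit 1; print n + 0 }' "$1"
}

# Demo with constructed placeholder bodies (not real certificates). The
# intermediate file has CRLF endings and no final newline, which is what a
# clipboard paste from a browser often produces.
demo() {
    dir=$(mktemp -d)
    printf '%s\r\n%s\r\n%s' '-----BEGIN CERTIFICATE-----' \
        'PLACEHOLDER-INTERMEDIATE' '-----END CERTIFICATE-----' > "$dir/intermediate.cer"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
        'PLACEHOLDER-SERVER' '-----END CERTIFICATE-----' > "$dir/server.cer"
    build_chain "$dir/intermediate.cer" "$dir/server.cer" "$dir/signed.cer"
    n=$(count_certs "$dir/signed.cer")          # expected: 2
    first=$(awk 'NR == 2' "$dir/signed.cer")    # body of the first block
    rm -rf "$dir"
    echo "$n $first"                            # prints: 2 PLACEHOLDER-INTERMEDIATE
}
```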


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org