Thanks for your continuing endeavors to help me, Chris.

I'm pointing tomcat to a safe keystore file, not the system keystore or any particular keystore. So, I don't have to worry about the keystore getting overwritten when I upgrade. Also, just by changing JAVA_HOME, I can start up tomcat with Java 1.5 and watch everything work, then shut it down and start it up in 1.6 and see this niggling issue in Firefox.

I also tried, btw, regenerating the keystore from the private key and the certificate using the 1.6 version keytool. This new keystore works with 1.5 java but has the same problem with Firefox when I start up Tomcat with Java 1.6.

<shrug>

Christopher Schultz wrote:

Nada,

On 10/6/2009 4:51 PM, Nada O'Neal wrote:
I don't have an EV cert, it's just a standard cert signed by Equifax. I
have similar certs working on other servers. Again, it's the upgrade
from one java to another that seems to cause the problem - running java
1.5, I don't have this issue.

If you've recently upgraded, then any changes you made to the "system"
keystore may have been lost (which I think is a foolish thing to do, but
it looks like each version of the JRE gets its own keystore, and
upgrades don't merge or anything like that).

$ keytool -list -keystore /path/to/keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Sep 29, 2009, trustedCertEntry,
Certificate fingerprint (MD5): [...]
tomcat, Sep 29, 2009, PrivateKeyEntry,
Certificate fingerprint (MD5): [...]

... is this wrong?

I'm not sure. That depends on whether this is /your/ keystore or the JRE's
keystore. It also depends on what the details of those certs are: do any
of them have to do with Equifax?

All you really need is:

1. Equifax CA cert in your keystore
2. Any Equifax intermediate certificates in your keystore
3. Your own certificate in your keystore
4. The web browser has to trust either #1 or #2

I'm not altogether clear if it all has to be the same keystore: I think
that the JCE reads the system one no matter what, which should include
anything Equifax has at the top-level. You may have to import their
intermediate cert into your own keystore (or into the system one, again,
if you upgraded).

There's nothing you can do about #4 above, except that if the browser
trusts, say, #1, but you aren't providing the certificate chain between
#3 and #1 (via #2), then you'll get this error from the client.

I hope that helps,
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
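Added example (not code from either message in this thread): the checks behind Chris's four-point list, done offline with openssl so it can be run without a server. It builds a throw-away root, intermediate and server certificate, packs the server key into two PKCS12 keystores (Tomcat reads these with keystoreType="PKCS12"), one whose key entry carries the intermediate and one that does not, and then verifies what each keystore would present against a trust store holding only the root, which is the position of a browser that trusts the CA but has never seen the intermediate. The CA names, the "tomcat" alias and the password "changeit" are made up for the demo. The point is that a JSSE server sends the certificate chain stored with the PrivateKeyEntry; a CA certificate kept in the same keystore (or in the JRE's cacerts) as a separate trustedCertEntry is not sent, so a one-certificate PrivateKeyEntry next to an intermediate imported as a trustedCertEntry still produces the client-side error described above.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throw-away root -> intermediate ->
# server chain with openssl, packs the server key into two PKCS12 keystores (one with
# the intermediate in the key entry's chain, one without) and checks each the way a
# browser that trusts only the root would. CA names, the "tomcat" alias and the
# "changeit" password are invented for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: self-signed root, intermediate signed by the root, server
# cert signed by the intermediate. Extensions are set explicitly so the intermediate
# is a real CA and the server cert is not.
make_chain() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' >"$dir/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1825 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 365 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# build_keystore KEY LEAF OUT [EXTRA_CERTS]: a PKCS12 keystore. Certificates given as
# EXTRA_CERTS become part of the key entry's chain, which is what a JSSE server sends
# to clients; CA certs stored as separate trusted entries are not sent.
build_keystore() {
    if [ $# -ge 4 ]; then
        openssl pkcs12 -export -name tomcat -inkey "$1" -in "$2" -certfile "$4" \
            -out "$3" -passout pass:changeit
    else
        openssl pkcs12 -export -name tomcat -inkey "$1" -in "$2" \
            -out "$3" -passout pass:changeit
    fi
}

# presented_chain KEYSTORE OUT_PEM: dump the certificates held in the keystore, i.e.
# what the server would present in the handshake.
presented_chain() {
    openssl pkcs12 -in "$1" -nokeys -passin pass:changeit -out "$2" 2>/dev/null
}

# count_certs PEM: number of certificates in a bundle.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# chain_ok ROOT LEAF PRESENTED: returns 0 if a client that trusts only ROOT can build
# a path to LEAF from the certificates the server PRESENTED, 1 otherwise (the
# "unknown issuer" case when the intermediate is missing).
chain_ok() {
    if openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

make_chain "$WORK"
build_keystore "$WORK/leaf.key" "$WORK/leaf.pem" "$WORK/noint.p12"
build_keystore "$WORK/leaf.key" "$WORK/leaf.pem" "$WORK/withint.p12" "$WORK/int.pem"
presented_chain "$WORK/noint.p12" "$WORK/noint.pem"
presented_chain "$WORK/withint.p12" "$WORK/withint.pem"

for ks in noint withint; do
    n=$(count_certs "$WORK/$ks.pem")
    if chain_ok "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/$ks.pem"; then
        echo "$ks.p12: presents $n cert(s); client trusting only the root: OK"
    else
        echo "$ks.p12: presents $n cert(s); client trusting only the root: FAILS"
    fi
done

# The same two checks against a real Tomcat (commands shown, not run here):
#   keytool -list -v -keystore /path/to/keystore -alias tomcat | grep 'Certificate chain length'
#   openssl s_client -connect host:443 -showcerts </dev/null 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
# A chain length of 1 for a CA-signed certificate means the intermediate has to be
# imported under the key's alias (as a certificate reply), not as its own trusted entry.
```

Running it prints one line per keystore: the one-certificate keystore fails verification against the root-only trust store, the two-certificate keystore passes. Only the chain attached to the key entry matters here; adding the root or the intermediate to the keystore as a trustedCertEntry changes nothing a client can see.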