Hi Sal,

Thanks for the response. I believe there was a bug or issue which caused us
to use TLSv1 instead of just "TLS" for the setting. At any rate, this
setting has not been an issue in the past, and I can verify that it
strictly enforces TLS (which is our requirement -- we don't want it to be
able to fall back to SSL). I'll verify that it still works upon removing the
v1, and if it does I'll keep it like that. Thanks for the heads up!

*An update:*

Leaving the old intermediate CA & old certificate, I added the new
intermediate CAs and the new certificate with an alias of "tomcat2". I added
'keyAlias="tomcat2"' to my connector to specify the name.

The result at this point was good news / bad news -- Tomcat didn't spiral
out of control, but the site was inaccessible.

When changing the specified alias back to tomcat, at least I could bring the
site back up, even with the other certs in the keystore. Previously I'd been
unable to get it to do that.


--
Sean


On Mon, Feb 14, 2011 at 11:20 PM, Crypto Sal <crypto....@gmail.com> wrote:

> Hi Sean,
>
> Have you tried to specify just "TLS" or "SSL" for the sslProtocol? You
> presently have this set at "TLSv1", which I do not believe is valid.
>
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
>
> --Sal
>
>
>
> On 02/14/2011 02:46 PM, Sean Killeen wrote:
>
>> It doesn't -- it tells me that a certificate already exists with that
>> alias, and the import fails.
>>
>> --
>> Sean
>>
>>
>> On Mon, Feb 14, 2011 at 12:54 PM, Mark Thomas <ma...@apache.org> wrote:
>>
>>> On 14/02/2011 14:03, Sean Killeen wrote:
>>>
>>>> The next step seems to throw tomcat off. I believe I need to replace the
>>>> "tomcat" alias certificate. Barring a replace function in keytool (which I
>>>> don't think exists, though I could be wrong), I think this means I have to
>>>> delete the old "tomcat" certificate and replace it with the new one.
>>>>
>>> That will delete the key. I'm fairly sure you can just import the new
>>> certificate and it will replace the old one.
>>>
>>> Mark
>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>>
>>>
>
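
An added example, not part of the thread: a connector's keyAlias has to name a keystore entry that holds a private key, and `keytool -list` prints the entry type of every alias. The shell functions below parse such a listing; the sample listing is constructed (not taken from the poster's keystore) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check whether an alias in a `keytool -list` listing is a
# PrivateKeyEntry (usable as keyAlias) or only a trustedCertEntry.

# Constructed sample listing; dates and fingerprints are placeholders.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

intermediate, Feb 14, 2011, trustedCertEntry,
Certificate fingerprint (MD5): <placeholder>
tomcat, Feb 10, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): <placeholder>
tomcat2, Feb 14, 2011, trustedCertEntry,
Certificate fingerprint (MD5): <placeholder>'

# entry_type ALIAS: read a keytool listing on stdin and print the entry type
# recorded for ALIAS, or "missing". keytool stores aliases in lower case.
entry_type() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v want="$want" -F', *' '
        # Entry lines look like: alias, <date>, <EntryType>,
        /Entry, *$/ && tolower($1) == want { type = $(NF - 1); exit }
        END { if (type == "") print "missing"; else print type }'
}

# check_key_alias ALIAS: exit 0 only if ALIAS holds a private key.
check_key_alias() {
    t=$(entry_type "$1")
    case "$t" in
        PrivateKeyEntry)
            echo "$1: PrivateKeyEntry, usable as keyAlias"; return 0 ;;
        missing)
            echo "$1: no such alias in the keystore"; return 2 ;;
        *)
            echo "$1: $t, no private key, not usable as keyAlias"; return 1 ;;
    esac
}

# Demo on the constructed listing. Against a real keystore (path is a
# placeholder): keytool -list -keystore /path/to/keystore | check_key_alias tomcat2
for a in tomcat tomcat2; do
    printf '%s\n' "$SAMPLE_LISTING" | check_key_alias "$a" || true
done
```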
