tomcat-users mailing list archives

From "Mike Spreitzer" <mspre...@us.ibm.com>
Subject Re: Tomcat SSL & Equifax
Date Mon, 02 Apr 2001 22:03:55 GMT
I won't call it "stupid", but you are still doing something wrong.  In a 
little greater detail, here are instructions I wrote for the procedure I 
use (with Tomcat 3.2.1 and IBM JDK 1.3 currently):

In response to a Certificate Signing Request, EquifaxSecure sends a mail 
message containing two "certificates".  The first asserts the key binding 
requested, and is signed by EquifaxSecure.  The second is actually a chain 
of two certificates: one asserts EquifaxSecure's key and is signed by 
Thawte, and the other is a self-signed certificate of Thawte's.
I first tried `keytool -import` on the web server's certificate.  This 
led to a complaint about keytool not being able to establish trust in the 
certificate.  I fixed this by: (1) using `keytool` to load, as a "new 
trusted certificate", the certificate-that's-actually-a-chain into 
$JAVA_HOME/jre/lib/security/cacerts on the web server machine, and (2) 
adding the "-trustcacerts" flag to the `keytool -import` of the web 
server's certificate.  After that, `keytool -list` shows a chain of three 
certificates associated with the "tomcat" alias.  Upon restarting Tomcat, 
I find that Netscape 4.75 and IE 5 on my Win 2K laptop both recognize the 
web site as secure without pestering the user --- provided there is only 
one key entry in the keystore used by Tomcat (when there is more than one 
key entry, Tomcat seems to pick one at random to use as the server's 
SSL/TLS identity).

I hope this helps.
Mike

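Added example, not part of the original message: a POSIX shell version of the two-step keytool procedure described above, plus a check for the closing caveat (the keystore Tomcat reads must hold exactly one key entry). File names, the `equifax-chain` alias, the password variables and the sample listing are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Reproduces the two keytool
# steps from the mail and checks that the Tomcat keystore holds a single
# key entry. File names, aliases and passwords are assumptions.
set -e

KEYSTORE="${KEYSTORE:-$HOME/.keystore}"   # keystore Tomcat is configured to read
ALIAS="tomcat"                            # alias that holds the server key

# Step 1: load the CA "certificate that is actually a chain" into cacerts as
# a trusted certificate. Step 2: import the server certificate with
# -trustcacerts so keytool can build the three-certificate chain.
import_server_cert() {
    cacerts="${JAVA_HOME:?set JAVA_HOME}/jre/lib/security/cacerts"
    keytool -import -alias equifax-chain -file ca-chain.crt \
        -keystore "$cacerts" -storepass "${CACERTS_PASS:-changeit}" -noprompt
    keytool -import -trustcacerts -alias "$ALIAS" -file server.crt \
        -keystore "$KEYSTORE" -storepass "${STORE_PASS:?set STORE_PASS}"
}

# Count key entries in a `keytool -list` listing read from stdin.
# Old keytool prints "keyEntry", newer releases print "PrivateKeyEntry";
# trusted CA entries ("trustedCertEntry") are not counted.
count_key_entries() {
    grep -c -E ',[[:space:]]*(PrivateKeyEntry|keyEntry),' || true
}

# Run the check against a real keystore (needs keytool on PATH).
check_keystore() {
    keytool -list -keystore "$1" -storepass "$2" | count_key_entries
}

# Constructed sample listing: two key entries plus the imported CA chain,
# i.e. the situation the mail warns about.
SAMPLE_LISTING='Your keystore contains 3 entries

tomcat, Apr 2, 2001, keyEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
oldserver, Mar 1, 2001, PrivateKeyEntry,
Certificate fingerprint (MD5): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
equifax-chain, Apr 2, 2001, trustedCertEntry,
Certificate fingerprint (MD5): 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF'

n=$(printf '%s\n' "$SAMPLE_LISTING" | count_key_entries)
[ "$n" -eq 1 ] || echo "warning: $n key entries; Tomcat may serve either identity" >&2
```

Call `import_server_cert` once with `JAVA_HOME` and `STORE_PASS` set, then `check_keystore "$KEYSTORE" "$STORE_PASS"` should print `1` before restarting Tomcat.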