tomcat-users mailing list archives

From "KUMAR,PANKAJ (HP-Cupertino,ex1)" <>
Subject RE: Openssl
Date Thu, 23 May 2002 17:38:41 GMT
You can do this in one of the two ways:

A. Use keytool to generate certificate signing request and openssl to sign
   1. Generate key-pair using keytool ( -genkey operation )
   2. Generate Certificate Signing Request or CSR ( -certreq )
   3. Sign CSR with openssl ( ca operation in openssl )
   4. Import openssl CA certificate into keystore specified in step 1.
      to use a different alias than in step 1.
   5. Import the signed certificate ( generated by step 3 ) into the
      Remember to use the same alias as in step 1.
   6. Remove the CA certificate entry from the keystore.

Without step 4, step 5 will fail ( as keytool cannot form a certificate
chain ). Without step 6, there is a possibility that tomcat might present the
wrong certificate to the client ( as JSSE uses the first certificate it
finds in the keystore, using an order determined by a hash function ).

B. Create a PKCS8 certificate ( or certificate chain ) and import it in a
    -- steps left as an exercise.

Note: If you find the steps a bit complicated and hard to get right, you are
not alone :). I spent many frustrating hours to get it right. But you get an
I do have plans to document these but have not been able to find time.

Pankaj Kumar
Web Services Architect
HP Middleware

> -----Original Message-----
> From: Lee Chin Khiong []
> Sent: Wednesday, May 22, 2002 10:21 PM
> To: ''
> Subject: Openssl
> Does anyone know how to generate cert using openssl and apply to tomcat
> instead of keytool ?
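
Steps A.1 to A.6 of the reply above as a shell script (an added example, not part of the original message or of Tomcat's documentation). The throwaway CA, the aliases, file names, subject names and the changeit password are constructed for the demo; keytool and openssl are assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: steps A.1-A.6 against a throwaway CA.
# Aliases, file names, subject names and the password are constructed for the demo.
make_tomcat_keystore() (
    set -e
    dir=$1; ks=$dir/tomcat.keystore; pass=changeit
    mkdir -p "$dir/newcerts"; : > "$dir/index.txt"; echo 01 > "$dir/serial"
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
    # Stand-in for an existing openssl CA: self-signed CA key and certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt"
    # 1. Key pair in the keystore (-genkeypair is the current name of -genkey).
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -dname "CN=localhost" \
        -keystore "$ks" -storepass "$pass" -keypass "$pass"
    # 2. CSR for that key.
    keytool -certreq -alias tomcat -file "$dir/tomcat.csr" -keystore "$ks" -storepass "$pass"
    # 3. Sign the CSR with the openssl ca operation.
    openssl ca -batch -notext -config "$dir/ca.cnf" -cert "$dir/ca.crt" \
        -keyfile "$dir/ca.key" -in "$dir/tomcat.csr" -out "$dir/tomcat.crt"
    # 4. CA certificate under a different alias, so keytool can build the chain.
    keytool -importcert -noprompt -alias demo-ca -file "$dir/ca.crt" -keystore "$ks" -storepass "$pass"
    # 5. Signed certificate under the same alias as the key pair.
    keytool -importcert -noprompt -alias tomcat -file "$dir/tomcat.crt" -keystore "$ks" -storepass "$pass"
    # 6. Remove the CA entry; the chain is already stored with the key entry.
    keytool -delete -alias demo-ca -keystore "$ks" -storepass "$pass"
)
# Number of certificates stored under an alias: chain_length KEYSTORE ALIAS
chain_length() { keytool -list -rfc -alias "$2" -keystore "$1" -storepass changeit 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }
```

After the run, chain_length on the tomcat alias reports 2 (server certificate plus CA certificate) and the demo-ca alias no longer exists, which is the state steps 5 and 6 aim for.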
