tomcat-users mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: SSL/Verisign Confusion
Date Fri, 05 Sep 2003 06:17:55 GMT

"Dave Wood" <dave@woodtopia.org> wrote in message
news:EBEBKKMEAECJFOHFOLHLIELNCIAA.dave@woodtopia.org...
> Thanks Bill.  I think this highlights something I'm really not
> understanding...
>
> Didn't I generate an important "private key" somewhere along the line that I
> can't just regenerate if I blow away my keystore?  I assumed the certificate
> I got back from verisign would only work if I still had the original private
> key I generated before sending them my request.  Is that wrong?
>

Of course you need your original private key.  A lapse on my part, since I
always use openssl to generate the CSR for VS :(.  If you used keytool to
generate the PK, then you'll have to extract it first.

> (I'll take a look at the link you sent...at first glance, it looks a little
> hard to follow, but hopefully not).
>
> Thanks again.
>
> Dave
>
> -----Original Message-----
> From: news [mailto:news@sea.gmane.org]On Behalf Of Bill Barker
> Sent: Thursday, September 04, 2003 11:06 PM
> To: tomcat-user@jakarta.apache.org
> Subject: Re: SSL/Verisign Confusion
>
>
> Firstly, it looks like you should wipe your keystore and start again.  To use
> a VS cert with Tomcat, the two options I know are:
> 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm.
> 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and
> use that as your keystore (remember to set 'keystoreType="pkcs12"' on the
> Factory in server.xml).
>
>
> "Dave Wood" <dave@woodtopia.org> wrote in message
> news:EBEBKKMEAECJFOHFOLHLIELKCIAA.dave@woodtopia.org...
> > I'm having a problem getting an SSL certificate from Verisign working
> > correctly.  I'm going to include everything I can think of that MIGHT be a
> > problem.  Unfortunately, there are a couple things I can't quite remember
> > for certain.  Here's the situation:
> >
> > 1. I generated the initial key using an alias other than "tomcat" (we'll
> > call it "company")
> > 2. I generated the CSR and sent it to verisign.  I still have this file.
> > 3. Verisign changed the company name during the verification process (from
> > an acronym to the full spelling of the name)
> > 4. I now have the certificate that they sent back after the validation
> > process.
> > 5. One thing I can't account for is why when I see this:
> >
> > $ keytool -list
> >
> > Keystore type: jks
> > Keystore provider: SUN
> >
> > Your keystore contains 4 entries: (...others removed...)
> >
> > company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry,
> > Certificate fingerprint (MD5):
> > 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really
> > 0's)
> >
> > ...I think I must have self-signed or something (I was doing a couple of
> > these things and don't recall exactly), but I'm surprised to see
> > "trustedCertEntry" here.
> >
> > The problem I'm having is this:
> >
> > $ keytool -import -trustcacerts -alias company -file public.crt
> > Enter keystore password: xxx
> > keytool error: java.lang.Exception: Certificate not imported, alias
> > <company> already exists
> >
> > (but I'm thinking it should be REPLACING this entry, so the fact that it
> > exists shouldn't be a problem???)
> >
> > So, I have several questions:
> >
> > 1. Am I hosed completely because I didn't use "tomcat" as the alias?
> > 2. How does the private key get stored exactly?  I assume that if I delete
> > the current entry for the "company" alias, I'll be losing the private key,
> > right?
> > 3. Can someone provide steps I should take to get this working given what I
> > have said above.
> >
> > Thanks so much in advance.  Sorry to be so long-winded.
> >
> > -Dave

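Added example (not part of either poster's messages): a shell sketch of option 2 from the thread that first confirms the issued certificate carries the same public key as the original private key, then bundles both into a PKCS#12 file. The file names, the default `tomcat` alias, the `KEYSTORE_PASS` variable and the self-signed stand-in certificate are assumptions, and the private key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.

# Succeeds only if the certificate's public key equals the private key's.
# Usage: cert_matches_key CERT.pem KEY.pem  (key assumed unencrypted)
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Bundle cert + key into a PKCS#12 keystore, refusing a mismatched pair.
# Usage: make_pkcs12 CERT.pem KEY.pem OUT.p12 [ALIAS]
# The export password is read from the KEYSTORE_PASS environment variable
# (hypothetical name) so it does not appear in the process list.
make_pkcs12() {
    cert_matches_key "$1" "$2" || {
        echo "certificate and private key do not match" >&2
        return 1
    }
    (
        umask 077   # keystore holds the private key: owner-only permissions
        openssl pkcs12 -export -in "$1" -inkey "$2" -name "${4:-tomcat}" \
            -out "$3" -passout env:KEYSTORE_PASS
    )
}

# Constructed sample material: a throwaway key with a self-signed certificate
# standing in for the CA-issued one, plus an unrelated second key.
make_demo_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo.example.test" \
        -keyout "$1/site.key" -out "$1/site.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d) && make_demo_material "$dir" || exit 1
    KEYSTORE_PASS=changeit; export KEYSTORE_PASS
    cert_matches_key "$dir/site.crt" "$dir/other.key" || echo "other.key: mismatch"
    make_pkcs12 "$dir/site.crt" "$dir/site.key" "$dir/keystore.p12" &&
        echo "wrote $dir/keystore.p12"
fi
```

Run with the argument `demo` to exercise it on the constructed material. For Tomcat, the resulting file is used as the keystore with 'keystoreType="pkcs12"' set, as the second option in the thread describes.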


