Return-Path:
Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-user@jakarta.apache.org
Received: (qmail 575 invoked from network); 5 Sep 2003 13:13:51 -0000
Received: from unknown (HELO mta5.wss.scd.yahoo.com) (66.218.85.36) by daedalus.apache.org with SMTP; 5 Sep 2003 13:13:51 -0000
Received: from jgarala (65.88.185.3) by mta5.wss.scd.yahoo.com (7.0.016) (authenticated as jay@electrosoft-inc.com) id 3F5822E200023ED9 for tomcat-user@jakarta.apache.org; Fri, 5 Sep 2003 06:11:05 -0700
From: "Jay Garala"
To: "'Tomcat Users List'"
Subject: RE: SSL/Verisign Confusion
Date: Fri, 5 Sep 2003 09:11:33 -0400
Organization: Electrosoft Services
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
In-Reply-To:
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

Try the Java keytool help:
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Tomcat how-to:
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html

If you have OpenSSL:
http://forum.java.sun.com/thread.jsp?forum=2&thread=4240

Jay

-----Original Message-----
From: Dave Wood [mailto:dave@woodtopia.org]
Sent: Friday, September 05, 2003 1:04 AM
To: Tomcat Users List
Subject: RE: SSL/Verisign Confusion

Thanks Bill. I think this highlights something I'm really not understanding... Didn't I generate an important "private key" somewhere along the line that I can't just regenerate if I blow away my keystore? I assumed the certificate I got back from verisign would only work if I still had the original private key I generated before sending them my request. Is that wrong?

(I'll take a look at the link you sent...at first glance, it looks a little hard to follow, but hopefully not).

Thanks again.
Dave

-----Original Message-----
From: news [mailto:news@sea.gmane.org] On Behalf Of Bill Barker
Sent: Thursday, September 04, 2003 11:06 PM
To: tomcat-user@jakarta.apache.org
Subject: Re: SSL/Verisign Confusion

Firstly, it looks like you should wipe your keystore and start again. To use a VS cert with Tomcat, the two options I know are:
1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm.
2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and use that as your keystore (remember to set 'keystoreType="pkcs12"' on the Factory in server.xml).

"Dave Wood" wrote in message news:EBEBKKMEAECJFOHFOLHLIELKCIAA.dave@woodtopia.org...
> I'm having a problem getting an SSL certificate from Verisign working
> correctly. I'm going to include everything I can think of that MIGHT be a
> problem. Unfortunately, there are a couple things I can't quite remember
> for certain. Here's the situation:
>
> 1. I generated the initial key using an alias other than "tomcat" (we'll
> call it "company")
> 2. I generated the CSR and sent it to verisign. I still have this file.
> 3. Verisign changed the company name during the verification process (from
> an acronym to the full spelling of the name)
> 4. I now have the certificate that they sent back after the validation
> process.
> 5. One thing I can't account for is why when I see this:
>
> $ keytool -list
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 4 entries: (...others removed...)
>
> company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry,
> Certificate fingerprint (MD5):
> 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really
> 0's)
>
> ...I think I must have self-signed or something (I was doing a couple of
> these things and don't recall exactly), but I'm surprised to see
> "trustedCertEntry" here.
>
> The problem I'm having is this:
>
> $ keytool -import -trustcacerts -alias company -file public.crt
> Enter keystore password: xxx
> keytool error: java.lang.Exception: Certificate not imported, alias
> already exists
>
> (but I'm thinking it should be REPLACING this entry, so the fact that it
> exists shouldn't be a problem???)
>
> So, I have several questions:
>
> 1. Am I hosed completely because I didn't use "tomcat" as the alias?
> 2. How does the private key get stored exactly? I assume that if I delete
> the current entry for the "company" alias, I'll be losing the private key,
> right?
> 3. Can someone provide steps I should take to get this working given what I
> have said above.
>
> Thanks so much in advance. Sorry to be so long-winded.
>
> -Dave
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
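The thread turns on one keytool detail that none of the replies spells out: `keytool -genkey` stores the private key and its self-signed certificate together under one alias as a key entry (printed as `keyEntry` by JDK 1.4 and as `PrivateKeyEntry` by later JDKs), and `keytool -import` into that same alias treats the file as a CA reply and replaces the self-signed certificate while keeping the key. An alias listed as `trustedCertEntry`, like the `company` entry in the listing above, holds a certificate only, no private key, which is exactly why the import fails with "alias already exists" and why a CA-issued certificate can never be paired with it. The script below is an added example, not code from the thread or the Tomcat project: it parses a `keytool -list` listing to tell the two entry kinds apart, and wraps the key-pair, CSR and CA-reply steps in the order that keeps the key and certificate together. The keystore path `company.jks`, the password `changeit`, the distinguished name and the sample listing are constructed for the example; `public.crt` is the reply file name from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): tell a key entry from a trusted-cert
# entry in `keytool -list` output, and run the keytool steps in an order that
# keeps the private key paired with the CA-issued certificate.

# Constructed sample of `keytool -list` output. Alias "company" mirrors the
# thread's listing (certificate only); alias "tomcat" holds a key pair.
SAMPLE_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries:

company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry,
Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
tomcat, Fri Aug 22 09:00:00 MDT 2003, keyEntry,
Certificate fingerprint (MD5): 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11'

# entry_type LISTING ALIAS
# Prints the entry kind recorded for ALIAS (keyEntry, PrivateKeyEntry,
# trustedCertEntry, ...) or "missing" when the alias is not in the listing.
entry_type() {
  printf '%s\n' "$1" | awk -F',' -v alias="$2" '
    $1 == alias { t = $3; gsub(/^ +| +$/, "", t); print t; found = 1 }
    END { if (!found) print "missing" }'
}

# has_private_key LISTING ALIAS
# Succeeds only when the alias can accept a CA reply, i.e. it holds a key pair.
# JDK 1.4 prints keyEntry, later JDKs print PrivateKeyEntry.
has_private_key() {
  case "$(entry_type "$1" "$2")" in
    keyEntry|PrivateKeyEntry) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed values for the workflow; keytool is only invoked if a JDK is on PATH.
KS=company.jks
PASS=changeit

demo_keytool_workflow() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found; skipping"; return 0; }
  rm -f "$KS"
  # 1. Key pair plus self-signed certificate, stored together under the alias
  #    Tomcat will be pointed at. This is the only place the private key lives.
  keytool -genkey -alias company -keyalg RSA -keystore "$KS" \
    -storepass "$PASS" -keypass "$PASS" -dname "CN=www.example.com, O=Example, C=US"
  # 2. CSR for the CA. The request carries the public key only; the private
  #    key stays in the keystore, so the keystore must not be deleted afterwards.
  keytool -certreq -alias company -keystore "$KS" -storepass "$PASS" -file company.csr
  # 3. Before installing the CA reply, confirm the alias still holds the key pair.
  listing=$(keytool -list -keystore "$KS" -storepass "$PASS")
  if ! has_private_key "$listing" company; then
    echo "alias 'company' holds no private key; a CA reply cannot be installed into it" >&2
    return 1
  fi
  # 4. Install the CA reply into the SAME alias. Because the alias is a key
  #    entry, keytool replaces the self-signed certificate instead of failing
  #    with "alias already exists". (Commented out: public.crt is the CA's reply.)
  # keytool -import -trustcacerts -alias company -keystore "$KS" -storepass "$PASS" -file public.crt
  echo "key pair ready under alias 'company'; import the CA reply into that alias"
}

case "${1:-}" in
  run) demo_keytool_workflow ;;
  *)   printf "company alias in sample listing: %s\n" "$(entry_type "$SAMPLE_LISTING" company)" ;;
esac
```

Run with `sh script.sh run` to execute the keytool steps; without an argument it only classifies the constructed listing. A `trustedCertEntry` result for the alias you generated the CSR from means the private key is gone from that keystore (or was never there), and no CA-issued certificate will pair with it; the remedy is the one Bill gives, starting over or importing the original key and certificate together from a PKCS12 file.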