Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: SSL/Verisign Confusion
Date: Fri, 5 Sep 2003 09:13:00 -0700
Message-ID: <EA2F826214B88F4F93BC97ACB47386A47B4C79@act-exchange.ucsd.edu>
Thread-Topic: SSL/Verisign Confusion
Thread-Index: AcNzv6wH6guEsYthTf+3SK8ocFKSogACOOJg
From: "Lawrence, Gabriel" <glawrence@ucsd.edu>
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>

I'm working on a tool to pull out the private key. It should be done by
the end of the day. I will send something to the list when I have it
finished. Kind of funny how just as I'm getting around to a project that
has been on my plate all week someone else needs it too ;-)

-gabe

-----Original Message-----
From: Dave Wood [mailto:dave@woodtopia.org]=20
Sent: Friday, September 05, 2003 8:07 AM
To: Tomcat Users List
Subject: RE: SSL/Verisign Confusion

I realize you can't do this with keytool.  Is there no way to do it at
all?

I'm beginning to think I might be totally hosed here.

Thanks,
Dave

-----Original Message-----
From: Jay Garala [mailto:jay@electrosoft-inc.com]
Sent: Friday, September 05, 2003 8:37 AM
To: 'Tomcat Users List'
Subject: RE: SSL/Verisign Confusion


NOTE: You cannot export private key from keystore.

-----Original Message-----
From: Dave Wood [mailto:dave@woodtopia.org]
Sent: Friday, September 05, 2003 10:32 AM
To: Tomcat Users List
Subject: RE: SSL/Verisign Confusion

Thanks.  With the exception of the openssl doc, I've been over these
quite a
bit.  The result is the problem I've mentioned where keytool says it
can't
import my certificate because the alias already exists.

After some help I got last night, I think the question boils down to
this:

* once I have extracted my private key from keytool (haven't done this
yet),
how do I take that key, the VeriSign intermediate certificate and my
public
key certificate and get them to play together.  I'm hoping the openssl
stuff
will take care of this, because keytool doesn't really seem to recognize
private keys as things that you can work with directly.

Thanks again,
Dave

-----Original Message-----
From: Jay Garala [mailto:jay@electrosoft-inc.com]
Sent: Friday, September 05, 2003 7:12 AM
To: 'Tomcat Users List'
Subject: RE: SSL/Verisign Confusion


Try the Java keytool help:
 http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Tomcat how-to:
 http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html

If you have OpenSSL:
 http://forum.java.sun.com/thread.jsp?forum=3D2&thread=3D4240

Jay
-----Original Message-----
From: Dave Wood [mailto:dave@woodtopia.org]
Sent: Friday, September 05, 2003 1:04 AM
To: Tomcat Users List
Subject: RE: SSL/Verisign Confusion

Thanks Bill.  I think this highlights something I'm really not
understanding...

Didn't I generate an important "private key" somewhere along the line
that I
can't just regenerate if I blow away my keystore?  I assumed the
certificate
I got back from verisign would only work if I still had the original
private
key I generated before sending them my request.  Is that wrong?

(I'll take a look at the link you sent...at first glance, it looks a
little
hard to follow, but hopefully not).

Thanks again.

Dave

-----Original Message-----
From: news [mailto:news@sea.gmane.org]On Behalf Of Bill Barker
Sent: Thursday, September 04, 2003 11:06 PM
To: tomcat-user@jakarta.apache.org
Subject: Re: SSL/Verisign Confusion


Firstly, it looks like you should wipe you keystore and start again.  To
use
a VS cert with Tomcat, the two options I know are:
1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm.
2) Using openssl or otherwise, convert your cert+key to a pkcs12 file,
and
use that as your keystore (remember to set 'keystoreType=3D"pkcs12"' on
the
Factory in server.xml).


"Dave Wood" <dave@woodtopia.org> wrote in message
news:EBEBKKMEAECJFOHFOLHLIELKCIAA.dave@woodtopia.org...
> I'm having a problem getting an SSL certificate from Verisign working
> correctly.  I'm going to include everything I can think of that MIGHT
be a
> problem.  Unfortunately, there are a couple things I can't quite
remember
> for certain.  Here's the situation:
>
> 1. I generated the initial key using an alias other than "tomcat"
(we'll
> call it "company")
> 2. I generated the CSR and sent it to verisign.  I still have this
file.
> 3. Verisign changed the company name during the verification process
(from
> an acronym to the full spelling of the name)
> 4. I now have the certificate that they sent back after the validation
> process.
> 5. One thing I can't account for is why when I see this:
>
> $ keytool -list
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 4 entries: (...others removed...)
>
> company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry,
> Certificate fingerprint (MD5):
> 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't
really
> 0's)
>
> ...I think I must have self-signed or something (I was doing a couple
of
> these things and don't recall exactly), but I'm surprised to see
> "trustedCertEntry" here.
>
> The problem I'm having is this:
>
> $ keytool -import -trustcacerts -alias company -file public.crt
> Enter keystore password: xxx
> keytool error: java.lang.Exception: Certificate not imported, alias
> <company> already exists
>
> (but I'm thinking it should be REPLACING this entry, so the fact that
it
> exists shouldn't be a problem???)
>
> So, I have several questions:
>
> 1. Am I hosed completely because I didn't use "tomcat" as the alias?
> 2. How does the private key get stored exactly?  I assume that if I
delete
> the current entry for the "company" alias, I'll be losing the private
key,
> right?
> 3. Can someone provide steps I should take to get this working given
what
I
> have said above.
>
> Thanks so much in advance.  Sorry to be so long-winded.
>
> -Dave
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org