Delivered-To: mailing list tomcat-user@jakarta.apache.org
From: "Dave Wood"
To: "Tomcat Email List"
Subject: SSL/Verisign Confusion
Date: Thu, 4 Sep 2003 21:11:32 -0600

I'm having a problem getting an SSL certificate from Verisign working correctly. I'm going to include everything I can think of that MIGHT be a problem. Unfortunately, there are a couple things I can't quite remember for certain.

Here's the situation:

1. I generated the initial key using an alias other than "tomcat" (we'll call it "company")

2. I generated the CSR and sent it to Verisign. I still have this file.

3. Verisign changed the company name during the verification process (from an acronym to the full spelling of the name)

4. I now have the certificate that they sent back after the validation process.

5. One thing I can't account for is why when I see this:

    $ keytool -list
    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 4 entries:

    (...others removed...)
    company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry,
    Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

(the numbers aren't really 0's)

...I think I must have self-signed or something (I was doing a couple of these things and don't recall exactly), but I'm surprised to see "trustedCertEntry" here.

The problem I'm having is this:

    $ keytool -import -trustcacerts -alias company -file public.crt
    Enter keystore password: xxx
    keytool error: java.lang.Exception: Certificate not imported, alias already exists

(but I'm thinking it should be REPLACING this entry, so the fact that it exists shouldn't be a problem???)

So, I have several questions:

1. Am I hosed completely because I didn't use "tomcat" as the alias?

2. How does the private key get stored exactly? I assume that if I delete the current entry for the "company" alias, I'll be losing the private key, right?

3. Can someone provide steps I should take to get this working given what I have said above?

Thanks so much in advance. Sorry to be so long-winded.

-Dave