Return-Path: Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm Delivered-To: mailing list tomcat-user@jakarta.apache.org Received: (qmail 36152 invoked from network); 5 Sep 2003 17:40:51 -0000 Received: from unknown (HELO mail.pcisys.net) (216.229.32.240) by daedalus.apache.org with SMTP; 5 Sep 2003 17:40:51 -0000 Received: from morpheus (rbe-216-229-36-31.den.pcisys.net [216.229.36.31]) by mail.pcisys.net (8.12.9/8.12.9) via SMTP id h85HeLmr008549 for ; Fri, 5 Sep 2003 11:40:22 -0600 (MDT) env-from (dave@woodtopia.org) From: "Dave Wood" To: "Tomcat Users List" Subject: RE: SSL/Verisign Confusion Date: Fri, 5 Sep 2003 11:40:11 -0600 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <01eb01c373c4$5f363c40$6402a8c0@inmezzo.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N Well, after all this, I just discovered that VeriSign will basically let you start over if it's within 30 days (which it is). So, for now, I'm going down this path. Just talked to someone at V/S who said it would take just a couple hours. Oh, and I made a BACKUP of my new keystore file this time that now contains a single "keyEntry" with the alias "tomcat". I try to avoid being stupid in the same way more than once! :) As for the programmatic approach, FWIW, I started down that path as well, but somehow I had no private key entry in the keystore (best I can tell). Still not sure how I got in that messed up state. Thanks, Dave -----Original Message----- From: Christopher Williams [mailto:ccwilliams3@ntlworld.com] Sent: Friday, September 05, 2003 9:43 AM To: Tomcat Users List Subject: Re: SSL/Verisign Confusion Have you thought of manipulating the keystore programmatically? Here's what you'd do: 1. Open your existing keystore 2. Find the entry with your private key and (presumably) a temporary self-signed certificate. 3. Open the certificate you got from Versign. 4. Change the certificate in your key entry to your Verisign certificate. 5. Save and close the keystore. OpenSSL doesn't understand most of the Java keystore formats, although it can manipulate PKCS#12 files which Keytool can handle. If you download the BouncyCastle crypto provider, then you can use keytool to write PKCS#12 files as well. Also, if the person who originally posted the question doesn't feel up to monkeying around with the Keystore classes, I have some code that I can adapt to stick your Verisign certificate in your keystore. Get in touch with me personally and I'll see what I can do. ----- Original Message ----- From: "Jay Garala" To: "'Tomcat Users List'" Sent: Friday, September 05, 2003 3:36 PM Subject: RE: SSL/Verisign Confusion NOTE: You cannot export private key from keystore. -----Original Message----- From: Dave Wood [mailto:dave@woodtopia.org] Sent: Friday, September 05, 2003 10:32 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks. With the exception of the openssl doc, I've been over these quite a bit. The result is the problem I've mentioned where keytool says it can't import my certificate because the alias already exists. After some help I got last night, I think the question boils down to this: * once I have extracted my private key from keytool (haven't done this yet), how do I take that key, the VeriSign intermediate certificate and my public key certificate and get them to play together. I'm hoping the openssl stuff will take care of this, because keytool doesn't really seem to recognize private keys as things that you can work with directly. Thanks again, Dave -----Original Message----- From: Jay Garala [mailto:jay@electrosoft-inc.com] Sent: Friday, September 05, 2003 7:12 AM To: 'Tomcat Users List' Subject: RE: SSL/Verisign Confusion Try the Java keytool help: http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html Tomcat how-to: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html If you have OpenSSL: http://forum.java.sun.com/thread.jsp?forum=2&thread=4240 Jay -----Original Message----- From: Dave Wood [mailto:dave@woodtopia.org] Sent: Friday, September 05, 2003 1:04 AM To: Tomcat Users List Subject: RE: SSL/Verisign Confusion Thanks Bill. I think this highlights something I'm really not understanding... Didn't I generate an important "private key" somewhere along the line that I can't just regenerate if I blow away my keystore? I assumed the certificate I got back from verisign would only work if I still had the original private key I generated before sending them my request. Is that wrong? (I'll take a look at the link you sent...at first glance, it looks a little hard to follow, but hopefully not). Thanks again. Dave -----Original Message----- From: news [mailto:news@sea.gmane.org]On Behalf Of Bill Barker Sent: Thursday, September 04, 2003 11:06 PM To: tomcat-user@jakarta.apache.org Subject: Re: SSL/Verisign Confusion Firstly, it looks like you should wipe you keystore and start again. To use a VS cert with Tomcat, the two options I know are: 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm. 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and use that as your keystore (remember to set 'keystoreType="pkcs12"' on the Factory in server.xml). "Dave Wood" wrote in message news:EBEBKKMEAECJFOHFOLHLIELKCIAA.dave@woodtopia.org... > I'm having a problem getting an SSL certificate from Verisign working > correctly. I'm going to include everything I can think of that MIGHT be a > problem. Unfortunately, there are a couple things I can't quite remember > for certain. Here's the situation: > > 1. I generated the initial key using an alias other than "tomcat" (we'll > call it "company") > 2. I generated the CSR and sent it to verisign. I still have this file. > 3. Verisign changed the company name during the verification process (from > an acronym to the full spelling of the name) > 4. I now have the certificate that they sent back after the validation > process. > 5. One thing I can't account for is why when I see this: > > $ keytool -list > > Keystore type: jks > Keystore provider: SUN > > Your keystore contains 4 entries: (...others removed...) > > company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry, > Certificate fingerprint (MD5): > 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really > 0's) > > ...I think I must have self-signed or something (I was doing a couple of > these things and don't recall exactly), but I'm surprised to see > "trustedCertEntry" here. > > The problem I'm having is this: > > $ keytool -import -trustcacerts -alias company -file public.crt > Enter keystore password: xxx > keytool error: java.lang.Exception: Certificate not imported, alias > already exists > > (but I'm thinking it should be REPLACING this entry, so the fact that it > exists shouldn't be a problem???) > > So, I have several questions: > > 1. Am I hosed completely because I didn't use "tomcat" as the alias? > 2. How does the private key get stored exactly? I assume that if I delete > the current entry for the "company" alias, I'll be losing the private key, > right? > 3. Can someone provide steps I should take to get this working given what I > have said above. > > Thanks so much in advance. Sorry to be so long-winded. > > -Dave > --- > Outgoing mail is certified Virus Free. > Checked by AVG anti-virus system (http://www.grisoft.com). > Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 --------------------------------------------------------------------- To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org For additional commands, e-mail: tomcat-user-help@jakarta.apache.org --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 --------------------------------------------------------------------- To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org For additional commands, e-mail: tomcat-user-help@jakarta.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org For additional commands, e-mail: tomcat-user-help@jakarta.apache.org --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 --------------------------------------------------------------------- To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org For additional commands, e-mail: tomcat-user-help@jakarta.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org For additional commands, e-mail: tomcat-user-help@jakarta.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org For additional commands, e-mail: tomcat-user-help@jakarta.apache.org --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003