From: "Bill Barker"
To: tomcat-user@jakarta.apache.org
Subject: Re: SSL/Verisign Confusion
Date: Thu, 4 Sep 2003 22:06:27 -0700

Firstly, it looks like you should wipe your keystore and start again. To use a VS cert with Tomcat, the two options I know are:

1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm.

2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and use that as your keystore (remember to set 'keystoreType="pkcs12"' on the Factory in server.xml).

"Dave Wood" wrote in message news:EBEBKKMEAECJFOHFOLHLIELKCIAA.dave@woodtopia.org...

> I'm having a problem getting an SSL certificate from Verisign working
> correctly. I'm going to include everything I can think of that MIGHT be a
> problem. Unfortunately, there are a couple of things I can't quite remember
> for certain. Here's the situation:
>
> 1. I generated the initial key using an alias other than "tomcat" (we'll
> call it "company")
> 2. I generated the CSR and sent it to Verisign. I still have this file.
> 3. Verisign changed the company name during the verification process (from
> an acronym to the full spelling of the name)
> 4. I now have the certificate that they sent back after the validation
> process.
> 5. One thing I can't account for is why when I see this:
>
> $ keytool -list
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 4 entries: (...others removed...)
>
> company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry,
> Certificate fingerprint (MD5):
> 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really
> 0's)
>
> ...I think I must have self-signed or something (I was doing a couple of
> these things and don't recall exactly), but I'm surprised to see
> "trustedCertEntry" here.
>
> The problem I'm having is this:
>
> $ keytool -import -trustcacerts -alias company -file public.crt
> Enter keystore password: xxx
> keytool error: java.lang.Exception: Certificate not imported, alias
> already exists
>
> (but I'm thinking it should be REPLACING this entry, so the fact that it
> exists shouldn't be a problem???)
>
> So, I have several questions:
>
> 1. Am I hosed completely because I didn't use "tomcat" as the alias?
> 2. How does the private key get stored exactly? I assume that if I delete
> the current entry for the "company" alias, I'll be losing the private key,
> right?
> 3. Can someone provide steps I should take to get this working given what I
> have said above?
>
> Thanks so much in advance. Sorry to be so long-winded.
>
> -Dave
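The second option in Bill's reply (bundle the private key and the issued certificate into a PKCS#12 file and point Tomcat at it with keystoreType="pkcs12") as an added, runnable example; this is not code from the mailing-list post or from Tomcat. It assumes `openssl` is on the PATH. The key and certificate it uses are generated on the spot (a throwaway self-signed pair, constructed for the demo) in place of the real key and the Verisign-issued cert, and the function names `make_pkcs12`, `key_matches_cert` and `pkcs12_has_key` are the example's own. The mismatch check is the part worth keeping: a keystore entry of type trustedCertEntry, as in Dave's `keytool -list` output, holds a certificate but no private key, and a PKCS#12 built from a cert and a key that do not belong together will load fine but fail every TLS handshake.

```shell
#!/bin/sh
# Added example: build a PKCS#12 keystore from a PEM private key and a
# PEM certificate, refusing to bundle a key that does not match the cert.
# Assumes: openssl on PATH. Demo key/cert below are self-signed and
# constructed for this example only.
set -eu

# key_matches_cert KEY CERT
# Compares the public key derived from the private key with the public key
# embedded in the certificate; both are printed as PEM SubjectPublicKeyInfo.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_pkcs12 KEY CERT OUT PASSWORD ALIAS
# Writes OUT as a PKCS#12 bundle containing the key and cert under ALIAS
# (the friendly name is what Tomcat will see as the entry alias).
make_pkcs12() {
    key=$1; cert=$2; out=$3; pass=$4; alias=$5
    if ! key_matches_cert "$key" "$cert"; then
        echo "refusing: private key in $key does not match certificate $cert" >&2
        return 1
    fi
    openssl pkcs12 -export -inkey "$key" -in "$cert" -name "$alias" \
        -out "$out" -passout "pass:$pass"
}

# pkcs12_has_key FILE PASSWORD
# True if the bundle really carries a private key (a cert-only bundle is
# the PKCS#12 equivalent of a trustedCertEntry and is useless for serving TLS).
pkcs12_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Demo run: throwaway self-signed key/cert pair (constructed), then bundle it.
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/company.key" \
        -out "$tmp/company.crt" -subj "/CN=www.example.com" -days 365 2>/dev/null
    make_pkcs12 "$tmp/company.key" "$tmp/company.crt" "$tmp/company.p12" changeit company
    pkcs12_has_key "$tmp/company.p12" changeit \
        && echo "company.p12 contains the private key under alias 'company'"
    rm -rf "$tmp"
}

if command -v openssl >/dev/null 2>&1; then
    demo
fi
```

The resulting file is what goes into keystoreFile in server.xml, with keystoreType="pkcs12" and keystorePass set to the export password; the alias does not have to be "tomcat" for a PKCS#12 keystore, because Tomcat reads whatever key entry the bundle holds.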