tomcat-users mailing list archives

Subject RE: Using CA-issued certificates in Tomcat 5
Date Mon, 19 Jan 2004 14:49:04 GMT
keytool in JDK 1.4.2_03 no longer seems to accept PKCS#7 certificates by default and I have
not found a parameter to tell it to use them.  

When I do as you suggested (or download a Thawte pkcs#7 certificate) I get "keytool error:
java.lang.Exception:  Input not an X.509 certificate".  

Also, keytool does not allow the import for the cert under the "tomcat" alias if the
self-signed cert is already in the keystore with the alias "tomcat".

Can it be that Sun royally messed up the keytool implementation when moving from PKCS#7 to
X.509 certificates?

-----Original Message-----
From: ext Mark Thomas []
Sent: Friday, January 16, 2004 5:20 PM
To: 'Tomcat Users List'
Subject: RE: Using CA-issued certificates in Tomcat 5

Try this - don't delete the alias before importing the response. 

What happens is:
> keytool -genkey -alias tomcat -keyalg RSA
Creates your private and public key
> keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
wraps a copy of your _public_ key in a certificate request
> ... got the certs...
CA uses their private key to sign your public key - this is essentially your
> keytool -delete -alias tomcat
This deletes your private key. This is bad.
> keytool -import -alias root -trustcacerts -file rootcert.cer
(root/intermediate/chain cert, as appropriate for the CA)
Adds the public key of your CA to your trusted certs.
> keytool -import -alias tomcat -trustcacerts -file testcert.cer
With your private key still in place, this replaces your unsigned public key
with a signed public key

You may find that the format the cert comes back in is not compatible with
keytool. I normally do the following:
1. In windows, change extension to .cer
2. Double click on .cer file.
3. On "Details" tab click "Copy to file..."
4. Select the .p7b output format and tick the box to include all certs in path.
5. Specify a file name.
6. Use keytool to import this file.

Sorry this is a Windows solution, but if you don't use Windows, as long as you
can get access to a Windows box you should be able to do this.


-----Original Message-----
From: [] 
Sent: Friday, January 16, 2004 11:03 PM
Subject: Using CA-issued certificates in Tomcat 5

I thought I had all my Tomcat issues resolved and was ready to go from the
self-signed cert to one issued by a CA.  So I followed all the steps, generated
a CSR, got the root cert and test cert, installed them into the keytool, and
restarted the server.  An exception is thrown saying:

 No available certificate corresponds to the SSL cipher suites which are enabled

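As an added example (not code from either poster), the sequence from Mark's reply as a POSIX shell script: it checks, before importing the CA reply, that the `tomcat` alias still holds a private key (the step the thread says must not be destroyed with `-delete`), and it converts a PKCS#7 `.p7b` reply to a PEM bundle with openssl in place of the Windows "Copy to file..." steps. It assumes keytool and openssl are on PATH; the keystore path, password and the sample `keytool -list` output are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Keystore location, password and the
# sample listing below are constructed placeholders.
KEYSTORE="${KEYSTORE:-$HOME/.keystore}"     # keytool's default store
STOREPASS="${STOREPASS:-changeit}"          # placeholder password
# Constructed `keytool -list` output in the format old JDKs print; a
# "keyEntry" (newer JDKs: "PrivateKeyEntry") holds the private key, a
# "trustedCertEntry" holds only a certificate.
SAMPLE_LISTING='Your keystore contains 2 entries

tomcat, Jan 16, 2004, keyEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
root, Jan 16, 2004, trustedCertEntry,
Certificate fingerprint (MD5): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00'

# Print the entry type keytool lists for alias $1 (listing on stdin).
alias_entry_type() {
    awk -F', *' -v a="$1" '$1 == a { for (i = 2; i <= NF; i++)
        if ($i ~ /Entry$/) { print $i; exit } }'
}

# Echo 1 if alias $1 still holds a private key, else 0.
has_private_key() {
    case "$(alias_entry_type "$1")" in
        keyEntry|PrivateKeyEntry) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Convert a PKCS#7 reply (.p7b, DER or PEM) to a PEM bundle of X.509
# certificates, the non-Windows equivalent of the "Copy to file..." steps.
p7b_to_pem() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2" 2>/dev/null \
        || openssl pkcs7 -inform PEM -in "$1" -print_certs -out "$2"
}

# Import the CA root ($1) and then the CA reply ($2) onto the "tomcat"
# alias, refusing if that alias no longer holds a private key.
import_ca_reply() {
    listing=$(keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS")
    if [ "$(printf '%s\n' "$listing" | has_private_key tomcat)" != 1 ]; then
        echo "alias tomcat has no private key; run -genkey and a new -certreq" >&2
        return 1
    fi
    keytool -import -alias root -trustcacerts -noprompt -file "$1" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
    case "$2" in *.p7b) p7b_to_pem "$2" "$2.pem"; set -- "$1" "$2.pem" ;; esac
    keytool -import -alias tomcat -trustcacerts -file "$2" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}
```

Run `import_ca_reply rootcert.cer testcert.p7b` after sourcing the script; the check on the listing can be tried offline with `printf '%s\n' "$SAMPLE_LISTING" | has_private_key tomcat`.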