tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <>
Subject RE: Using CA-issued certificates in Tomcat 5
Date Mon, 19 Jan 2004 19:46:48 GMT
DOCUMENTATION MAINTAINERS:  Please read.  Contact me if you have questions.


Thanks, your comments were key to figuring things out the problem.  Apparently the docs are
out of date and incompatible with current the JDK/Tomcat5 behavior.  I still don't know why
keytool refuses the .p7b keys.

FRUSTRATED CERTIFICATE USERS (like I was):  Here are steps that work for CA-issued test certs

0) Use the default Tomcat keystore and key password "changeit" anytime you are asked for a
password.  You can always use something else after you get things working.

1) Delete (or rename) the keystore with the self signed cert you created following the Tomcat

2) Create a new keystore and personal key pair. Ignore the docs and DO NOT USE "tomcat" as
the alias.  If you do, you will not be able to import the CA's key as "tomcat".  Use:

	keytool -genkey -alias mykey -keyalg RSA

3) Generate a CSR using your key:

	keytool -certreq -keyalg RSA -alias mykey -file certreq.csr

4) Use the CSR to get a X.509 certificate (PKCS#7 don't work anymore) from a CA.  Don't use
Verisign - their tech support does not understand Tomcat (and I assume Java) and all they
would do is parrot the docs verbatim, then blame Tomcat for not working.  Thawte worked for
me, but you must ignore their (obsolete) recommendation to use PKCS#7.

5) Install the CA's root test certificates in your browsers.

6) At least for Thawte, DO NOT get/install an intermediate or chain certificate.  That means
you ignore the step in the docs that tells you to do "keytool -import -alias root -trustcacerts
-file <chaincert>".

7) Install the X.509 cert:

	keytool -install -alias tomcat -file svrcert.cer

8) DONE!!!  You may look at your certs/keys with "keytool -list".  You should see mykey and

-----Original Message-----
From: ext Mark Thomas []
Sent: Monday, January 19, 2004 12:38 PM
To: 'Tomcat Users List'
Subject: RE: Using CA-issued certificates in Tomcat 5

I am using 1.4.2_03 without any problems and have successfully imported various
certs (versign, self-signed and Windows cert server signed).

I have never tried to import a CA signed cert on top of a self signed cert. To
be honest, I would expect it to fail. This may be the cause of your problem. Can
you try generating a key, not signing it yourself and sending that to be signed
by the CA? Also, can you confirm that you did the format conversion as described


> -----Original Message-----
> From: [] 
> Sent: Monday, January 19, 2004 2:49 PM
> To:
> Subject: RE: Using CA-issued certificates in Tomcat 5
> keytool in JDK 1.4.2_03 no longer seems to accept PKCS#7 
> certificates by default and I have not found a parameter to 
> tell it to use them.  
> When I do as you suggested (or download a Thawte pkcs#7 
> certificate) I get "keytool error: java.lang.Exception:  
> Input not an X.509 certificate".  
> Also, keytool does not not allowing the import for the cert 
> under the "tomcat" alias if the self-signed cert is already 
> in the keystore with the alias "tomcat".
> Can it be that Sun royally messed up the keytool 
> implementation when moving from PKCS#7 to X.509 certificates?
> -----Original Message-----
> From: ext Mark Thomas []
> Sent: Friday, January 16, 2004 5:20 PM
> To: 'Tomcat Users List'
> Subject: RE: Using CA-issued certificates in Tomcat 5
> Try this - don't delete the alias before importing the response. 
> What happens is:
> > keytool -genkey -alias tomcat -keyalg RSA
> Creates your private and public key
> > keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
> wraps a copy of your _public_ key in a certficate request
> > ... got the certs...
> CA uses their private key to sign your public key - this is 
> essentially your
> certificate
> > keytool -delete -alias tomcat
> This deletes your private key. This is bad.
> > keytool -import -alias root -trustcacerts -file rootcert.cer
> (root/intermediate/chain cert, as appropriate for the CA)
> Adds the public key of your CA to your trusted certs.
> > keytool -import -alias tomcat -trustcacerts -file testcert.cer
> With your private key still in place, this replaces your 
> unsigned public key
> with a signed public key
> You may find that the format the cert comes back in is not 
> compatible with
> keytool. I normally do the following:
> 1. In windows, change extension to .cer
> 2. Double click on .cer file.
> 3. On "Details" tab click "Copy to file..."
> 4. Select the .p7b output format and tick the box to include 
> all certs in path.
> 5. Specify a file name.
> 6. Use key tool to import this file.
> Sorry this is a windows solution but if you don't use windows 
> as along as you
> can get access to a windows box you should be able to do this.
> Mark
> -----Original Message-----
> From: [] 
> Sent: Friday, January 16, 2004 11:03 PM
> To:
> Subject: Using CA-issued certificates in Tomcat 5
> I thought I had all my Tomcat issues resolved and was ready 
> to go from the
> self-signed cert to one issued by a CA.  So I followed all 
> the steps, generated
> a CSR, got the root cert and test cert, installed them into 
> the keytool, and
> restarted the server.  An exception is thrown saying:
>  No available certificate corresponds to the SSL cipher 
> suites which are enabled
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message