tomcat-users mailing list archives

From Adam Hardy <ahardy.str...@cyberspaceroad.com>
Subject Re: SOLUTION: SSL certificates HOW-TO
Date Wed, 04 Feb 2004 10:18:20 GMT
Good one Bruno.

On 02/03/2004 10:09 PM Bruno.Melloni@nokia.com wrote:
> It seems that obtaining and installing SSL certificates from different Certificate Authorities is not consistent.  Even within the same CA, the procedure for real and test certificates is not necessarily the same.  To make matters worse there appear to be differences in the operation of the Java keystore from 1.3.x to 1.4.2.  Finally, documentation in Tomcat and in the CA sites is slightly out of date.  These things combined make life difficult.
> 
> The following is a summary of procedures that I have found to work with JDK 1.4.2_03 and Tomcat 5.0.
> 
> For all options:
> · Use password "changeit" for BOTH the keystore and the keys.
> · Use the server's fully qualified hostname as "first and last name", i.e.: myserver.mydomain.com
> · When requesting certificates, you must get an X.509 server certificate.  If you get a PKCS#7 certificate you must convert it to an X.509 one before use.
> Using a self-signed certificate:
> · cd
> · keytool -genkey -alias tomcat -keyalg RSA
> Using Verisign certificate:
> The official Verisign instructions were incorrect at the time of this writing, but the following procedure will work for "REAL" certificates.  For test certificates you theoretically only need and install the test root and test server certificates steps (not successfully tested), which are different from the regular root and server certificates.
> · cd 
> · keytool -genkey -alias tomcat -keyalg RSA
> · keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
> · Use the .csr to request a certificate
> · Obtain the Verisign root certificate, intermediate certificate and server certificate
> · keytool -import -alias verisignroot -trustcacerts -file verisignroot.cer
> · keytool -import -alias root -file intermediate.cer
> · keytool -import -alias tomcat -file server.cer
> Using Thawte certificate
> The Thawte instructions were incorrect at the time of this writing, but the following procedure will work for (at least) test certificates.
> · cd
> · keytool -genkey -alias mykey -keyalg RSA
> · keytool -certreq -keyalg RSA -alias mykey -file certreq.csr
> · Use the .csr to request an X.509 certificate, you will get a server certificate.
> · keytool -import -alias tomcat -trustcacerts -file server.cer
> I hope this helps others to avoid the headaches I experienced. :P
> 
> Bruno 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
> 


-- 
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian
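
Added example, not part of either poster's message: a structural check for the PKCS#7 versus X.509 point in the quoted how-to, so a CA's reply can be identified before it is handed to `keytool -import`. The function names and sample bytes are constructed for illustration; the check reads only the outer ASN.1 layers and is not a full certificate parser.

```python
import base64
import re

# DER bytes (tag, length, value) of OID 1.2.840.113549.1.7.2, PKCS#7 signedData.
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")
PEM_RE = re.compile(rb"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", re.DOTALL)

# Constructed samples: only the leading bytes of each structure, not real certificates.
SAMPLE_X509_DER = bytes.fromhex("3082020a308201f2a003020102")
SAMPLE_PKCS7_DER = bytes.fromhex("3082010006092a864886f70d010702a081f2")
# Constructed PKCS#7 content under a CERTIFICATE label: the label alone proves nothing.
SAMPLE_MISLABELLED_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                          + base64.b64encode(SAMPLE_PKCS7_DER)
                          + b"\n-----END CERTIFICATE-----\n")


def to_der(data: bytes) -> bytes:
    """Return DER bytes, decoding the first PEM block when the input is PEM."""
    m = PEM_RE.search(data)
    return base64.b64decode(b"".join(m.group(2).split())) if m else data


def content_offset(der: bytes) -> int:
    """Offset of the contents of the outer TLV (short or long length form)."""
    if len(der) < 2:
        raise ValueError("truncated DER")
    if der[1] < 0x80:
        return 2
    n = der[1] & 0x7F
    if n == 0 or 2 + n > len(der):
        raise ValueError("unsupported or truncated DER length")
    return 2 + n


def classify(data: bytes) -> str:
    """Return 'pkcs7', 'x509' or 'unknown' from the outer ASN.1 layers."""
    try:
        der = to_der(data)
        if der[:1] != b"\x30":             # both formats start with a SEQUENCE
            return "unknown"
        inner = der[content_offset(der):]
    except ValueError:                      # bad base64 or bad DER header
        return "unknown"
    if inner.startswith(SIGNED_DATA_OID):   # ContentInfo { signedData, ... }
        return "pkcs7"
    if inner[:1] == b"\x30":                # Certificate { tbsCertificate SEQUENCE, ... }
        return "x509"
    return "unknown"
```

A result of `pkcs7` means the file needs the conversion step the how-to mentions before it is imported under the server alias.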

