tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From VeriSignTechSupport <>
Subject Re: Using key signed by Verisign in Tomcat (mini howto)
Date Fri, 23 May 2008 22:02:31 GMT

Hi Chris,

I am a Technical Support Rep at VeriSign.  I apologize if you are unable to
find any documentation regarding the installation of the intermediate
certificate for Tomcat.  

Once you have the VeriSign Intermediate CA certificate, you can run this
command to import it into your keystore:

keytool -import -alias intermediateCA -keystore <your_keystore_filename>
-trustcacerts -file intermediateCA.cer
NOTE: The alias name, "intermediateCA" in this command is different than the
alias name used during the generation of the private key and CSR.

After the intermediate certificate is installed, you import the SSL
certificate into the same keystore / alias where you generated the private

We also have this information documented on our site.  You will also find
these instructions on our Support Page:

Hopefully, this helps.

Thank You,


VeriSign Technical Support

Parker, Chris-2 wrote:
> I'm sending this email because I've spent the last day and a half
> putting together the bread crumbs necessary to get a signed key from
> Verisign to work with Tomcat.  I never found one place that has all the
> necessary information regarding how to deal with Verisign's use of
> intermediate keys.  The funny thing is all this stuff is straightforward
> (once known).  So here are the steps in one place - in the hopes that it
> might help someone in the future.
> Step 1:
> Our server was not yet using SSL, so we needed to generate a new key and
> keystore. 
> keytool -genkey -alias tomcat -keyalg rsa -keypass secret -storepass
> secret -keystore keystore.key
> This generates a new keystore.  Be sure to use "-keyalg rsa" as the
> default algorithm is dsa, and Verisign will not accept dsa.  Also, it's
> important to remember the alias, "tomcat" in this case.  When we receive
> the signed certificate we'll need to apply it to that alias.  That's how
> clients will know that our private key has been "signed".  Be sure to
> respond to all the prompts correctly, using the proper FQDN of the
> server.  This stuff is well documented - all over the place - so no
> point in duplicating it here.
> Step 2:
> Next we need to generate a certificate signing request.
> keytool -certreq -alias tomcat -file keystore.csr -keypass secret
> -storepass secret -keystore keystore.key
> Be sure to use "tomcat" as the alias again so that the correct private
> key is referenced.  Send the file "keystore.csr" to Verisign for
> signature.  Again, this part is well documented.
> The certificate you get back from Verisign is signed using an
> intermediate key that needs to be included in your keystore in order to
> properly sign your key.  So far as I can tell, that key is not a part of
> anything natively included with Java's "cacerts".
>  3a) The intermediate key is available at
>  3b) Copy the key from there to your clipboard
>  3c) Open the text editor of your choice and paste the contents of that
> key to a new document
>  3d) Open the certificate Verisign sent you (in response to your
> request) in the editor of your choice and copy it's contents
>  3e) Paste that into the same document as the intermediate key - after
> the intermediate key
>  3f) Save that document as an all new certificate (I called mine
> "signed.cer")
> Step 4:
> Sign your alias with the certificate you created yourself.
> keytool -import -trustcacerts -alias tomcat -file signed.cer -keypass
> secret -storepass secret -keystore keystore.key
> Note that once again we use the same alias.  We need to do this so that
> the private key in that alias is "signed", as opposed to just having the
> certificates a part of the contents.  Note also that I used the file
> "signed.cer" that I created myself to sign the key, NOT the certificate
> sent by Verisign.
> As I say, I'm sending this in the hopes that it will help someone else
> down the road.  :)
> ---------------------------------------------------------------------
> To start a new topic, e-mail:
> To unsubscribe, e-mail:
> For additional commands, e-mail:

View this message in context:
Sent from the Tomcat - User mailing list archive at

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message