tomcat-users mailing list archives

From Jorge Medina <>
Subject Re: Trouble setting up ssl
Date Sat, 26 Feb 2011 19:38:43 GMT
Your Certificate Authority (The certificate used to sign your other
certificates, in this case provided by your Windows CA Server) is not
trusted by your clients.

Are your clients internal or external to your company?
If your clients are internal, you can add the certificate to the
trusted roots on each client machine truststore or each user's
truststore that Windows keeps in the registry.  (I would assume that
your Windows 2008 CA Server may have a way to push the certificate
into your domain computers, but I have never used the product, so I
don't know)

If your clients are external, then you cannot expect them to trust your
certificate authority. You need to obtain a certificate from Verisign,
Thawte or any other company providing certificates.

On Sat, Feb 26, 2011 at 12:42 AM, Joseph L. Casale
<> wrote:
> I have set up a keystore as follows:
> keytool -genkey -alias tomcat -keyalg RSA -dname CN=<server FQDN>,OU="Company Name",O="Company Name ",L=city,ST=province,C=CA \
> -keystore /path/keystore -keypass phrase -storepass phrase
> I then generated a CSR:
> keytool -certreq -keyalg RSA -alias tomcat -file /path/certreq.csr -keystore /path/keystore
> I signed the certificate on our Windows Server 2008 R2 CA Server:
> certreq.exe -attrib "CertificateTemplate:WebServer" c:\data\certreq.csr c:\data\certreq.cer
> I added the signed cert:
> keytool -import -alias tomcat2 -keystore /path/keystore -trustcacerts -file /path/certreq.cer
> Lastly I added the Base 64 encoded X.509 root ca from our active directory ca:
> keytool -keystore /path/keystore -keyalg RSA -import -trustcacerts -alias cacert -file
> This all completed w/o error, so I created the connector in the server.xml yet when
> domain clients connect to the ssl site, they are prompted with warnings suggesting
> the root cert is not trusted?
> Any pointers where I erred?
> Thanks!
> jlc
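A way to see which certificate each alias in the keystore built above actually holds, as an added example that is not part of either poster's message: the function reads `keytool -list -v` output and reports whether the key entry Tomcat serves carries a self-signed certificate or a CA-issued chain. The sample listing, the host name `www.example.test` and the CA name `Example Internal CA` are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify each alias in the text that
# `keytool -list -v -keystore /path/keystore` prints. Reads that text on stdin
# and writes one line per alias: "<alias> <entry type> <verdict>".
check_keystore_listing() {
  awk '
    function emit() {
      if (alias == "") return
      if (type != "PrivateKeyEntry") { verdict = "trust-only" }
      else if (owner == "")          { verdict = "unknown" }
      else if (owner == issuer)      { verdict = "self-signed" }
      else                           { verdict = ("ca-issued,chain=" chain) }
      print alias, type, verdict
      alias = type = owner = issuer = ""; chain = 0
    }
    /^Alias name: /               { emit(); alias = substr($0, 13) }
    /^Entry type: /               { type = substr($0, 13) }
    /^Certificate chain length: / { chain = $NF }
    # Keep only the first Owner/Issuer pair: Certificate[1] is the server cert.
    /^Owner: /  && owner == ""    { owner = substr($0, 8) }
    /^Issuer: / && issuer == ""   { issuer = substr($0, 9) }
    END { emit() }
  '
}

# Constructed, abridged listing using the aliases from the quoted commands.
sample_listing() {
  cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.test, OU=Company Name, O=Company Name, C=CA
Issuer: CN=www.example.test, OU=Company Name, O=Company Name, C=CA
Alias name: tomcat2
Entry type: trustedCertEntry
Owner: CN=www.example.test, OU=Company Name, O=Company Name, C=CA
Issuer: CN=Example Internal CA
Alias name: cacert
Entry type: trustedCertEntry
Owner: CN=Example Internal CA
Issuer: CN=Example Internal CA
EOF
}

sample_listing | check_keystore_listing
```

keytool stores a certificate imported under a new alias as a `trustedCertEntry` and leaves the key entry's own certificate unchanged, which is the layout the constructed listing shows. A CA reply imported under the key entry's alias replaces that entry's self-signed certificate with the issued chain.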
