Tomcat 6 SSL CA Certificate does not work, but Self signed Certificate does
I am trying to set up SSL on Tomcat with a CA certificate from GoDaddy. I am unable to load the web page using HTTPS. When I try to use a self-signed certificate, everything works as expected, but when I change the keystore to point to the one with the CA certificate in it, I get nothing. There is nothing in the log that isn't there for the self-signed startup either.

Here is the Connector declaration:

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="443" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="mykeystore.keystore" keystorePass=
               keyAlias="tcat" clientAuth="false" sslProtocol="TLS" />

The keystore contains tcat as one of the three keys. The other two entries are root and intermed from GoDaddy. Where can I look to find the issue?
Re: Tomcat 6 SSL CA Certificate does not work, but Self signed Certificate does
On Apr 4, 2014, at 1:24 PM, Mark Murphy jmarkmur...@gmail.com wrote:

> I am trying to set up SSL on Tomcat with a CA certificate from GoDaddy. I am unable to load the web page using HTTPS.

What exactly happens when you try to access it? Please include browser behavior and any errors / messages it gives you about the connection.

> When I try to use a self-signed certificate, everything works as expected, but when I change the keystore to point to the one with the CA certificate in it, I get nothing.

What steps / instructions did you follow to generate your keystore file?

Dan

> There is nothing in the log that isn't there for the self-signed startup either. Here is the Connector declaration: [...] The keystore contains tcat as one of the three keys. The other two entries are root and intermed from GoDaddy. Where can I look to find the issue?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 6 SSL CA Certificate does not work, but Self signed Certificate does
Created my keystore according to the directions here:
http://support.godaddy.com/help/article/5239/generating-a-csr-and-installing-an-ssl-certificate-in-tomcat-4x5x6x7x

This is what I see in Chrome:

    SSL Connection Error
    Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
    Error code: ERR_SSL_PROTOCOL_ERROR

Here is a non-SSL URL: http://www.myerstorquetracker.com
With SSL: https://www.myerstorquetracker.com

> > I am trying to set up SSL on Tomcat with a CA certificate from GoDaddy. I am unable to load the web page using HTTPS.
>
> What exactly happens when you try to access it? Please include browser behavior and any errors / messages it gives you about the connection.
>
> > When I try to use a self-signed certificate, everything works as expected, but when I change the keystore to point to the one with the CA certificate in it, I get nothing.
>
> What steps / instructions did you follow to generate your keystore file?
>
> Dan
>
> [...]
Re: Tomcat 6 SSL CA Certificate does not work, but Self signed Certificate does
On Apr 4, 2014, at 2:52 PM, Mark Murphy jmarkmur...@gmail.com wrote:

> Created my keystore according to the directions here:
> http://support.godaddy.com/help/article/5239/generating-a-csr-and-installing-an-ssl-certificate-in-tomcat-4x5x6x7x

Ok. Good start.

> This is what I see in Chrome:
>
>     SSL Connection Error
>     Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
>     Error code: ERR_SSL_PROTOCOL_ERROR
>
> Here is a non-SSL URL: http://www.myerstorquetracker.com
> With SSL: https://www.myerstorquetracker.com

Interesting. What JVM (java -version) are you using?

Dan

> [...]
Re: Tomcat 6 SSL CA Certificate does not work, but Self signed Certificate does
1.5.0_15

On Fri, Apr 4, 2014 at 3:23 PM, Daniel Mikusa dmik...@gopivotal.com wrote:

> On Apr 4, 2014, at 2:52 PM, Mark Murphy jmarkmur...@gmail.com wrote:
>
> > Created my keystore according to the directions here:
> > http://support.godaddy.com/help/article/5239/generating-a-csr-and-installing-an-ssl-certificate-in-tomcat-4x5x6x7x
>
> Ok. Good start.
>
> > This is what I see in Chrome: [...] Error code: ERR_SSL_PROTOCOL_ERROR
> > Here is a non-SSL URL: http://www.myerstorquetracker.com
> > With SSL: https://www.myerstorquetracker.com
>
> Interesting. What JVM (java -version) are you using?
>
> Dan
>
> [...]
Re: Tomcat 6 SSL CA Certificate does not work, but Self signed Certificate does
I saw something on StackOverflow that said the key type in the keystore needs to be PrivateKeyEntry and not trustedCertEntry. Is this true? When I look at my keystore, it is trustedCertEntry for all the certs. But when I look at the type for the self-signed certificate (which works), it shows keyEntry. Does, or should, this matter? And if so, how do I change the type?

On Fri, Apr 4, 2014 at 4:34 PM, Mark Murphy jmarkmur...@gmail.com wrote:

> 1.5.0_15
>
> On Fri, Apr 4, 2014 at 3:23 PM, Daniel Mikusa dmik...@gopivotal.com wrote:
>
> > Interesting. What JVM (java -version) are you using?
> >
> > Dan
> >
> > [...]
Re: Tomcat 6 SSL CA Certificate does not work, but Self signed Certificate does
On Apr 4, 2014, at 4:34 PM, Mark Murphy jmarkmur...@gmail.com wrote:

> 1.5.0_15

Any chance you could try a more recent JVM? Java 6 or preferably Java 7. That's really old.

Dan

> On Fri, Apr 4, 2014 at 3:23 PM, Daniel Mikusa dmik...@gopivotal.com wrote:
>
> > Interesting. What JVM (java -version) are you using?
> >
> > Dan
> >
> > [...]
Re: Tomcat 6 SSL CA Certificate does not work, but Self signed Certificate does
On 04/04/2014 21:42, Mark Murphy wrote:

> I saw something on StackOverflow that said the key type in the keystore needs to be PrivateKeyEntry and not trustedCertEntry. Is this true? When I look at my keystore, it is trustedCertEntry for all the certs. But when I look at the type for the self-signed certificate (which works), it shows keyEntry. Does, or should, this matter? And if so, how do I change the type?

Yes, this matters a lot. You must import the cert you receive from the CA into the same keystore you used to generate the CSR since that is where the private key is and the server has to have access to the private key.

Mark
Re: Tomcat 6 SSL CA Certificate does not work, but Self signed Certificate does
On Apr 4, 2014, at 4:42 PM, Mark Murphy jmarkmur...@gmail.com wrote:

> I saw something on StackOverflow that said the key type in the keystore needs to be PrivateKeyEntry and not trustedCertEntry. Is this true? When I look at my keystore, it is trustedCertEntry for all the certs. But when I look at the type for the self-signed certificate (which works), it shows keyEntry. Does, or should, this matter? And if so, how do I change the type?

Did you run the commands exactly as described in the link that you provided? If not you should go through the process again and follow them exactly. You can pretty much copy and paste them as they are listed in that document.

Dan

> On Fri, Apr 4, 2014 at 4:34 PM, Mark Murphy jmarkmur...@gmail.com wrote:
>
> > 1.5.0_15
> >
> > [...]
Re: Tomcat 6 SSL CA Certificate does not work, but Self signed Certificate does
So let me try to understand what is going on here. I generate a keystore using keytool, that contains a key. At this point it is equal to a self-signed certificate, and it works, but the browser complains that there is no CA. I then need to create a certificate request and send that off to GoDaddy. What is this? A public key that matches up with the private key? Then I have to import the certificates that GoDaddy returns to me because that validates the private key that is already in the keystore?

On Fri, Apr 4, 2014 at 4:46 PM, Mark Thomas ma...@apache.org wrote:

> On 04/04/2014 21:42, Mark Murphy wrote:
>
> > I saw something on StackOverflow that said the key type in the keystore needs to be PrivateKeyEntry and not trustedCertEntry. Is this true? When I look at my keystore, it is trustedCertEntry for all the certs. But when I look at the type for the self-signed certificate (which works), it shows keyEntry. Does, or should, this matter? And if so, how do I change the type?
>
> Yes, this matters a lot. You must import the cert you receive from the CA into the same keystore you used to generate the CSR since that is where the private key is and the server has to have access to the private key.
>
> Mark
Re: Tomcat 6 SSL CA Certificate does not work, but Self signed Certificate does
Sorry for the dumb questions, I am new to SSL, and want to understand what I am doing, not just run these instructions, and it should work.

On Fri, Apr 4, 2014 at 5:00 PM, Mark Murphy jmarkmur...@gmail.com wrote:

> So let me try to understand what is going on here. I generate a keystore using keytool, that contains a key. At this point it is equal to a self-signed certificate, and it works, but the browser complains that there is no CA. I then need to create a certificate request and send that off to GoDaddy. What is this? A public key that matches up with the private key? Then I have to import the certificates that GoDaddy returns to me because that validates the private key that is already in the keystore?
>
> On Fri, Apr 4, 2014 at 4:46 PM, Mark Thomas ma...@apache.org wrote:
>
> > Yes, this matters a lot. You must import the cert you receive from the CA into the same keystore you used to generate the CSR since that is where the private key is and the server has to have access to the private key.
> >
> > Mark
Re: Tomcat 6 SSL CA Certificate does not work, but Self signed Certificate does
Another option I normally use that may work for you (just confirmed it for myself with Tomcat):

1. Copy your private key and signed public certificate in PEM format into a single file looking like this:

    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,F2CCC247E25D
    .
    .
    .
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    .
    .
    -----END CERTIFICATE-----

2. Run portecle
3. File -> New Keystore (JKS)
4. Tools -> Import Key Pair...
5. Select your file, take the defaults. You'll need to provide the password for your private key if you had one.
6. Save your JKS file. Provide a password.
7. Reference it in your Tomcat config. Omit the alias.

Your server will now present just the signed public certificate but not any others in the chain. Once you get this working, you can update the JKS with portecle to add intermediate certs.

HTH,
Toby

***
Toby Lazar
Capital Technology Group
Email: tla...@capitaltg.com
Mobile: 646-469-5865
***

On Fri, Apr 4, 2014 at 5:01 PM, Mark Murphy jmarkmur...@gmail.com wrote:

> Sorry for the dumb questions, I am new to SSL, and want to understand what I am doing, not just run these instructions, and it should work.
>
> On Fri, Apr 4, 2014 at 5:00 PM, Mark Murphy jmarkmur...@gmail.com wrote:
>
> > So let me try to understand what is going on here. I generate a keystore using keytool, that contains a key. At this point it is equal to a self-signed certificate, and it works, but the browser complains that there is no CA. I then need to create a certificate request and send that off to GoDaddy. What is this? A public key that matches up with the private key? Then I have to import the certificates that GoDaddy returns to me because that validates the private key that is already in the keystore?
> >
> > [...]
Re: Tomcat 6 SSL CA Certificate does not work, but Self signed Certificate does
On 04/04/2014 22:00, Mark Murphy wrote:

> So let me try to understand what is going on here. I generate a keystore using keytool, that contains a key. At this point it is equal to a self-signed certificate, and it works, but the browser complains that there is no CA. I then need to create a certificate request and send that off to GoDaddy. What is this? A public key that matches up with the private key? Then I have to import the certificates that GoDaddy returns to me because that validates the private key that is already in the keystore?

You *really* need to attend my talk on SSL at ApacheCon next week. I go through this in a lot more detail (the slides and audio recordings of all the ApacheCon presentations should be available after the conference).

The short version is:

You generate the keystore with keytool. At this point the keystore contains your private key and your public key.

You generate a Certificate Signing Request (CSR) which is essentially a copy of your public key and your server's identity information (i.e. the FQDN).

You send this CSR to your chosen Certificate Authority (CA).

The CA generates a certificate for you. This certificate is essentially your public key, your server's identity information (i.e. everything from the CSR) plus the digital signature from the CA to confirm that they have validated the identity information.

You import the certificate into the keystore and it replaces the public key with the certificate (remembering that the cert is public key + id + digital signature so you haven't lost anything).

The CA that signed your certificate might not be one of the root CAs trusted by the user agent. Most likely it is an intermediate CA. The root CA will have signed the intermediate CA's certificate and the intermediate CA will have signed your certificate. In practice, there can be several layers of intermediate CAs. What you end up with is a trust chain from the Root CA to your certificate.

To make it easier for the browsers to validate, you need to be able to provide all of these certificates as part of the SSL handshake. Therefore your CA will tell you that you need to import 1 or more additional certs into your keystore.

HTH,

Mark
Re: Tomcat 6 SSL CA Certificate does not work, but Self signed Certificate does
Mark,

On 4.4.2014 23:00, Mark Murphy wrote:

> So let me try to understand what is going on here. I generate a keystore using keytool, that contains a key. At this point it is equal to a self-signed certificate, and it works, but the browser complains that there is no CA.

(Standard on this list is to answer below the quote.)

By using keytool -genkeypair you generate a keypair -- a private key and a public key. The public key is stored inside a self-signed certificate. Both of them (the private key and the public key inside the certificate) are stored in the keystore, which may be in various formats.

> I then need to create a certificate request and send that off to GoDaddy. What is this? A public key that matches up with the private key?

It is a public key, plus information identifying the server (or individual), packed in one message that CAs understand.

> Then I have to import the certificates that GoDaddy returns to me because that validates the private key that is already in the keystore?

First of all, you must use the same keystore you used to generate the keypair. Then, you will most probably need to import the root and intermediate certificates first to your keystore. Then, you need to import the server certificate, using the same keystore and the same alias you used to generate the keypair in the first place. If you do everything right, that final call to keytool -importcert will replace the self-signed certificate in your keystore with a new certificate chain.

-Ognjen
Re: Tomcat 6 SSL CA Certificate does not work, but Self signed Certificate does
Mark,

On 4.4.2014 23:54, Mark Thomas wrote:

> The CA that signed your certificate might not be one of the root CAs trusted by the user agent. Most likely it is an intermediate CA. The root CA will have signed the intermediate CA's certificate and the intermediate CA will have signed your certificate. In practice, there can be several layers of intermediate CAs. What you end up with is a trust chain from the Root CA to your certificate.
>
> To make it easier for the browsers to validate, you need to be able to provide all of these certificates as part of the SSL handshake. Therefore your CA will tell you that you need to import 1 or more additional certs into your keystore.

A few additional notes:

If the root certificate is in the Java system keystore then there is no need to import the root certificate. If not, a user must import it, either in the system keystore or the user keystore.

The order of imports is important. You first need to (optionally) import the root certificate, then the intermediate certificates (if any), and the server certificate in the end. Messing up the import order may cause the server to serve an incomplete certificate chain.

An incomplete chain, though not recommended, may serve its purpose for some browsers. Other clients (like Java) will fail. Browsers have means to reconstruct incomplete certificate chains, but this shouldn't be relied upon.

-Ognjen
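An added example, not code from this thread, from Tomcat or from keytool: a small pure-Python reader for the JKS format that reports the same entry types keytool -list shows, so you can confirm both points made above without guessing. Mark Thomas's point is that the alias named in keyAlias must be a PrivateKeyEntry (the CA reply imported into the keystore that holds the private key, not a fresh one), and Ognjen's is that the chain stored under that alias must be complete. The parser reads real .keystore files; the two keystores built at the bottom are constructed in memory with placeholder bytes standing in for DER certificates and the encrypted key, and the password "changeit" is a sample value.

```python
# JKS inspection: which aliases hold a private key, and how long is the chain?
# Added example, pure standard library; sample keystores below are constructed.
import hashlib
import struct

_MAGIC = 0xFEEDFEED
_VERSION = 2
_TAG_PRIVATE_KEY = 1   # keytool prints PrivateKeyEntry (keyEntry on Java 5)
_TAG_TRUSTED_CERT = 2  # keytool prints trustedCertEntry
_SALT = b"Mighty Aphrodite"  # fixed string Sun mixes into the integrity digest


def _digest(body, password):
    # JKS integrity check: SHA-1 over UTF-16BE password + salt + all entry bytes
    return hashlib.sha1(password.encode("utf-16-be") + _SALT + body).digest()


def _utf(s):
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _blob(b):
    return struct.pack(">I", len(b)) + b


def build_jks(entries, password):
    # Serialise a version-2 JKS from dicts: kind ('key'|'cert'), alias,
    # and either key + chain (list of DER certs) or a single cert.
    body = struct.pack(">III", _MAGIC, _VERSION, len(entries))
    for e in entries:
        if e["kind"] == "key":
            body += struct.pack(">I", _TAG_PRIVATE_KEY) + _utf(e["alias"]) + struct.pack(">Q", 0)
            body += _blob(e["key"]) + struct.pack(">I", len(e["chain"]))
            for cert in e["chain"]:
                body += _utf("X.509") + _blob(cert)
        else:
            body += struct.pack(">I", _TAG_TRUSTED_CERT) + _utf(e["alias"]) + struct.pack(">Q", 0)
            body += _utf("X.509") + _blob(e["cert"])
    return body + _digest(body, password)


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated keystore")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def utf(self): return self.take(self.u16()).decode("utf-8")
    def blob(self): return self.take(self.u32())


def list_entries(jks, password):
    # Verify the digest, then return {alias: (entry_type, chain_length)}.
    body, stored = jks[:-20], jks[-20:]
    if len(jks) < 20 or _digest(body, password) != stored:
        raise ValueError("Keystore was tampered with, or password was incorrect")
    r = _Reader(body)
    if r.u32() != _MAGIC or r.u32() != _VERSION:
        raise ValueError("not a version-2 JKS keystore")
    entries = {}
    for _ in range(r.u32()):
        tag, alias = r.u32(), r.utf()
        r.take(8)  # creation timestamp, not needed here
        if tag == _TAG_PRIVATE_KEY:
            r.blob()  # encrypted PKCS#8 key; never decrypted by this tool
            n = r.u32()
            for _ in range(n):
                r.utf(); r.blob()
            entries[alias] = ("PrivateKeyEntry", n)
        elif tag == _TAG_TRUSTED_CERT:
            r.utf(); r.blob()
            entries[alias] = ("trustedCertEntry", 1)
        else:
            raise ValueError("unknown entry tag %d" % tag)
    return entries


def check_server_alias(entries, alias):
    # Status for Tomcat's keyAlias: missing / no-private-key / incomplete-chain / ok
    if alias not in entries:
        return "missing", "alias %r is not in the keystore" % alias
    kind, n = entries[alias]
    if kind != "PrivateKeyEntry":
        return "no-private-key", "alias %r is a %s: certificate only, the handshake cannot complete" % (alias, kind)
    if n < 2:
        return "incomplete-chain", "alias %r holds only the server cert; import intermediates before it" % alias
    return "ok", "alias %r is a PrivateKeyEntry with a %d-certificate chain" % (alias, n)


# Constructed placeholders standing in for DER certificates and the protected key.
ROOT, INTERMED, SERVER, KEY = b"root-der", b"intermed-der", b"tcat-der", b"pkcs8-der"
PASSWORD = "changeit"  # sample password

# The state described in the thread: every alias is a trustedCertEntry, so the
# private key generated with -genkeypair is not in this keystore at all.
BROKEN = build_jks([{"kind": "cert", "alias": "root", "cert": ROOT},
                    {"kind": "cert", "alias": "intermed", "cert": INTERMED},
                    {"kind": "cert", "alias": "tcat", "cert": SERVER}], PASSWORD)

# The intended state: the CA reply imported under the -genkeypair alias, which
# keeps the private key and swaps the self-signed cert for the full chain.
FIXED = build_jks([{"kind": "cert", "alias": "root", "cert": ROOT},
                   {"kind": "cert", "alias": "intermed", "cert": INTERMED},
                   {"kind": "key", "alias": "tcat", "key": KEY, "chain": [SERVER, INTERMED, ROOT]}], PASSWORD)

if __name__ == "__main__":
    for name, ks in (("broken", BROKEN), ("fixed", FIXED)):
        entries = list_entries(ks, PASSWORD)
        print(name, entries, check_server_alias(entries, "tcat"))
```

To run it against a real keystore, read the file into bytes and call list_entries(data, keystore_password) followed by check_server_alias(entries, "tcat"); a wrong password fails the digest check exactly as keytool does. The tool never decrypts the private key, so it is safe to run on a production keystore to audit the entry type and chain length.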
Re: Tomcat 6 SSL CA Certificate does not work, but Self signed Certificate does
Thanks everyone, this has been very informative.