Your Certificate Authority (The certificate used to sign your other certificates, in this case provided by your Windows CA Server) is not trusted by your clients.
Are your clients internal or external to your company? If your clients are internal, you can add the certificate to the trusted roots on each client machine truststore or each user's truststore that Windows keeps in the registry. (I would assume that your Windows 2008 CA Server may have a way to push the certificate into your domain computers, but I have never used the product, so I don't know) If your clients are external, then you cannot expect them trust your certificate authority. You need to obtain a certificate from Verisign, Thawte or any other company providing certificates. On Sat, Feb 26, 2011 at 12:42 AM, Joseph L. Casale <jcas...@activenetwerx.com> wrote: > I have setup a keystore as follows: > keytool -genkey -alias tomcat -keyalg RSA -dname CN=<server FQDN>,OU="Company > Name",O=" Company Name ",L=city,ST=province,C=CA \ > -keystore /path/keystore -keypass phrase -storepass phrase > > I then generated a CSR: > keytool -certreq -keyalg RSA -alias tomcat -file /path/certreq.csr -keystore > /path/keystore > > I signed the certificate on our Windows Server 2008 R2 CA Server: > certreq.exe -attrib "CertificateTemplate:WebServer" c:\data\certreq.csr > c:\data\certreq.cer > > I added the signed sert: > keytool -import -alias tomcat2 -keystore /path/keystore -trustcacerts -file > /path/certreq.cer > > Lastly I added the Base 64 encoded X.509 root ca from our active directory ca: > keytool -keystore /path/keystore -keyalg RSA -import -trustcacerts -alias > cacert -file /path/root-ca.crt > > This all completed w/o error, so I created the connector in the server.xml > yet when > domain clients connect to the ssl site, they are prompted with warnings > suggesting > the root cert is not trusted? > > Any pointers where I erred? > Thanks! > jlc > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
