Hello,

Yeah, that's a good text, I'll add it. Thanks Mike!

Regards,
Karl Avedal

David Ekholm wrote:

> That's what I call an answer! It explained a lot. Orion guys, please add that
> to your SSL howto.
> You can also retrieve a cert+CAcert already chained right from Thawte.
> Select an SSL type test cert and also check the chaining setting on the web
> page for test cert generation.
> /David
>
> ----- Original Message -----
> From: Mike Atkin [mailto:[EMAIL PROTECTED]]
> To: "Orion-Interest" <[EMAIL PROTECTED]>
> Subject: SSL question
>
> The problem with the first command is that keytool can't find the root CA
> certificates in your keystore and therefore can't build up the certificate
> chain from your server key to the trusted root certificate authority. With
> the second example, keytool is using the system keystore and can locate the
> root CA certs in <jdk-dir>/jre/lib/security/cacerts.
>
> When I created my keystore I used a certificate from BT Trustwise, which is
> an intermediate CA, so I had yet another cert to add. The commands went
> something like this (assume keystore does not yet exist):
>
> keytool -keystore keystore -import -alias cacert -file cacert.cer
> # Only need this if you are using an intermediate signing authority like BT Trustwise
> keytool -keystore keystore -import -alias intercert -file inter.cer
> keytool -keystore keystore -genkey -keyalg RSA -alias serverkey
> # -alias is needed here too; without it keytool looks for the default alias "mykey"
> keytool -keystore keystore -certreq -alias serverkey -file my.host.com.csr
>
> Get cert from csr then:
> keytool -keystore keystore -import -file my.host.com.cer -alias serverkey
>
> That should be that.  You can do a keytool -keystore keystore -v -list and
> check that a cert chain has been built.
>
> You can probably get round your problem just by importing the CA certs into
> your keystore and then trying to re-add your server cert.
>
> HTH
>
> Mike
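
Added example (not part of the original thread or of Orion's documentation): a POSIX shell helper for the final check Mike describes. It reads `keytool -keystore keystore -v -list` output and reports whether a key entry's chain was built or is still the self-signed certificate left by `-genkey`. The function names and the sample listing are constructed for illustration.

```shell
# chain_status ALIAS: reads `keytool -v -list` output on stdin and prints
# chained:N, self-signed, not-a-key-entry or missing for that alias.
chain_status() {
  awk -v want="$1" '
    /^Alias name: /               { alias = substr($0, 13); next }
    alias != want                 { next }
    /^Entry type: /               { type = substr($0, 13); next }
    /^Certificate chain length: / { len = $4 + 0; next }
    # Only the first Owner/Issuer pair (the leaf, Certificate[1]) matters.
    /^Owner: /  && owner == ""    { owner = substr($0, 8); next }
    /^Issuer: / && issuer == ""   { issuer = substr($0, 9); next }
    END {
      if (type == "") { print "missing"; exit }
      # Older JDKs print keyEntry instead of PrivateKeyEntry.
      if (type !~ /^(PrivateKeyEntry|keyEntry)$/) { print "not-a-key-entry"; exit }
      if (len < 2 || owner == issuer) { print "self-signed"; exit }
      print "chained:" len
    }'
}

# Constructed sample of `keytool -keystore keystore -v -list` output (trimmed).
sample_listing() {
  cat <<'EOF'
Alias name: cacert
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Issuer: CN=Example Root CA

Alias name: serverkey
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=my.host.com
Issuer: CN=Example Intermediate CA
Certificate[2]:
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA
Certificate[3]:
Owner: CN=Example Root CA
Issuer: CN=Example Root CA

Alias name: oldkey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=old.host.com
Issuer: CN=old.host.com
EOF
}
```

Against a real keystore: `keytool -keystore keystore -v -list | chain_status serverkey`. A result of `self-signed` after importing the CA reply means the chain was not established and the server would still present the `-genkey` certificate.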

