Re: help needed - keytool import of CA certs

2004-04-13 Thread Robert Hall
Thanks, Bill.  I need to get better at digging through the archives ;-)  
Robert

Bill Barker wrote:

3. What else is needed in addition to an existing server cert file if
   you don't have to go through the CSR process?


If you used keytool to generate the original CSR, then you have to import
your cert into the same keystore that you used to generate the CSR.
Otherwise you need to import your private key as well.  This comes up every
couple of weeks like clockwork, so you'll find plenty of pointers in the
archives :).


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


RE: help needed - keytool import of CA certs

2004-04-12 Thread D'Alessandro, Arthur
Robert,
First thing, Tomcat looks for .keystore in the home folder of the user
running Tomcat; if this is not available, or you wish to move the
keystore, you can state so in the Connector within server.xml.

Another thing, the password defaults to 'changeit'; if you wish to have
an alternative password, you will need to specify it again within the
Connector element.

Third, you appear to be using -trustcacerts. Is the cert you specify
in hostname.crt the CA root cert (local CA) or the signed certificate?
From your description, I assume it is the signed valid cert from
Verisign.

Off the top of my head, I don't remember the need for '-trustcacerts'.

This is a good site that may help as well:
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html
 

-Original Message-
From: Robert Hall [mailto:[EMAIL PROTECTED] 
Sent: Monday, April 12, 2004 6:56 PM
To: Tomcat Users List
Subject: help needed - keytool import of CA certs

I've been floundering for too many hours/days having ventured into the
java/keytool/keystore/CAcert realm for the first time to produce a
CA signed certificate for JBoss/Tomcat.

We have a Verisign/RSA cert, hostname.crt, that produces the following
when imported using 'keytool':

$ keytool -import -trustcacerts -file hostname.crt -keystore hostname.keystore
Enter keystore password:  secret
Owner: CN=hostname.berkeley.edu, OU=MY-ORG-UNIT, O=University of California, Berkeley, L=Berkeley, ST=California, C=US
Issuer: OU=Secure Server Certification Authority, O=RSA Data Security, Inc., C=US
Serial number: 63ba7416f9d061ad65db8b61554bd8c3
Valid from: Wed Aug 13 17:00:00 PDT 2003 until: Fri Aug 13 16:59:59 PDT 2004
Certificate fingerprints:
     MD5:  05:A7:B1:17:6B:C2:0B:FA:9A:B9:80:22:6A:B0:96:6B
     SHA1: B9:34:D0:58:C4:9C:01:CD:C1:05:D9:FD:C1:D1:45:43:E3:6C:17:1A
Trust this certificate? [no]:  yes
Certificate was added to keystore

And if you're still reading, some questions:

1. Should the "Trust this certificate?" prompt appear if a corresponding
   CA cert entry exists in $JAVA_HOME/jre/lib/security/cacerts?

2. Is it necessary to go through the CSR (Certificate Signing Request)
   process when you already have a server cert file?

3. What else is needed in addition to an existing server cert file if
   you don't have to go through the CSR process?

Thanks,
Robert



Re: help needed - keytool import of CA certs

2004-04-12 Thread Robert Hall
Arthur,

Thanks for the reply.  Yes, the hostname.crt file is a signed certificate.
I've tried importing both with and without the -trustcacerts parameter;
the imports are successful, but I get the following exception in
JBoss-3.2.3/Tomcat-4.1.29:

16:23:59,561 ERROR [PoolTcpEndpoint] Endpoint [SSL: ServerSocket[addr=/0.0.0.0,port=0,localport=8753]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:152)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:387)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:569)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:677)
    at java.lang.Thread.run(Thread.java:536)

Thanks,
Robert

RE: help needed - keytool import of CA certs

2004-04-12 Thread D'Alessandro, Arthur
I'm not too familiar with JBoss; is it within Tomcat?  If so, what does
your server.xml Connector snippet look like?


Re: help needed - keytool import of CA certs

2004-04-12 Thread Robert Hall
JBoss has Tomcat embedded and it uses jboss-service.xml instead of
Tomcat's server.xml.  The Connector element:

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           address="${jboss.bind.address}" port="8753" scheme="https"
           secure="true" enableLookups="true">
    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
             SSLImplementation="org.apache.tomcat.util.net.jsse.JSSEImplementation"
             keystoreFile="${jboss.server.home.dir}/conf/hostname.keystore"
             keystorePass="secret"
             clientAuth="false"
             protocol="TLS"/>
</Connector>

Thanks,
Robert

RE: help needed - keytool import of CA certs

2004-04-12 Thread D'Alessandro, Arthur
Have you tried the tc4 org.apache.catalina.net.SSLServerSocketFactory?

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           address="${jboss.bind.address}" port="8753" scheme="https"
           secure="true" enableLookups="true">
    <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
             keystoreFile="${jboss.server.home.dir}/conf/hostname.keystore"
             keystorePass="secret"
             clientAuth="false"
             protocol="TLS"/>
</Connector>

The other thing, what does the keystore look like:
keytool -list -v -keystore hostname.keystore

I am not 100% sure if Tomcat requires the cert to be inside of an alias
of 'tomcat'; that is how the tutorials do it, and how I've implemented ours.

It's not difficult to copy to another alias:
keytool -keyclone -alias <current alias> -dest tomcat


Re: help needed - keytool import of CA certs

2004-04-12 Thread Robert Hall
No, haven't tried it, but I will.
Thanks, again.
Robert


Re: help needed - keytool import of CA certs

2004-04-12 Thread Bill Barker

Robert Hall [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 And if you're still reading, some questions:

 1. Should the "Trust this certificate?" prompt appear if a corresponding
    CA cert entry exists in $JAVA_HOME/jre/lib/security/cacerts?

VS uses an intermediate cert to sign yours.  You probably need to import
that one (but I don't feel like looking to see if it is already there :).


 2. Is it necessary to go through the CSR (Certificate Signing Request)
    process when you already have a server cert file?

No.


 3. What else is needed in addition to an existing server cert file if
    you don't have to go through the CSR process?

If you used keytool to generate the original CSR, then you have to import
your cert into the same keystore that you used to generate the CSR.
Otherwise you need to import your private key as well.  This comes up every
couple of weeks like clockwork, so you'll find plenty of pointers in the
archives :).

 Thanks,
 Robert
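Arthur's "keytool -list -v" and alias 'tomcat' suggestion and Bill's point that the signed cert must go into the keystore holding the private key from the CSR are two views of the same check. The script below is an added example, not code from anyone in the thread: it parses a keytool -list -v listing (both listings here are constructed to mimic real output, and the alias names mykey and tomcat are assumptions) and reports whether the alias the connector uses actually holds a private key with its CA chain, rather than the bare trustedCertEntry that produces the handshake error Robert posted.

```shell
#!/bin/sh
# Added example, not code from the thread: interpret the output of
#   keytool -list -v -keystore hostname.keystore
# The two listings are constructed to mimic JDK 1.4-era keytool output.
# JDK 6+ prints "PrivateKeyEntry" where 1.4 printed "keyEntry"; both are accepted.

# Constructed listing: the CA-signed cert was imported into a fresh keystore,
# so it landed under the default alias "mykey" as a trustedCertEntry with no
# private key. This is the state in which JSSE reports "No available
# certificate corresponds to the SSL cipher suites which are enabled".
CERT_ONLY_LISTING='Keystore type: jks

Your keystore contains 1 entry

Alias name: mykey
Creation date: Apr 12, 2004
Entry type: trustedCertEntry

Owner: CN=hostname.berkeley.edu, OU=MY-ORG-UNIT, O=University of California, Berkeley, L=Berkeley, ST=California, C=US
Issuer: OU=Secure Server Certification Authority, O=RSA Data Security, Inc., C=US
'

# Constructed listing: the same cert imported into the keystore that produced
# the CSR, under the alias that holds the key pair. The entry stays a keyEntry
# and its chain grows to two certificates (server cert plus issuer).
KEY_LISTING='Keystore type: jks

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Apr 12, 2004
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=hostname.berkeley.edu, OU=MY-ORG-UNIT, O=University of California, Berkeley, L=Berkeley, ST=California, C=US
Issuer: OU=Secure Server Certification Authority, O=RSA Data Security, Inc., C=US
'

# entry_type ALIAS: read a listing on stdin and print the "Entry type" recorded
# for ALIAS, or "missing" when the alias is not in the keystore.
entry_type() {
    awk -v want="$1" '
        /^Alias name: / { alias = substr($0, 13) }
        /^Entry type: / { if (alias == want) { print substr($0, 13); found = 1; exit } }
        END             { if (!found) print "missing" }
    '
}

# chain_length ALIAS: print "Certificate chain length" for ALIAS, or 0 when the
# entry has no chain (a trustedCertEntry) or the alias is absent.
chain_length() {
    awk -v want="$1" '
        /^Alias name: /               { alias = substr($0, 13) }
        /^Certificate chain length: / { if (alias == want) { print substr($0, 27); found = 1; exit } }
        END                           { if (!found) print 0 }
    '
}

# diagnose ALIAS: classify what the SSL connector will find under ALIAS.
#   ok        private key plus its CA-signed chain: TLS can be served
#   key-only  private key but chain length 1: the CA reply was never imported
#   cert-only trusted certificate only, no private key: the handshake error above
#   no-alias  alias not present in this keystore
diagnose() {
    listing=$(cat)
    case "$(printf '%s\n' "$listing" | entry_type "$1")" in
        keyEntry|PrivateKeyEntry)
            if [ "$(printf '%s\n' "$listing" | chain_length "$1")" -ge 2 ]; then
                echo ok
            else
                echo key-only
            fi ;;
        trustedCertEntry) echo cert-only ;;
        missing)          echo no-alias ;;
        *)                echo unknown ;;
    esac
}

# Stand-alone run; on a real host pipe keytool itself into diagnose instead:
#   keytool -list -v -keystore hostname.keystore | diagnose tomcat
printf '%s\n' "$CERT_ONLY_LISTING" | diagnose mykey    # cert-only
printf '%s\n' "$KEY_LISTING"       | diagnose tomcat   # ok
```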



