Re: help needed - keytool import of CA certs
Thanks, Bill. I need to get better at digging through the archives ;-)

Robert

Bill Barker wrote:
> > 3. What else is needed in addition to an existing server cert file if you don't have to go through the CSR process?
>
> If you used keytool to generate the original CSR, then you have to import your cert into the same keystore that you used to generate the CSR. Otherwise you need to import your private key as well. This comes up every couple of weeks like clockwork, so you'll find plenty of pointers in the archives :).

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: help needed - keytool import of CA certs
Robert,

First thing, Tomcat looks for .keystore in the home folder of the user who is running Tomcat. If this is not available, or you wish to move the keystore, you can state so in the Connector within server.xml.

Another thing, the password defaults to 'changeit'; if you wish to have an alternative password, you will need to specify it again within the Connector element.

Third, you appear to be using -trustcacerts. Is the cert you specify in hostname.crt the CA root cert (local CA) or the signed certificate? From your description, I assume it is the signed valid cert from Verisign. Off the top of my head, I don't remember the need for the '-trustcacerts'.

This is a good site that may help as well: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html

-----Original Message-----
From: Robert Hall [mailto:[EMAIL PROTECTED]
Sent: Monday, April 12, 2004 6:56 PM
To: Tomcat Users List
Subject: help needed - keytool import of CA certs

I've been floundering for too many hours/days having ventured into the java/keytool/keystore/CAcert realm for the first time to produce a CA signed certificate for JBoss/Tomcat.

We have a Verisign/RSA cert, hostname.crt, that produces the following when imported using 'keytool':

  $ keytool -import -trustcacerts -file hostname.crt -keystore hostname.keystore
  Enter keystore password: secret
  Owner: CN=hostname.berkeley.edu, OU=MY-ORG-UNIT, O=University of California, Berkeley, L=Berkeley, ST=California, C=US
  Issuer: OU=Secure Server Certification Authority, O=RSA Data Security, Inc., C=US
  Serial number: 63ba7416f9d061ad65db8b61554bd8c3
  Valid from: Wed Aug 13 17:00:00 PDT 2003 until: Fri Aug 13 16:59:59 PDT 2004
  Certificate fingerprints:
       MD5:  05:A7:B1:17:6B:C2:0B:FA:9A:B9:80:22:6A:B0:96:6B
       SHA1: B9:34:D0:58:C4:9C:01:CD:C1:05:D9:FD:C1:D1:45:43:E3:6C:17:1A
  Trust this certificate? [no]: yes
  Certificate was added to keystore

And if you're still reading, some questions:

1. Should the "Trust this certificate?" prompt appear if a corresponding CA cert entry exists in $JAVA_HOME/jre/lib/security/cacerts?

2. Is it necessary to go through the CSR (Certificate Signing Request) process when you already have a server cert file?

3. What else is needed in addition to an existing server cert file if you don't have to go through the CSR process?

Thanks,
Robert
Re: help needed - keytool import of CA certs
Arthur,

Thanks for the reply. Yes, the hostname.crt file is a signed certificate. I've tried importing both with and without the -trustcacerts parameter; the imports are successful, but I get the following exception in JBoss-3.2.3/Tomcat-4.1.29:

  16:23:59,561 ERROR [PoolTcpEndpoint] Endpoint [SSL: ServerSocket[addr=/0.0.0.0,port=0,localport=8753]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
  java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
          at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:152)
          at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:387)
          at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:569)
          at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:677)
          at java.lang.Thread.run(Thread.java:536)

Thanks,
Robert
RE: help needed - keytool import of CA certs
I'm not too familiar with JBoss, is it within Tomcat? If so, what does your server.xml Connector snippet look like?
Re: help needed - keytool import of CA certs
JBoss has Tomcat embedded and it uses jboss-service.xml instead of Tomcat's server.xml. The Connector element:

  <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
             address="${jboss.bind.address}" port="8753"
             scheme="https" secure="true" enableLookups="true">
    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
             SSLImplementation="org.apache.tomcat.util.net.jsse.JSSEImplementation"
             keystoreFile="${jboss.server.home.dir}/conf/hostname.keystore"
             keystorePass="secret"
             clientAuth="false"
             protocol="TLS"/>
  </Connector>

Thanks,
Robert
RE: help needed - keytool import of CA certs
Have you tried the tc4 org.apache.catalina.net.SSLServerSocketFactory?

  <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
             address="${jboss.bind.address}" port="8753"
             scheme="https" secure="true" enableLookups="true">
    <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
             keystoreFile="${jboss.server.home.dir}/conf/hostname.keystore"
             keystorePass="secret"
             clientAuth="false"
             protocol="TLS"/>
  </Connector>

The other thing, what does the keystore look like:

  keytool -list -v -keystore hostname.keystore

I am not 100% sure if Tomcat requires the cert to be inside of an alias of 'tomcat'; that is how the tutorials do it, and how I've implemented ours. It's not difficult to copy to another alias:

  keytool -keyclone -alias <current alias> -dest tomcat
Re: help needed - keytool import of CA certs
No, haven't tried it, but I will. Thanks, again.

Robert
Re: help needed - keytool import of CA certs
Robert Hall [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> I've been floundering for too many hours/days having ventured into the java/keytool/keystore/CAcert realm for the first time to produce a CA signed certificate for JBoss/Tomcat.
>
> We have a Verisign/RSA cert, hostname.crt, that produces the following when imported using 'keytool':
>
>   $ keytool -import -trustcacerts -file hostname.crt -keystore hostname.keystore
>   Enter keystore password: secret
>   Owner: CN=hostname.berkeley.edu, OU=MY-ORG-UNIT, O=University of California, Berkeley, L=Berkeley, ST=California, C=US
>   Issuer: OU=Secure Server Certification Authority, O=RSA Data Security, Inc., C=US
>   Serial number: 63ba7416f9d061ad65db8b61554bd8c3
>   Valid from: Wed Aug 13 17:00:00 PDT 2003 until: Fri Aug 13 16:59:59 PDT 2004
>   Certificate fingerprints:
>        MD5:  05:A7:B1:17:6B:C2:0B:FA:9A:B9:80:22:6A:B0:96:6B
>        SHA1: B9:34:D0:58:C4:9C:01:CD:C1:05:D9:FD:C1:D1:45:43:E3:6C:17:1A
>   Trust this certificate? [no]: yes
>   Certificate was added to keystore
>
> And if you're still reading, some questions:
>
> 1. Should the "Trust this certificate?" prompt appear if a corresponding CA cert entry exists in $JAVA_HOME/jre/lib/security/cacerts?

VS uses an intermediate cert to sign yours. You probably need to import that one (but I don't feel like looking to see if it is already there :).

> 2. Is it necessary to go through the CSR (Certificate Signing Request) process when you already have a server cert file?

No.

> 3. What else is needed in addition to an existing server cert file if you don't have to go through the CSR process?

If you used keytool to generate the original CSR, then you have to import your cert into the same keystore that you used to generate the CSR. Otherwise you need to import your private key as well. This comes up every couple of weeks like clockwork, so you'll find plenty of pointers in the archives :).

> Thanks,
> Robert
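An added check, not code from the thread: the situation Bill describes (the signed cert imported into a keystore that does not hold the key pair behind the CSR) shows up in `keytool -list -v` output as an entry of type trustedCertEntry with no keyEntry/PrivateKeyEntry beside it, which is exactly the keystore that produces the "No available certificate corresponds to the SSL cipher suites" error. The script below parses such a listing and reports whether a private-key entry exists; the two listings are constructed samples and the alias names in them are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies the entries of a
# `keytool -list -v` listing. keytool prints "Entry type: keyEntry" (older
# JDKs) or "Entry type: PrivateKeyEntry" for a private key with its
# certificate chain, and "Entry type: trustedCertEntry" for a certificate on
# its own. A TLS connector needs a private-key entry; a keystore holding only
# trustedCertEntry items cannot complete the handshake.

# Print "alias<TAB>entrytype" for every entry in a listing read on stdin.
# Aliases may contain spaces, so the prefix is stripped rather than using $3.
list_entries() {
    awk '
        /^Alias name:/ { sub(/^Alias name: */, ""); alias = $0 }
        /^Entry type:/ { print alias "\t" $3 }
    '
}

# Exit 0 if the listing on stdin holds at least one private-key entry.
has_key_entry() {
    list_entries | awk -F'\t' '
        $2 == "keyEntry" || $2 == "PrivateKeyEntry" { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Print the aliases that hold a certificate only (no private key).
cert_only_aliases() {
    list_entries | awk -F'\t' '$2 == "trustedCertEntry" { print $1 }'
}

# Verdict for a listing passed as a string; returns 1 when the keystore
# cannot serve TLS.
check_listing() {
    if printf '%s\n' "$1" | has_key_entry; then
        echo "OK: private-key entry present, the connector can serve TLS"
        return 0
    fi
    echo "PROBLEM: no private-key entry; certificate-only aliases:" \
        "$(printf '%s\n' "$1" | cert_only_aliases | tr '\n' ' ')"
    return 1
}

# Constructed sample: a fresh keystore after `keytool -import -file
# hostname.crt` with no matching key pair in it (alias "mykey" is assumed).
CERT_ONLY_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: mykey
Creation date: Apr 12, 2004
Entry type: trustedCertEntry

Owner: CN=hostname.berkeley.edu, OU=MY-ORG-UNIT, O=University of California, Berkeley, L=Berkeley, ST=California, C=US
Issuer: OU=Secure Server Certification Authority, O=RSA Data Security, Inc., C=US'

# Constructed sample: the keystore that generated the CSR, after the signed
# cert was imported under the same alias (assumed: "tomcat") and the CA's
# intermediate cert was imported as a trusted entry (assumed alias).
KEY_ENTRY_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: tomcat
Creation date: Apr 12, 2004
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=hostname.berkeley.edu, OU=MY-ORG-UNIT, O=University of California, Berkeley, L=Berkeley, ST=California, C=US
Issuer: OU=Secure Server Certification Authority, O=RSA Data Security, Inc., C=US

Alias name: verisign intermediate
Creation date: Apr 12, 2004
Entry type: trustedCertEntry'

# Against a real keystore:
#   keytool -list -v -keystore hostname.keystore | has_key_entry
check_listing "$CERT_ONLY_LISTING" || :
check_listing "$KEY_ENTRY_LISTING"
```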