Re: Installing certificate chain on Tomat

2010-04-13 Thread Christopher Schultz

Michael,

On 4/12/2010 4:55 PM, Michael Dockery wrote:
> because tomcat has the root for the client cert loaded into its truststore,   
>  and the matching client cert "subject" name (ie: user)  loaded in its auth 
> realm  
> the client is therefore authenticated

Right: Tomcat can authenticate the client certificate because it has the
required trust roots. The OP was asking about the opposite: the client is
complaining that the server's cert is untrusted (or, rather, that the
cert chain doesn't lead to a known, trusted root).

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Installing certificate chain on Tomat

2010-04-12 Thread Michael Dockery
in my case, i am testing with clients authenticating to tomcat with dod cac 
cards. (smartcards)

i downloaded the dod root p7b cert files

i checked/verified the root cert for the client cac card certs,
 matched the dod root certs (in the p7b files)

i extracted ONLY the root certs from each p7b file
  into X.509 base64-encoded .cer files


then i imported ONLY those dod x509 root certs into tomcat's truststorefile


now when a client browses to tomcat, it tries to authenticate with the 
client-cert (from the cac card)

because tomcat has the root for the client cert loaded into its truststore,   
 and the matching client cert "subject" name (ie: user)  loaded in its auth 
realm  
    the client is therefore authenticated

i have more to do but that much is working.




From: Christopher Schultz 
To: Tomcat Users List 
Sent: Mon, April 12, 2010 9:32:32 AM
Subject: Re: Installing certificate chain on Tomat


/U,

On 4/10/2010 3:31 PM, /U wrote:
>                    maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                keystoreFile="/users/me/.keystore" keystorePass="changeit"
>      />

Are you using APR (aka Tomcat native)?

> I have received the following keys/certs from CA:
>    - file1: private key for myhost
>    - file2: identity certificate for "myhost" signed by "CA1"
>    - file3: certificate for "CA1" signed by "entrust"
> 
> I installed private key (file1) and "myhost" cert (file2) into
> /users/me/.keystore
> using the ImportKey utility.
> I installed the CA1's certificate into "/users/me/.keystore" using keytool.
> My keytool looks like this:
>    $ keytool -list -keystore /users/me/.keystore 
>    <...password...>

Heh... you mean it's not "changeit"? :)

>    Keystore type: JKS
>    Keystore provider: SUN
> 
>    Your keystore contains 2 entries

Shouldn't that be 3 entries?

>    CA1, Apr 10, 2010, trustedCertEntry,
>    Certificate fingerprint (MD5):
> 2F:B3:00:F2:FA:12:7B:BD:82:95:70:05:99:12:17:DB:BE
>    tomcat, Apr 10, 2010, PrivateKeyEntry, 
>    Certificate fingerprint (MD5):
> CD:D9:06:11:30:CD:C2:60:33:33:68:A2:30:5C:01:50

What about the "entrust" one?

> I did not install any certificates into truststore
> (jre/lib/security/cacerts).
> 
> When I connect browser to https://myhost, i get a cert error that
>    "myhost" is signed by "CA1"and cannot be trusted.
> Browser show only one cert (for "myhost") and not show the full
> cert chain ("myhost" -> "CA1" and "CA1" -> entrust).
> Why is the full cert chain not sent to browser.

Because you haven't provided the whole certificate chain to Tomcat.
Tomcat can only send what it already has.

> Since "entrust" CA cert is in browser CA list, if tomcat send full cert
> chain
> to browser, it would be trusted.

Maybe, maybe not. It's possible that the real cert chain goes like this:

myhost -> CA1 -> Entrust -> Entrust Global

If your browser only knows about the "Entrust Global" cert, then your
chain is broken.

Did you follow the instructions on Entrust's web site?

http://www.entrust.net/knowledge-base/technote.cfm?tn=7559
(for chain certs)

http://www.entrust.net/knowledge-base/technote.cfm?tn=7583
(for bare certs, I guess)

Perhaps they are the ones to ask about this.

You might want to ask why they don't "support" a version of Tomcat after
4.1.

-chris



  

Re: Installing certificate chain on Tomat

2010-04-12 Thread Christopher Schultz

/U,

On 4/10/2010 4:13 PM, /U wrote:
> i am confused about one thing: while keystore is explicitly specified 
> in connector config, what about the truststore?

It can also be configured in the <Connector>. Have you not read any of
the documentation?

> i assume truststore stores the trusted CA certs (as opposed to
> private keys/identity cert). Is this correct?

http://lmgtfy.com/?q=java+keystore+versus+truststore

> Why does not connector config not refer to truststore config ?

Because most people don't need it. It's getting more common to see
chained certificates, but I'm not entirely sure that the truststore is
required. Patches to the documentation are always welcome.

> Or is that by default become ${JAVA_HOME}/jre/lib/security/cacerts?

Please read the HTTP Connector documentation: it really does tell you
what all the defaults are.

> What is the relation/differences (as far as tomcat is concerned) between
> keystore, truststore and {JAVA_HOME}/jre/lib/security/cacerts?

http://lmg... oh, I can't even bring myself to finish that.

-chris




Re: Installing certificate chain on Tomat

2010-04-12 Thread Christopher Schultz

/U,

On 4/10/2010 3:31 PM, /U wrote:
>maxThreads="150" scheme="https" secure="true"
>clientAuth="false" sslProtocol="TLS"
>keystoreFile="/users/me/.keystore" keystorePass="changeit"
>  />

Are you using APR (aka Tomcat native)?

> I have received the following keys/certs from CA:
> - file1: private key for myhost
> - file2: identity certificate for "myhost" signed by "CA1"
> - file3: certificate for "CA1" signed by "entrust"
> 
> I installed private key (file1) and "myhost" cert (file2) into
> /users/me/.keystore
> using the ImportKey utility.
> I installed the CA1's certificate into "/users/me/.keystore" using keytool.
> My keytool looks like this:
>$ keytool -list -keystore /users/me/.keystore 
><...password...>

Heh... you mean it's not "changeit"? :)

>Keystore type: JKS
>Keystore provider: SUN
> 
>Your keystore contains 2 entries

Shouldn't that be 3 entries?

>CA1, Apr 10, 2010, trustedCertEntry,
>Certificate fingerprint (MD5):
> 2F:B3:00:F2:FA:12:7B:BD:82:95:70:05:99:12:17:DB:BE
>tomcat, Apr 10, 2010, PrivateKeyEntry, 
>Certificate fingerprint (MD5):
> CD:D9:06:11:30:CD:C2:60:33:33:68:A2:30:5C:01:50

What about the "entrust" one?

> I did not install any certificates into truststore
> (jre/lib/security/cacerts).
> 
> When I connect browser to https://myhost, i get a cert error that
> "myhost" is signed by "CA1"and cannot be trusted.
> Browser show only one cert (for "myhost") and not show the full
> cert chain ("myhost" -> "CA1" and "CA1" -> entrust).
> Why is the full cert chain not sent to browser.

Because you haven't provided the whole certificate chain to Tomcat.
Tomcat can only send what it already has.

> Since "entrust" CA cert is in browser CA list, if tomcat send full cert
> chain
> to browser, it would be trusted.

Maybe, maybe not. It's possible that the real cert chain goes like this:

myhost -> CA1 -> Entrust -> Entrust Global

If your browser only knows about the "Entrust Global" cert, then your
chain is broken.

Did you follow the instructions on Entrust's web site?

http://www.entrust.net/knowledge-base/technote.cfm?tn=7559
(for chain certs)

http://www.entrust.net/knowledge-base/technote.cfm?tn=7583
(for bare certs, I guess)

Perhaps they are the ones to ask about this.

You might want to ask why they don't "support" a version of Tomcat after
4.1.

-chris




Re: Installing certificate chain on Tomat

2010-04-10 Thread /U

I tried this on different systems (*nix and XP) and hence the 
differences in my excerpts. but in each case, the connector
config correctly refers to the keystore. i am sorry i quoted different
configs - will stick to *nix from now on.

i am confused about one thing: while keystore is explicitly specified 
in connector config, what about the truststore?

i assume truststore stores the trusted CA certs (as opposed to
private keys/identity cert). Is this correct?

Why does the connector config not refer to truststore config?
Or is that by default become ${JAVA_HOME}/jre/lib/security/cacerts?

What is the relation/differences (as far as tomcat is concerned) between
keystore, truststore and {JAVA_HOME}/jre/lib/security/cacerts?

with sincere thanx!

/U



Christopher Schultz-2 wrote:
> 
> 
> /U,
> 
> On 4/10/2010 12:01 AM, /U wrote:
>> i am installing certificate chain on tomcat 6.x (JRE 1.6). From my CA I
>> have
>> private key (PEM), 
>> identity cert (PEM)  (CA X trusts myhost)
>>and a cert chain file (PEM file) (entrust trusts CA X)
>> 
>> The cert chain is: (entrust) === trusts ==> (CA X) == trusts ==> myhost
>> 
>> I have converted the private key and identity cert into DER form
>> and have imported into /etc/keystore (tomcat's keystore).
> 
> Tomcat does not use /etc/keystore unless you tell it to do so. Can you
> show us your server.xml, specifically your SSL <Connector> element?
> 
> -chris
> 
> 
> 
> 

-- 
View this message in context: 
http://old.nabble.com/Installing-certificate-chain-on-Tomat-tp28199836p2820.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Installing certificate chain on Tomat

2010-04-10 Thread /U

Thank you Chris for your suggestion.

Here is my connector:

   

I have received the following keys/certs from CA:
- file1: private key for myhost
- file2: identity certificate for "myhost" signed by "CA1"
- file3: certificate for "CA1" signed by "entrust"

I installed private key (file1) and "myhost" cert (file2) into
/users/me/.keystore
using the ImportKey utility.
I installed the CA1's certificate into "/users/me/.keystore" using keytool.
My keytool looks like this:
   $ keytool -list -keystore /users/me/.keystore 
   <...password...>
   Keystore type: JKS
   Keystore provider: SUN

   Your keystore contains 2 entries

   CA1, Apr 10, 2010, trustedCertEntry,
   Certificate fingerprint (MD5):
2F:B3:00:F2:FA:12:7B:BD:82:95:70:05:99:12:17:DB:BE
   tomcat, Apr 10, 2010, PrivateKeyEntry, 
   Certificate fingerprint (MD5):
CD:D9:06:11:30:CD:C2:60:33:33:68:A2:30:5C:01:50
  $

I did not install any certificates into truststore
(jre/lib/security/cacerts).

When I connect browser to https://myhost, i get a cert error that
"myhost" is signed by "CA1"and cannot be trusted.
Browser show only one cert (for "myhost") and not show the full
cert chain ("myhost" -> "CA1" and "CA1" -> entrust).
Why is the full cert chain not sent to browser.
Since "entrust" CA cert is in browser CA list, if tomcat send full cert
chain
to browser, it would be trusted.


Also, when I use the openssl client, I see that the full cert chain is not sent:
   C:\>  openssl s_client -connect myhost:443

   verify error:num=21:unable to verify the first certificate
   verify return:1
   ---
   Certificate chain
 0 s:/C=US/ST=YY/L=XX/O=myhost Inc./OU=IT/CN=myhost
 i:/C=US/O=CA1, Inc./OU=www.CA1.net is incorporated by reference/OU=...,
Inc./CN=CA1Certification Authority 

Why does this chain not have CA1->entrust certificate.
what i do wrong? should all CA certs be in truststore?

what is the default truststore of tomcat? what is difference between
"truststore" and 
"keystore". is it correct to say all CA certs be in "truststore" and private
key and identity cert
be in "keystore"?

many thanx,

/U


Christopher Schultz-2 wrote:
> 
> 
> /U,
> 
> On 4/10/2010 12:01 AM, /U wrote:
>> i am installing certificate chain on tomcat 6.x (JRE 1.6). From my CA I
>> have
>> private key (PEM), 
>> identity cert (PEM)  (CA X trusts myhost)
>>and a cert chain file (PEM file) (entrust trusts CA X)
>> 
>> The cert chain is: (entrust) === trusts ==> (CA X) == trusts ==> myhost
>> 
>> I have converted the private key and identity cert into DER form
>> and have imported into /etc/keystore (tomcat's keystore).
> 
> Tomcat does not use /etc/keystore unless you tell it to do so. Can you
> show us your server.xml, specifically your SSL <Connector> element?
> 
> -chris
> 
> 
> 
> 






Re: Installing certificate chain on Tomat

2010-04-10 Thread Christopher Schultz

/U,

On 4/10/2010 10:07 AM, /U wrote:
> am i right in assuming that the identity certificate+private key is
> installed
> in  keystoreFile of the SSL connector (C:\keystore below) and the CA 
> certificate chain is installed in jre/lib/security/cacerts?
> 
>  protocol="HTTP/1.1" SSLEnabled="true"
>maxThreads="150" scheme="https" secure="true"
>clientAuth="false" sslProtocol="TLS"
>keystoreFile="C:\keystore" keystorePass="changeit"
>  />

Wait, last time you said /etc/keystore. Is this *NIX or Microsoft Windows?

If you have "C:\keystore" as your keystore, then the keystore file
should be in (you guessed it) C:\keystore

-chris




Re: Installing certificate chain on Tomat

2010-04-10 Thread Christopher Schultz

/U,

On 4/10/2010 12:01 AM, /U wrote:
> i am installing certificate chain on tomcat 6.x (JRE 1.6). From my CA I have
> private key (PEM), 
> identity cert (PEM)  (CA X trusts myhost)
>and a cert chain file (PEM file) (entrust trusts CA X)
> 
> The cert chain is: (entrust) === trusts ==> (CA X) == trusts ==> myhost
> 
> I have converted the private key and identity cert into DER form
> and have imported into /etc/keystore (tomcat's keystore).

Tomcat does not use /etc/keystore unless you tell it to do so. Can you
show us your server.xml, specifically your SSL <Connector> element?

-chris




Re: Installing certificate chain on Tomat

2010-04-10 Thread Crypto Sal

 On 04/10/2010 12:01 AM, /U wrote:

i am installing certificate chain on tomcat 6.x (JRE 1.6). From my CA I have
 private key (PEM),
 identity cert (PEM)  (CA X trusts myhost)
and a cert chain file (PEM file) (entrust trusts CA X)

The cert chain is: (entrust) === trusts ==>  (CA X) == trusts ==>  myhost


I have converted the private key and identity cert into DER form
and have imported into /etc/keystore (tomcat's keystore).
I have imported the certificate chain PEM file into
${JAVA_HOME}/jre/lib/security/cacerts.

when I login to tomcat i get warning that certificate
  myhost issued by CA X is not trusted.

It seems like browser does not get full cert chain (entrust =>  CA X =>
myhost).
what could I be doing wrong? pl help.

Regs,

/U


Hello,

You may want to take a look at Comodo's documentation for Tomcat.

https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1204

It shows how to easily install a trusted certificate for use with Tomcat 
(and most Java based Web Servers). I've used this documentation quite a 
few times and it has always been spot on.


You may want to view the contents of the keystore: keytool -v -list 
-keystore KEYSTORE_FILE; to see what is missing. Tomcat should have the 
Intermediate Cert(s) and the Entity/Domain Cert inside the keystore.


Hope this helps!






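The `verify error:num=21:unable to verify the first certificate` output earlier in the thread and the advice above to list the keystore both come down to one question: do the certificates the server holds link, issuer to subject, all the way up to a root? The script below is an added example, not code from the thread, from Tomcat or from keytool. It orders a bag of PEM certificates from the leaf upward by comparing each certificate's issuer Name with the other certificates' subject Names as raw DER bytes, and reports where the chain stops. The `fake_cert()` builder and the `myhost`/`CA1`/`Entrust`/`Entrust Global` names are constructed stand-ins so the script runs offline; the DER walker only relies on the TBSCertificate field order, so the same functions work on real certificates read from a PEM file.

```python
"""Order PEM certificates leaf-to-root by matching issuer Name to subject Name
as raw DER bytes, and report where the chain breaks. Added example, not code
from the thread, Tomcat or keytool; fake_cert() builds constructed, unsigned
certificate skeletons so the script runs offline."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode one DER tag-length header at pos -> (tag, value_start, value_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length


def issuer_and_subject(der):
    """Return (issuer, subject) as the complete DER Name TLVs of a certificate."""
    _, p, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    _, p, _ = _tlv(der, p)                # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                       # [0] EXPLICIT version, absent in v1 certs
        p = end
    _, _, p = _tlv(der, p)                # serialNumber
    _, _, p = _tlv(der, p)                # signature AlgorithmIdentifier
    _, _, end = _tlv(der, p)              # issuer Name
    issuer = der[p:end]
    _, _, p = _tlv(der, end)              # validity
    _, _, end = _tlv(der, p)              # subject Name
    return issuer, der[p:end]


def pem_to_ders(text):
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]


def build_chain(leaf, bag):
    """Walk upward from the leaf. complete is True only when the last cert is
    self-signed; a byte-exact Name comparison is the first test a path builder makes."""
    chain, used = [leaf], {leaf}
    while True:
        issuer, subject = issuer_and_subject(chain[-1])
        if issuer == subject:
            return chain, True
        parent = next((c for c in bag if c not in used
                       and issuer_and_subject(c)[1] == issuer), None)
        if parent is None:                # the situation openssl reports as
            return chain, False           # "unable to verify the first certificate"
        chain.append(parent)
        used.add(parent)


def _der(tag, body):
    """Minimal DER encoder for the constructed test material below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    """Name with a single RDN {CN=cn}; 2.5.4.3 is the commonName OID."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def _cn(name):
    """First attribute value of the first RDN; enough for the names built by _name()."""
    _, p, _ = _tlv(name, 0)               # SEQUENCE OF RDN
    _, p, _ = _tlv(name, p)               # SET
    _, p, _ = _tlv(name, p)               # AttributeTypeAndValue
    _, _, p = _tlv(name, p)               # skip the type OID
    _, s, e = _tlv(name, p)
    return name[s:e].decode()


def fake_cert(subject_cn, issuer_cn):
    """Constructed, unsigned skeleton carrying the TBSCertificate fields the walker visits."""
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                              # version v3
               + _der(0x02, b"\x01")                                              # serialNumber
               + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
               + _name(issuer_cn)
               + _der(0x30, _der(0x17, b"100410000000Z") + _der(0x17, b"110410000000Z"))
               + _name(subject_cn))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))               # empty signature
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(cert).decode()


# Constructed bag in the shape Chris sketched: myhost <- CA1 <- Entrust <- Entrust Global (self-signed)
BAG = {
    "myhost": fake_cert("myhost", "CA1"),
    "CA1": fake_cert("CA1", "Entrust"),
    "Entrust": fake_cert("Entrust", "Entrust Global"),
    "Entrust Global": fake_cert("Entrust Global", "Entrust Global"),
}


def chain_report(leaf_pem, bag_pem):
    """(subject CNs in send order, complete) for the certificates a server holds."""
    chain, complete = build_chain(pem_to_ders(leaf_pem)[0], pem_to_ders(bag_pem))
    return [_cn(issuer_and_subject(c)[1]) for c in chain], complete


if __name__ == "__main__":
    print(chain_report(BAG["myhost"], ""))                      # identity cert only
    print(chain_report(BAG["myhost"], BAG["CA1"]))              # CA1 present, Entrust missing
    print(chain_report(BAG["myhost"], "".join(BAG.values())))   # full bundle reaches the root
```

To run it against real material, pass the contents of the CA's chain file as `bag_pem` and the server certificate as `leaf_pem`. In keytool terms, the reason the server in this thread sends a single certificate is that JSSE sends the chain stored in the PrivateKeyEntry (the `tomcat` alias); a separate trustedCertEntry for CA1 in the same keystore is not used to complete it. Importing the CA certificates as trusted entries first and then importing the signed server certificate (or the full chain file) with `keytool -importcert -alias tomcat` lets keytool assemble the chain into that entry; `keytool -list -v` then reports `Certificate chain length: 3` and `openssl s_client -connect myhost:443 -showcerts` lists every certificate.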



Re: Installing certificate chain on Tomat

2010-04-10 Thread /U

Thank you for the suggestion. could you pl share your connection
configuration?
also, if no explicit truststore is set in the configuration,would the SSL
connector
not fall back to JRE truststore which is $JAVA_HOME/jre/lib/security/cacerts
?

Also, did you install the private key and the identity cert in keystoreFile
and the CA cert chain in truststorefile?

many thanks!

/U

dockeryjavaman wrote:
> 
> i had to install my ca root certs in a keystore specificed/referenced by
> the "truststorefile" parameter
>   NOT the keystorefile parm
> 
> 
> 
> 
> From: /U 
> To: users@tomcat.apache.org
> Sent: Sat, April 10, 2010 10:07:47 AM
> Subject: Re: Installing certificate chain on Tomat
> 
> 
> hello Pid,
> 
> am i right in assuming that the identity certificate+private key is
> installed
> in  keystoreFile of the SSL connector (C:\keystore below) and the CA 
> certificate chain is installed in jre/lib/security/cacerts?
> 
>  protocol="HTTP/1.1" SSLEnabled="true"
>maxThreads="150" scheme="https" secure="true"
>clientAuth="false" sslProtocol="TLS"
>keystoreFile="C:\keystore" keystorePass="changeit"
>  />
> 
> 
> any assistance appreciated,
> 
> /U
> 
> 
> -Original Message-
>> From: "/U" [uma...@comcast.net]
>> Date: 04/10/2010 12:02 AM
>> To: users@tomcat.apache.org
>> Subject: Re: Installing certificate chain on Tomat
>>
>> Note: Original message sent as attachment
>>
>>
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
>   
> 






Re: Installing certificate chain on Tomat

2010-04-10 Thread Michael Dockery
i had to install my ca root certs in a keystore specified/referenced by the 
"truststorefile" parameter
  NOT the keystorefile parm




From: /U 
To: users@tomcat.apache.org
Sent: Sat, April 10, 2010 10:07:47 AM
Subject: Re: Installing certificate chain on Tomat


hello Pid,

am i right in assuming that the identity certificate+private key is
installed
in  keystoreFile of the SSL connector (C:\keystore below) and the CA 
certificate chain is installed in jre/lib/security/cacerts?

 


any assistance appreciated,

/U


-Original Message-
> From: "/U" [uma...@comcast.net]
> Date: 04/10/2010 12:02 AM
> To: users@tomcat.apache.org
> Subject: Re: Installing certificate chain on Tomat
>
> Note: Original message sent as attachment
>
>










  

Re: Installing certificate chain on Tomat

2010-04-10 Thread /U

hello Pid,

am i right in assuming that the identity certificate+private key is
installed
in  keystoreFile of the SSL connector (C:\keystore below) and the CA 
certificate chain is installed in jre/lib/security/cacerts?

 


any assistance appreciated,

/U


-Original Message-
> From: "/U" [uma...@comcast.net]
> Date: 04/10/2010 12:02 AM
> To: users@tomcat.apache.org
> Subject: Re: Installing certificate chain on Tomat
>
> Note: Original message sent as attachment
>
>











Re: Installing certificate chain on Tomat

2010-04-10 Thread Pid *
On 10 April 2010 08:58, nowled.excite  wrote:

> Maybe you are getting the certificate myhost issued by CA X is not trusted,
> because you are a fucking virus


No need for that.

p

-Original Message-
> From: "/U" [uma...@comcast.net]
> Date: 04/10/2010 12:02 AM
> To: users@tomcat.apache.org
> Subject: Re: Installing certificate chain on Tomat
>
> Note: Original message sent as attachment
>
>



-- 

--
pidster.com


Re: Installing certificate chain on Tomat

2010-04-10 Thread nowled.excite


Maybe you are getting the certificate myhost issued by CA X is not trusted, 
because you are a fucking virus


-Original Message-
From: "/U" [uma...@comcast.net]
Date: 04/10/2010 12:02 AM
To: users@tomcat.apache.org
Subject: Re: Installing certificate chain on Tomat

Note: Original message sent as attachment

--- Begin Message ---

i am installing certificate chain on tomcat 6.x (JRE 1.6). From my CA I have
private key (PEM), 
identity cert (PEM)  (CA X trusts myhost)
   and a cert chain file (PEM file) (entrust trusts CA X)

The cert chain is: (entrust) === trusts ==> (CA X) == trusts ==> myhost


I have converted the private key and identity cert into DER form
and have imported into /etc/keystore (tomcat's keystore).
I have imported the certificate chain PEM file into
${JAVA_HOME}/jre/lib/security/cacerts.

when I login to tomcat i get warning that certificate 
 myhost issued by CA X is not trusted.

It seems like browser does not get full cert chain (entrust => CA X =>
myhost).
what could I be doing wrong? pl help.

Regs,

/U



--- End Message ---


Installing certificate chain on Tomat

2010-04-09 Thread /U

i am installing certificate chain on tomcat 6.x (JRE 1.6). From my CA I have
private key (PEM), 
identity cert (PEM)  (CA X trusts myhost)
   and a cert chain file (PEM file) (entrust trusts CA X)

The cert chain is: (entrust) === trusts ==> (CA X) == trusts ==> myhost


I have converted the private key and identity cert into DER form
and have imported into /etc/keystore (tomcat's keystore).
I have imported the certificate chain PEM file into
${JAVA_HOME}/jre/lib/security/cacerts.

when I login to tomcat i get warning that certificate 
 myhost issued by CA X is not trusted.

It seems like browser does not get full cert chain (entrust => CA X =>
myhost).
what could I be doing wrong? pl help.

Regs,

/U

