Re: Installing certificate chain on Tomat
Michael,

On 4/12/2010 4:55 PM, Michael Dockery wrote:
> because tomcat has the root for the client cert loaded into its truststore,
> and the matching client cert "subject" name (ie: user) loaded in its auth
> realm
> the client is therefore authenticated

Right: Tomcat can authenticate the client certificate because it has the
required trust roots. The OP was asking about the opposite: the client is
complaining that the server's cert is untrusted (or, rather, that the cert
chain doesn't lead to a known, trusted root).

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Installing certificate chain on Tomat
in my case, i am testing with clients authenticating to tomcat with dod cac
cards (smartcards).

i downloaded the dod root p7b cert files.
i checked/verified the root cert for the client cac card certs matched the
dod root certs (in the p7b files).
i extracted ONLY the root certs from each p7b file into x.509 base64-encoded
.cer files.
then i imported ONLY those dod x509 root certs into tomcat's truststorefile.

now when a client browses to tomcat, it tries to authenticate with the
client-cert (from the cac card).
because tomcat has the root for the client cert loaded into its truststore,
and the matching client cert "subject" name (ie: user) loaded in its auth
realm, the client is therefore authenticated.

i have more to do but that much is working.

From: Christopher Schultz
To: Tomcat Users List
Sent: Mon, April 12, 2010 9:32:32 AM
Subject: Re: Installing certificate chain on Tomat

/U,

On 4/10/2010 3:31 PM, /U wrote:
>   <Connector maxThreads="150" scheme="https" secure="true"
>              clientAuth="false" sslProtocol="TLS"
>              keystoreFile="/users/me/.keystore" keystorePass="changeit"
>   />

Are you using APR (aka Tomcat native)?

> I have received the following keys/certs from CA:
> - file1: private key for myhost
> - file2: identity certificate for "myhost" signed by "CA1"
> - file3: certificate for "CA1" signed by "entrust"
>
> I installed private key (file1) and "myhost" cert (file2) into
> /users/me/.keystore using the ImportKey utility.
> I installed the CA1's certificate into "/users/me/.keystore" using keytool.
> My keytool looks like this:
> $ keytool -list -keystore /users/me/.keystore
> <...password...>

Heh... you mean it's not "changeit"? :)

> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 2 entries

Shouldn't that be 3 entries?

> CA1, Apr 10, 2010, trustedCertEntry,
> Certificate fingerprint (MD5):
> 2F:B3:00:F2:FA:12:7B:BD:82:95:70:05:99:12:17:DB:BE
> tomcat, Apr 10, 2010, PrivateKeyEntry,
> Certificate fingerprint (MD5):
> CD:D9:06:11:30:CD:C2:60:33:33:68:A2:30:5C:01:50

What about the "entrust" one?

> I did not install any certificates into truststore
> (jre/lib/security/cacerts).
>
> When I connect browser to https://myhost, i get a cert error that
> "myhost" is signed by "CA1" and cannot be trusted.
> Browser shows only one cert (for "myhost") and not the full
> cert chain ("myhost" -> "CA1" and "CA1" -> entrust).
> Why is the full cert chain not sent to browser?

Because you haven't provided the whole certificate chain to Tomcat. Tomcat
can only send what it already has.

> Since "entrust" CA cert is in browser CA list, if tomcat sends full cert
> chain to browser, it would be trusted.

Maybe, maybe not. It's possible that the real cert chain goes like this:

myhost -> CA1 -> Entrust -> Entrust Global

If your browser only knows about the "Entrust Global" cert, then your chain
is broken.

Did you follow the instructions on Entrust's web site?

http://www.entrust.net/knowledge-base/technote.cfm?tn=7559 (for chain certs)
http://www.entrust.net/knowledge-base/technote.cfm?tn=7583 (for bare certs,
I guess)

Perhaps they are the ones to ask about this. You might want to ask why they
don't "support" a version of Tomcat after 4.1.

-chris
Re: Installing certificate chain on Tomat
/U,

On 4/10/2010 4:13 PM, /U wrote:
> i am confused about one thing: while keystore is explicitly specified
> in connector config, what about the truststore?

It can also be configured in the <Connector>. Have you not read any of the
documentation?

> i assume truststore stores the trusted CA certs (as opposed to
> private keys/identity cert). Is this correct?

http://lmgtfy.com/?q=java+keystore+versus+truststore

> Why does the connector config not refer to truststore config?

Because most people don't need it. It's getting more common to see chained
certificates, but I'm not entirely sure that the truststore is required.
Patches to the documentation are always welcome.

> Or does that by default become ${JAVA_HOME}/jre/lib/security/cacerts?

Please read the HTTP Connector documentation: it really does tell you what
all the defaults are.

> What is the relation/differences (as far as tomcat is concerned) between
> keystore, truststore and {JAVA_HOME}/jre/lib/security/cacerts?

http://lmg... oh, I can't even bring myself to finish that.

-chris
Re: Installing certificate chain on Tomat
/U,

On 4/10/2010 3:31 PM, /U wrote:
>   <Connector maxThreads="150" scheme="https" secure="true"
>              clientAuth="false" sslProtocol="TLS"
>              keystoreFile="/users/me/.keystore" keystorePass="changeit"
>   />

Are you using APR (aka Tomcat native)?

> I have received the following keys/certs from CA:
> - file1: private key for myhost
> - file2: identity certificate for "myhost" signed by "CA1"
> - file3: certificate for "CA1" signed by "entrust"
>
> I installed private key (file1) and "myhost" cert (file2) into
> /users/me/.keystore using the ImportKey utility.
> I installed the CA1's certificate into "/users/me/.keystore" using keytool.
> My keytool looks like this:
> $ keytool -list -keystore /users/me/.keystore
> <...password...>

Heh... you mean it's not "changeit"? :)

> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 2 entries

Shouldn't that be 3 entries?

> CA1, Apr 10, 2010, trustedCertEntry,
> Certificate fingerprint (MD5):
> 2F:B3:00:F2:FA:12:7B:BD:82:95:70:05:99:12:17:DB:BE
> tomcat, Apr 10, 2010, PrivateKeyEntry,
> Certificate fingerprint (MD5):
> CD:D9:06:11:30:CD:C2:60:33:33:68:A2:30:5C:01:50

What about the "entrust" one?

> I did not install any certificates into truststore
> (jre/lib/security/cacerts).
>
> When I connect browser to https://myhost, i get a cert error that
> "myhost" is signed by "CA1" and cannot be trusted.
> Browser shows only one cert (for "myhost") and not the full
> cert chain ("myhost" -> "CA1" and "CA1" -> entrust).
> Why is the full cert chain not sent to browser?

Because you haven't provided the whole certificate chain to Tomcat. Tomcat
can only send what it already has.

> Since "entrust" CA cert is in browser CA list, if tomcat sends full cert
> chain to browser, it would be trusted.

Maybe, maybe not. It's possible that the real cert chain goes like this:

myhost -> CA1 -> Entrust -> Entrust Global

If your browser only knows about the "Entrust Global" cert, then your chain
is broken.

Did you follow the instructions on Entrust's web site?

http://www.entrust.net/knowledge-base/technote.cfm?tn=7559 (for chain certs)
http://www.entrust.net/knowledge-base/technote.cfm?tn=7583 (for bare certs,
I guess)

Perhaps they are the ones to ask about this. You might want to ask why they
don't "support" a version of Tomcat after 4.1.

-chris
Re: Installing certificate chain on Tomat
I tried this on different systems (*nix and XP) and hence the differences in
my excerpts. but in each case, the connector config correctly refers to
keystore. i am sorry i quoted different configs - will stick to *nix from
now on.

i am confused about one thing: while keystore is explicitly specified in
connector config, what about the truststore?

i assume truststore stores the trusted CA certs (as opposed to private
keys/identity cert). Is this correct?

Why does the connector config not refer to truststore config? Or does that
by default become ${JAVA_HOME}/jre/lib/security/cacerts?

What is the relation/differences (as far as tomcat is concerned) between
keystore, truststore and {JAVA_HOME}/jre/lib/security/cacerts?

with sincere thanx!
/U

Christopher Schultz-2 wrote:
>
> /U,
>
> On 4/10/2010 12:01 AM, /U wrote:
>> i am installing certificate chain on tomcat 6.x (JRE 1.6). From my CA I
>> have
>> private key (PEM),
>> identity cert (PEM) (CA X trusts myhost)
>> and a cert chain file (PEM file) (entrust trusts CA X)
>>
>> The cert chain is: (entrust) === trusts ==> (CA X) == trusts ==> myhost
>>
>> I have converted the private key and identity cert into DER form
>> and have imported into /etc/keystore (tomcat's keystore).
>
> Tomcat does not use /etc/keystore unless you tell it to do so. Can you
> show us your server.xml, specifically your SSL element?
>
> -chris
Re: Installing certificate chain on Tomat
Thank you Chris for your suggestion. Here is my connector:

  <Connector maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="/users/me/.keystore" keystorePass="changeit"
  />

I have received the following keys/certs from CA:
- file1: private key for myhost
- file2: identity certificate for "myhost" signed by "CA1"
- file3: certificate for "CA1" signed by "entrust"

I installed private key (file1) and "myhost" cert (file2) into
/users/me/.keystore using the ImportKey utility.
I installed the CA1's certificate into "/users/me/.keystore" using keytool.
My keytool looks like this:

$ keytool -list -keystore /users/me/.keystore
<...password...>
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

CA1, Apr 10, 2010, trustedCertEntry,
Certificate fingerprint (MD5):
2F:B3:00:F2:FA:12:7B:BD:82:95:70:05:99:12:17:DB:BE
tomcat, Apr 10, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5):
CD:D9:06:11:30:CD:C2:60:33:33:68:A2:30:5C:01:50
$

I did not install any certificates into truststore
(jre/lib/security/cacerts).

When I connect browser to https://myhost, i get a cert error that
"myhost" is signed by "CA1" and cannot be trusted.
Browser shows only one cert (for "myhost") and not the full
cert chain ("myhost" -> "CA1" and "CA1" -> entrust).
Why is the full cert chain not sent to browser?
Since "entrust" CA cert is in browser CA list, if tomcat sends full cert
chain to browser, it would be trusted.

Also, when I use openssl client, I see that full cert chain is not sent:

C:\> openssl s_client -connect myhost:443
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=YY/L=XX/O=myhost Inc./OU=IT/CN=myhost
   i:/C=US/O=CA1, Inc./OU=www.CA1.net is incorporated by reference/OU=..., Inc./CN=CA1Certification Authority

Why does this chain not have CA1->entrust certificate? what do i do wrong?
should all CA certs be in truststore? what is the default truststore of
tomcat? what is the difference between "truststore" and "keystore"? is it
correct to say all CA certs be in "truststore" and private key and identity
cert be in "keystore"?

many thanx,
/U

Christopher Schultz-2 wrote:
>
> /U,
>
> On 4/10/2010 12:01 AM, /U wrote:
>> i am installing certificate chain on tomcat 6.x (JRE 1.6). From my CA I
>> have
>> private key (PEM),
>> identity cert (PEM) (CA X trusts myhost)
>> and a cert chain file (PEM file) (entrust trusts CA X)
>>
>> The cert chain is: (entrust) === trusts ==> (CA X) == trusts ==> myhost
>>
>> I have converted the private key and identity cert into DER form
>> and have imported into /etc/keystore (tomcat's keystore).
>
> Tomcat does not use /etc/keystore unless you tell it to do so. Can you
> show us your server.xml, specifically your SSL element?
>
> -chris
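The openssl output above is the textbook symptom of an incomplete chain: the server presents only the leaf, so the client cannot walk from "myhost" to a root it already trusts. Before importing a CA's PEM bundle into the keystore it is worth checking that the bundle is continuous (each cert's issuer DN equals the next cert's subject DN) and knowing exactly which issuer the browser must already have. The stdlib-only checker below is an added example, not code from this thread or from Tomcat; it parses real DER certificates, and the skeleton_cert helper only fabricates constructed parser input (not usable certificates) so the example runs offline.

```python
import base64
import re
import textwrap
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)

def pem_to_der(bundle):
    """Split a PEM bundle (the CA's 'chain file') into DER certificate blobs."""
    return [base64.b64decode(m.group(1)) for m in PEM_RE.finditer(bundle)]

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, whole TLV bytes) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, ve = _tlv(buf, pos)
        yield tag, buf[pos:ve]
        pos = ve

def _cn(name_der):
    """Pull commonName out of a DER Name (SEQUENCE OF SET OF SEQUENCE{OID, value})."""
    _, s, e = _tlv(name_der, 0)
    for _, rdn in _children(name_der, s, e):
        _, rs, re_ = _tlv(rdn, 0)
        for _, attr in _children(rdn, rs, re_):
            _, as_, ae = _tlv(attr, 0)
            oid, val = [raw for _, raw in _children(attr, as_, ae)]
            if oid[2:] == CN_OID:
                _, vs, ve = _tlv(val, 0)
                return val[vs:ve].decode()
    return "<no CN>"

def subject_issuer(der):
    """(subject, issuer) as raw DER Names; tbs fields run serial, sigAlg, issuer, validity, subject."""
    _, cs, _ = _tlv(der, 0)                 # Certificate
    _, ts, te = _tlv(der, cs)               # tbsCertificate
    fields = [raw for _, raw in _children(der, ts, te)]
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields.pop(0)
    return fields[4], fields[2]

def check_chain(ders):
    """Check a leaf-first bundle (the order TLS sends and keytool expects).
    Returns (problems, needed_root): breaks between adjacent certs, and the
    issuer the client must already trust (None if the bundle ends in a root)."""
    names = [subject_issuer(d) for d in ders]
    problems = []
    for i in range(len(names) - 1):
        if names[i][1] != names[i + 1][0]:
            problems.append("cert %d (%s) is issued by %s, but cert %d is %s" % (
                i, _cn(names[i][0]), _cn(names[i][1]), i + 1, _cn(names[i + 1][0])))
    subj, iss = names[-1]
    return problems, (None if subj == iss else _cn(iss))

def _enc(tag, body):
    """Short-form DER encoder for the constructed demo certs below (< 128 bytes)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def _name(cn):
    return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, CN_OID) + _enc(0x0C, cn.encode()))))

def skeleton_cert(subject_cn, issuer_cn):
    """X.509 field layout with empty validity, key and signature: NOT a real cert."""
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")
           + _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
           + _name(issuer_cn) + _enc(0x30, b"") + _name(subject_cn) + _enc(0x30, b""))
    return _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))

def to_pem(der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body
```

Against a real bundle the call is check_chain(pem_to_der(open("chain.pem").read())); an empty problem list plus a needed_root that the browser's CA list actually contains is the condition the OP's keystore never met, and the thread's "myhost -> CA1 -> Entrust -> Entrust Global" warning is exactly the case where needed_root turns out not to be the name you expected.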
Re: Installing certificate chain on Tomat
/U,

On 4/10/2010 10:07 AM, /U wrote:
> am i right in assuming that the identity certificate+private key is
> installed in keystoreFile of the SSL connector (C:\keystore below) and
> the CA certificate chain is installed in jre/lib/security/cacerts?
>
>   <Connector protocol="HTTP/1.1" SSLEnabled="true"
>              maxThreads="150" scheme="https" secure="true"
>              clientAuth="false" sslProtocol="TLS"
>              keystoreFile="C:\keystore" keystorePass="changeit"
>   />

Wait, last time you said /etc/keystore. Is this *NIX or Microsoft Windows?

If you have "C:\keystore" as your keystore, then the keystore file should
be in (you guessed it) C:\keystore

-chris
Re: Installing certificate chain on Tomat
/U,

On 4/10/2010 12:01 AM, /U wrote:
> i am installing certificate chain on tomcat 6.x (JRE 1.6). From my CA I
> have
> private key (PEM),
> identity cert (PEM) (CA X trusts myhost)
> and a cert chain file (PEM file) (entrust trusts CA X)
>
> The cert chain is: (entrust) === trusts ==> (CA X) == trusts ==> myhost
>
> I have converted the private key and identity cert into DER form
> and have imported into /etc/keystore (tomcat's keystore).

Tomcat does not use /etc/keystore unless you tell it to do so. Can you
show us your server.xml, specifically your SSL element?

-chris
Re: Installing certificate chain on Tomat
On 04/10/2010 12:01 AM, /U wrote:
> i am installing certificate chain on tomcat 6.x (JRE 1.6). From my CA I
> have
> private key (PEM),
> identity cert (PEM) (CA X trusts myhost)
> and a cert chain file (PEM file) (entrust trusts CA X)
>
> The cert chain is: (entrust) === trusts ==> (CA X) == trusts ==> myhost
>
> I have converted the private key and identity cert into DER form
> and have imported into /etc/keystore (tomcat's keystore).
> I have imported the certificate chain PEM file into
> ${JAVA_HOME}/jre/lib/security/cacerts.
>
> when I login to tomcat i get warning that certificate myhost issued by
> CA X is not trusted. It seems like browser does not get full cert chain
> (entrust => CA X => myhost).
>
> what could I be doing wrong? pl help.
>
> Regs,
> /U

Hello,

You may want to take a look at Comodo's documentation for Tomcat.

https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1204

It shows how to easily install a trusted certificate for use with Tomcat
(and most Java based Web Servers). I've used this documentation quite a few
times and it has always been spot on.

You may want to view the contents of the keystore:

keytool -v -list -keystore KEYSTORE_FILE

to see what is missing. Tomcat should have the Intermediate Cert(s) and the
Entity/Domain Cert inside the keystore.

Hope this helps!
Re: Installing certificate chain on Tomat
Thank you for the suggestion. could you pl share your connection
configuration?

also, if no explicit truststore is set in the configuration, would the SSL
connector not fall back to JRE truststore which is
$JAVA_HOME/jre/lib/security/cacerts?

Also, did you install the private key and the identity cert in keystoreFile
and the CA cert chain in truststorefile?

many thanks!
/U

dockeryjavaman wrote:
>
> i had to install my ca root certs in a keystore specified/referenced by
> the "truststorefile" parameter
> NOT the keystorefile parm
>
> From: /U
> To: users@tomcat.apache.org
> Sent: Sat, April 10, 2010 10:07:47 AM
> Subject: Re: Installing certificate chain on Tomat
>
> hello Pid,
>
> am i right in assuming that the identity certificate+private key is
> installed in keystoreFile of the SSL connector (C:\keystore below) and
> the CA certificate chain is installed in jre/lib/security/cacerts?
>
>   <Connector protocol="HTTP/1.1" SSLEnabled="true"
>              maxThreads="150" scheme="https" secure="true"
>              clientAuth="false" sslProtocol="TLS"
>              keystoreFile="C:\keystore" keystorePass="changeit"
>   />
>
> any assistance appreciated,
>
> /U
>
> -----Original Message-----
>> From: "/U" [uma...@comcast.net]
>> Date: 04/10/2010 12:02 AM
>> To: users@tomcat.apache.org
>> Subject: Re: Installing certificate chain on Tomat
>>
>> Note: Original message sent as attachment
>
> --
> pidster.com
Re: Installing certificate chain on Tomat
i had to install my ca root certs in a keystore specified/referenced by the
"truststorefile" parameter
NOT the keystorefile parm

From: /U
To: users@tomcat.apache.org
Sent: Sat, April 10, 2010 10:07:47 AM
Subject: Re: Installing certificate chain on Tomat

hello Pid,

am i right in assuming that the identity certificate+private key is
installed in keystoreFile of the SSL connector (C:\keystore below) and the
CA certificate chain is installed in jre/lib/security/cacerts?

  <Connector protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="C:\keystore" keystorePass="changeit"
  />

any assistance appreciated,

/U

-----Original Message-----
> From: "/U" [uma...@comcast.net]
> Date: 04/10/2010 12:02 AM
> To: users@tomcat.apache.org
> Subject: Re: Installing certificate chain on Tomat
>
> Note: Original message sent as attachment

--
pidster.com
Re: Installing certificate chain on Tomat
hello Pid,

am i right in assuming that the identity certificate+private key is
installed in keystoreFile of the SSL connector (C:\keystore below) and the
CA certificate chain is installed in jre/lib/security/cacerts?

  <Connector protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="C:\keystore" keystorePass="changeit"
  />

any assistance appreciated,

/U

-----Original Message-----
> From: "/U" [uma...@comcast.net]
> Date: 04/10/2010 12:02 AM
> To: users@tomcat.apache.org
> Subject: Re: Installing certificate chain on Tomat
>
> Note: Original message sent as attachment

--
pidster.com
Re: Installing certificate chain on Tomat
On 10 April 2010 08:58, nowled.excite wrote:
> Maybe you are getting the certificate myhost issued by CA X is not trusted,
> because you a fucking virus

No need for that.

p

-----Original Message-----
> From: "/U" [uma...@comcast.net]
> Date: 04/10/2010 12:02 AM
> To: users@tomcat.apache.org
> Subject: Re: Installing certificate chain on Tomat
>
> Note: Original message sent as attachment

--
pidster.com
Re: Installing certificate chain on Tomat
Maybe you are getting the certificate myhost issued by CA X is not trusted,
because you a fucking virus

-----Original Message-----
From: "/U" [uma...@comcast.net]
Date: 04/10/2010 12:02 AM
To: users@tomcat.apache.org
Subject: Re: Installing certificate chain on Tomat

Note: Original message sent as attachment

--- Begin Message ---
i am installing certificate chain on tomcat 6.x (JRE 1.6). From my CA I have
private key (PEM),
identity cert (PEM) (CA X trusts myhost)
and a cert chain file (PEM file) (entrust trusts CA X)

The cert chain is: (entrust) === trusts ==> (CA X) == trusts ==> myhost

I have converted the private key and identity cert into DER form
and have imported into /etc/keystore (tomcat's keystore).
I have imported the certificate chain PEM file into
${JAVA_HOME}/jre/lib/security/cacerts.

when I login to tomcat i get warning that certificate myhost issued by CA X
is not trusted. It seems like browser does not get full cert chain
(entrust => CA X => myhost).

what could I be doing wrong? pl help.

Regs,
/U
--- End Message ---
Installing certificate chain on Tomat
i am installing certificate chain on tomcat 6.x (JRE 1.6). From my CA I have
private key (PEM),
identity cert (PEM) (CA X trusts myhost)
and a cert chain file (PEM file) (entrust trusts CA X)

The cert chain is: (entrust) === trusts ==> (CA X) == trusts ==> myhost

I have converted the private key and identity cert into DER form
and have imported into /etc/keystore (tomcat's keystore).
I have imported the certificate chain PEM file into
${JAVA_HOME}/jre/lib/security/cacerts.

when I login to tomcat i get warning that certificate myhost issued by CA X
is not trusted. It seems like browser does not get full cert chain
(entrust => CA X => myhost).

what could I be doing wrong? pl help.

Regs,
/U