Re: Trouble setting up ssl
Your Certificate Authority (the certificate used to sign your other certificates, in this case provided by your Windows CA Server) is not trusted by your clients. Are your clients internal or external to your company?

If your clients are internal, you can add the certificate to the trusted roots on each client machine truststore or each user's truststore that Windows keeps in the registry. (I would assume that your Windows 2008 CA Server may have a way to push the certificate into your domain computers, but I have never used the product, so I don't know.)

If your clients are external, then you cannot expect them to trust your certificate authority. You need to obtain a certificate from Verisign, Thawte or any other company providing certificates.

On Sat, Feb 26, 2011 at 12:42 AM, Joseph L. Casale jcas...@activenetwerx.com wrote:
> I have setup a keystore as follows:
>
>   keytool -genkey -alias tomcat -keyalg RSA \
>     -dname "CN=server FQDN,OU=Company Name,O=Company Name,L=city,ST=province,C=CA" \
>     -keystore /path/keystore -keypass phrase -storepass phrase
>
> I then generated a CSR:
>
>   keytool -certreq -keyalg RSA -alias tomcat -file /path/certreq.csr -keystore /path/keystore
>
> I signed the certificate on our Windows Server 2008 R2 CA Server:
>
>   certreq.exe -attrib CertificateTemplate:WebServer c:\data\certreq.csr c:\data\certreq.cer
>
> I added the signed cert:
>
>   keytool -import -alias tomcat2 -keystore /path/keystore -trustcacerts -file /path/certreq.cer
>
> Lastly I added the Base 64 encoded X.509 root CA from our Active Directory CA:
>
>   keytool -keystore /path/keystore -keyalg RSA -import -trustcacerts -alias cacert -file /path/root-ca.crt
>
> This all completed w/o error, so I created the connector in the server.xml, yet when domain clients connect to the SSL site, they are prompted with warnings suggesting the root cert is not trusted? Any pointers where I erred?
>
> Thanks!
> jlc

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Trouble setting up ssl
On 26.2.2011 6:42, Joseph L. Casale wrote:
> I have setup a keystore as follows:
>
>   keytool -genkey -alias tomcat -keyalg RSA \
>     -dname "CN=server FQDN,OU=Company Name,O=Company Name,L=city,ST=province,C=CA" \
>     -keystore /path/keystore -keypass phrase -storepass phrase
> ...
> I added the signed cert:
>
>   keytool -import -alias tomcat2 -keystore /path/keystore -trustcacerts -file /path/certreq.cer

You must import the signed certificate request under the same alias you used to generate the request. So, instead of -alias tomcat2 use -alias tomcat.

-Ognjen
RE: Trouble setting up ssl
> You must import the signed certificate request under the same alias you used to generate the request. So, instead of -alias tomcat2 use -alias tomcat.

Ognjen,

When I ran it that way, it gave an error (blew those notes away) and a search led me to see someone suggesting you couldn't reuse that alias, so I tried with a different alias and the command completed. I now reran the import with the proper alias and it worked, and of course the cert is now trusted by all domain members, odd...

At any rate, thanks a lot for the help guys!

jlc
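As an added example (not code from the thread or from the Tomcat project), a Python check for the situation Ognjen diagnosed and jlc confirmed above: it parses the text of `keytool -list -v` and flags a key entry whose only certificate is still self-signed sitting next to a trusted-cert entry carrying the same subject, which is what the keystore looks like when the CA reply is imported under a different alias. The listing below is a constructed sample with assumed subject names, trimmed to the fields the parser reads.

```python
import re

# Constructed sample of `keytool -list -v` output (not from the poster's system),
# trimmed to the fields read below: the keystore after the CA-signed reply was
# imported under "tomcat2" instead of the key pair's own alias "tomcat".
SAMPLE_LISTING = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=server.example.com, OU=Company Name, O=Company Name, C=CA
Issuer: CN=server.example.com, OU=Company Name, O=Company Name, C=CA

Alias name: tomcat2
Entry type: trustedCertEntry
Owner: CN=server.example.com, OU=Company Name, O=Company Name, C=CA
Issuer: CN=Corp Root CA, DC=example, DC=com
"""

# keytool field label -> key in the per-alias dict
FIELDS = {"Entry type": "type", "Certificate chain length": "chain",
          "Owner": "owner", "Issuer": "issuer"}

def parse_listing(text):
    """One dict per alias; only the first cert's Owner/Issuer is kept."""
    entries = []
    for block in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        lines = block.splitlines()
        e = {"alias": lines[0].strip(), "type": None, "chain": 0,
             "owner": None, "issuer": None}
        for line in lines[1:]:
            key, _, val = line.partition(":")
            name = FIELDS.get(key.strip())
            if name and e[name] in (None, 0):        # keep first occurrence only
                e[name] = int(val) if name == "chain" else val.strip()
        entries.append(e)
    return entries

def diagnose(text):
    """Flag a PrivateKeyEntry whose only cert is self-signed, plus any trusted
    entry with that same subject: the CA reply landed under the wrong alias, so
    Tomcat still serves the self-signed cert and clients warn about its issuer."""
    findings, entries = [], parse_listing(text)
    for k in (e for e in entries if e["type"] == "PrivateKeyEntry"):
        if k["chain"] != 1 or k["owner"] != k["issuer"]:
            continue
        findings.append(f"{k['alias']}: key entry still holds a self-signed cert")
        for t in entries:
            if t["type"] == "trustedCertEntry" and t["owner"] == k["owner"]:
                findings.append(f"{t['alias']}: CA-signed cert for that subject "
                                f"imported as trusted; re-import with -alias {k['alias']}")
    return findings
```

Run `keytool -list -v -keystore /path/keystore` and hand the output to diagnose(); a key entry with chain length 1 and Owner equal to Issuer is exactly the certificate Tomcat was presenting to the domain clients.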
Trouble setting up ssl
I have setup a keystore as follows:

  keytool -genkey -alias tomcat -keyalg RSA \
    -dname "CN=server FQDN,OU=Company Name,O=Company Name,L=city,ST=province,C=CA" \
    -keystore /path/keystore -keypass phrase -storepass phrase

I then generated a CSR:

  keytool -certreq -keyalg RSA -alias tomcat -file /path/certreq.csr -keystore /path/keystore

I signed the certificate on our Windows Server 2008 R2 CA Server:

  certreq.exe -attrib CertificateTemplate:WebServer c:\data\certreq.csr c:\data\certreq.cer

I added the signed cert:

  keytool -import -alias tomcat2 -keystore /path/keystore -trustcacerts -file /path/certreq.cer

Lastly I added the Base 64 encoded X.509 root CA from our Active Directory CA:

  keytool -keystore /path/keystore -keyalg RSA -import -trustcacerts -alias cacert -file /path/root-ca.crt

This all completed w/o error, so I created the connector in the server.xml, yet when domain clients connect to the SSL site, they are prompted with warnings suggesting the root cert is not trusted? Any pointers where I erred?

Thanks!
jlc