I've paid homage to the manuals, I've got about 24 hours searching on the web, the last 6 in the tomcat user archives here. If I've missed something already documented I truly apologize.
http://www.verisign.com/support/csr/tomcat/v00.html

I've written the following script to automate the process and eliminate human error and my feeble brain cells from the equation.

Essentially I've worked the problem into one of two states.

State one - I can import a certificate but when hitting the web server I still get the home grown certificate and not the (desired) trial certificate.

State two - I can't import the certificate if I follow various posted instructions, as indicated in my research and the manuals.

Many hours with Verisign Tech support proved totally useless to date.

Here is the script that I'm using to troubleshoot this process: below is the current error that comes up. (I'm in state two at the moment)

Intermediate certificate contents obtained from:
http://www.verisign.com/support/install/intermediate.html

Script start:=========================================
# TIMESTAMP is not set in the script as posted; this default is an assumption.
TIMESTAMP=${TIMESTAMP:-$(date +%Y%m%d%H%M%S)}

NEW_KEYSTORE=.keystore.new.$TIMESTAMP
PRIVATE_KEYSTORE=.keystore.private.$TIMESTAMP
OFFLINE_KEYSTORE=.keystore.offline.$TIMESTAMP
CERTIFICATE_REQUEST=certificate.request.$TIMESTAMP.txt
CERTIFICATE_REPLY=certificate.reply.$TIMESTAMP.txt
KEYSTORE_PASSWORD=noneofyourbusiness
OU=TestCert_$TIMESTAMP
DNAME="CN=some.org, OU=$OU, O=Institute of Something or Other, L=SomeCity, S=SomeState, C=US"
ALIAS=tomcat
INTERMEDIATE_CERTIFICATE=verisign.intermediate.certificate.txt
echo $DNAME

# Generate the key pair (with a self-signed certificate) and keep a copy.
keytool -genkey -v -alias $ALIAS -keyalg RSA -keystore $NEW_KEYSTORE -dname "$DNAME" -storepass $KEYSTORE_PASSWORD
keytool -list -v -keystore $NEW_KEYSTORE -storepass $KEYSTORE_PASSWORD
cp $NEW_KEYSTORE $PRIVATE_KEYSTORE
keytool -list -v -keystore $PRIVATE_KEYSTORE -storepass $KEYSTORE_PASSWORD

# Create the CSR, then pause so the CA's reply can be pasted into a file.
keytool -certreq -v -alias $ALIAS -keystore $NEW_KEYSTORE -file $CERTIFICATE_REQUEST -storepass $KEYSTORE_PASSWORD
cat $CERTIFICATE_REQUEST
read choice
wait
vi $CERTIFICATE_REPLY

# Import the intermediate certificate, then the reply under the key's alias.
keytool -import -v -trustcacerts -file $INTERMEDIATE_CERTIFICATE -alias root -keystore $NEW_KEYSTORE -storepass $KEYSTORE_PASSWORD
keytool -import -v -alias $ALIAS -trustcacerts -keystore $NEW_KEYSTORE -file $CERTIFICATE_REPLY -storepass $KEYSTORE_PASSWORD
keytool -list -v -keystore $NEW_KEYSTORE -storepass $KEYSTORE_PASSWORD
echo $NEW_KEYSTORE
Script end:=========================================

Error (from line: keytool -import -v -alias $ALIAS -trustcacerts -keystore $NEW_KEYSTORE -file $CERTIFICATE_REPLY -storepass $KEYSTORE_PASSWORD)

keytool error: java.lang.Exception: Failed to establish chain from reply
===================================================

Am I assuming, incorrectly, that this is in fact the problem? Many times an error message is masking the real problem which lies elsewhere.

Some other people appear to have a similar problem (yet no distinct workable (for me) answer found yet):
http://www.mail-archive.com/[EMAIL PROTECTED]/msg88747.html
http://www.mail-archive.com/[EMAIL PROTECTED]/msg106668.html
http://www.mail-archive.com/[EMAIL PROTECTED]/msg86978.html

I might be onto something with regards to generating the reply certificate in PKCS#7 format but apparently will have to talk to a human at Verisign in order to obtain this for the test certificate. That can't be done till tomorrow at this point. Confirmation sooner would mean I have a small chance of getting some badly needed rest before then...
http://www.mail-archive.com/[EMAIL PROTECTED]/msg87665.html

If someone could point me in the direction I need to figure out what I'm missing I would greatly appreciate it.

Gary
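
keytool reports "Failed to establish chain from reply" when it cannot link the reply certificate, issuer by issuer, to a self-signed certificate it already trusts. The sketch below is an added example, not part of the original message: it walks the Owner/Issuer lines of `keytool -printcert` style output and names the first issuer that is absent. The function names, file names and DNs are constructed placeholders, and it compares names only, whereas keytool also verifies each signature.

```shell
#!/bin/sh
# Added example. Name matching only: keytool also verifies every signature.
# All DNs below are constructed placeholders, not real CA names.

owner_of()  { sed -n 's/^Owner: //p'  "$1" | head -n 1; }
issuer_of() { sed -n 's/^Issuer: //p' "$1" | head -n 1; }

# chain_status REPLY CANDIDATE...
# Follows Issuer -> Owner links from REPLY through the candidate files.
# Prints "complete" on reaching a self-signed candidate, else "missing: <DN>".
chain_status() {
    current=$1; shift
    hops=0
    while [ "$hops" -lt 10 ]; do          # guard against issuer loops
        want=$(issuer_of "$current")
        next=
        for cand in "$@"; do
            if [ "$(owner_of "$cand")" = "$want" ]; then next=$cand; break; fi
        done
        if [ -z "$next" ]; then echo "missing: $want"; return 1; fi
        if [ "$(issuer_of "$next")" = "$want" ]; then echo complete; return 0; fi
        current=$next
        hops=$((hops + 1))
    done
    echo "missing: chain longer than 10 links"; return 1
}

# make_samples DIR: write constructed `keytool -printcert` style summaries.
make_samples() {
    printf 'Owner: CN=some.org, O=Institute of Something or Other, C=US\nIssuer: CN=Example Trial Intermediate CA, O=Example CA\n' > "$1/reply.txt"
    printf 'Owner: CN=Example Trial Intermediate CA, O=Example CA\nIssuer: CN=Example Trial Root CA, O=Example CA\n' > "$1/intermediate.txt"
    printf 'Owner: CN=Example Trial Root CA, O=Example CA\nIssuer: CN=Example Trial Root CA, O=Example CA\n' > "$1/root.txt"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
# Only the intermediate is available: the walk stops at the absent root.
chain_status "$demo_dir/reply.txt" "$demo_dir/intermediate.txt" || true
# With the root present as well, the chain closes.
chain_status "$demo_dir/reply.txt" "$demo_dir/intermediate.txt" "$demo_dir/root.txt"
rm -rf "$demo_dir"
```

To run it against real files, save the output of `keytool -printcert -file <certificate>` for the reply and for each certificate already imported, and pass those text files in place of the samples.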
