I am using 1.4.2_03 without any problems and have successfully imported various certs (Verisign, self-signed and Windows cert server signed).
I have never tried to import a CA signed cert on top of a self signed cert. To be honest, I would expect it to fail. This may be the cause of your problem. Can you try generating a key, not signing it yourself and sending that to be signed by the CA? Also, can you confirm that you did the format conversion as described below.

Mark

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 19, 2004 2:49 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Using CA-issued certificates in Tomcat 5
>
> keytool in JDK 1.4.2_03 no longer seems to accept PKCS#7 certificates by default and I have not found a parameter to tell it to use them.
>
> When I do as you suggested (or download a Thawte pkcs#7 certificate) I get "keytool error: java.lang.Exception: Input not an X.509 certificate".
>
> Also, keytool does not allow the import for the cert under the "tomcat" alias if the self-signed cert is already in the keystore with the alias "tomcat".
>
> Can it be that Sun royally messed up the keytool implementation when moving from PKCS#7 to X.509 certificates?
>
> -----Original Message-----
> From: ext Mark Thomas [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 16, 2004 5:20 PM
> To: 'Tomcat Users List'
> Subject: RE: Using CA-issued certificates in Tomcat 5
>
> Try this - don't delete the alias before importing the response.
>
> What happens is:
>
> keytool -genkey -alias tomcat -keyalg RSA
> Creates your private and public key
>
> keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
> wraps a copy of your _public_ key in a certificate request
>
> ... got the certs...
> CA uses their private key to sign your public key - this is essentially your certificate
>
> keytool -delete -alias tomcat
> This deletes your private key. This is bad.
>
> keytool -import -alias root -trustcacerts -file rootcert.cer
> (root/intermediate/chain cert, as appropriate for the CA)
> Adds the public key of your CA to your trusted certs.
>
> keytool -import -alias tomcat -trustcacerts -file testcert.cer
> With your private key still in place, this replaces your unsigned public key with a signed public key
>
> You may find that the format the cert comes back in is not compatible with keytool. I normally do the following:
> 1. In windows, change extension to .cer
> 2. Double click on .cer file.
> 3. On "Details" tab click "Copy to file..."
> 4. Select the .p7b output format and tick the box to include all certs in path.
> 5. Specify a file name.
> 6. Use keytool to import this file.
>
> Sorry this is a windows solution but if you don't use windows, as long as you can get access to a windows box you should be able to do this.
>
> Mark
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 16, 2004 11:03 PM
> To: [EMAIL PROTECTED]
> Subject: Using CA-issued certificates in Tomcat 5
>
> I thought I had all my Tomcat issues resolved and was ready to go from the self-signed cert to one issued by a CA. So I followed all the steps, generated a CSR, got the root cert and test cert, installed them into the keytool, and restarted the server. An exception is thrown saying:
>
> No available certificate corresponds to the SSL cipher suites which are enabled
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
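The procedure quoted above (keep the private key under the alias and let the CA reply replace its self-signed certificate) written against the KeyStore API, as an added example that is not part of the thread or of keytool. It assumes a JKS keystore `.keystore` with alias `tomcat`, password `changeit` and the CA reply in `testcert.p7b`; `CertificateFactory` reads either a single X.509 certificate or a PKCS#7 bundle, and the program refuses to touch the entry if the private key is missing or the reply was issued for a different key pair.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate;
import java.util.*;

public class ImportCaReply {
    // Assumed values (not from the thread): adjust to your own keystore.
    static final String KEYSTORE = ".keystore", ALIAS = "tomcat", REPLY = "testcert.p7b";
    static final char[] PASS = "changeit".toCharArray();

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(KEYSTORE)) { ks.load(in, PASS); }
        // The private key must still sit under the alias; `keytool -delete` would have removed it for good.
        Key key = ks.getKey(ALIAS, PASS);
        if (!(key instanceof PrivateKey)) throw new IllegalStateException("no private key under '" + ALIAS + "'");
        PublicKey ourPub = ks.getCertificate(ALIAS).getPublicKey();
        // CertificateFactory reads one DER/PEM X.509 cert or a PKCS#7 (.p7b) bundle carrying the whole chain.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> reply;
        try (FileInputStream in = new FileInputStream(REPLY)) { reply = cf.generateCertificates(in); }
        // Replace only the certificate chain; the private key stays, exactly as importing the
        // CA reply under the same alias with keytool does.
        Certificate[] chain = orderChain(reply, ourPub);
        ks.setKeyEntry(ALIAS, key, PASS, chain);
        try (FileOutputStream out = new FileOutputStream(KEYSTORE)) { ks.store(out, PASS); }
        System.out.println("Replaced chain under '" + ALIAS + "' with " + chain.length + " certificate(s)");
    }

    // Orders an unordered bundle leaf -> ... -> root, starting at the cert whose public key is ours.
    static Certificate[] orderChain(Collection<? extends Certificate> certs, PublicKey ourPub) {
        List<X509Certificate> pool = new ArrayList<>();
        for (Certificate c : certs) pool.add((X509Certificate) c);
        X509Certificate cur = null;
        for (X509Certificate c : pool) if (c.getPublicKey().equals(ourPub)) cur = c;
        if (cur == null) throw new IllegalStateException("CA reply holds no certificate for the key under '" + ALIAS + "'");
        List<Certificate> chain = new ArrayList<>();
        while (cur != null) {               // follow issuer links; stops at the root or the last cert supplied
            chain.add(cur);
            pool.remove(cur);
            X509Certificate next = null;
            for (X509Certificate c : pool) if (c.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) next = c;
            cur = next;
        }
        return chain.toArray(new Certificate[0]);
    }
}
```

Afterwards `keytool -list -v` should show the alias as a key entry with a chain length greater than 1; a chain of 1 means the CA reply did not include the intermediates and the server will still fail to pick a certificate for its cipher suites.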