I've created the following keystore for Tomcat 4.1.18:
SET KEYSTORE_FILE=.\.keystore

keytool -import -keystore %KEYSTORE_FILE% -storepass icebeer -alias root -trustcacerts -file CA_Root_APU.pem
keytool -import -keystore %KEYSTORE_FILE% -storepass icebeer -alias server_ca -trustcacerts -file CA_Server_APU.pem
keytool -import -keystore %KEYSTORE_FILE% -storepass icebeer -alias tomcat -trustcacerts -file TestServer_APU.pem

The root CA is self-signed. The tomcat certificate is signed by server_ca,
which is issued by the root CA. The password for the keystore and the
tomcat certificate are identical. Further, I've configured the server.xml
accordingly:
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="9443" minProcessors="5" maxProcessors="75"
           enableLookups="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           useURIValidationHack="false" disableUploadTimeout="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" protocol="TLS"
           keystoreFile="certs/.keystore"
           keystorePass="123456"
           />
</Connector>

Tomcat starts with no problems:
24.01.2004 15:10:41 org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on port 9080
24.01.2004 15:10:41 org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on port 9443

But I get the error "The Page Cannot Be Displayed" when I try to access the
index.html.

When I create the certificates in the following way it does work:
keytool -genkey -storepass 123456 -alias tomcat -keyalg RSA -keystore .\dummy.keystore
keytool -rfc -storepass 123456 -export -alias tomcat -keystore .\dummy.keystore -file dummy.tomcat.pem

Does Tomcat not support certificates with a CA hierarchy?

-oliver






