I can't do steps 1 and 2 because the certificate and private key have already been created with openssl.
The file TestServer_APU.pem contains the private key and certificate in PEM format.
Should that work as well?
Does the cacerts file have to be located in %JAVA_HOME%\jre\lib\security\cacerts, or can I place it anywhere else?
"Mark Thomas" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
Cc:
Subject: RE: SSL, keystore with ca hierarchy
24.01.2004 19:18
Please reply to "Tomcat Users List"
I have successfully used a server signed cert with tomcat.
The step-by-step guide is quite lengthy. I'll give you the edited highlights; please follow up if you have any more questions.
1. Create key in .keystore with alias tomcat
2. Generate a signing request and send it to the CA
3. Receive signed key (cert) and CA cert
4. Import the root cert into cacerts
5. Import CA cert into cacerts (%JAVA_HOME%\jre\lib\security\cacerts)
6. Import tomcat cert into .keystore, with -trustcacerts option and alias tomcat
From your post it looks like you have imported the root cert and the CA cert into .keystore rather than the cacerts file.
Mark
> -----Original Message-----
> From: Oliver Wulff [mailto:[EMAIL PROTECTED]
> Sent: Saturday, January 24, 2004 2:25 PM
> To: [EMAIL PROTECTED]
> Subject: SSL, keystore with ca hierarchy
>
> I've created the following keystore for Tomcat 4.1.18:
> SET KEYSTORE_FILE=.\.keystore
>
> keytool -import -keystore %KEYSTORE_FILE% -storepass icebeer -alias root -trustcacerts -file CA_Root_APU.pem
> keytool -import -keystore %KEYSTORE_FILE% -storepass icebeer -alias server_ca -trustcacerts -file CA_Server_APU.pem
> keytool -import -keystore %KEYSTORE_FILE% -storepass icebeer -alias tomcat -trustcacerts -file
>
> The root CA is self-signed. The tomcat certificate is signed by server_ca, which is issued by the root CA. The password for the keystore and the tomcat certificate are identical. Further, I've configured the server.xml accordingly:
> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>            port="9443" minProcessors="5" maxProcessors="75" enableLookups="true"
>            acceptCount="100" debug="0" scheme="https" secure="true"
>            useURIValidationHack="false" disableUploadTimeout="true">
>   <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>            clientAuth="false" protocol="TLS"
>            keystoreFile="certs/.keystore" keystorePass="123456" />
> </Connector>
>
> Tomcat starts with no problems:
> 24.01.2004 15:10:41 org.apache.coyote.http11.Http11Protocol start
> INFO: Starting Coyote HTTP/1.1 on port 9080
> 24.01.2004 15:10:41 org.apache.coyote.http11.Http11Protocol start
> INFO: Starting Coyote HTTP/1.1 on port 9443
>
> But I get the error "The Page Cannot Be Displayed" when I try to access the index.html.
>
> When I create the certificates in the following way it does work:
> keytool -genkey -storepass 123456 -alias tomcat -keyalg RSA -keystore .\dummy.keystore
> keytool -rfc -storepass 123456 -export -alias tomcat -keystore .\dummy.keystore -file dummy.tomcat.pem
>
> Does Tomcat not support certificates with a CA hierarchy?
>
> -oliver
>
> ******************* PLEASE NOTE *******************
> This message (and any attachments to it) may contain confidential or legally protected data or information. It is intended exclusively for the named person(s). If you have received this message in error, you are kindly asked to destroy it without making any reproduction and to notify the sender immediately. Thank you for your help.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
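An added diagnostic, not part of either poster's mail or of Tomcat: a small pure-Python reader for the JKS file format that verifies the keystore's password-keyed integrity digest and reports whether the `tomcat` alias is a private-key entry with a certificate chain (what the connector needs) or only a trusted-certificate entry (what three `keytool -import` commands into a keystore with no key entry produce, matching Mark's reading of the original post). `build_jks`, the two sample stores and the placeholder DER blobs are constructed here for the example only.

```python
import struct
from hashlib import sha1
JKS_MAGIC, PRIVATE_KEY_ENTRY, TRUSTED_CERT_ENTRY = 0xFEEDFEED, 1, 2

def _digest(store_pass, body):
    # keytool's integrity check: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || body)
    return sha1(store_pass.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()
def build_jks(entries, store_pass):  # sample-store writer (placeholder DER blobs only)
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, kind, payload in entries:
        body += struct.pack(">IH", kind, len(alias.encode())) + alias.encode() + struct.pack(">Q", 0)
        chain = [payload]                      # trusted entry: payload is one certificate
        if kind == PRIVATE_KEY_ENTRY:          # key entry: payload is (encrypted key, chain)
            key, chain = payload
            body += struct.pack(">I", len(key)) + key + struct.pack(">I", len(chain))
        for cert in chain:
            body += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(cert)) + cert
    return body + _digest(store_pass, body)
def read_jks(data, store_pass):
    # Verify the keyed digest, then walk the entries -> {alias: (kind, certs_in_chain)}
    body, digest = data[:-20], data[-20:]
    if digest != _digest(store_pass, body):
        raise ValueError("bad keystore password or corrupted keystore")
    magic, version, count = struct.unpack_from(">III", body, 0)
    assert (magic, version) == (JKS_MAGIC, 2), "not a JKS version-2 keystore"
    pos, entries = 12, {}
    for _ in range(count):
        kind, alen = struct.unpack_from(">IH", body, pos)
        alias = body[pos + 6:pos + 6 + alen].decode()
        pos += 6 + alen + 8                    # tag, alias, creation timestamp
        chain_len = 1                          # a trusted entry holds exactly one cert
        if kind == PRIVATE_KEY_ENTRY:
            klen, = struct.unpack_from(">I", body, pos)
            chain_len, = struct.unpack_from(">I", body, pos + 4 + klen)
            pos += 8 + klen                    # encrypted key blob + chain count
        for _ in range(chain_len):
            tlen, = struct.unpack_from(">H", body, pos)
            clen, = struct.unpack_from(">I", body, pos + 2 + tlen)
            pos += 6 + tlen + clen             # cert type string + cert bytes
        entries[alias] = (kind, chain_len)
    return entries

def tomcat_can_serve_tls(entries, alias="tomcat"):
    kind, chain_len = entries.get(alias, (None, 0))
    return kind == PRIVATE_KEY_ENTRY and chain_len >= 1   # needs a key entry with its chain

# Constructed samples: the post's three imports (trusted entries only) vs. Mark's recipe (key entry + chain)
BROKEN_STORE = build_jks([(a, TRUSTED_CERT_ENTRY, b"<DER>") for a in ("root", "server_ca", "tomcat")], "icebeer")
GOOD_STORE = build_jks([("tomcat", PRIVATE_KEY_ENTRY,
                         (b"<enc key>", [b"<server DER>", b"<ca DER>", b"<root DER>"]))], "icebeer")
```

The digest check also catches the other mismatch visible in the original post: the keystore was built with `-storepass icebeer` while server.xml carries `keystorePass="123456"`, so even a correct key entry would not be opened with that configuration.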