It seems that obtaining and installing SSL certificates from different Certificate Authorities is not consistent. Even within the same CA, the procedure for real and test certificates is not necessarily the same. To make matters worse, there appear to be differences in the operation of the Java keystore from 1.3.x to 1.4.2. Finally, the documentation in Tomcat and on the CA sites is slightly out of date. These things combined make life difficult.
The following is a summary of procedures that I have found to work with JDK 1.4.2_03 and Tomcat 5.0.

For all options:
- Use password "changeit" for BOTH the keystore and the keys.
- Use the server's fully qualified hostname as "first and last name", i.e. myserver.mydomain.com
- When requesting certificates, you must get an X.509 server certificate. If you get a PKCS#7 certificate you must convert it to an X.509 one before use.

Using a self-signed certificate:
- cd
- keytool -genkey -alias tomcat -keyalg RSA

Using a Verisign certificate:
The official Verisign instructions were incorrect at the time of this writing, but the following procedure will work for "REAL" certificates. For test certificates you theoretically only need the steps that install the test root and test server certificates (not successfully tested), which are different from the regular root and server certificates.
- cd
- keytool -genkey -alias tomcat -keyalg RSA
- keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
- Use the .csr to request a certificate
- Obtain the Verisign root certificate, intermediate certificate and server certificate
- keytool -import -alias verisignroot -trustcacerts -file verisignroot.cer
- keytool -import -alias root -file intermediate.cer
- keytool -import -alias tomcat -file server.cer

Using a Thawte certificate:
The Thawte instructions were incorrect at the time of this writing, but the following procedure will work for (at least) test certificates.
- cd
- keytool -genkey -alias mykey -keyalg RSA
- keytool -certreq -keyalg RSA -alias mykey -file certreq.csr
- Use the .csr to request an X.509 certificate; you will get a server certificate.
- keytool -import -alias tomcat -trustcacerts -file server.cer

I hope this helps others to avoid the headaches I experienced. :P

Bruno
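The post says a PKCS#7 reply must be converted to X.509 before keytool will import it. The following pre-flight check is an added example, not part of Bruno's post: it classifies a CA reply by its PEM armor header and prints the openssl conversion command when one is needed. File names and certificate contents are constructed placeholders.

```shell
#!/bin/sh
# cert_kind FILE -> prints one of: x509-pem, pkcs7-pem, der-or-binary, missing
# keytool -import accepts PEM or DER X.509; a PKCS#7 bundle must be unpacked first.
cert_kind() {
    [ -f "$1" ] || { echo missing; return 1; }
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo x509-pem
    elif grep -q -- '-----BEGIN PKCS7-----' "$1"; then
        echo pkcs7-pem
    else
        # No PEM armor: either DER-encoded X.509 (fine for keytool) or DER PKCS#7.
        echo der-or-binary
    fi
}

# convert_hint FILE -> prints the command to run before keytool, or nothing if
# the file can be imported as-is. Output file name is derived from the input.
convert_hint() {
    out="${1%.*}.cer"
    case "$(cert_kind "$1")" in
        x509-pem)      ;;
        pkcs7-pem)     echo "openssl pkcs7 -print_certs -in '$1' -out '$out'" ;;
        der-or-binary) echo "if keytool rejects it, try: openssl pkcs7 -inform DER -print_certs -in '$1' -out '$out'" ;;
        *)             echo "file not found: $1" ;;
    esac
}

# Demo on constructed sample files (placeholder bodies, not real certificates).
demo() {
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n' > "$d/server.cer"
    printf -- '-----BEGIN PKCS7-----\nMIIG...placeholder...\n-----END PKCS7-----\n' > "$d/reply.p7b"
    printf '\060\202\001' > "$d/server.der"
    for f in "$d/server.cer" "$d/reply.p7b" "$d/server.der"; do
        echo "$f: $(cert_kind "$f")"
        hint=$(convert_hint "$f")
        [ -n "$hint" ] && echo "  -> $hint"
    done
    rm -rf "$d"
}

demo
```

Run the check on each CA reply before the `keytool -import` steps above; a PKCS#7 reply converted this way yields a PEM file containing the server certificate (and often the intermediates), which keytool imports under the key alias.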
