Robert,

First thing, Tomcat looks in the home folder of the user who is running Tomcat for .keystore; if this is not available, or you wish to move the keystore, you can state so in the Connector within server.xml.

Another thing, the password defaults to 'changeit'; if you wish to have an alternative password, you will need to specify it, again within the Connector element.

Third, you appear to be using '-trustcacerts'; is the cert you specify in hostname.crt the CA root cert (local CA) or the signed certificate? From your description, I assume it is the signed valid cert from Verisign. Off the top of my head, I don't remember the need for '-trustcacerts'.

This is a good site that may help as well: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html

-----Original Message-----
From: Robert Hall [mailto:[EMAIL PROTECTED]
Sent: Monday, April 12, 2004 6:56 PM
To: Tomcat Users List
Subject: help needed - keytool import of CA certs

I've been floundering for too many hours/days, having ventured into the java/keytool/keystore/CAcert realm for the first time to produce a CA signed certificate for JBoss/Tomcat.

We have a Verisign/RSA cert, hostname.crt, that produces the following when imported using 'keytool':

$ keytool -import -trustcacerts -file hostname.crt -keystore hostname.keystore
Enter keystore password: secret
Owner: CN=hostname.berkeley.edu, OU=MY-ORG-UNIT, O="University of California, Berkeley", L=Berkeley, ST=California, C=US
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Serial number: 63ba7416f9d061ad65db8b61554bd8c3
Valid from: Wed Aug 13 17:00:00 PDT 2003 until: Fri Aug 13 16:59:59 PDT 2004
Certificate fingerprints:
  MD5: 05:A7:B1:17:6B:C2:0B:FA:9A:B9:80:22:6A:B0:96:6B
  SHA1: B9:34:D0:58:C4:9C:01:CD:C1:05:D9:FD:C1:D1:45:43:E3:6C:17:1A
Trust this certificate? [no]: yes
Certificate was added to keystore

And if you're still reading, some questions:

1. Should the "Trust this certificate?" prompt appear if a corresponding CA cert entry exists in $JAVA_HOME/jre/lib/security/cacerts ?
2. Is it necessary to go through the CSR (Certificate Signing Request) process when you already have a server cert file?
3. What else is needed in addition to an existing server cert file if you don't have to go through the CSR process?

Thanks,
Robert

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
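
As an added example that is not part of the original thread: the import quoted above ends with "Certificate was added to keystore", the message keytool prints when it stores a standalone trusted certificate, so a useful check before pointing a Connector at the file is whether it holds any private key entry at all. The sketch below classifies `keytool -list` output by entry type, accepting both the older `keyEntry` and the newer `PrivateKeyEntry` labels; the function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and sample listings
# are constructed for illustration.

# Read `keytool -list` output on stdin, print one line per alias, and
# return 0 only if at least one entry holds a private key.
check_keystore_listing() {
    awk '
    # Entry lines look like: alias, Apr 12, 2004, trustedCertEntry,
    /, (keyEntry|PrivateKeyEntry|trustedCertEntry),?[ \t]*$/ {
        alias = $0; sub(/,.*/, "", alias)
        type = $0;  sub(/,?[ \t]*$/, "", type); sub(/.*, /, "", type)
        if (type == "trustedCertEntry") {
            printf "%s: certificate only (no private key)\n", alias
        } else {
            printf "%s: private key entry\n", alias
            keys++
        }
    }
    END { exit (keys > 0 ? 0 : 1) }'
}

# Constructed listing: what a keystore looks like after only an import of a
# certificate file under the default alias.
sample_import_only() {
    cat <<'EOF'
Keystore type: jks
Your keystore contains 1 entry

mykey, Apr 12, 2004, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33 (constructed)
EOF
}

# Constructed listing: a key pair under alias "tomcat" plus a CA certificate.
sample_with_key() {
    cat <<'EOF'
Keystore type: jks
Your keystore contains 2 entries

tomcat, Apr 12, 2004, keyEntry,
Certificate fingerprint (MD5): 44:55:66:77 (constructed)
rsa-ca, Apr 12, 2004, trustedCertEntry,
Certificate fingerprint (MD5): 88:99:AA:BB (constructed)
EOF
}

sample_import_only | check_keystore_listing || echo "=> no private key in this keystore"
sample_with_key | check_keystore_listing && echo "=> keystore holds a private key entry"
```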