Hi Kallen,
I was able to export a p12 cert with complete chain half a year ago, but I couldn't reproduce it now. However, I found this:
http://sense.bigbrother.net/archives/00000275.html
Maybe you can try it out while I continue playing with openssl ...
Dennis
On 9/21/2004 3:29 PM, [EMAIL PROTECTED] wrote:
hi. i'm having difficulty getting tomcat to work with SSL. i'm hoping to succeed with this, and not end up using apache+SSL in front of tomcat, tho i can. also, i have done much googling, and have tried many of the suggestions, to no avail.
i'll limit my problem description to my attempts with using pkcs12, not JKS. the players: linux, tomcat-5.0.27, IBMJava2-141, cert SSL generated with openssl.
i generated the CSR for my site with openssl, and got the server cert from verisign. fwiw, the Issuer line from the cert:
Issuer: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
do i need to include the verisign intermediate cert with this? (http://www.verisign.com/support/install/intermediate.html) i'm not sure, but i'm assuming i do.
then i performed the next step "import an existing certificate signed by your own CA into a PKCS12 keystore using OpenSSL":
$ openssl pkcs12 -inkey server.key -in server.crt -certfile intermediateCA.crt \
    -export -out certs.p12
i do notice tomcat docs say include the "-chain". when i appended "-chain" to the above openssl command, i got the error "Error unable to get local issuer certificate getting chain." so i chose to go without it and try the subsequently generated certs.p12 file. (could lacking "-chain" be my problem?)
next i put certs.p12 in tomcat's homedir. here is the relevant server.xml snippet:
<Connector port="443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https" secure="true" clientAuth="false" keystoreFile="/home/tomcat/certs.p12" keystoreType="PKCS12" algorithm="IbmX509" sslProtocol="SSL"/>
when i crank up catalina, i get this error:
SEVERE: Error initializing endpoint
java.io.IOException: Unable to verify MAC.
        at com.ibm.crypto.provider.PKCS12KeyStore.engineLoad(Unknown Source)
        at java.security.KeyStore.load(KeyStore.java:695)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:278)
any help out there? fwiw, i've seen tips out there on converting the pkcs12 format into JKS. i'm hoping not to go that route.
thanks in advance, kallen
-- Dennis Dai [EMAIL PROTECTED]
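An added example, not from either poster: it builds a constructed root -> intermediate -> server chain with throwaway keys, exports a PKCS#12 file with the full chain the way the post attempts (every issuer supplied to openssl through -CAfile so that -chain can build the path), and then opens the file with the export password and with a different one, which is the condition behind "Unable to verify MAC". It assumes the openssl CLI is installed; the file names follow the post, while the subjects and the "changeit" password (Tomcat's default keystorePass when the Connector sets none) are constructed.

```shell
# Added example (not from the thread). Assumes the openssl CLI; all subjects are constructed.
WORK="$(mktemp -d)"
P12PASS="changeit"   # Tomcat's default keystorePass when the Connector sets none

make_chain() {
  cd "$WORK"
  # Extensions for both CA certs; a v3 cert without CA:TRUE is rejected as an issuer.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl genrsa -out root.key 2048 2>/dev/null
  openssl req -new -key root.key -subj "/CN=Constructed Test Root" -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt 2>/dev/null
  openssl genrsa -out intermediateCA.key 2048 2>/dev/null
  openssl req -new -key intermediateCA.key -subj "/CN=Constructed Test Intermediate" \
    -out intermediateCA.csr 2>/dev/null
  openssl x509 -req -in intermediateCA.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out intermediateCA.crt 2>/dev/null
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -subj "/CN=www.example.test" -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA intermediateCA.crt -CAkey intermediateCA.key \
    -CAcreateserial -days 30 -out server.crt 2>/dev/null
}

# -chain makes openssl build and verify the path from server.crt up to a trusted root, so
# every issuer must be loadable from -CAfile; a missing link is what produces
# "unable to get local issuer certificate getting chain".
export_p12() {
  cd "$WORK"
  cat root.crt intermediateCA.crt > cabundle.pem
  openssl pkcs12 -export -inkey server.key -in server.crt -CAfile cabundle.pem -chain \
    -passout "pass:$P12PASS" -out certs.p12 2>/dev/null
}

# Number of certificates bundled in certs.p12: leaf + intermediate + root = 3 when -chain worked.
count_certs() {
  openssl pkcs12 -in "$WORK/certs.p12" -passin "pass:$1" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# The PKCS#12 integrity MAC is keyed from the export password, so opening the file with a
# different password fails before any key is read. That is the condition Tomcat logs as
# "Unable to verify MAC": the keystorePass it uses (default changeit) is not the -passout value.
mac_ok() {
  openssl pkcs12 -in "$WORK/certs.p12" -passin "pass:$1" -noout 2>/dev/null
}
```

A quick check after running make_chain and export_p12: count_certs "$P12PASS" prints 3, mac_ok "$P12PASS" succeeds, and mac_ok with any other password fails.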
