* server.key - your certificate's private key
* server.crt - your certificate
* inter.crt - the intermediate CA that signed your certificate
* root.crt - the root CA that signed the intermediate CA
First, concatenate the CA certs, make sure the intermediate CA goes first:
$ cat inter.crt root.crt > chain.crt
Next, export the pkcs12 file:
$ openssl pkcs12 -export -chain -inkey server.key -in server.crt \
    -name "server" -CAfile chain.crt -out server.p12
When prompted for an export password, enter something and don't leave it empty.
Now, use keytool to verify:
$ keytool -list -v -storetype pkcs12 -keystore server.p12
Enter the export password for the keystore password. Then you should see a line like this from the output:
.... Certificate chain length: 3 ....
Then you're done!
HTH,
Dennis
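The procedure above, as an added example that is not part of Dennis's post: a POSIX shell script that builds a disposable root/intermediate/server PKI, exports the PKCS12 the way he describes (intermediate first in the bundle, -chain, non-empty export password) and counts the certificates with openssl alone, so it also works where keytool is not installed. All subjects, file names and the password are constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a disposable root -> intermediate
# -> server hierarchy, exports a PKCS12 with the full chain the way Dennis
# describes, and counts the certificates in the result. All subjects, file
# names and the password are constructed for this demo.
set -eu

# make_test_pki DIR: writes root.crt, inter.crt, server.crt, server.key into DIR.
make_test_pki() {
  d="$1"
  # Without basicConstraints CA:TRUE, -chain refuses to use a cert as an issuer.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$d/ca.ext"
  for n in root inter server; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -days 30 -out "$d/server.crt" 2>/dev/null
}

# export_p12 DIR PASSWORD: Dennis's two steps. The -CAfile bundle must let
# openssl walk server -> inter -> root; a bundle missing a link produces the
# "unable to get local issuer certificate getting chain" error from the thread.
export_p12() {
  d="$1"; pw="$2"
  cat "$d/inter.crt" "$d/root.crt" > "$d/chain.crt"
  openssl pkcs12 -export -chain -inkey "$d/server.key" -in "$d/server.crt" \
    -name server -CAfile "$d/chain.crt" -passout "pass:$pw" -out "$d/server.p12"
}

# p12_chain_length FILE PASSWORD: number of certificates stored in the keystore,
# the same figure keytool -list -v prints as "Certificate chain length".
p12_chain_length() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" | grep -c 'BEGIN CERTIFICATE'
}

# demo: succeeds only when the exported keystore carries all three certificates.
demo() {
  d=$(mktemp -d)
  make_test_pki "$d"
  export_p12 "$d" changeit
  n=$(p12_chain_length "$d/server.p12" changeit)
  rm -rf "$d"
  [ "$n" -eq 3 ]
}
```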
On 9/21/2004 4:37 PM, Dennis Dai wrote:
Hi Kallen,
I was able to export a p12 cert with a complete chain half a year ago, but I couldn't reproduce it now. However, I found this:
http://sense.bigbrother.net/archives/00000275.html
Maybe you can try it out while I continue playing with openssl ...
Dennis
On 9/21/2004 3:29 PM, [EMAIL PROTECTED] wrote:
hi. i'm having difficulty getting tomcat to work with SSL. i'm hoping to succeed with this, and not end up using apache+SSL in front of tomcat, tho i can. also, i have done much googling, and have tried many of the suggestions, to no avail.
i'll limit my problem description to my attempts with using pkcs12, not JKS. the players: linux, tomcat-5.0.27, IBMJava2-141, cert SSL generated with openssl.
i generated the CSR for my site with openssl, and got the server cert from verisign. fwiw, the Issuer line from the cert:
Issuer: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
do i need to include the verisign intermediate cert with this? (http://www.verisign.com/support/install/intermediate.html) i'm not sure, but i'm assuming i do.
then i performed the next step "import an existing certificate signed by your own CA into a PKCS12 keystore using OpenSSL":
$ openssl pkcs12 -inkey server.key -in server.crt -certfile \
    intermediateCA.crt -export -out certs.p12
i do notice tomcat docs say include the "-chain". when i appended "-chain" to the above openssl command, i got the error "Error unable to get local issuer certificate getting chain." so i chose to go without it and try the subsequently generated certs.p12 file. (could lacking "-chain" be my problem?)
next i put certs.p12 in tomcat's homedir. here is the relevant server.xml snippet:
<Connector port="443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" keystoreFile="/home/tomcat/certs.p12"
           keystoreType="PKCS12" algorithm="IbmX509" sslProtocol="SSL"/>
when i crank up catalina, i get this error:
SEVERE: Error initializing endpoint
java.io.IOException: Unable to verify MAC.
        at com.ibm.crypto.provider.PKCS12KeyStore.engineLoad(Unknown Source)
        at java.security.KeyStore.load(KeyStore.java:695)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:278)
any help out there? fwiw, i've seen tips out there on converting the pkcs12 format into JKS. i'm hoping not to go that route.
thanks in advance, kallen
-- Dennis Dai [EMAIL PROTECTED]
