And if I would like to store the certificate on a PKCS11 USB token? I did every step:
1) generation of a keypair on the USB token
"keytool -genkey -alias lapo -keystore NONE -storetype PKCS11 -keyalg "RSA" -validity 365"
2) request a certificate signing; it exports a CSR file to disk
"keytool -certreq -alias lapo -keystore NONE -storetype PKCS11 -file lapo_certreq.csr"
3) I give the file to the CA, the CA signs it with openssl and generates the file lapo_cert.cer
4) then I would like to import the signed certificate into the PKCS11 keystore to update it... but it needs the root CA certificate in the PKCS11 keystore to rebuild the chain. In fact it says:
"keytool -import -alias lapo -keystore NONE -storetype PKCS11 -file lapo_cert.cer "
java error "impossibile stabilire la catena dalla risposta"
so first I try to import the CA certificate, but it gives an error again
"keytool -import -alias root -keystore NONE -storetype PKCS11 -file cacert.cer "
"trusted certificates may only be set by token initialization application"
I tried with many different models of USB token... same errors...
why?!?!?
----- Original Message ----- From: <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[email protected]>
Sent: Thursday, April 28, 2005 8:44 PM
Subject: Re: Tomcat 5 and SSL Configuration
Here are the complete steps to generate a cert for the Tomcat web server. I am listing the commands that I used; your keystore directory _will_ vary.
keytool -genkey -keyalg RSA -alias tomcat -keystore </path/to/.keystore>
password is "changeit"
then
keytool -certreq -keyalg RSA -alias tomcat -keystore </path/to/.keystore> -file </path/to/certwhatever.csr>
then once you receive the cert back from VERISIGN...
IF it's the first cert this server has had, you'll need to download a chain cert from one of the following locations, depending on who you purchased the cert from:
For Verisign.com go to: http://www.verisign.com/support/install/intermediate.html
For Trustcenter.de go to: http://www.trustcenter.de/certservices/cacerts/en/en.htm#server
For Thawte.com go to: http://www.thawte.com/certs/trustmap.html
Import the chain certificate into your keystore:
keytool -import -alias root -keystore </path/to/.keystore> -trustcacerts -file </path/to/filename_of_the_chain_certificate>
And finally import your new certificate (it must be in X509 format):
keytool -import -alias tomcat -keystore </path/to/.keystore> -trustcacerts -file </path/to/your_certificate_filename>
Jeff -jrj
Mark Thomas wrote:
Bruce,
Sorry. Don't know. I have only ever got it working using RSA. However, when I did this I got so many things wrong the first 20 or so times I tried it that it could have been anything stopping it working.
Mark
Bruce Perryman wrote:
Thanks,
It worked, the only problem is that we failed to specify the RSA algorithm.
Are we screwed for using DSA?
--- Mark Thomas <[EMAIL PROTECTED]> wrote:
The following steps should work (although I have only ever done this using my own CA).
1. Create tomcat key in your own keystore
2. Create CSR
3. Submit CSR
4. Get response
5. Import CA's root cert to cacerts (%JAVA_HOME%\jre\lib\security\cacerts)
6. Import new cert to same keystore as 1 (use same alias & trustcacerts option)
7. Restart Tomcat
HTH
Mark
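The flow Mark outlines above and the keytool commands in Jeff's message, run end to end against a throw-away OpenSSL CA on a file keystore, so that the "failed to establish chain from reply" error from the first message can be reproduced and then cleared by importing the CA cert first. This is an added example, not code from the thread; it assumes keytool and openssl are on PATH, and the CA name, hostname, alias, paths and the changeit password are constructed placeholders.

```shell
#!/bin/sh
# Added example: Tomcat keytool enrolment against a local OpenSSL test CA.
# Assumes keytool (JDK) and openssl on PATH; every name/path here is constructed.
set -eu

PASS=changeit   # placeholder password, same as the thread uses

# Throw-away self-signed CA standing in for Verisign / the poster's own CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Test CA" \
    -keyout "$1/cakey.pem" -out "$1/cacert.pem" >/dev/null 2>&1
}

# Steps 1-2: RSA key pair in the keystore, then a CSR to hand to the CA.
make_csr() {
  keytool -genkeypair -keyalg RSA -alias tomcat -keystore "$1/.keystore" \
    -storepass "$PASS" -keypass "$PASS" -dname "CN=tomcat.example.test"
  keytool -certreq -alias tomcat -keystore "$1/.keystore" \
    -storepass "$PASS" -file "$1/tomcat.csr"
}

# Steps 3-4: the CA signs the CSR with openssl and returns tomcat.cer.
sign_csr() {
  openssl x509 -req -in "$1/tomcat.csr" -CA "$1/cacert.pem" \
    -CAkey "$1/cakey.pem" -CAcreateserial -days 365 \
    -out "$1/tomcat.cer" >/dev/null 2>&1
}

# The first message's failure: importing the reply before the issuing CA is
# known leaves keytool unable to build the chain, so the import is rejected.
reply_without_root_fails() {
  if keytool -importcert -noprompt -alias tomcat -keystore "$1/.keystore" \
       -storepass "$PASS" -file "$1/tomcat.cer" >/dev/null 2>&1; then
    return 1
  fi
}

# Steps 5-6: CA cert first (-trustcacerts), then the reply under the SAME alias.
import_chain() {
  keytool -importcert -noprompt -alias root -keystore "$1/.keystore" \
    -storepass "$PASS" -trustcacerts -file "$1/cacert.pem"
  keytool -importcert -noprompt -alias tomcat -keystore "$1/.keystore" \
    -storepass "$PASS" -file "$1/tomcat.cer"
}

# Prints the chain length keytool now reports for the tomcat entry (2 = cert + CA).
chain_length() {
  keytool -list -v -alias tomcat -keystore "$1/.keystore" -storepass "$PASS" \
    | sed -n 's/.*Certificate chain length: *//p'
}
```

Run the functions in order on an empty directory; the keystore that results is the one Tomcat's SSL connector points at.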
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
