I won't call it "stupid", but you are still doing something wrong. In a
little greater detail, here are instructions I wrote for the procedure I
use (with Tomcat 3.2.1 and IBM JDK 1.3 currently):

In response to a Certificate Signing Request, EquifaxSecure sends a mail
message containing two "certificates". The first asserts the key binding
requested, and is signed by EquifaxSecure. The second is actually a chain
of two certificates: one asserts EquifaxSecure's key and is signed by
Thawte, and the other is a self-signed certificate of Thawte's.

I first tried `keytool -import` on the web server's certificate. This
led to a complaint about keytool not being able to establish trust in the
certificate. I fixed this by: (1) using `keytool` to load, as a "new
trusted certificate", the certificate-that's-actually-a-chain into
$JAVA_HOME/jre/lib/security/cacerts on the web server machine, and (2)
adding the "-trustcacerts" flag to the `keytool -import` of the web
server's certificate. After that, `keytool -list` shows a chain of three
certificates associated with the "tomcat" alias. Upon restarting Tomcat,
I find that Netscape 4.75 and IE 5 on my Win 2K laptop both recognize the
web site as secure without pestering the user --- provided there is only
one key entry in the keystore used by Tomcat (when there is more than one
key entry, Tomcat seems to pick one at random to use as the server's
SSL/TLS identity).
I hope this helps.
Mike
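The two-step procedure above, as an added shell example that is not the poster's own script: the CA's "certificate that is actually a chain" is first split into one PEM file per certificate so that each link lands in cacerts under its own alias (keytool's trusted-certificate import only reads the first certificate of a bundle), then the server certificate is imported with `-trustcacerts`, and finally the number of key entries is counted, since Tomcat picks an arbitrary one when several exist. File names, aliases, the `changeit` cacerts password and the JDK 9+ cacerts path are assumptions (JDK 8 and earlier use `$JAVA_HOME/jre/lib/security/cacerts`).

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumed: file names,
# aliases, cacerts password "changeit", JDK 9+ cacerts location.

# Split a PEM bundle into numbered files <prefix>-1.pem, <prefix>-2.pem, ...
# and print how many certificates were found (the CA's "second certificate"
# should report 2: the intermediate and the self-signed root).
split_pem() {
    bundle=$1; prefix=$2
    awk -v p="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = p "-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }' "$bundle"
}

# Step 1: load every certificate of the chain as a trusted certificate into
# the JDK's cacerts store, one alias per link.
import_chain() {
    bundle=$1; cacerts=${2:-"$JAVA_HOME/lib/security/cacerts"}
    n=$(split_pem "$bundle" chain)
    i=1
    while [ "$i" -le "$n" ]; do
        keytool -importcert -trustcacerts -noprompt \
            -alias "ca-chain-$i" -file "chain-$i.pem" \
            -keystore "$cacerts" -storepass changeit
        i=$((i + 1))
    done
}

# Step 2: import the server's own certificate into the key entry created
# for the CSR (alias "tomcat"); -trustcacerts lets keytool complete the
# chain from the certificates loaded in step 1.
import_server_cert() {
    keystore=$1; cert=$2; storepass=$3
    keytool -importcert -trustcacerts -alias tomcat -file "$cert" \
        -keystore "$keystore" -storepass "$storepass"
}

# Check: Tomcat uses an arbitrary key entry when more than one exists,
# so the keystore handed to Tomcat should report exactly 1 here.
key_entry_count() {
    keystore=$1; storepass=$2
    keytool -list -keystore "$keystore" -storepass "$storepass" \
        | grep -c 'PrivateKeyEntry'
}
```

Run `import_chain ca-bundle.pem`, then `import_server_cert tomcat.keystore server.pem "$STOREPASS"`, and confirm `key_entry_count tomcat.keystore "$STOREPASS"` prints 1 before restarting Tomcat.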