Kevin;

Get this; I got it to work by changing the steps
around;

1) Delete your old keyring (/root/.keystore) file completely
    unless you can't for whatever reason.

Now build a new keyring file;

2) keytool -genkey -alias tomcat -keyalg RSA

Note your keyring password, you'll need it later. This
step seems important for reasons I outline later.

3) openssl req -x509 -in REQ.pem -key KEY.pem -out CERT.pem

4) keytool -import -v -trustcacerts -alias tomcat -file CERT.pem

5) keytool -delete -alias tomcat

This leaves you with an empty, but valid keyring

6) Now do a keytool -genkey -alias tomcat -keyalg RSA

Use the keyring password you used in step 2

7) Add the key to your keyring: keytool -import -v -trustcacerts
    -alias tomcat -file CERT.pem

I still need to do some testing, but I've found that Tomcat
only seems to work if you have one key on your ring. I hope
I'm wrong. But if I am wrong, why is there no alias field
in the info for the ssl connector group in server.xml?
Also:
The deal seems to be, regardless of what the guide says,
Tomcat must use RSA algo keys. Or I myself have only
gotten RSA keys to work, whichever.

This leaves you with a self-signed server of course. The next
fun project for me is to get it to use a Thawte cert, hopefully
the tool on http://www.comu.de/docs/tomcat_ssl.htm will allow
this to happen.

At 07:41 PM 5/14/2001 +0200, you wrote:
>Hi All,
>I need to set up Tomcat standalone with SSL support. I did it according to
>Tomcat's user guide in the following steps, using the tomcat account:
>I modified java.security before doing these
>
> >keytool -genkey -alias tomcat -keyalg RSA
> >openssl req -new -out REQ.pem -keyout KEY.pem
> >openssl req -x509 -in REQ.pem -key KEY.pem -out CERT.pem
>then verify
> >openssl req -verify -in REQ.pem
> >openssl req -verify -in REQ.pem -key KEY.pem
> >openssl req -text -in REQ.pem
>everything looks well, but
>when I do:
> >keytool -import -v -trustcacerts -alias tomcat -file CERT.pem
>get the error messages,
>Enter keystore password:  changeit
>keytool error: java.lang.Exception: Public keys in reply and keystore don't
>match
>
>So I tried to delete all files in /home/tomcat: .keystore and *.pem
>So I want to repeat the above steps
> >  keytool -genkey -alias tomcat -keyalg RSA    but get the error messages
>Enter keystore password:  changeit
>keytool error: java.lang.Exception: Key pair not generated, alias <tomcat>
>already exists
>
>I have never used SSL before and am very confused now. Is there some documentation
>to do this step by step? Any help is highly appreciated!
>
>Kevin
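The "Public keys in reply and keystore don't match" error in the quoted message comes from importing a certificate under an alias that already holds a key pair: keytool then treats the file as a CA reply for that key, and the openssl-generated CERT.pem carries the public key of the openssl-generated KEY.pem, not the key created by `keytool -genkey`. The following script is an added example, not code from either poster; it uses openssl alone to reproduce the two key pairs from the thread (a second openssl key stands in for the keytool key entry, since no keystore is involved) and shows the check that tells you, before any import, whether a certificate actually belongs to a given private key. It assumes openssl is installed and writes to a scratch directory under `$TMPDIR` or /tmp.

```shell
#!/bin/sh
# Added example (not from the thread): compare the public key inside a
# certificate with the public key derived from a private key, so a mismatch
# is caught before trying to import the certificate as a reply for that key.
# Assumes: openssl on PATH; scratch files under $TMPDIR or /tmp (constructed).
set -eu

WORK="${TMPDIR:-/tmp}/tomcat-ssl-example.$$"   # constructed scratch directory
trap 'rm -rf "$WORK"' EXIT

# Fingerprint (SHA-256 of the PEM SubjectPublicKeyInfo) of a certificate's key.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# Fingerprint of the public key derived from a private key file.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'
}

# Prints "match" when certificate $1 was issued for private key $2, else "mismatch".
cert_key_match() {
    if [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Recreate the situation from the thread with openssl only:
#  - keystore-key.pem stands in for the key pair that keytool -genkey created
#    under the alias "tomcat" (hypothetical stand-in, no real keystore here);
#  - KEY.pem / REQ.pem / CERT.pem are the openssl req steps quoted above.
setup_scenario() {
    mkdir -p "$WORK"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/keystore-key.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$WORK/KEY.pem" -out "$WORK/REQ.pem" 2>/dev/null
    openssl req -x509 -in "$WORK/REQ.pem" -key "$WORK/KEY.pem" \
        -out "$WORK/CERT.pem" 2>/dev/null
}

# Stand-alone run: show that CERT.pem belongs to KEY.pem but not to the
# stand-in keystore key, which is exactly why keytool rejects the import.
demo() {
    setup_scenario
    echo "CERT.pem vs KEY.pem:          $(cert_key_match "$WORK/CERT.pem" "$WORK/KEY.pem")"
    echo "CERT.pem vs keystore-key.pem: $(cert_key_match "$WORK/CERT.pem" "$WORK/keystore-key.pem")"
}

demo
```

The same comparison works against a keytool-managed key: export the key's certificate with `keytool -export -alias tomcat -rfc`, feed it to `cert_pubkey_fp`, and compare with the fingerprint of the certificate you intend to import. Two different fingerprints mean the certificate was issued for some other key pair, and no amount of reordering the steps will make the import succeed; the certificate has to be issued for a CSR produced from the key that actually lives in the keystore.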
