1) Delete your old keyring (/root/.keystore) file completely
unless you can't for whatever reason.
Now build a new keyring file:
2) keytool -genkey -alias tomcat -keyalg RSA
Note your keyring password, you'll need it later. This
step seems important for reasons I outline later.
3) openssl req -x509 -in REQ.pem -key KEY.pem -out CERT.pem
4) keytool -import -v -trustcacerts -alias tomcat -file CERT.pem
5) keytool -delete -alias tomcat
This leaves you with an empty, but valid keyring.
6) Now do a keytool -genkey -alias tomcat -keyalg RSA
Use the keyring password you used in step 2
7) Add the key to your keyring: keytool -import -v -trustcacerts
-alias tomcat -file CERT.pem
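As an added example (not part of the original post, and not the poster's own procedure), the script below produces the end state the steps above aim for: a fresh Java keystore holding exactly one RSA key pair under the alias "tomcat", with a self-signed certificate, generated non-interactively. It assumes keytool from a JDK is on PATH; the keystore path, the password "changeit" and the DN "CN=localhost, O=Example" are constructed values for illustration. It refuses to overwrite an existing keystore rather than deleting it, so step 1 stays a deliberate manual action.

```sh
#!/bin/sh
# Added example, not code from the original post. Builds a keystore with a
# single RSA key pair (alias "tomcat") for a Tomcat SSL connector.
# Assumes: keytool on PATH. Paths, password and DN are constructed values.
set -eu

# keytool rejects store/key passwords shorter than 6 characters; checking
# up front gives a clear error instead of a half-created keystore.
check_store_password() {
    pw=$1
    [ "${#pw}" -ge 6 ]
}

# Create KEYSTORE with one 2048-bit RSA key pair and a self-signed cert.
# Refuses to touch an existing file, so the "delete the old keystore" step
# stays an explicit decision rather than a side effect.
make_tomcat_keystore() {
    ks=$1
    pw=$2
    ks_alias=${3:-tomcat}
    check_store_password "$pw" || { echo "password must be >= 6 chars" >&2; return 1; }
    [ ! -e "$ks" ] || { echo "refusing to overwrite existing $ks" >&2; return 1; }
    keytool -genkeypair -alias "$ks_alias" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=localhost, O=Example" \
        -keystore "$ks" -storepass "$pw" -keypass "$pw" >/dev/null 2>&1
    # The keystore now contains the private key: keep it readable only by
    # the account Tomcat runs as.
    chmod 600 "$ks"
}

# Count key/cert entries in KEYSTORE by parsing "keytool -list" output.
# Entry lines look like "tomcat, <date>, PrivateKeyEntry," (older keytool
# prints "keyEntry,"), so a case-insensitive match on "entry," catches both
# and skips the "Your keystore contains N entries" header line.
keystore_entry_count() {
    ks=$1
    pw=$2
    keytool -list -keystore "$ks" -storepass "$pw" 2>/dev/null | grep -ci 'entry,' || true
}

# Usage (constructed paths):
#   make_tomcat_keystore /path/to/tomcat.jks changeit tomcat
#   keystore_entry_count /path/to/tomcat.jks changeit   # expect "1"
```

The entry count is the check worth running before wiring the keystore into server.xml: if it is not 1, the connector is going to pick up whichever entry keytool lists first, which is exactly the single-key constraint the post describes.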
I still need to do some testing, but I've found that Tomcat
only seems to work if you have one key on your ring. I hope
I'm wrong. But if I am wrong, why is there no alias field
in the info for the ssl connector group in server.xml?
Also-
The deal seems to be, regardless of what the guide says,
Tomcat must use RSA algo keys. OR I myself have only
gotten RSA keys to work, whichever.
This leaves you with a self-signed server of course. The next
fun project for me is to get it to use a Thawte cert, hopefully
the tool on http://www.comu.de/docs/tomcat_ssl.htm will allow
this to happen.