Thank you very much, but I have some problems following your steps; could you
explain them to me again?
My error message is shown below. Sorry to bother you again.

Best Regards,

Kevin

----- Original Message -----
From: "Tim O'Neil" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 15, 2001 8:25 PM
Subject: nutty steps for setting up tomcat standalone ssl


> 1) Delete your old keyring (/root/.keystore) file completely
>     unless you can't for whatever reason.
>
> Now build a new keyring file;
>
> 2) keytool -genkey -alias tomcat -keyalg RSA
>
> Note your keyring password, you'll need it later. This
> step seems important for reasons I outline later.
>
> 3) openssl req -x509 -in REQ.pem -key KEY.pem -out CERT.pem
>
Before step 3, I think there is one more step: openssl req -new -out REQ.pem -keyout
KEY.pem, according to the user guide.
I added it here.

> 4) openssl -import -v -trustcacerts -alias tomcat -file CERT.pem
I'm confused here: my openssl (0.9.5a) on RH7 doesn't understand "-import" or
"import". Is it because of the version, or should "openssl" be "keytool" here? If
so, the above procedure is the same as the user guide's, and I'll get the
"unmatched public" error message here.
>
> 5) keytool -delete -alias tomcat
>
> This leaves you with an empty, but valid keyring
>
> 6) Now do a keytool -genkey -alias tomcat -keyalg RSA
>
> Use the keyring password you used in step 2
>
> 7) Add the key to your keyring: keytool -import -v -trustcacerts
>     -alias tomcat -file CERT.pem
>
> I still need to do some testing, but I've found that Tomcat
> only seems to work if you have one key on your ring. I hope
> I'm wrong. But if I am wrong, why is there no alias field
> in the info for the ssl connector group in server.xml?
>
> Also-
>
> The deal seems to be, regardless of what the guide says,
> Tomcat must use RSA algo keys. OR I myself have only
> gotten RSA keys to work, whichever.
>
> This leaves you with a self-signed server of course. The next
> fun project for me is to get it to use a Thawte cert, hopefully
> the tool on http://www.comu.de/docs/tomcat_ssl.htm will allow
> this to happen.
>
>

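The script below is an added example for this thread; it is neither Tim's nor Kevin's code. It assumes a keystore file ./tomcat.keystore (rather than /root/.keystore), the alias "tomcat", and a placeholder password "changeit". Two things it shows: keytool -genkey already writes a self-signed certificate next to the RSA key pair, so for a self-signed server none of the openssl steps (and no import of a separately generated CERT.pem under the same alias, which keytool rejects because the certificate's public key does not match the stored key pair) are needed; and, since openssl has no -import command and step 4 is really keytool's -import, a small check over `keytool -list` output that reports whether the keystore holds exactly one private-key entry, the condition Tim reports Tomcat needs. The `keytool -list` samples are constructed for the example, not real keystore contents.

```shell
#!/bin/sh
# Added example for this thread, not Tim's or Kevin's code.
# Assumptions: keystore ./tomcat.keystore (instead of /root/.keystore),
# alias "tomcat", and the placeholder password "changeit".
set -e

KEYSTORE="${KEYSTORE:-./tomcat.keystore}"
STOREPASS="${STOREPASS:-changeit}"   # placeholder only

# Steps 2/6 of the thread in one command: keytool -genkey writes an RSA
# key pair AND a self-signed certificate for it, so a self-signed server
# needs no openssl step. Importing a certificate generated separately by
# openssl under the same alias fails, because keytool checks that the
# public key in the imported certificate matches the stored key pair.
build_keystore() {
    rm -f "$KEYSTORE"
    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=localhost, O=Example" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Reads `keytool -list` output on stdin and prints the aliases of the
# private-key entries, one per line. Old keytool labels them "keyEntry",
# newer releases "PrivateKeyEntry"; trusted CA certificates are skipped.
key_aliases() {
    awk -F', ' '/PrivateKeyEntry|keyEntry/ { print $1 }'
}

# Reads `keytool -list` output on stdin. Succeeds only when exactly one
# private-key entry is present (what the thread reports Tomcat needs);
# otherwise names the aliases found on stderr and fails.
check_single_key() {
    aliases=$(key_aliases)
    n=$(printf '%s\n' "$aliases" | grep -c .) || true
    if [ "$n" -eq 1 ]; then
        echo "ok: one key entry, alias '$aliases'"
        return 0
    fi
    echo "warning: $n key entries found: $(printf '%s' "$aliases" | tr '\n' ' ')" >&2
    return 1
}

# Constructed `keytool -list` output (not a real keystore): two key entries
# plus one trusted CA certificate, the state the thread warns about.
SAMPLE_TWO_KEYS='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

tomcat, May 15, 2001, keyEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
oldtomcat, Jan 3, 2001, keyEntry,
Certificate fingerprint (MD5): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
thawteroot, Jan 3, 2001, trustedCertEntry,
Certificate fingerprint (MD5): 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF'

# Constructed output for the keystore build_keystore produces.
SAMPLE_ONE_KEY='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, May 15, 2001, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99'

# Stand-alone run: audit both samples. Against a real keystore use
#   keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" | check_single_key
printf '%s\n' "$SAMPLE_ONE_KEY"  | check_single_key
printf '%s\n' "$SAMPLE_TWO_KEYS" | check_single_key || true
```

Source the file and call build_keystore, then pipe `keytool -list` into check_single_key; a warning means a second key entry is still present and should be deleted with keytool -delete before the connector is tested.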