To answer my own question and perhaps help someone searching archives on similar problems, the page at http://www.cs.indiana.edu/~chiuk/security/ssl/jsse/certificates/ tells me "Though sufficient for some tasks, a major deficiency of the keytool utility is its inability to import a private key." Great. Looks like we will be going through Apache then.
ChrisC

> -----Original Message-----
> From: Chris Campbell
> Sent: Monday, February 25, 2002 12:38 PM
> To: '[EMAIL PROTECTED]'
> Subject: Tomcat4 standalone keystore - existing private key problem
>
> Hi
>
> I am trying to set up Tomcat 4.0.1 standalone to serve SSL pages certified by Verisign. I can use (self signed) certificates generated by keytool with no problem, but I can't set up the keystore to work with Verisign's.
> To explain a little more, the private key I have was generated by openssl (openssl genrsa -rand rand.dat -des 1024 > key.pem) and is of the type:
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-CBC,91B2224E3C5D1BA5
>
> If I try to import this into my keystore like
>
> keytool -import -file /root/key.pem
>
> I get the error 'Input not an X.509 certificate'. Importing the certificate reply from Verisign in the same way works no problem, but I know from setting up Apache that the private key is also necessary, right? And for Tomcat, it seems that it must be in the keystore (no other configuration options as far as I know). I think everything would work if I could just get that private key into a form that keytool understands, then into the keystore... is this possible?
>
> Thanks,
>
> ChrisC
>
> --
> To unsubscribe: <mailto:[EMAIL PROTECTED]>
> For additional commands: <mailto:[EMAIL PROTECTED]>
> Troubles with the list: <mailto:[EMAIL PROTECTED]>
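Why the import in the thread above fails with 'Input not an X.509 certificate', as an added example that is not part of the original messages: a small Python inspector of the PEM envelope, modelling an importer that accepts only certificates. The key sample reuses the headers quoted in the post with a constructed placeholder body; `inspect_pem` and `diagnose` are hypothetical names, and only the envelope is examined, never the key material.

```python
import base64
import re

# Constructed samples: envelope as quoted in the post, placeholder (all-zero) bodies.
SAMPLE_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,91B2224E3C5D1BA5

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""
SAMPLE_CERT = """-----BEGIN CERTIFICATE-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
"""
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inspect_pem(text):
    """Return one dict per PEM block: label, RFC 1421 headers, decoded body size."""
    blocks = []
    for label, inner in PEM_RE.findall(text):
        headers, body_lines = {}, []
        for line in inner.splitlines():
            if ":" in line and not body_lines:   # headers precede the base64 body
                name, value = line.split(":", 1)
                headers[name.strip()] = value.strip()
            elif line.strip():
                body_lines.append(line.strip())
        size = len(base64.b64decode("".join(body_lines)))
        blocks.append({"label": label, "headers": headers, "size": size})
    return blocks

def diagnose(text):
    """Say how a certificate-only import would treat each block in the file."""
    findings = []
    for b in inspect_pem(text):
        if b["label"] == "CERTIFICATE":
            msg = "certificate: accepted by a certificate-only import"
        elif b["label"].endswith("PRIVATE KEY"):
            msg = "private key: not an X.509 certificate, a certificate-only import rejects it"
            if b["headers"].get("Proc-Type") == "4,ENCRYPTED":
                cipher, _, iv = b["headers"].get("DEK-Info", "").partition(",")
                msg += f"; encrypted with {cipher} (IV {iv})"
                if cipher == "DES-CBC":
                    msg += "; single DES is weak, re-encrypt the key"
        else:
            msg = f"{b['label']}: unrecognised block"
        findings.append(msg)
    return findings
```

Calling `diagnose` on the concatenation of both samples returns one finding per block, in file order.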
