OK, here's what I did (this was using a test Verisign cert, but the
procedure is the same for a "real" production cert):

STEP A - generate your private key

Pre-req: JDK must be installed

1) cd to $JAVA_HOME/jre/bin

2) run ./keytool -genkey -alias tomcat -keyalg RSA -keystore <FULL PATH
TO KEYSTORE>

3) You will be prompted for a password for the keystore

4) at the prompts, enter:

What is your first and last name?
  [Unknown]:  <DO NOT USE A PERSON'S NAME - ENTER THE NAME OF YOUR MACHINE AS IT IS
KNOWN TO VISITORS>
What is the name of your organizational unit?
  [Unknown]:  <WHATEVER YOU LIKE>
What is the name of your organization?
  [Unknown]:  <TYPICALLY COMPANY NAME>
What is the name of your City or Locality?
  [Unknown]:  <YOUR CITY>
What is the name of your State or Province?
  [Unknown]:  <STATE OR PROV>
What is the two-letter country code for this unit?
  [Unknown]:  <COUNTRY CODE>

5) You will then be prompted for another password - use the same (i.e.
press ENTER)

STEP B - Generate a Certificate Request

1) cd to  $JAVA_HOME/jre/bin

2) ./keytool -certreq -alias tomcat -file csr.txt -keystore <FULL PATH
TO SAME KEYSTORE CREATED IN STEP A>

STEP C - Get the new cert from Verisign

www.verisign.com has all the info here

STEP D - Install the Verisign ROOT CA cert AND your server cert

When you get your cert in step C, they will provide you with the root
cert

1) cd to  $JAVA_HOME/jre/bin

2) ./keytool -import -alias verisign -file <FILE THAT CONTAINS THE
VERISIGN ROOT CA CERT> -keystore <PATH TO KEYSTORE>

3) ./keytool -import -trustcacerts -alias tomcat -file <FILE THAT
CONTAINS YOUR CERT FROM VERISIGN> -keystore <PATH TO KEYSTORE>


STEP E - Configure an SSL listener for tomcat

1) edit $JAKARTA_HOME/conf/server.xml and add the following:

<!-- Define an SSL HTTP/1.1 Connector on port 443 -->
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="443" minProcessors="5" maxProcessors="75"
           enableLookups="true"
           acceptCount="10" debug="10" scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="false" protocol="TLS"
           keystoreFile="<FULL PATH TO KEYSTORE FILE>"
           keystorePass="<PASSWORD HERE>"/>
</Connector>

2) Stop and start the Tomcat server

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 25, 2002 2:29 PM
To: Tomcat Users List
Subject: Re: tomcat and SSL (keyfile password)


Hi Dave

 Ohhh... good to know that.

 I need to set up Tomcat 4.0.3 with Verisign.

Can you please send those docs to me?

I appreciate your help

thanks in advance
BM

Dave North wrote:

> Hello,
>         After a few hours trying to get this working, I've finally got
> my tomcat server working with a certificate signed by Verisign.  This
> all works great.  However, to do this, I need to configure the
> keyfilePass into the server.xml file.  This is bad as our security
> policy is "thou shalt not have any passwords in plain text".  We also
> use SSL on our iPlanet server and it prompts at start time for the
> password (they use the term software token but it's the same).  So, the
> question is: is it possible to have tomcat prompt for this and/or how
> have others got around keeping this in plain text?
>
> BTW: if anyone's interested, I have the complete step-by-step of how I
> got the Verisign cert working... the info is out there but it seems to be
> all over the place.
>
> Thanks
>
> Dave
>
> Dave North
> SIGNIANT Inc.
> Trusted Data Transfer Services
> www.signiant.com
> Phone: 613-761-3623
> Mobile: 613-294-3231
> Fax: 613-761-3629
> Email: [EMAIL PROTECTED]
>
> --
> To unsubscribe:   <mailto:[EMAIL PROTECTED]>
> For additional commands: <mailto:[EMAIL PROTECTED]>
> Troubles with the list: <mailto:[EMAIL PROTECTED]>




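The whole of Dave's procedure (steps A, B and D, with a throwaway local CA standing in for Verisign in step C) can be exercised offline as one script. This is an added example, not code from the original posts or from Tomcat; it uses the current keytool spellings (-genkeypair for -genkey, -importcert for -import, both still accepted as aliases), adds a SAN extension because modern clients match the host name against SAN rather than CN, and the host name, passwords, organisation details and CA name are all constructed for the example. The CA is built with openssl only so that the signing step can run without a real CA.

```shell
#!/bin/sh
# Added example (not from the original posts): keytool key generation, CSR,
# signing by a local test CA, and import of root + server cert, then a check
# that the keystore entry really carries the signed chain.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEYSTORE="$WORK/tomcat.jks"
STOREPASS="changeit-example"   # constructed; pick a real secret in production
HOST="www.example.test"        # constructed; must be the name visitors type

# Step A: private key plus a self-signed placeholder cert under alias "tomcat".
# CN is the machine name, not a person; SAN is what browsers actually check.
# Modern JDKs default to a PKCS12 store; add -storetype JKS if Tomcat needs JKS.
gen_key() {
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=$HOST, OU=Web, O=Example Corp, L=Ottawa, ST=Ontario, C=CA" \
        -ext "SAN=dns:$HOST" >/dev/null 2>&1
}

# Step B: certificate signing request for that key (SAN requested again so it
# survives into the CSR; a real CA decides what it actually issues).
gen_csr() {
    keytool -certreq -alias tomcat -file "$WORK/csr.txt" -ext "SAN=dns:$HOST" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Step C stand-in: a throwaway root CA signs the CSR. With Verisign this is
# the part you do on their web site; here openssl plays the CA.
make_ca_and_sign() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Test Root CA/O=Example Corp" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$HOST" >"$WORK/ext.cnf"
    openssl x509 -req -in "$WORK/csr.txt" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/ext.cnf" \
        -out "$WORK/server.crt" 2>/dev/null
}

# Step D: root CA first, as a trusted entry under its own alias; then the
# signed cert under the SAME alias as the key. keytool only accepts the reply
# if it can chain it to a trusted root, and then replaces the placeholder.
import_certs() {
    keytool -importcert -noprompt -alias testroot -file "$WORK/ca.crt" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" >/dev/null 2>&1
    keytool -importcert -noprompt -trustcacerts -alias tomcat -file "$WORK/server.crt" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Checks a practitioner wants before pointing Tomcat at the file:
# the "tomcat" entry should now be a 2-cert chain (server + root) ...
chain_length() {
    keytool -list -v -alias tomcat -keystore "$KEYSTORE" -storepass "$STOREPASS" 2>/dev/null \
        | sed -n 's/^Certificate chain length: //p'
}
# ... and its leaf must be issued by the CA, not the self-signed placeholder.
leaf_issuer() {
    keytool -exportcert -rfc -alias tomcat -keystore "$KEYSTORE" -storepass "$STOREPASS" 2>/dev/null \
        | openssl x509 -noout -issuer
}

run_all() {
    gen_key; gen_csr; make_ca_and_sign; import_certs
}

if [ "${1:-}" = "run" ]; then
    run_all
    echo "keystore: $KEYSTORE"
    echo "chain length: $(chain_length)"
    echo "leaf issuer: $(leaf_issuer)"
fi
```

Run it with `sh script.sh run`. Passing -storepass on the command line, as above, is convenient for a script but leaks the password to `ps` and shell history; for hand use let keytool prompt, or supply it with keytool's `-storepass:env VAR` or `-storepass:file path` forms. That moves the secret out of the command line only, not out of server.xml: Tomcat still has to read keystorePass from somewhere at start-up, which is exactly the problem the original question raises.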