Mhhh, there is an updated version of the ssl-howto in the CVS for MONTHS now, that describes the installation of official certs (like Verisign, Thawte, Trustcenter...) step by step. But it is *NOT* in TC 4.03 and it is not on the jakarta-webpage.
I simply wonder why? People are dealing with this topic again and again... And I know how frustrating this can get... :-( Peter > -----Original Message----- > From: Dave North [mailto:[EMAIL PROTECTED]] > Sent: Thursday, April 25, 2002 8:33 PM > To: Tomcat Users List > Subject: RE: tomcat and SSL (keyfile password) > > > OK, here's what I did (this was using a test versign cert but the > procedure is the same for a "real" production cert): > > STEP A - generate your private key > > Pre-req: JDK must be installed > > 1) cd to $JAVA_HOME/jre/bin > > 2) run ./keytool -genkey -alias tomcat -keyalg RSA -keystore <FULL PATH > TO KEYSTORE> > > 3) You will be prompted for a password for the keystore > > 3) at the prompts, enter: > > What is your first and last name? > [Unknown]: <DO NOT USE NAME - ENTER THE NAME OF YOUR MACHINE AS IT'S > KNOWN TO VISITORS> > What is the name of your organizational unit? > [Unknown]: <WHATEVER YOU LIKE> > What is the name of your organization? > [Unknown]: <TYPICALLY COMPANY NAME> > What is the name of your City or Locality? > [Unknown]: <YOUR CITY> > What is the name of your State or Province? > [Unknown]: <STATE OR PROV> > What is the two-letter country code for this unit? > [Unknown]: <COUNTRY CODE> > > 4) You will then be prompted for another password - use the same (ie. > Press ENTER) > > STEP B - Generate a Certificate Request > > 1) cd to $JAVA_HOME/jre/bin > > 2) ./keytool -certreq -alias tomcat -file csr.txt -keystore <FULL PATH > TO SAME KEYSTORE CREATED IN STEP A> > > STEP C - Get the new cert from Verisign > > www.versign.com has all the info here > > STEP D - Install the Verisign ROOT CA cert AND your server cert > > When you get your cert in step C, they will provide you with the root > cert > > 1) cd to $JAVA_HOME/jre/bin > > 2) ./keytool -import -alias verisign -file <FILE THAT CONTAINS THE > VERSIGN ROOT CA CERT> -keystore <PATH TO KEYSTORE> > > 3) ./keytool -import -trustcacerts -alias tomcat -file <FILE THAT > CONTAINS YOUR CERT FROM VERISIGN> -keystore <PATH TO KEYSTORE> > > > STEP E - Configure an SSL listener for tomcat > > 1) edit $JAKARTA_HOME/conf/server.xml and add the following: > > <!-- Define an SSL HTTP/1.1 Connector on port 443 --> > <Connector className="org.apache.catalina.connector.http.HttpConnector" > port="443" minProcessors="5" maxProcessors="75" > enableLookups="true" > acceptCount="10" debug="10" scheme="https" secure="true"> > <Factory className="org.apache.catalina.net.SSLServerSocketFactory" > clientAuth="false" protocol="TLS" > keystoreFile="<FULL PATH TO KEYSTORE FILE>" > keystorePass="<PASSWORD HERE>"/> > </Connector> > > 2) Stop and start the tomcat server > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] > Sent: Thursday, April 25, 2002 2:29 PM > To: Tomcat Users List > Subject: Re: tomcat and SSL (keyfile password) > > > Hi Dave > > ohhh...good to know that. > > I need to set up the tomcat 4.0.3 with verisign. > > Can you please send those doc to me ? > > I appreciate your help > > thanks in advance > BM > > Dave North wrote: > > > Hello, > > After a few hours trying to get this working, I've finally got > > my tomcat server working with a certificate signed by Verisign. This > > all works great. However, to do this, I need to configure the > > keyfilePass into the server.xml file. This is bad as our security > > policy is "thou shall not have any passwords in plain text". We also > > use SSL on our iPlanet server and it prompts at start time for the > > password (they use the term software token but it's the same). So, > the > > question is: is it possible to have tomcat prompt for this and/or how > > have others got around keeping this in plain text? > > > > BTW: if anyone's interested, I have the complete step-by-step of how I > > got the versign cert working...the info is out there but it seems to > be > > all over the place. > > > > Thanks > > > > Dave > > > > Dave North > > SIGNIANT Inc. > > Trusted Data Transfer Services > > www.signiant.com > > Phone: 613-761-3623 > > Mobile: 613-294-3231 > > Fax: 613-761-3629 > > Email: [EMAIL PROTECTED] > > > > -- > > To unsubscribe: <mailto:[EMAIL PROTECTED]> > > For additional commands: <mailto:[EMAIL PROTECTED]> > > Troubles with the list: <mailto:[EMAIL PROTECTED]> > > > -- > To unsubscribe: <mailto:[EMAIL PROTECTED]> > For additional commands: <mailto:[EMAIL PROTECTED]> > Troubles with the list: <mailto:[EMAIL PROTECTED]> > > > -- > To unsubscribe: <mailto:[EMAIL PROTECTED]> > For additional commands: <mailto:[EMAIL PROTECTED]> > Troubles with the list: <mailto:[EMAIL PROTECTED]> > -- To unsubscribe: <mailto:[EMAIL PROTECTED]> For additional commands: <mailto:[EMAIL PROTECTED]> Troubles with the list: <mailto:[EMAIL PROTECTED]>
