There could be several problems here:

1) No root level cert import BEFORE. When you get the test cert from Verisign, they talk about getting the root level certs for tests. You can download it from here: http://www.verisign.com/server/trial/faq/index.html

You MUST import this first into your keystore with the command I provided:

./keytool -import -alias verisign -file <FILE THAT CONTAINS THE VERISIGN ROOT CA CERT> -keystore <PATH TO KEYSTORE>

2) I made this mistake several times - make sure you're always importing to the same keystore. By this I mean I kept forgetting to add the -keystore parameter to the keytool command line, and so it wasn't applying the new cert to the tomcat alias in the keystore file.

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 26, 2002 1:57 PM
To: Dave North
Cc: Tomcat Users List
Subject: Re: tomcat and SSL (keyfile password)

Hi Dave,

You're correct!!! It is not because of jdk1.3... I found later on that any blank line at the top of the .cer file from Verisign is causing this problem... but if you save that Verisign id into a .txt file then it accepts that blank line at the top!!! So magic!!

Now it tells me that the cert is imported and added to the key... but when I go and see the cert detail in my browser, it shows my old fingerprint (mine); the CA is also mine... I loaded the browser piece already as per Verisign instructions... I am not able to understand the root level cert and import... can you please make me understand that concept...

Here is the IP: https://63.118.43.23:8443

I appreciate your feedback.

Thanks in advance,
BM

Did you load the Verisign trial id?

Dave North wrote:
> It's because you've not imported their root level cert... you need to do
> that before you import your cert. You also need their top level cert in
> your browser.
>
> BTW: I tested all my stuff on JDK 1.3.1 - I have no idea if this will
> work with earlier versions (based on what you've said though my guess is
> not!)
>
> D
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 25, 2002 7:25 PM
> To: Tomcat Users List; Dave North
> Subject: Re: tomcat and SSL (keyfile password)
>
> Hi Dave,
>
> I resolved this by moving to jdk1.4,
> but now my browser says it is self-signed... Verisign info is not
> really imported. Why??
> Thanks in advance,
> bm
>
> [EMAIL PROTECTED] wrote:
> >
> > Hi Dave,
> >
> > Thanks for the document.
> >
> > Now I got stuck when I try to import the Verisign certificate.
> > The error message is:
> >
> >   keytool error: java.lang.Exception: Input not an X.509 certificate
> >
> > I attached my certificate also... can you help me please?
> >
> > It is a trial cert from Verisign.
> >
> > Regards,
> > BM
> >
> > Dave North wrote:
> > >
> > > OK, here's what I did (this was using a test Verisign cert but the
> > > procedure is the same for a "real" production cert):
> > >
> > > STEP A - generate your private key
> > >
> > > Pre-req: JDK must be installed
> > >
> > > 1) cd to $JAVA_HOME/jre/bin
> > >
> > > 2) run ./keytool -genkey -alias tomcat -keyalg RSA -keystore <FULL PATH TO KEYSTORE>
> > >
> > > 3) You will be prompted for a password for the keystore
> > >
> > > 4) At the prompts, enter:
> > >
> > >    What is your first and last name?
> > >      [Unknown]: <DO NOT USE NAME - ENTER THE NAME OF YOUR MACHINE AS IT'S KNOWN TO VISITORS>
> > >    What is the name of your organizational unit?
> > >      [Unknown]: <WHATEVER YOU LIKE>
> > >    What is the name of your organization?
> > >      [Unknown]: <TYPICALLY COMPANY NAME>
> > >    What is the name of your City or Locality?
> > >      [Unknown]: <YOUR CITY>
> > >    What is the name of your State or Province?
> > >      [Unknown]: <STATE OR PROV>
> > >    What is the two-letter country code for this unit?
> > >      [Unknown]: <COUNTRY CODE>
> > >
> > > 5) You will then be prompted for another password - use the same (i.e. press ENTER)
> > >
> > > STEP B - Generate a Certificate Request
> > >
> > > 1) cd to $JAVA_HOME/jre/bin
> > >
> > > 2) ./keytool -certreq -alias tomcat -file csr.txt -keystore <FULL PATH TO SAME KEYSTORE CREATED IN STEP A>
> > >
> > > STEP C - Get the new cert from Verisign
> > >
> > > www.verisign.com has all the info here
> > >
> > > STEP D - Install the Verisign ROOT CA cert AND your server cert
> > >
> > > When you get your cert in step C, they will provide you with the root cert
> > >
> > > 1) cd to $JAVA_HOME/jre/bin
> > >
> > > 2) ./keytool -import -alias verisign -file <FILE THAT CONTAINS THE VERISIGN ROOT CA CERT> -keystore <PATH TO KEYSTORE>
> > >
> > > 3) ./keytool -import -trustcacerts -alias tomcat -file <FILE THAT CONTAINS YOUR CERT FROM VERISIGN> -keystore <PATH TO KEYSTORE>
> > >
> > > STEP E - Configure an SSL listener for tomcat
> > >
> > > 1) edit $JAKARTA_HOME/conf/server.xml and add the following:
> > >
> > >    <!-- Define an SSL HTTP/1.1 Connector on port 443 -->
> > >    <Connector className="org.apache.catalina.connector.http.HttpConnector"
> > >               port="443" minProcessors="5" maxProcessors="75"
> > >               enableLookups="true"
> > >               acceptCount="10" debug="10" scheme="https" secure="true">
> > >      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
> > >               clientAuth="false" protocol="TLS"
> > >               keystoreFile="<FULL PATH TO KEYSTORE FILE>"
> > >               keystorePass="<PASSWORD HERE>"/>
> > >    </Connector>
> > >
> > > 2) Stop and start the tomcat server
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, April 25, 2002 2:29 PM
> > > To: Tomcat Users List
> > > Subject: Re: tomcat and SSL (keyfile password)
> > >
> > > Hi Dave,
> > >
> > > Ohhh... good to know that.
> > >
> > > I need to set up tomcat 4.0.3 with Verisign.
> > >
> > > Can you please send those docs to me?
> > >
> > > I appreciate your help.
> > >
> > > Thanks in advance,
> > > BM
> > >
> > > Dave North wrote:
> > > >
> > > > Hello,
> > > >
> > > > After a few hours trying to get this working, I've finally got
> > > > my tomcat server working with a certificate signed by Verisign. This
> > > > all works great. However, to do this, I need to configure the
> > > > keyfilePass into the server.xml file. This is bad as our security
> > > > policy is "thou shall not have any passwords in plain text". We also
> > > > use SSL on our iPlanet server and it prompts at start time for the
> > > > password (they use the term software token but it's the same). So, the
> > > > question is: is it possible to have tomcat prompt for this and/or how
> > > > have others got around keeping this in plain text?
> > > >
> > > > BTW: if anyone's interested, I have the complete step-by-step of how I
> > > > got the Verisign cert working... the info is out there but it seems to be
> > > > all over the place.
> > > >
> > > > Thanks
> > > >
> > > > Dave
> > > >
> > > > Dave North
> > > > SIGNIANT Inc.
> > > > Trusted Data Transfer Services
> > > > www.signiant.com
> > > > Phone: 613-761-3623
> > > > Mobile: 613-294-3231
> > > > Fax: 613-761-3629
> > > > Email: [EMAIL PROTECTED]
> > > >
> > > > --
> > > > To unsubscribe:          <mailto:[EMAIL PROTECTED]>
> > > > For additional commands: <mailto:[EMAIL PROTECTED]>
> > > > Troubles with the list:  <mailto:[EMAIL PROTECTED]>
> >
> > [Attachment: bm.cer, Security Certificate (application/x-x509-ca-cert), base64]
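A pre-flight check for the .cer problem discussed in this thread, added here as an example and not code from the thread or from Tomcat: keytool rejected BM's file with "Input not an X.509 certificate" because of a blank line at the top, so this script strips leading whitespace, pulls out each PEM CERTIFICATE block, validates the base64 body, and writes a clean file to pass to `keytool -import -file`. The function name `normalize_pem` and the sample input `SAMPLE_CER` are constructed for this example; the sample body is a stand-in DER SEQUENCE, not a real certificate.

```python
# Added example, not code from the thread. Pre-flight check for a .cer file
# before passing it to keytool -import. The "Input not an X.509 certificate"
# error above came from a blank line at the top of the file, so this strips
# leading whitespace, extracts every PEM CERTIFICATE block, validates the
# base64 body, and re-emits a clean file. Names and sample input are constructed.
import base64
import re
import sys
from typing import List, Tuple

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)
HEADER = "-----BEGIN CERTIFICATE-----\n"
FOOTER = "\n-----END CERTIFICATE-----\n"


def normalize_pem(text: str) -> Tuple[List[str], List[str]]:
    """Return (clean PEM blocks, warnings); raise ValueError when unusable."""
    warnings = []
    if text[:1].isspace():
        warnings.append("leading whitespace before the first PEM header")
    if "\r" in text:
        warnings.append("CRLF line endings present")
    blocks = []
    for body in PEM_BLOCK.findall(text):
        b64 = "".join(body.split())            # drop line wrapping and stray spaces
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError as exc:              # binascii.Error is a ValueError
            raise ValueError(f"PEM body is not valid base64: {exc}") from None
        if not der.startswith(b"\x30"):        # every X.509 cert is a DER SEQUENCE
            raise ValueError("decoded body does not start with a DER SEQUENCE")
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append(HEADER + wrapped + FOOTER)
    if not blocks:
        raise ValueError("no PEM CERTIFICATE block found (binary DER, or not a cert)")
    return blocks, warnings


# Constructed sample: the stray blank line reported in the thread, CRLF line
# endings, and a 5-byte DER SEQUENCE (30 03 02 01 05) standing in for a cert.
SAMPLE_CER = "\r\n-----BEGIN CERTIFICATE-----\r\nMAMCAQU=\r\n-----END CERTIFICATE-----\r\n"

if __name__ == "__main__":
    # newline="" keeps CRLF visible so the warning fires on a real file
    raw = open(sys.argv[1], newline="").read() if len(sys.argv) > 1 else SAMPLE_CER
    clean, notes = normalize_pem(raw)
    for note in notes:
        print("warning:", note, file=sys.stderr)
    print(f"{len(clean)} certificate block(s); 2 or more means the file is a chain",
          file=sys.stderr)
    sys.stdout.write("".join(clean))           # redirect to a file for keytool -import
```

Run it as `python normalize_pem.py bm.cer > bm-clean.cer`; a count of 2 or more means the file already bundles the CA cert with the server cert, which affects which alias each block should be imported under.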
