Dave ..... Beeeeeeeeautiful tips !!! It works fine... thanks a lot
BM

Dave North wrote:

> There could be several problems here:
>
> 1) no root level cert import BEFORE. When you get the test cert from
> Verisign, they talk about getting the root level certs for tests. You
> can download it from here:
> http://www.verisign.com/server/trial/faq/index.html
>
> you MUST import this first into your keystore with the command I
> provided:
> ./keytool -import -alias verisign -file <FILE THAT CONTAINS THE VERISIGN
> ROOT CA CERT> -keystore <PATH TO KEYSTORE>
>
> 2) I made this mistake several times - make sure you're always importing
> to the same keystore. By this I mean I kept forgetting to add the
> -keystore parameter to the keytool command line and so it wasn't
> applying the new cert to the tomcat alias in the keystore file.
>
> Dave
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 26, 2002 1:57 PM
> To: Dave North
> Cc: Tomcat Users List
> Subject: Re: tomcat and SSL (keyfile password)
>
> Hi dave
> you're correct !!! it is not because of jdk1.3.... I found later on that
> any line space in top on the .cer file from verisign is causing this
> problem...but if you save that verisign id into .txt file
> then it accepts that line space in top !!! So magic !!
>
> Now It says me that cert is imported and added to the key......but when
> i go and see the cert detail in my browser shows my old finger print (mine)
> CA is also mine.....I loaded the browser piece already as per verisign
> instruction.....I am not able to understand the root level cert and
> import... can you please make me understand that concept...
>
> here is the IP https://63.118.43.23:8443
>
> I appreciate your feedback
> thanks in advance
> BM
>
> Did you load the verisign trial id
>
> Dave North wrote:
>
> > It's because you've not imported their root level cert...you need to
> > do that before you import your cert. You also need their top level cert
> > in your browser.
> >
> > BTW: I tested all my stuff on JDK 1.3.1 - I have no idea if this will
> > work with earlier versions (based on what you've said though my guess
> > is not!)
> >
> > D
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, April 25, 2002 7:25 PM
> > To: Tomcat Users List; Dave North
> > Subject: Re: tomcat and SSL (keyfile password)
> >
> > Hi dave
> >
> > i resolved this by moving to jdk1.4
> > but now my browser says it is self signed ......verisign info is not
> > really imported why ??
> > thanks in advance
> > bm
> >
> > [EMAIL PROTECTED] wrote:
> >
> > > Hi Dave
> > >
> > > thanks for document.
> > >
> > > Now I got stuck when i try to import the verisign certificate.
> > > the error message is
> > > keytool error: java.lang.Exception: Input not an X.509 certificate
> > >
> > > I attached my certificate also......can you help me please ?
> > >
> > > it is trial cert from verisign
> > >
> > > Reg
> > > BM
> > >
> > > Dave North wrote:
> > >
> > > > OK, here's what I did (this was using a test Verisign cert but the
> > > > procedure is the same for a "real" production cert):
> > > >
> > > > STEP A - generate your private key
> > > >
> > > > Pre-req: JDK must be installed
> > > >
> > > > 1) cd to $JAVA_HOME/jre/bin
> > > >
> > > > 2) run ./keytool -genkey -alias tomcat -keyalg RSA -keystore <FULL PATH
> > > > TO KEYSTORE>
> > > >
> > > > 3) You will be prompted for a password for the keystore
> > > >
> > > > 4) at the prompts, enter:
> > > >
> > > >   What is your first and last name?
> > > >     [Unknown]: <DO NOT USE NAME - ENTER THE NAME OF YOUR MACHINE AS IT'S
> > > >     KNOWN TO VISITORS>
> > > >   What is the name of your organizational unit?
> > > >     [Unknown]: <WHATEVER YOU LIKE>
> > > >   What is the name of your organization?
> > > >     [Unknown]: <TYPICALLY COMPANY NAME>
> > > >   What is the name of your City or Locality?
> > > >     [Unknown]: <YOUR CITY>
> > > >   What is the name of your State or Province?
> > > >     [Unknown]: <STATE OR PROV>
> > > >   What is the two-letter country code for this unit?
> > > >     [Unknown]: <COUNTRY CODE>
> > > >
> > > > 5) You will then be prompted for another password - use the same (i.e.
> > > > press ENTER)
> > > >
> > > > STEP B - Generate a Certificate Request
> > > >
> > > > 1) cd to $JAVA_HOME/jre/bin
> > > >
> > > > 2) ./keytool -certreq -alias tomcat -file csr.txt -keystore <FULL PATH
> > > > TO SAME KEYSTORE CREATED IN STEP A>
> > > >
> > > > STEP C - Get the new cert from Verisign
> > > >
> > > > www.verisign.com has all the info here
> > > >
> > > > STEP D - Install the Verisign ROOT CA cert AND your server cert
> > > >
> > > > When you get your cert in step C, they will provide you with the root
> > > > cert
> > > >
> > > > 1) cd to $JAVA_HOME/jre/bin
> > > >
> > > > 2) ./keytool -import -alias verisign -file <FILE THAT CONTAINS THE
> > > > VERISIGN ROOT CA CERT> -keystore <PATH TO KEYSTORE>
> > > >
> > > > 3) ./keytool -import -trustcacerts -alias tomcat -file <FILE THAT
> > > > CONTAINS YOUR CERT FROM VERISIGN> -keystore <PATH TO KEYSTORE>
> > > >
> > > > STEP E - Configure an SSL listener for tomcat
> > > >
> > > > 1) edit $JAKARTA_HOME/conf/server.xml and add the following:
> > > >
> > > >   <!-- Define an SSL HTTP/1.1 Connector on port 443 -->
> > > >   <Connector className="org.apache.catalina.connector.http.HttpConnector"
> > > >              port="443" minProcessors="5" maxProcessors="75"
> > > >              enableLookups="true"
> > > >              acceptCount="10" debug="10" scheme="https" secure="true">
> > > >     <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
> > > >              clientAuth="false" protocol="TLS"
> > > >              keystoreFile="<FULL PATH TO KEYSTORE FILE>"
> > > >              keystorePass="<PASSWORD HERE>"/>
> > > >   </Connector>
> > > >
> > > > 2) Stop and start the tomcat server
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, April 25, 2002 2:29 PM
> > > > To: Tomcat Users List
> > > > Subject: Re: tomcat and SSL (keyfile password)
> > > >
> > > > Hi Dave
> > > >
> > > > ohhh...good to know that.
> > > >
> > > > I need to set up the tomcat 4.0.3 with verisign.
> > > >
> > > > Can you please send those doc to me ?
> > > >
> > > > I appreciate your help
> > > >
> > > > thanks in advance
> > > > BM
> > > >
> > > > Dave North wrote:
> > > >
> > > > > Hello,
> > > > > After a few hours trying to get this working, I've finally got
> > > > > my tomcat server working with a certificate signed by Verisign. This
> > > > > all works great. However, to do this, I need to configure the
> > > > > keyfilePass into the server.xml file. This is bad as our security
> > > > > policy is "thou shall not have any passwords in plain text". We also
> > > > > use SSL on our iPlanet server and it prompts at start time for the
> > > > > password (they use the term software token but it's the same). So, the
> > > > > question is: is it possible to have tomcat prompt for this and/or how
> > > > > have others got around keeping this in plain text?
> > > > >
> > > > > BTW: if anyone's interested, I have the complete step-by-step of how I
> > > > > got the Verisign cert working...the info is out there but it seems to
> > > > > be all over the place.
> > > > >
> > > > > Thanks
> > > > >
> > > > > Dave
> > > > >
> > > > > Dave North
> > > > > SIGNIANT Inc.
> > > > > Trusted Data Transfer Services
> > > > > www.signiant.com
> > > > > Phone: 613-761-3623
> > > > > Mobile: 613-294-3231
> > > > > Fax: 613-761-3629
> > > > > Email: [EMAIL PROTECTED]
> > > > >
> > > > > --
> > > > > To unsubscribe: <mailto:[EMAIL PROTECTED]>
> > > > > For additional commands: <mailto:[EMAIL PROTECTED]>
> > > > > Troubles with the list: <mailto:[EMAIL PROTECTED]>
> > >
> > > ------------------------------------------------------------------------
> > >    Name: bm.cer
> > >    bm.cer Type: Security Certificate (application/x-x509-ca-cert)
> > >    Encoding: base64
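An added helper script for Dave's STEP D, not from the thread or from any Tomcat or Verisign documentation. It assumes a JDK keytool on PATH and uses a placeholder keystore path; it adds the two checks the thread's symptoms call for: the leading blank line in the .cer that produces "Input not an X.509 certificate", and a post-import test that the tomcat alias is now CA-signed rather than the self-signed key from STEP A (which is what BM's browser was still showing).

```shell
#!/bin/sh
# Added helper (not from the thread). Assumes a JDK's keytool on PATH;
# KEYSTORE is a placeholder path. Wraps the step D imports with two checks.

# keytool refuses a .cer whose first line is blank ("Input not an X.509
# certificate"). Drop leading blank lines and CRs, keep the PEM block, and
# fail unless a BEGIN/END CERTIFICATE pair is really there.
clean_cert() {  # usage: clean_cert IN OUT ; returns 0 if OUT holds a cert
    src="$1"; dst="$2"
    tr -d '\r' < "$src" | sed '/[^[:space:]]/,$!d' > "$dst"
    grep -q '^-----BEGIN CERTIFICATE-----' "$dst" &&
        grep -q '^-----END CERTIFICATE-----' "$dst"
}

# Every keytool call goes through kt, so -keystore can never be left off
# (Dave's mistake #2: the cert then lands in the default keystore and the
# tomcat alias is never updated).
KEYSTORE="${KEYSTORE:-/opt/tomcat/conf/tomcat.keystore}"   # placeholder
kt() { keytool "$@" -keystore "$KEYSTORE"; }

# Order matters: the CA root goes in first, then the server cert under the
# alias that already holds the private key.
import_chain() {  # usage: import_chain ROOT.cer SERVER.cer
    tmp=$(mktemp -d) || return 1
    clean_cert "$1" "$tmp/root.pem" || { echo "root cert is not PEM" >&2; return 1; }
    clean_cert "$2" "$tmp/server.pem" || { echo "server cert is not PEM" >&2; return 1; }
    kt -import -alias verisign -file "$tmp/root.pem" &&
        kt -import -trustcacerts -alias tomcat -file "$tmp/server.pem"
}

# After the import the tomcat entry's first certificate must name the CA as
# issuer. Owner == Issuer means it is still the self-signed key from step A:
# the reply was not applied, or it went to another keystore.
verify_signed() {  # usage: verify_signed ALIAS ; returns 0 if issuer != owner
    kt -list -v -alias "$1" | is_ca_signed
}

# Pure text check, split out so it can be exercised without a keystore.
is_ca_signed() {  # reads keytool -list -v output on stdin
    awk '/^Owner:/  { o = substr($0, 8) }
         /^Issuer:/ { i = substr($0, 9); exit }
         END { exit (o != "" && i != "" && o != i) ? 0 : 1 }'
}
```

Typical use is `import_chain root.cer bm.cer && verify_signed tomcat`; a failing verify_signed after a "successful" import is the signature of Dave's forgotten -keystore mistake.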
