You can do this in one of the two ways:
A. Use keytool to generate certificate signing request and openssl to sign it.
Sub-steps:
1. Generate key-pair using keytool ( -genkey operation )
2. Generate Certificate Signing Request or CSR ( -certreq )
3. Sign CSR with openssl ( ca operation in openssl )
4. Import openssl CA certificate into keystore specified in step 1.
Remember to use a different alias than in step 1.
5. Import the signed certificate ( generated by step 3 ) into the keystore.
Remember to use the same alias as in step 1.
6. Remove the CA certificate entry from the keystore.
Without step 4, step 5 will fail ( as keytool cannot form a certificate
chain ). Without step 6, there is a possibility that tomcat might present the
wrong certificate to the client ( as JSSE uses the first certificate it
finds in the keystore, using an order determined by a hash function ).
B. Create a PKCS8 certificate ( or certificate chain ) and import it in a
keystore.
-- steps left as an exercise.
Note: If you find the steps a bit complicated and hard to get right, you are
not alone :). I spent many frustrating hours to get it right. But you get the
idea.
I do have plans to document these but have not been able to find time.
Pankaj Kumar
Web Services Architect
HP Middleware
http://www.pankaj-k.net
> -----Original Message-----
> From: Lee Chin Khiong [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 22, 2002 10:21 PM
> To: '[EMAIL PROTECTED]'
> Subject: Openssl
>
>
> Does anyone know how to generate cert using openssl and apply to tomcat
> instead of keytool ?
>
>
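
Procedure A from the reply above, run end to end, as an added example that is not part of the original message. It swaps in `openssl x509 -req` with a throwaway CA for the `openssl ca` operation named in step 3; the file names, aliases, subject names and password are assumptions.

```shell
#!/bin/sh
# Added example of procedure A (steps 1-6). Constructed values: file names,
# aliases ("tomcat", "demo-ca"), subject names and the demo password.
# Prints the number of certificates in the chain stored under the key alias.
build_tomcat_keystore() {
    dir=$1; pass=changeit; ks="$dir/tomcat.jks"
    command -v keytool >/dev/null 2>&1 || return 127
    command -v openssl >/dev/null 2>&1 || return 127
    kt() { keytool "$@" -keystore "$ks" -storepass "$pass"; }

    # Throwaway self-signed CA standing in for the openssl-managed CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    # Step 1: generate the key pair under alias "tomcat".
    kt -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keypass "$pass" \
        -dname "CN=localhost" >/dev/null 2>&1 || return 1
    # Step 2: write the CSR for that key.
    kt -certreq -alias tomcat -file "$dir/server.csr" >/dev/null 2>&1 || return 1
    # Step 3: sign the CSR (x509 -req used here instead of `openssl ca`,
    # which needs a CA config file and database).
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 30 \
        -out "$dir/server.crt" >/dev/null 2>&1 || return 1
    # Step 4: import the CA certificate under a DIFFERENT alias.
    kt -importcert -noprompt -alias demo-ca -file "$dir/ca.crt" \
        >/dev/null 2>&1 || return 1
    # Step 5: import the signed certificate under the SAME alias as step 1;
    # keytool builds the chain using the CA entry from step 4.
    kt -importcert -noprompt -alias tomcat -file "$dir/server.crt" \
        >/dev/null 2>&1 || return 1
    # Step 6: remove the CA entry so only the key entry remains.
    kt -delete -alias demo-ca >/dev/null 2>&1 || return 1
    # Check: the key entry should carry server cert + CA cert.
    kt -list -rfc -alias tomcat 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Stand-alone use: sh thisfile.sh /path/to/empty/dir
if [ -n "${1:-}" ]; then build_tomcat_keystore "$1"; fi
```

A result of 2 means the chain was formed in step 5 and survived the removal of the CA entry in step 6.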