IS IT POSSIBLE TO DESCRIBE IN DETAIL WITH AN EXAMPLE..... I STILL DON'T GET YOU....

-----Original Message-----
From: KUMAR,PANKAJ (HP-Cupertino,ex1) [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 24, 2002 1:39 AM
To: 'Tomcat Users List'
Subject: RE: Openssl

You can do this in one of the two ways:

A. Use keytool to generate a certificate signing request and openssl to sign it.
Sub-steps:
1. Generate key-pair using keytool ( -genkey operation )
2. Generate Certificate Signing Request or CSR ( -certreq )
3. Sign CSR with openssl ( ca operation in openssl )
4. Import openssl CA certificate into keystore specified in step 1. Remember to use a different alias than in step 1.
5. Import the signed certificate ( generated by step 3 ) into the keystore. Remember to use the same alias as in step 1.
6. Remove the CA certificate entry from the keystore.

Without step 4, step 5 will fail ( as keytool cannot form a certificate chain ). Without step 6, there is a possibility that tomcat might present the wrong certificate to the client ( as JSSE uses the first certificate it finds in the keystore, using an order determined by a hash function ).

B. Create a PKCS8 certificate ( or certificate chain ) and import it in a keystore. -- steps left as an exercise.

Note: If you find the steps a bit complicated and hard to get right, you are not alone :). I spent many frustrating hours to get it right. But you get an idea. I do have plans to document these but have not been able to find time.

Pankaj Kumar
Web Services Architect
HP Middleware
http://www.pankaj-k.net

> -----Original Message-----
> From: Lee Chin Khiong [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 22, 2002 10:21 PM
> To: '[EMAIL PROTECTED]'
> Subject: Openssl
>
>
> Does anyone know how to generate cert using openssl and apply to tomcat
> instead of keytool ?
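
The six sub-steps of option A as one script, added here as an example and not part of any message in this thread. The throwaway CA, aliases, file names, subject names and password are constructed, and `openssl x509 -req` is used in place of the `ca` operation named in step 3 so that no CA database directory is needed.

```shell
#!/bin/sh
# Added example: keytool key + CSR, signed by an openssl CA, for Tomcat.
PASS=changeit   # constructed demo password; use your own

build_keystore() (
  cd "$1" &&
  # Throwaway CA (constructed) standing in for your existing openssl CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout ca.key -out ca.crt 2>/dev/null &&
  # 1. Key pair (-genkeypair is the current name of -genkey).
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
    -dname "CN=localhost" -keystore tomcat.ks \
    -storepass "$PASS" -keypass "$PASS" &&
  # 2. CSR for the key created in step 1.
  keytool -certreq -alias tomcat -file tomcat.csr \
    -keystore tomcat.ks -storepass "$PASS" &&
  # 3. Sign the CSR with the CA key.
  openssl x509 -req -in tomcat.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -days 30 -sha256 -out tomcat.crt 2>/dev/null &&
  # 4. CA certificate goes in under a DIFFERENT alias, so that
  #    keytool can build the chain in step 5.
  keytool -importcert -noprompt -alias demo-ca -file ca.crt \
    -keystore tomcat.ks -storepass "$PASS" &&
  # 5. Signed certificate goes in under the SAME alias as the key.
  keytool -importcert -alias tomcat -file tomcat.crt \
    -keystore tomcat.ks -storepass "$PASS" &&
  # 6. Drop the stand-alone CA entry; the chain on "tomcat" keeps its copy.
  keytool -delete -alias demo-ca -keystore tomcat.ks -storepass "$PASS"
)

# Number of certificates chained to the tomcat key; 2 = leaf + CA.
chain_certs() {
  keytool -list -rfc -alias tomcat -keystore "$1/tomcat.ks" \
    -storepass "$PASS" | grep -c 'BEGIN CERTIFICATE'
}

# Succeeds when the CA no longer has its own keystore entry (step 6).
ca_entry_removed() {
  ! keytool -list -alias demo-ca -keystore "$1/tomcat.ks" \
    -storepass "$PASS" >/dev/null 2>&1
}

# Usage: sh make-keystore.sh /some/empty/dir
if [ "$#" -gt 0 ]; then
  build_keystore "$1" && chain_certs "$1"
fi
```

Point Tomcat's SSL connector at the resulting `tomcat.ks`; the private key never leaves the keystore, only the CSR and certificates cross between the two tools.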
