Sorry about the delay, but I had to go play in Vegas for a few days.
Similar to Richard's post, here are the actual steps I went through to get
our Verisign cert installed into Tomcat. The only big caveat here is that
this is based on JSSE for the 1.3 JDK, whereas JDK 1.4 has it integrated.
Sorry about the length, but this is just some quick and dirty documentation.
A. JSSE Stuff:
1. Obtain jsse package from Sun [sorry, no link...]
2. Be sure to place jsse.jar, jcert.jar, jnet.jar in %JAVA_HOME%\jre\lib\ext
B. Original Cert:
Note: being my typical retentive self, I wanted the keystore file(s) in the
same 'context' as my app, so I created the keystore in a directory and
specifically reference it wherever required. I don't remember where the JSSE
default folder is.
1. Created Keystore directory on d:\code\production\conf\Keystore, moved to that directory
2. keytool -genkey -dname "CN=secure.<mydomain>.com, OU=DataCenter, O=<Company Name>, L=Tampa, ST=Florida, C=US" -alias production -keypass <some_password> -storepass <some_password> -keystore d:\code\staging\conf\keystore\.keystore -keyalg RSA
3. keytool -certreq -file certreq.txt -keystore .keystore -keypass <some_password> -alias production
4. Submitted certreq.txt to Verisign, accepted and issued cert.cer
5. keytool -import -file cert.cer -alias production -keypass <some_password> -keyalg RSA -keystore .keystore -trustcacerts
Enter keystore password: <some_password>
Certificate reply was installed in keystore
6. Certificate successfully installed.
C2: Sample from server.xml:
<snip>
<Connector className="org.apache.catalina.connector.http.HttpConnector"
address="<x.x.x.x>"
port="443"
minProcessors="50"
maxProcessors="200"
enableLookups="false"
acceptCount="10"
scheme="https"
secure="true">
<Factory className="org.apache.catalina.net.SSLServerSocketFactory"
keystoreFile="d:\code\production\conf\keystore\.keystore"
keystorePass="<some_password>"
clientAuth="false"
protocol="TLS"/>
</Connector>
D. Renewing the certificate:
1. Copied d:\code\production\conf\keystore\.keystore to .keystore2 for backup. Will perform new work on .keystore2
2. Generated a Certificate Request as follows:
- keytool -certreq -file certreq_2003.txt -keystore .keystore -keypass <some_password> -alias production
3. Received certificate (cert_2003.cer) from Verisign
4. keytool -import -file cert_2003.cer -alias production -keypass <some_password> -keyalg RSA -keystore .keystore2 -trustcacerts
Enter keystore password: <some_password>
Certificate reply was installed in keystore
5. Copied .keystore2 over .keystore:
copy .keystore backup_20030107.keystore
copy .keystore2 .keystore
6. Loaded website, change is not yet viewable, will wait for restart tonight.
E: Random Notes and troubleshooting:
D:\code\staging\conf\keystore>keytool -genkey -dname "CN=secure.<mydomain>.com, OU=DataCenter, O=<Company Name>, L=Tampa, ST=Florida, C=US" -alias staging -keypass <some_password> -storepass <some_password> -keystore d:\code\staging\conf\keystore\.keystore -keyalg RSA
D:\code\staging\conf\keystore>keytool -certreq -file certreq.txt -keystore .keys -keypass <some_password>
- submitted successfully to Verisign, awaiting reply
*Importing certificate:
D:\code\staging\conf\keystore>keytool -keystore .keystore -alias staging -keypass <some_password> -import -file cert.cer -keyalg RSA
Enter keystore password: <some_password>
keytool error: java.security.cert.CertificateException: Unsupported encoding
Note: Added a CR/LF to the end of the certificate, get new error:
D:\code\staging\conf\keystore>keytool -import -file cert.cer -trustcacerts -alias staging -keypass <some_password> -keyalg RSA -keystore .keystore
Enter keystore password: <some_password>
keytool error: java.lang.Exception: Failed to establish chain from reply
Note: First had to import CA Test Certificate:
D:\code\staging\conf\keystore>keytool -import -file getcacert.cer -keyalg RSA -keystore .keystore
Enter keystore password: <some_password>
Owner: OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc"
Issuer: OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc"
Serial number: 52a9f424da674c9daf4f537852abef6e
Valid from: Sat Jun 06 20:00:00 EDT 1998 until: Tue Jun 06 19:59:59 EDT 2006
Certificate fingerprints:
MD5: 40:06:......
SHA1: 93:71:.....
Trust this certificate? [no]: y
Certificate was added to keystore
Then the certificate could be properly added:
D:\code\staging\conf\keystore>keytool -import -file cert.cer -alias
staging -keypass <some_password> -keyalg RSA -keystore .keystore
Enter keystore password: <some_password>
Certificate reply was installed in keystore
Listing Keystore information:
keytool -list -keystore .keystore2 -alias production -v
[Updated 01/16/2003]:
Alias name: production
Creation date: Mon Apr 29 17:16:33 EDT 2002
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=secure.<my domain>.com, OU=DataCenter, O=<Company Name>, L=Tampa, ST=Florida, C=US
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Serial number: 2d53................................
Valid from: Sun Apr 28 20:00:00 EDT 2002 until: Sat Jan 18 18:59:59 EST 2003
Certificate fingerprints:
MD5: E1:F3:...........
SHA1: F8:C6:...........
Certificate[2]:
Owner: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Serial number: 2ad6.......................
Valid from: Tue Nov 08 19:00:00 EST 1994 until: Thu Jan 07 18:59:59 EST 2010
Certificate fingerprints:
MD5: 74:7B:...................
SHA1: 44:63:...................
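As an added example (not part of the original post), the following Go program models the mechanics behind sections B, D and E using the standard crypto/x509 package rather than keytool: a constructed stand-in CA, key generation plus certificate request (-genkey/-certreq), CA issuance of the reply, the two checks that stand behind `-import -trustcacerts` of a reply (the reply must carry the key entry's public key and must chain to a trusted CA), and the expiry check that should drive section D's renewal. The CA, the DN values, the hostname secure.example.com and all function names are assumptions made for this example. The first import attempt in main reproduces the "Failed to establish chain from reply" condition from section E, because the issuing CA has not been trusted yet.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed CA, constructed here to stand in for the VeriSign (test) CA.
func newCA() (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{Organization: []string{"Example Test CA (constructed)"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// genKeyAndCSR is `keytool -genkey -keyalg RSA` plus `keytool -certreq`: a new RSA key and its request.
func genKeyAndCSR(cn string) (*rsa.PrivateKey, *x509.CertificateRequest) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, OrganizationalUnit: []string{"DataCenter"}, Country: []string{"US"}}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	check(err)
	csr, err := x509.ParseCertificateRequest(der)
	check(err)
	return key, csr
}

// issue plays the CA: verify proof of possession, then sign for `days` days. Its output is the reply (cert.cer).
func issue(ca *x509.Certificate, caKey *rsa.PrivateKey, csr *x509.CertificateRequest, days int) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 0, days),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	check(err)
	return x509.ParseCertificate(der)
}

// installReply models `keytool -import -trustcacerts` of a reply into an existing key entry:
// the reply must carry our public key and must chain to a trusted CA. With nothing trusted
// it fails the way section E did before the CA certificate was imported.
func installReply(reply *x509.Certificate, ourKey *rsa.PrivateKey, trusted ...*x509.Certificate) ([]*x509.Certificate, error) {
	pub, ok := reply.PublicKey.(*rsa.PublicKey)
	if !ok || !pub.Equal(&ourKey.PublicKey) {
		return nil, fmt.Errorf("reply public key does not match the key entry")
	}
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	chains, err := reply.Verify(x509.VerifyOptions{Roots: roots})
	if err != nil {
		return nil, fmt.Errorf("failed to establish chain from reply: %w", err)
	}
	return chains[0], nil // leaf first, CA last, as Certificate[1]/[2] in `keytool -list -v`
}

// needsRenewal drives section D's renewal: true once the cert expires within `lead` of `now`.
func needsRenewal(cert *x509.Certificate, now time.Time, lead time.Duration) bool {
	return !now.Add(lead).Before(cert.NotAfter)
}

func main() {
	ca, caKey := newCA()
	key, csr := genKeyAndCSR("secure.example.com")
	reply, err := issue(ca, caKey, csr, 365)
	check(err)
	_, err = installReply(reply, key) // CA not yet trusted: section E's failure
	fmt.Println("without CA cert:", err)
	chain, err := installReply(reply, key, ca)
	fmt.Println("with CA cert:", len(chain), "certs in chain, err:", err, "| renew within 30 days?", needsRenewal(reply, time.Now(), 30*24*time.Hour))
}
```

Run with `go run`. The real `keytool -import -trustcacerts` looks for the issuer in the keystore itself and in the JDK's cacerts file, which is why a VeriSign test CA (not shipped in cacerts) had to be imported as a trusted entry first; the example's variadic `trusted` list plays that role.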