You send the CA your public key and some other information.
The CA creates a certificate.
Any certificate has:
1. The public key
2. expiration date
3. algorithm
4. etc.
The certificate information is hashed and the hash of that is signed by the private key of the Certificate Issuing Authority (CA), like Verisign, or in your case your "little java app".
When you get back this certificate from the CA ... in your case you are using keytool to import it into your keystore. Your keystore does not have your private key yet.
SSL handshake requires you to have your private key in the keystore as well. I think that is what your problem is: get your private key into the keystore too.
thanks.
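An added example (not from this thread, and not Tomcat's or keytool's own code) that checks the condition this reply describes, and the situation Mark describes below where the private key lives in IE's store rather than the SUN keystore: it loads a keystore and reports, per alias, whether the entry is a private key that really pairs with its certificate (what the SSL connector needs) or only a trusted certificate (what a CA reply becomes when the matching private key is absent). The class name KeystoreCheck and the command-line arguments are assumptions; it also assumes the key password equals the store password, which is keytool's default.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * KeystoreCheck (hypothetical diagnostic, not part of Tomcat or keytool).
 * Walks every alias in a keystore and reports which ones can serve as the
 * server identity in an SSL handshake: a PrivateKeyEntry whose private key
 * matches the public key in its certificate. A CA reply imported while the
 * matching private key is absent shows up as a certificate-only entry,
 * which is the "imports fine, handshake fails" symptom.
 *
 * Usage: java KeystoreCheck <keystore-file> <store-password> [store-type]
 * Assumption: the key password equals the store password (keytool's default).
 */
public class KeystoreCheck {

    /** Outcome for one alias. */
    enum Status { USABLE_IDENTITY, CERT_ONLY, KEY_MISMATCH, SECRET_KEY, NOT_VALID_NOW }

    /** Classifies one alias; keystore access errors (wrong password etc.) propagate. */
    static Status classify(KeyStore ks, String alias, char[] keyPassword) throws Exception {
        if (ks.isCertificateEntry(alias)) {
            // trustedCertEntry: certificate without a private key. Fine in a
            // truststore, useless as a server identity.
            return Status.CERT_ONLY;
        }
        Key key = ks.getKey(alias, keyPassword);
        if (!(key instanceof PrivateKey)) {
            return Status.SECRET_KEY; // symmetric key entry, irrelevant for SSL identity
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            return Status.CERT_ONLY; // defensive: a key entry should always carry a chain
        }
        if (!keysMatch((PrivateKey) key, chain[0].getPublicKey())) {
            return Status.KEY_MISMATCH;
        }
        if (chain[0] instanceof X509Certificate) {
            try {
                ((X509Certificate) chain[0]).checkValidity();
            } catch (CertificateException e) {
                return Status.NOT_VALID_NOW; // expired or not yet valid
            }
        }
        return Status.USABLE_IDENTITY;
    }

    /**
     * Proves the private key and the certificate's public key are one pair by
     * signing a fixed message with the private key and verifying with the public
     * key. Covers RSA, DSA and EC keys through the JCA "SHA256with..." names.
     */
    static boolean keysMatch(PrivateKey priv, PublicKey pub) throws Exception {
        String alg = priv.getAlgorithm();
        String sigAlg = "SHA256with" + ("EC".equals(alg) ? "ECDSA" : alg);
        byte[] msg = "keystore-pairing-check".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(priv);
        signer.update(msg);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(pub);
        verifier.update(msg);
        try {
            return verifier.verify(sig);
        } catch (SignatureException e) {
            return false; // e.g. key sizes differ: definitely not the same pair
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java KeystoreCheck <keystore-file> <store-password> [store-type]");
            System.exit(2);
        }
        String type = args.length > 2 ? args[2] : KeyStore.getDefaultType();
        char[] password = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        int usable = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Status s = classify(ks, alias, password);
            System.out.println(alias + ": " + s);
            if (s == Status.USABLE_IDENTITY) usable++;
        }
        if (usable == 0) {
            System.out.println("No alias holds a private key paired with its certificate, "
                    + "so the SSL connector has nothing to present. Generate the key pair "
                    + "in this keystore and import the CA reply under the same alias.");
            System.exit(1);
        }
    }
}
```

The CERT_ONLY result is the case in this thread: keytool will happily store a CA reply as a trusted certificate when no alias with the matching private key exists, so the import "succeeds" while the handshake still fails. The fix is the one stated above: the key pair has to be generated in (or imported into) the same keystore under the same alias before the reply is imported.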
On Saturday, March 15, 2003, at 02:40 AM, Mark Liu wrote:
I think I got a little idea after I re-read the keytool doc.
You see, when we generate the cert using keytool, both the private key and the public key are stored in the keystore. And when we import the cert reply from the CA, keystore will associate the private key with the cert that wraps up the corresponding public key, right?
However, in my project, I have the browser IE generate the pkcs10 request and submit the request to the CA. Apparently IE does not use the SUN keystore facility.
Thus, when I get the cert reply from the CA and import it into the SUN keystore, the SUN keystore has no way of matching the cert with a private key because the private key does not exist in the SUN keystore, it is stored in the keystore that IE maintains, although the SUN keystore still imports the cert.
Does my conjecture sound reasonable?
Thank you for your continued education.
Mark
--- Mufaddal Khumri <[EMAIL PROTECTED]> wrote:
I suggest that you try using your certificate with other applications, for instance send yourself a digitally signed email using your certificate. If your certificate works with another app then probably there is something wrong with the way tomcat is handling certificates. If not (which is most probably the case) then there is something missing from the certificate. So I would strongly recommend you to try using your "little java application" generated certificate with some other app other than tomcat and see how it works.
Thanks.
On Saturday, March 15, 2003, at 12:39 AM, Mark Liu wrote:
Well, I've never tried any other application. I only know that I can import it into the keystore, I can also import it into the browser (IE).
--- Mufaddal Khumri <[EMAIL PROTECTED]> wrote:
Do your certificates work with other applications in other scenarios?
On Saturday, March 15, 2003, at 12:28 AM, Mark Liu wrote:
I am not sure if they are of the same format. I only know that I am able to import the certificate generated by my "little Java program" into the keystore as alias tomcat.
Anywhere I can check the format of the keytool-generated certificate?
--- Mufaddal Khumri <[EMAIL PROTECTED]> wrote:
Is your certificate format generated by your "little java program" exactly like the keytool generated certificate? Have you tested your certificates with other applications to see if you are producing them correctly?
thanks.
On Friday, March 14, 2003, at 09:21 AM, Mark Liu wrote:
I know you guys have your great strategies in balancing Apache and Tomcat.
But, my project isn't really so picky about efficiency, so I simply run Tomcat with SSL all the time. It simplifies my project a little bit.
But then I do need to be able to run Tomcat SSL with the certificate generated by my little Java program.
--- mike jackson <[EMAIL PROTECTED]> wrote:
I've always run tomcat as a backend to apache. Apache may or may not implement ssl. That said, every time I've implemented ssl I've done it at the apache level, never at the tomcat level. In fact the few times that I've wanted ssl at the tomcat level (usually because I'm not running apache) I've ended up setting up apache to run as the front end.
But that's just me.
--mikej -=----- mike jackson [EMAIL PROTECTED]
-----Original Message----- From: Mark Liu [mailto:[EMAIL PROTECTED] Sent: Thursday, March 13, 2003 6:44 PM To: Tomcat Users List Subject: Do you run Tomcat with SSL?
I am able to run Tomcat SSL with the keytool-generated certificate, but not the certificate my Java program generates.
I've been asking this question for a while in this list. But it seems nobody has an answer to it. So you guys never run Tomcat in SSL mode? Or you guys always use the keytool-generated certificate for the SSL?
=== message truncated ===
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
