On 1/16/14 1:49 PM, Christopher Schultz wrote:
> Why are you self-signing a certificate if you are going to get it
> signed by a CA?

A newly-created keypair in a Java keystore is, by definition, a self-signed certificate. And you can't create a CSR without having a keypair from which to create it.

One suggestion:

If you haven't done this dozens of times, or don't do it several times a year, or haven't done it for a particular CA,

MAKE AT LEAST ONE BACKUP COPY OF YOUR KEYSTORE BEFORE YOU SUBMIT YOUR CSR TO THE CA!

That way (and I've been there a number of times) if you screw up your keystore while trying to install the signed certificate, you can try again.

You really don't want to pay the fee to the CA, and then find out you've screwed up something that you have no way of unscrewing.

Also: if by any chance you're running Tomcat on an AS/400, you want to do this whole process on something else entirely, and then FTP your keystore into place on the 400. Keytool does NOT work well on AS/400s, and I haven't the slightest idea why.

--
James H. H. Lampert
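
An added example, not part of the original message: a shell function that makes the backup recommended above and verifies it before the CSR is submitted. The function names, the `KEYSTORE_PASS` environment variable and the file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: back up a Java keystore before its CSR goes to the CA.
# backup_keystore, digest and KEYSTORE_PASS are illustrative names.

# SHA-256 of a file, using whichever tool this system provides.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# backup_keystore KEYSTORE ALIAS [BACKUP_DIR]
# Prints the path of the verified backup; returns non-zero on any failure.
backup_keystore() {
    ks=$1; alias_name=$2; dir=${3:-$(dirname "$1")}
    [ -f "$ks" ] || { echo "no such keystore: $ks" >&2; return 1; }

    # Optional check, run only when KEYSTORE_PASS is exported: the alias must
    # still hold the private key, or the CA's reply cannot be installed on it.
    # -storepass:env keeps the password out of the process list.
    if [ -n "${KEYSTORE_PASS:-}" ]; then
        keytool -J-Duser.language=en -list -v -keystore "$ks" \
            -alias "$alias_name" -storepass:env KEYSTORE_PASS 2>/dev/null \
            | grep -q 'Entry type: PrivateKeyEntry' \
            || { echo "alias $alias_name has no private key" >&2; return 1; }
    fi

    mkdir -p "$dir" || return 1
    dest="$dir/$(basename "$ks").pre-csr.$(date +%Y%m%d%H%M%S)"
    # Never overwrite an earlier backup.
    [ ! -e "$dest" ] || { echo "backup exists: $dest" >&2; return 1; }
    cp -p "$ks" "$dest" || return 1

    # The copy must be byte-identical to the keystore the CSR came from.
    [ "$(digest "$ks")" = "$(digest "$dest")" ] \
        || { echo "backup digest mismatch" >&2; rm -f "$dest"; return 1; }

    chmod 400 "$dest"   # read-only, so a later import cannot modify it
    printf '%s\n' "$dest"
}
```

Run it right after `keytool -certreq`, and keep the backup on different storage from the live keystore, since it contains the same private key.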
