Chris,

How do I know for certain that I didn't import into the Java installation's system-wide Keystore? I used the keytool command below to import the cert. I don't believe I imported my cert into the system-wide keystore but I am not 100% certain.

keytool -import -alias tomcat -trustcacerts -file mythawtecert.txt -keystore [keystorename]

Thanks!!

Will

-----Original Message-----
From: Christopher Schultz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 20, 2007 9:27 AM
To: Tomcat Users List
Cc: 'Martin Gainty'
Subject: Re: Importing an existing SSL cert into a newer JDK version

Will,

Will Holmes wrote:
> I would be going from JDK version 1.4 to 1.5 or later. So it sounds like
> I will have to generate a CSR for the new JDK version and I will have to
> involve my CA by reissuing the cert. Am I thinking correctly? So there is
> no way to reuse the keystore with the new JDK version?

The mathematics of encryption have not changed between JDK versions, so you should be fine. As long as you are using the key format used by the JDK (which is relatively standard), you should not have any problems.

I believe that Martin was suggesting that if you were switching providers (say, from BouncyCastle to the Sun-provided implementation) that you might want to re-do everything from the beginning. While that may seem easier, there shouldn't be any reason that SSL certs obtained from one provider would not be usable by another. SSL certs are pretty standard. About the only thing you have to do is make sure that your keys are in a java-readable keystore (which might not be the case if you had used another provider, and you'd have to convert).

Since you are going from SSL-enabled-JDK to another SSL-enabled-JDK, the whole argument is academic: you should not have to do anything, unless you imported your keys into your Java installation's system-wide keystore. In that case, you'll have to either replace the system-wide keystore that came with your new JDK (which I don't recommend, since it probably contains updated keys, CAs, etc.), or you'll have to re-import all your keys into the new system-wide keystore.

Hope that helps,
-chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
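
The question of whether a certificate ended up in the JDK's system-wide keystore can be settled by comparing fingerprints between the two stores. The script below is an added example, not part of the original thread; it assumes keytool is on PATH, JAVA_HOME points at the JDK being checked, the cacerts file still has its stock password "changeit", and all function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: keytool is on PATH, JAVA_HOME
# points at the JDK being checked, cacerts still has its stock password "changeit".
# Function names are illustrative.

# Print the path of the JDK-wide trust store under JDK root $1
# (jre/lib/security up to JDK 8, lib/security from JDK 9 on).
find_cacerts() {
    for p in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# Read `keytool -list` output on stdin; print one upper-cased fingerprint per line.
extract_fps() {
    sed -n 's/^.*[Ff]ingerprint[^:]*: *\([0-9A-Fa-f:]*\).*$/\1/p' | tr 'a-f' 'A-F'
}

# Exit 0 if the certificate stored under alias $3 in keystore $1 (password $2)
# also appears in trust store $4 under any alias, 1 if it does not, 2 on error.
in_system_store() {
    mine=$(keytool -list -keystore "$1" -storepass "$2" -alias "$3" | extract_fps)
    [ -n "$mine" ] || { echo "alias $3 not found in $1" >&2; return 2; }
    theirs=$(keytool -list -keystore "$4" -storepass changeit | extract_fps)
    [ -n "$theirs" ] || { echo "could not list $4" >&2; return 2; }
    printf '%s\n' "$theirs" | grep -qxF "$mine"
}

main() {  # usage: check-cacerts.sh KEYSTORE STOREPASS [ALIAS]
    cacerts=$(find_cacerts "${JAVA_HOME:?set JAVA_HOME first}") || {
        echo "no cacerts file under $JAVA_HOME" >&2; return 2; }
    in_system_store "$1" "$2" "${3:-tomcat}" "$cacerts"
    case $? in
        0) echo "certificate is ALSO present in $cacerts" ;;
        1) echo "certificate is not in $cacerts" ;;
        *) return 2 ;;
    esac
}

# Run only when arguments are given, so the functions can be sourced and tested.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

keytool writes only to the file named by -keystore (or to ~/.keystore when the option is omitted); -trustcacerts only lets it consult cacerts while building the chain. Matching on fingerprint rather than alias catches a certificate that was imported into cacerts under a different name.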