Posted to users@tomcat.apache.org by Alexander Diedler <ad...@tecracer.de> on 2009/06/01 12:43:14 UTC

Renew SSL with Keytool for Tomcat 6.0.16

Hello,
I have done everything as I do for the initial creation of the certificate, but it doesn't work.
First, if I try to import the new X.509 cert into the keystore (with the existing SSL cert for Tomcat), there is an error like the public key doesn't match the keystore.

If I remove all certs from the keystore and import the trusted CA and the new SSL cert, the file is too small (all other working .kdb files have 4 KB, but the new one has only 2 KB), and if I try to open an SSL site with the new cert, nothing happens (no error; the loading was indicated at the bottom left in the status bar, but there was no progress for 10 minutes).
Here are the new and the old keystore. There is a difference between the type of the first certificate. The original old expired cert is type "PrivateKeyEntry"; the current renewed and re-imported SSL is type "trustedCertEntry". Why? Is that the problem? What are we doing wrong? We use the same CSR for the renewal as for the initial import and buying.

Keystore-Typ: JKS
Keystore-Provider: SUN
Ihr Keystore enthält 2 Einträge.
tomcat, 25.05.2009, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): 41:B4:AC:B3:4F:F2:B2:67:EB:2F:8F:B3:D2:74:A8:F0
geotrustca, 25.05.2009, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4

D:\Keystore>c:\Programme\Java\jre1.6.0_06\bin\keytool -list -storepass XXXXXX
-keystore D:\Keystore\www_XXXXXXXX_de.kdb
Keystore-Typ: JKS
Keystore-Provider: SUN
Ihr Keystore enthält 2 Einträge.
tomcat, 11.06.2008, PrivateKeyEntry,
Zertifikatsfingerabdruck (MD5): 52:6E:74:EB:18:FE:13:61:8C:7C:F5:DA:A3:3D:08:DF
geotrustca, 11.06.2008, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
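
An added example, not part of the original post: a Python check that parses the two `keytool -list` outputs shown above and reports what changed between them. The function names and the default server alias `tomcat` are assumptions of this example; a `trustedCertEntry` holds only a certificate, while a `PrivateKeyEntry` holds the private key together with its certificate chain.

```python
import re

# "alias, date, entryType," -- the date may itself contain a comma in other locales.
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+),\s*.+?,\s*(?P<type>\w+Entry),?\s*$")
# "<label> (MD5): AA:BB:..." -- the label text is locale dependent, so it is ignored.
FP_RE = re.compile(r"\([\w-]+\):\s*((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})")

def parse_listing(text):
    """Map alias -> {'type', 'fingerprint'} from `keytool -list` output."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            current = m.group("alias").strip().lower()
            entries[current] = {"type": m.group("type"), "fingerprint": None}
        elif current and (f := FP_RE.search(line)):
            entries[current]["fingerprint"] = f.group(1).upper()
    return entries

def compare(old, new, server_alias="tomcat"):
    """Return findings about how the renewed keystore differs from the old one."""
    findings = []
    for alias in sorted(set(old) | set(new)):
        o, n = old.get(alias), new.get(alias)
        if o is None or n is None:
            findings.append(f"{alias}: present in only one keystore")
        elif o["type"] != n["type"]:
            findings.append(f"{alias}: {o['type']} -> {n['type']}")
        elif o["fingerprint"] != n["fingerprint"]:
            findings.append(f"{alias}: certificate changed, still {n['type']}")
    entry = new.get(server_alias)
    if entry is None or entry["type"] != "PrivateKeyEntry":
        findings.append(f"{server_alias}: no private key stored under this alias")
    return findings

# The two listings from the post (entry and fingerprint lines only).
NEW = """tomcat, 25.05.2009, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): 41:B4:AC:B3:4F:F2:B2:67:EB:2F:8F:B3:D2:74:A8:F0
geotrustca, 25.05.2009, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4"""
OLD = """tomcat, 11.06.2008, PrivateKeyEntry,
Zertifikatsfingerabdruck (MD5): 52:6E:74:EB:18:FE:13:61:8C:7C:F5:DA:A3:3D:08:DF
geotrustca, 11.06.2008, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4"""

if __name__ == "__main__":
    for finding in compare(parse_listing(OLD), parse_listing(NEW)):
        print(finding)
```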