Posted to users@tomcat.apache.org by Yi SHU <ys...@ivision.fr> on 2011/11/16 15:23:35 UTC

Certificate issued by GeoTrust Global CA is not appearing at client browser's side

Hello everyone,

We would like to set up a secured web service on Axis 1.4, Tomcat 6.0.24, JDK 1.6 and CentOS Linux,
because our partner requires HTTPS access to our web service and accepts only publicly trusted certificates (not self-signed ones).

So we are setting up SSL on Tomcat 6.0.24, applying the chapter "Installing a Certificate from a Certificate Authority" of ssl-howto.

At last we can access our Tomcat welcome page through HTTPS, but the certificate we acquired from GeoTrust Global CA does not appear in my web browser. For example if we display the welcome page in Internet Explorer 8, the address bar will turn red and a message "certificat error" will appear, showing a certificate delivered by ourselves.

These are the steps we have taken:

Create a new keystore containing a private key:

keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore $myKeyStoreFileName -dname $myDistinguishedName

Create a CSR based on our keystore:

keytool -certreq -keyalg RSA -alias tomcat -file $myCSRFileName -keystore $myKeyStoreFileName

Once having received our certificates we imported the root certificate, the chain certificate and our server's certificate:

keytool -import -trustcacerts -alias ROOT -file $myRootCert -keystore $myKeyStoreFileName
keytool -import -trustcacerts -alias INTER -file $myIntermediateCert -keystore $myKeyStoreFileName
keytool -import -trustcacerts -alias $myAlias -file $myServerCert -keystore $myKeyStoreFileName

Could anyone tell me what I missed in my operations? I would also like to translate them into French in order to share it with other developers in my country.

With my best wishes,

Hélène Chèze


Re: Certificate issued by GeoTrust Global CA is not appearing at client browser's side

Posted by rosiere <sh...@gmail.com>.
Hello,

It works.

Thanks.



markt-2 wrote:
> 
> On 17/11/2011 16:48, rosiere wrote:
>> 
>> Hello,
>> Thanks for your hint.
>> 
>> I made a copy of my keystore. Then I changed alias:
>> my private key now uses the alias "mykey".
>> I changed our certificate's alias to "tomcat", by keytool's -changealias
>> command.
>> 
>> Now this is my certificate (the third one that differs from INTER and
>> ROOT)
>> Alias name: tomcat
>> 
>> Entry type : trustedCertEntry
>> 
>> Owner : CN=$myCN OU=Domain Control Validated - RapidSSL(R), OU=See
>> www.rapidssl.com/resources/cps (c)11, OU=$myOrganizationalUnit,
>> O=$myOrganization, C=FR, SERIALNUMBER=$mySerialNumber
>> Issuer : CN=RapidSSL CA, O="GeoTrust, Inc.", C=US
>> 
>> 
>> In my server.xml I changed keyAlias from "tomcat" to "mykey" and
>> referenced
>> the new keystore file.
>> 
>> However at last I still could not show GeoTrust or RapidSSL as
>> certificate
>> issuer when I browsed to Tomcat welcome page. The certificate returned to
>> my
>> web browser was still a self-signed one.
>> 
>> Do I have to rebuild my keystore from scratch and request another
>> certificate from our CA, just because of a mistake in my old alias?
> 
> No. Try the following.
> 
> 1. Take copies of everything.
> 
> 2. Delete everything from the keystore apart from the private key.
> 
> 3. Ensure the private key has the alias "tomcat".
> 
> 4. Import the CA cert and the intermediate as you did before.
> 
> 5. Import your new cert *using the alias "tomcat"*. Yes I know this is
> the same as the private key. No, it isn't a mistake.
> 
> 6. Configure your server.xml to use the alias "tomcat".
> 
> Mark
> 
>> 
>> 
>> markt-2 wrote:
>>>
>>> On 17/11/2011 15:26, rosiere wrote:
>>>>
>>>
>>>> My colleagues concluded that all the necessary certificates were
>>>> imported,
>>>> but none was actually used by Tomcat.
>>>
>>> Wrong.
>>>
>>> When you imported your new certificate, you should have specified
>>> "tomcat" as the alias rather than "$myAlias".
>>>
>>> I suggest you take some backups of your key stores in case you mess
>>> things up and then try again.
>>>
>>> Mark
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>>>
>> 
> 
> 

-- 
View this message in context: http://old.nabble.com/Certificate-issued-by-GeoTrust-Global-CA-is-not-appearing-at-client-browser%27s-side-tp32855051p32870249.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




Re: Certificate issued by GeoTrust Global CA is not appearing at client browser's side

Posted by Mark Thomas <ma...@apache.org>.
On 17/11/2011 16:48, rosiere wrote:
> 
> Hello,
> Thanks for your hint.
> 
> I made a copy of my keystore. Then I changed alias:
> my private key now uses the alias "mykey".
> I changed our certificate's alias to "tomcat", by keytool's -changealias
> command.
> 
> Now this is my certificate (the third one that differs from INTER and ROOT)
> Alias name: tomcat
> 
> Entry type : trustedCertEntry
> 
> Owner : CN=$myCN OU=Domain Control Validated - RapidSSL(R), OU=See
> www.rapidssl.com/resources/cps (c)11, OU=$myOrganizationalUnit,
> O=$myOrganization, C=FR, SERIALNUMBER=$mySerialNumber
> Issuer : CN=RapidSSL CA, O="GeoTrust, Inc.", C=US
> 
> 
> In my server.xml I changed keyAlias from "tomcat" to "mykey" and referenced
> the new keystore file.
> 
> However at last I still could not show GeoTrust or RapidSSL as certificate
> issuer when I browsed to Tomcat welcome page. The certificate returned to my
> web browser was still a self-signed one.
> 
> Do I have to rebuild my keystore from scratch and request another
> certificate from our CA, just because of a mistake in my old alias?

No. Try the following.

1. Take copies of everything.

2. Delete everything from the keystore apart from the private key.

3. Ensure the private key has the alias "tomcat".

4. Import the CA cert and the intermediate as you did before.

5. Import your new cert *using the alias "tomcat"*. Yes I know this is
the same as the private key. No, it isn't a mistake.

6. Configure your server.xml to use the alias "tomcat".

Mark

> 
> 
> markt-2 wrote:
>>
>> On 17/11/2011 15:26, rosiere wrote:
>>>
>>
>>> My colleagues concluded that all the necessary certificates were
>>> imported,
>>> but none was actually used by Tomcat.
>>
>> Wrong.
>>
>> When you imported your new certificate, you should have specified
>> "tomcat" as the alias rather than "$myAlias".
>>
>> I suggest you take some backups of your key stores in case you mess
>> things up and then try again.
>>
>> Mark
>>
>>
>>
>>
> 




Re: Certificate issued by GeoTrust Global CA is not appearing at client browser's side

Posted by rosiere <sh...@gmail.com>.
Hello,
Thanks for your hint.

I made a copy of my keystore. Then I changed alias:
my private key now uses the alias "mykey".
I changed our certificate's alias to "tomcat", by keytool's -changealias
command.

Now this is my certificate (the third one that differs from INTER and ROOT)
Alias name: tomcat

Entry type : trustedCertEntry

Owner : CN=$myCN OU=Domain Control Validated - RapidSSL(R), OU=See
www.rapidssl.com/resources/cps (c)11, OU=$myOrganizationalUnit,
O=$myOrganization, C=FR, SERIALNUMBER=$mySerialNumber
Issuer : CN=RapidSSL CA, O="GeoTrust, Inc.", C=US


In my server.xml I changed keyAlias from "tomcat" to "mykey" and referenced
the new keystore file.

However at last I still could not show GeoTrust or RapidSSL as certificate
issuer when I browsed to Tomcat welcome page. The certificate returned to my
web browser was still a self-signed one.

Do I have to rebuild my keystore from scratch and request another
certificate from our CA, just because of a mistake in my old alias?


markt-2 wrote:
> 
> On 17/11/2011 15:26, rosiere wrote:
>> 
> 
>> My colleagues concluded that all the necessary certificates were
>> imported,
>> but none was actually used by Tomcat.
> 
> Wrong.
> 
> When you imported your new certificate, you should have specified
> "tomcat" as the alias rather than "$myAlias".
> 
> I suggest you take some backups of your key stores in case you mess
> things up and then try again.
> 
> Mark
> 
> 
> 
> 





Re: Certificate issued by GeoTrust Global CA is not appearing at client browser's side

Posted by Mark Thomas <ma...@apache.org>.
On 17/11/2011 15:26, rosiere wrote:
> 
> Hello,
> 
> Thanks for your suggestions.
> I displayed my keystore file with keytool:
> keytool -list -v -keystore  $myKeystoreFile > keystoreManifest.txt
> 
> 
> There are 4 entries in my keystore file. 
> But only one entry contains a field named "Certificate chain length".
> 
> The other 3 entries, as certificates from our CA, contain a field 
> "Certificate fingerprint" 
> (or "Empreinte du certificat" in French because my Linux distribution that
> supports my JDK and Tomcat was installed in French)
> 
> # intermediate certificate
> alias: inter
> entry type: trustedCertEntry
> issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
> 
> # root certificate
> alias: root
> entry type: trustedCertEntr
> issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
> 
> 
> # our private key
> alias : tomcat
> entry type:  {0}  //this is exactly what I see on the prompt, not a variable
> of my own writing.
> certificate chain length: 1
> issuer: $ourDN
> 
> 
> alias : $myAlias
> entry type: trustedCertEntry
> issuer: CN=RapidSSL CA, O="GeoTrust, Inc.", C=US
> 
> 
> My colleagues concluded that all the necessary certificates were imported,
> but none was actually used by Tomcat.

Wrong.

When you imported your new certificate, you should have specified
"tomcat" as the alias rather than "$myAlias".

I suggest you take some backups of your key stores in case you mess
things up and then try again.

Mark



Re: Certificate issued by GeoTrust Global CA is not appearing at client browser's side

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Rosiere,

On 11/17/11 10:26 AM, rosiere wrote:
> (or "Empreinte du certificat" in French because my Linux
> distribution that supports my JDK and Tomcat was installed in
> French)

If you want to switch to English, just set the LANG environment
variable and decent programs (including Java) should adjust
accordingly. Or, stick with French if you like it :)

> # our private key alias : tomcat

Oops. See Mark's message.

-chris



Re: Certificate issued by GeoTrust Global CA is not appearing at client browser's side

Posted by rosiere <sh...@gmail.com>.
Hello,

Thanks for your suggestions.
I displayed my keystore file with keytool:
keytool -list -v -keystore  $myKeystoreFile > keystoreManifest.txt


There are 4 entries in my keystore file. 
But only one entry contains a field named "Certificate chain length".

The other 3 entries, as certificates from our CA, contain a field 
"Certificate fingerprint" 
(or "Empreinte du certificat" in French because my Linux distribution that
supports my JDK and Tomcat was installed in French)

# intermediate certificate
alias: inter
entry type: trustedCertEntry
issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US

# root certificate
alias: root
entry type: trustedCertEntr
issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US


# our private key
alias : tomcat
entry type:  {0}  //this is exactly what I see on the prompt, not a variable
of my own writing.
certificate chain length: 1
issuer: $ourDN


alias : $myAlias
entry type: trustedCertEntry
issuer: CN=RapidSSL CA, O="GeoTrust, Inc.", C=US


My colleagues concluded that all the necessary certificates were imported,
but none was actually used by Tomcat.





Daniel Mikusa-2 wrote:
> 
> 
> On Thu, 2011-11-17 at 05:02 -0800, rosiere wrote:
>> Hello,
>> 
>> Of course I restarted my Tomcat.
> 
> No offense meant, had to ask.  Can't assume anything.
> 
>> 
>> This is the SSL portion of my server.xml and it has nothing wrong.
>> 
>> 
>>     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>                maxThreads="150" scheme="https" secure="true"
>>                keystoreFile="$pathToMyKeystoreFile"
>>                keyAlias="tomcat"
>>                keystorePass="tomcat"
>>                clientAuth="false" sslProtocol="TLS" />
>> 
> 
> Yes, agreed.  Looks fine assuming that "$pathToMyKeystoreFile" points to
> the correct keystore file.
> 
> 
> What do you see in the output of "keytool -list -v -keystore
> $pathToMyKeystoreFile"?  In particular, what is listed for "Alias
> name:", "Entry type:" and "Certificate chain length" for each entry?
> 
> 
> Dan
> 
> 





Re: Certificate issued by GeoTrust Global CA is not appearing at client browser's side

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Ashish,

On 11/17/11 10:08 AM, Ashish Kulkarni wrote:
> I had to deal with this issue in Websphere, got Thawte certificate
> and no matter what i was not able to get the primary and secondary
> certificate to work in IE browser, only in Firefox and chrome,
> finally i got a certificate from Verisign and it works well in IE
> and chrome but not in firefox, this certificate business is very
> murky with these companies making deals with browser companies and
> making our life difficult, I bet If you add the primary and
> intermediate certificate to IE browser it will work fine, if there
> is another web service who needs to call this then that web service
> must know all the 3 certificates to authenticate your certificate

Nobody's really making deals with anyone. The difference is in exactly
which root certificates ship with each web browser. Over the last few
years, many CAs have started offering different flavors of cert such
as EV, etc. and they have introduced new top-level certs for their new
flavors.

Since they are new top-level certs, they should be trusted by every
web browser, but not everyone updates their certificate stores, etc.
So, they signed their new top-level certificates with their old
top-level certs so that older browsers wouldn't puke.

In order to make everything work, you have to have the full
certificate chain. Evidently, you are missing a piece that MSIE
requires in one case, and another piece that ff/chrome require in the
other.

Basically, if you have all the certificates you need (sometimes you
may need more than one intermediate certificate), then everything will
work.

I've never done much with Java's keystores, but working with httpd has
been easy: just concatenate all the certs together into one large file
and you're done. I'm sure a similar thing can be done with a keystore.

-chris



Re: Certificate issued by GeoTrust Global CA is not appearing at client browser's side

Posted by Ashish Kulkarni <as...@gmail.com>.
I had to deal with this issue in Websphere, got Thawte certificate and no
matter what i was not able to get the primary and secondary certificate to
work in IE browser, only in Firefox and chrome, finally i got a certificate
from Verisign and it works well in IE and chrome but not in firefox, this
certificate business is very murky with these companies making deals with
browser companies and making our life difficult,
I bet If you add the primary and intermediate certificate to IE browser it
will work fine, if there is another web service who needs to call this then
that web service must know all the 3 certificates to authenticate your
certificate



On Thu, Nov 17, 2011 at 9:26 AM, Daniel Mikusa <dm...@vmware.com> wrote:

>
> On Thu, 2011-11-17 at 05:02 -0800, rosiere wrote:
> > Hello,
> >
> > Of course I restarted my Tomcat.
>
> No offense meant, had to ask.  Can't assume anything.
>
> >
> > This is the SSL portion of my server.xml and it has nothing wrong.
> >
> >
> >     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> >                maxThreads="150" scheme="https" secure="true"
> >                keystoreFile="$pathToMyKeystoreFile"
> >                keyAlias="tomcat"
> >                keystorePass="tomcat"
> >                clientAuth="false" sslProtocol="TLS" />
> >
>
> Yes, agreed.  Looks fine assuming that "$pathToMyKeystoreFile" points to
> the correct keystore file.
>
>
> What do you see in the output of "keytool -list -v -keystore
> $pathToMyKeystoreFile"?  In particular, what is listed for "Alias
> name:", "Entry type:" and "Certificate chain length" for each entry?
>
>
> Dan
>



-- 
Ashish
www.ayurwellness.com
www.mysoftwareneeds.com

Re: Certificate issued by GeoTrust Global CA is not appearing at client browser's side

Posted by Daniel Mikusa <dm...@vmware.com>.
On Thu, 2011-11-17 at 05:02 -0800, rosiere wrote:
> Hello,
> 
> Of course I restarted my Tomcat.

No offense meant, had to ask.  Can't assume anything.

> 
> This is the SSL portion of my server.xml and it has nothing wrong.
> 
> 
>     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                keystoreFile="$pathToMyKeystoreFile"
>                keyAlias="tomcat"
>                keystorePass="tomcat"
>                clientAuth="false" sslProtocol="TLS" />
> 

Yes, agreed.  Looks fine assuming that "$pathToMyKeystoreFile" points to
the correct keystore file.


What do you see in the output of "keytool -list -v -keystore
$pathToMyKeystoreFile"?  In particular, what is listed for "Alias
name:", "Entry type:" and "Certificate chain length" for each entry?


Dan

Re: Certificate issued by GeoTrust Global CA is not appearing at client browser's side

Posted by rosiere <sh...@gmail.com>.
Hello,

Of course I restarted my Tomcat.

This is the SSL portion of my server.xml and it has nothing wrong.


    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="$pathToMyKeystoreFile"
               keyAlias="tomcat"
               keystorePass="tomcat"
               clientAuth="false" sslProtocol="TLS" />


Daniel Mikusa-2 wrote:
> 
> 
> On Wed, 2011-11-16 at 06:23 -0800, Yi SHU wrote:
> 
>> At last we can access to our Tomcat welcome page through HTTPS, but the 
>> certificate we acquired from GeoTrust Global CA does not appear in my web 
>> browser.   For example if we display the welcome page in Internet 
>> Explorer 8, the address bar will turn red and a message 
>> "certificat error" will appear, showing a certificate delivered by
>> ourselves.
> 
> If I understand this correctly, you are still seeing the self signed
> certificate being used by Tomcat.
> 
> 1.) Have you restarted Tomcat since importing the certificate?
> 
> 2.) Please include your server.xml so that we can see your
> configuration.
> 
> Dan
> 
> 
> 
> 
> 





Re: Certificate issued by GeoTrust Global CA is not appearing at client browser's side

Posted by rosiere <sh...@gmail.com>.
Hello,

In fact I read this command from my certificate provider's installation
guideline.

It gives us these 3 commands:

keytool -import -trustcacerts -alias ROOT -file root.crt -keystore NEWkeystore
keytool -import -trustcacerts -alias INTER -file inter.crt -keystore NEWkeystore
keytool -import -trustcacerts -alias your_alias_name -file sslcert.crt -keystore NEWkeystore


$myServerCert is the certificate that we received from our CA.  

We created no self-signed certificate issued by ourselves, but only a
private key in the beginning.


Tapio Niemi wrote:
> 
> Hi,
> 
> Taking a quick look at this, i believe this is the part that goes wrong
> 
>> keytool -import -trustcacerts -alias $myAlias -file $myServerCert
>> -keystore $myKeyStoreFileName
> 
> It looks to me that you are importing a certificate that is supposed to 
> be your server certificate as if it were a certificate authority 
> certificate. Plus perhaps using a wrong alias, as the alias used needs 
> to be the same which was used for generating the key and csr.
> 
> What in your case would most probably work, is
> 
> keytool -import -alias tomcat -keystore $myKeyStoreFileName -file 
> $myServerCert
> 
> Feel free to translate this to any language of your choosing :)
> 
> Cheers,
> 
> -Tapio
> 
> 
> 
> 





Re: Certificate issued by GeoTrust Global CA is not appearing at client browser's side

Posted by Daniel Mikusa <dm...@vmware.com>.
On Wed, 2011-11-16 at 06:23 -0800, Yi SHU wrote:

> At last we can access to our Tomcat welcome page through HTTPS, but the 
> certificate we acquired from GeoTrust Global CA does not appear in my web 
> browser.   For example if we display the welcome page in Internet 
> Explorer 8, the address bar will turn red and a message 
> "certificat error" will appear, showing a certificate delivered by ourselves.

If I understand this correctly, you are still seeing the self signed
certificate being used by Tomcat.

1.) Have you restarted Tomcat since importing the certificate?

2.) Please include your server.xml so that we can see your
configuration.

Dan




Re: Certificate issued by GeoTrust Global CA is not appearing at client browser's side

Posted by Tapio Niemi <ta...@necora.fi>.
Hi,

Taking a quick look at this, i believe this is the part that goes wrong

> keytool -import -trustcacerts -alias $myAlias -file $myServerCert -keystore $myKeyStoreFileName

It looks to me that you are importing a certificate that is supposed to 
be your server certificate as if it were a certificate authority 
certificate. Plus perhaps using a wrong alias, as the alias used needs 
to be the same which was used for generating the key and csr.

What in your case would most probably work, is

keytool -import -alias tomcat -keystore $myKeyStoreFileName -file $myServerCert

Feel free to translate this to any language of your choosing :)

Cheers,

-Tapio
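
The alias mistake that runs through this whole thread (Tapio's remark above, Mark's six steps, and the keystore listing Dan asked for) reproduced end to end, as an added example that is not code from the thread or from the Tomcat project. It builds a throw-away root and intermediate CA with openssl to stand in for GeoTrust and RapidSSL, imports the signed server certificate first under a fresh alias the way the original post did, then under the key's own alias as Mark describes, and reads back "Certificate chain length" after each. It assumes keytool (a JDK) and openssl are on PATH; every name, DN, alias and password in it is made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the alias mistake with a
# throw-away two-level CA, then apply Mark's steps and read back the fields
# Dan asked about. Needs keytool (JDK) and openssl on PATH; all names, DNs,
# aliases and the password are made up for the demo.
set -eu
export LC_ALL=C LANG=C     # English keytool output (Chris's LANG tip) so the filters below match

have_tools() { command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; }

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
STORE="$WORK/tomcat.jks"; PASS=changeit              # demo password only
SERVER_DN="CN=www.example.test, O=Example, C=FR"     # constructed server identity

# Quiet wrappers: both tools are chatty on stderr; show the command only on failure.
kt()  { keytool "$@" >/dev/null 2>&1 || { echo "keytool failed: $*" >&2; return 1; }; }
osl() { openssl "$@" >/dev/null 2>&1 || { echo "openssl failed: $*" >&2; return 1; }; }

# Root -> intermediate, standing in for "GeoTrust Global CA" -> "RapidSSL CA".
make_toy_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  osl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Root CA/O=Example/C=FR" \
      -keyout "$WORK/root.key" -out "$WORK/root.csr"
  osl x509 -req -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
      -extfile "$WORK/ca.ext" -out "$WORK/root.crt"
  osl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Intermediate CA/O=Example/C=FR" \
      -keyout "$WORK/inter.key" -out "$WORK/inter.csr"
  osl x509 -req -days 2 -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
      -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.crt"
}

# The original post's first two steps: key pair under alias "tomcat", CSR from it,
# and the toy intermediate playing the CA that signs it.
make_key_and_csr() {
  kt -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 2 -dname "$SERVER_DN" \
     -keystore "$STORE" -storepass "$PASS" -keypass "$PASS"
  kt -certreq -alias tomcat -keystore "$STORE" -storepass "$PASS" -keypass "$PASS" \
     -file "$WORK/server.csr"
  osl x509 -req -days 2 -in "$WORK/server.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
      -CAcreateserial -out "$WORK/server.crt"
}

import_ca_chain() {
  kt -importcert -trustcacerts -noprompt -alias root  -file "$WORK/root.crt"  -keystore "$STORE" -storepass "$PASS"
  kt -importcert -trustcacerts -noprompt -alias inter -file "$WORK/inter.crt" -keystore "$STORE" -storepass "$PASS"
}

# The fields Dan asked for, pulled from "keytool -list [-v]" output.
entry_count()  { keytool -list -keystore "$STORE" -storepass "$PASS" 2>/dev/null \
                 | sed -n 's/^Your keystore contains \([0-9][0-9]*\) entr.*/\1/p'; }
chain_length() { keytool -list -v -alias tomcat -keystore "$STORE" -storepass "$PASS" 2>/dev/null \
                 | sed -n 's/^Certificate chain length: //p'; }
key_issuer()   { keytool -list -v -alias tomcat -keystore "$STORE" -storepass "$PASS" 2>/dev/null \
                 | sed -n 's/^Issuer: //p' | head -n 1; }

run_demo() {
  make_toy_ca; make_key_and_csr

  # WRONG (as in the original post): server cert imported under a fresh alias.
  # No key lives under that alias, so keytool files it as a separate
  # trustedCertEntry and the "tomcat" key entry keeps its self-signed placeholder.
  import_ca_chain
  kt -importcert -trustcacerts -noprompt -alias mycert -file "$WORK/server.crt" -keystore "$STORE" -storepass "$PASS"
  WRONG_COUNT=$(entry_count); WRONG_LEN=$(chain_length); WRONG_ISSUER=$(key_issuer)

  # RIGHT (Mark's steps 2-5): delete everything but the private key, re-import
  # root and intermediate, then import the server cert under the KEY's alias.
  # keytool now treats the file as a certificate reply, checks it matches the
  # key, builds the chain from the trusted entries and replaces the placeholder.
  for a in root inter mycert; do kt -delete -alias "$a" -keystore "$STORE" -storepass "$PASS"; done
  import_ca_chain
  kt -importcert -trustcacerts -noprompt -alias tomcat -file "$WORK/server.crt" \
     -keystore "$STORE" -storepass "$PASS" -keypass "$PASS"
  RIGHT_COUNT=$(entry_count); RIGHT_LEN=$(chain_length); RIGHT_ISSUER=$(key_issuer)

  # Chris's point: the leaf validates only when the whole chain is available.
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" "$WORK/server.crt" >/dev/null 2>&1
  then VERIFY=ok; else VERIFY=fail; fi
}

if have_tools; then
  run_demo
  echo "wrong alias: $WRONG_COUNT entries, chain length $WRONG_LEN, issuer: $WRONG_ISSUER"
  echo "key's alias: $RIGHT_COUNT entries, chain length $RIGHT_LEN, issuer: $RIGHT_ISSUER"
  echo "openssl verify with root + intermediate: $VERIFY"
else
  echo "keytool and openssl are required for this demo" >&2
fi
```

Run it as a script. With the wrong alias the store ends up with four entries and the key entry still reports chain length 1 with itself as issuer, which is the listing rosiere posted; after the re-import under the key's alias it holds three entries and the key entry reports chain length 3 with the intermediate as issuer, which is what Tomcat then presents to the browser. The openssl verify call at the end is the httpd-side check Chris alludes to: the leaf validates only with the intermediate supplied alongside the root.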
