Posted to users@tomcat.apache.org by Dave Wood <da...@woodtopia.org> on 2003/09/05 05:11:32 UTC

SSL/Verisign Confusion

I'm having a problem getting an SSL certificate from Verisign working
correctly.  I'm going to include everything I can think of that MIGHT be a
problem.  Unfortunately, there are a couple of things I can't quite remember
for certain.  Here's the situation:

1. I generated the initial key using an alias other than "tomcat" (we'll
call it "company")
2. I generated the CSR and sent it to verisign.  I still have this file.
3. Verisign changed the company name during the verification process (from
an acronym to the full spelling of the name)
4. I now have the certificate that they sent back after the validation
process.
5. One thing I can't account for is why when I see this:

$ keytool -list

Keystore type: jks
Keystore provider: SUN

Your keystore contains 4 entries: (...others removed...)

company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry,
Certificate fingerprint (MD5):
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really
0's)

...I think I must have self-signed or something (I was doing a couple of
these things and don't recall exactly), but I'm surprised to see
"trustedCertEntry" here.

The problem I'm having is this:

$ keytool -import -trustcacerts -alias company -file public.crt
Enter keystore password: xxx
keytool error: java.lang.Exception: Certificate not imported, alias
<company> already exists

(but I'm thinking it should be REPLACING this entry, so the fact that it
exists shouldn't be a problem???)

So, I have several questions:

1. Am I hosed completely because I didn't use "tomcat" as the alias?
2. How does the private key get stored exactly?  I assume that if I delete
the current entry for the "company" alias, I'll be losing the private key,
right?
3. Can someone provide steps I should take to get this working given what I
have said above.

Thanks so much in advance.  Sorry to be so long-winded.

-Dave
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003


RE: SSL/Verisign Confusion

Posted by Dave Wood <da...@woodtopia.org>.
OK, good...glad I'm not as confused as I thought. :)

Problem is...I don't see any way to extract a private key using keytool.
Perhaps I just need to look at openssl...I haven't used this tool yet.

Thanks, -dave

-----Original Message-----
From: news [mailto:news@sea.gmane.org]On Behalf Of Bill Barker
Sent: Friday, September 05, 2003 12:18 AM
To: tomcat-user@jakarta.apache.org
Subject: Re: SSL/Verisign Confusion



"Dave Wood" <da...@woodtopia.org> wrote in message
news:EBEBKKMEAECJFOHFOLHLIELNCIAA.dave@woodtopia.org...
> Thanks Bill.  I think this highlights something I'm really not
> understanding...
>
> Didn't I generate an important "private key" somewhere along the line that
I
> can't just regenerate if I blow away my keystore?  I assumed the
certificate
> I got back from verisign would only work if I still had the original
private
> key I generated before sending them my request.  Is that wrong?
>

Of course you need your original private key.  A lapse on my part, since I
always use openssl to generate the CSR for VS :(.  If you used keytool to
generate the PK, then you'll have to extract it first.

> (I'll take a look at the link you sent...at first glance, it looks a
little
> hard to follow, but hopefully not).
>
> Thanks again.
>
> Dave
>
> -----Original Message-----
> From: news [mailto:news@sea.gmane.org]On Behalf Of Bill Barker
> Sent: Thursday, September 04, 2003 11:06 PM
> To: tomcat-user@jakarta.apache.org
> Subject: Re: SSL/Verisign Confusion
>
>
> Firstly, it looks like you should wipe your keystore and start again.  To
use
> a VS cert with Tomcat, the two options I know are:
> 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm.
> 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and
> use that as your keystore (remember to set 'keystoreType="pkcs12"' on the
> Factory in server.xml).




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org



Re: SSL/Verisign Confusion

Posted by Bill Barker <wb...@wilshire.com>.
"Dave Wood" <da...@woodtopia.org> wrote in message
news:EBEBKKMEAECJFOHFOLHLIELNCIAA.dave@woodtopia.org...
> Thanks Bill.  I think this highlights something I'm really not
> understanding...
>
> Didn't I generate an important "private key" somewhere along the line that
I
> can't just regenerate if I blow away my keystore?  I assumed the
certificate
> I got back from verisign would only work if I still had the original
private
> key I generated before sending them my request.  Is that wrong?
>

Of course you need your original private key.  A lapse on my part, since I
always use openssl to generate the CSR for VS :(.  If you used keytool to
generate the PK, then you'll have to extract it first.





Using OpenSSL to set up your own CA

Posted by Christopher Williams <cc...@ntlworld.com>.
Tons of people seem to have wondered whether they can use OpenSSL to set up
their own CA and server certificates.  The answer is most certainly yes, and
for people who've never encountered it before, I'll tell you how.

SETTING UP YOUR CA
-----------------------------------

Step 1.  Go to www.openssl.org and download the source code.  Even Windows
users need to build it, so you'll need access to a C compiler.  You may be
able to get hold of prebuilt binaries on the web and you can certainly get
hold of the GNU C compiler or you can use Borland and Microsoft compilers.
There are good build instructions included with the source distribution, so
I won't go into build details.

Step 2.  Create directories to hold your CA keys, your server keys and, if
you want to use SSL client authentication, your client keys.  For the sake
of argument let's assume that these directories are called "ssl/ca",
"ssl/server" and "ssl/client".

Step 3.  Create a private key and certificate request for your own CA:
openssl req -new -newkey rsa:1024 -nodes -out ssl/ca/ca.csr -keyout
ssl/ca/ca.key

Step 4.  Create your CA's self-signed certificate (note: this lasts one year -
increase the days setting to whatever you want):
openssl x509 -trustout -signkey ssl/ca/ca.key -days 365 -req -in
ssl/ca/ca.csr -out ssl/ca/ca.pem
WINDOWS USERS: If you copy the ca.pem file to ca.crt and edit the file so
that the strings "TRUSTED CERTIFICATE" read "CERTIFICATE", you can import
your CA certificate into your trusted root certificates store.

Step 5.  Import the CA certificate into the JDK certificate authorities
keystore:
keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file
ssl/ca/ca.pem -alias my_ca

Windows users need to replace $JAVA_HOME with %JAVA_HOME%.

Step 6.  Create a file to hold your CA's serial numbers.  This file starts
with the number "2":
echo "02" > ssl/ca/ca.srl

SETTING UP YOUR WEB SERVER
----------------------------------------------------

Step 7.  Create a keystore for your web server.
keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -keystore
ssl/server/server.ks -storetype JKS

Step 8.  Create a certificate request for your web server.
keytool -certreq -keyalg RSA -alias tomcat -file
ssl/server/server.csr -keystore ssl/server/server.ks
You need to edit the certificate request file slightly.  Open it up in a
text editor and amend the text which reads "NEW CERTIFICATE REQUEST" to
"CERTIFICATE REQUEST".

Step 9.  Have your CA sign your certificate request:
openssl x509 -CA ssl/ca/ca.pem -CAkey ssl/ca/ca.key -CAserial
ssl/ca/ca.srl -req -in ssl/server/server.csr -out
ssl/server/server.crt -days 365

Step 10.  Import your signed server certificate into your server keystore:
keytool -import -alias tomcat -keystore
ssl/server/server.ks -trustcacerts -file ssl/server/server.crt
You should see a message "Certificate reply was installed in keystore".

Step 11.  Import your CA certificate into your server keystore:
keytool -import -alias my_ca -keystore
ssl/server/server.ks -trustcacerts -file ssl/ca/ca.pem
This step is only necessary if you wish to use SSL client authentication
with Tomcat.

Step 12. Set up an SSL connector for Tomcat.  I assume that you know, or can
find out, how to do this.  Open up conf/server.xml in a text editor and
search for the text "keystoreFile".  Ensure that the attribute value is the
keystore you've created above.

SETTING UP AN SSL CLIENT
-------------------------------------------

Step 13.  Create a client certificate request:
openssl req -new -newkey rsa:512 -nodes -out ssl/client/client1.req -keyout
ssl/client/client1.key
The common name of the client must match a user in Tomcat's user realm (e.g.
an entry in conf/tomcat-users.xml).

Step 14.  Have your CA sign your client certificate.
openssl x509 -CA ssl/ca/ca.pem -CAkey ssl/ca/ca.key -CAserial
ssl/ca/ca.srl -req -in ssl/client/client1.req -out
ssl/client/client1.pem -days 365

Step 15.  Generate a PKCS12 file containing your server key and server
certificate.
openssl pkcs12 -export -clcerts -in ssl/client/client1.pem -inkey
ssl/client/client1.key -out ssl/client/client1.p12 -name
"my_client_certificate"

Step 16.  Import the PKCS12 file into your web browser to use as your client
certificate and key.

Repeat steps 13-16 as often as required.

Step 17.  Enable client certificate authentication in Tomcat.  Open up
conf/server.xml and search for the text "clientAuth".  Set the value of the
attribute to "true".

I apologize in advance for any typing errors.  Hopefully, it's all correct
and you should all be able to get up to speed with OpenSSL.
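The CA and server half of the how-to above, carried through with openssl alone and then checked, as an added example that is not part of Christopher's post. It also produces the PKCS#12 keystore Bill mentioned as his second option earlier in the thread. The CA name "Example CA", the hostname www.example.com and the export password "changeit" are assumptions made for the example; the three check functions are the ones that answer Dave's questions (is this certificate for my private key, does it chain to the CA, and does the store actually hold a key).

```shell
#!/bin/sh
# Added example, not code from the how-to above: private CA, CA-signed server
# certificate and a PKCS#12 keystore, done with openssl alone, plus the checks
# that answer the questions asked earlier in this thread. Assumed names:
# CA "Example CA", host www.example.com, export password "changeit".
set -e

# Build ca/ and server/ under directory $1.
build_pki() {
    dir="$1"
    mkdir -p "$dir/ca" "$dir/server"

    # CA key and self-signed CA certificate in one step (how-to steps 3-4).
    # -nodes leaves the key unencrypted: guard the directory with permissions.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example CA" \
        -keyout "$dir/ca/ca.key" -out "$dir/ca/ca.pem" 2>/dev/null

    # Server key and CSR (steps 7-8, with openssl instead of keytool). Only the
    # CSR is sent to the CA; it carries the public key and subject, never the
    # private key, which is why the key must survive until the cert comes back.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.com" \
        -keyout "$dir/server/server.key" -out "$dir/server/server.csr" 2>/dev/null

    # CA signs the request (step 9). -CAcreateserial manages ca.srl, so the
    # hand-seeded serial file of step 6 is not needed.
    openssl x509 -req -in "$dir/server/server.csr" \
        -CA "$dir/ca/ca.pem" -CAkey "$dir/ca/ca.key" -CAcreateserial \
        -days 365 -out "$dir/server/server.crt" 2>/dev/null

    # Key + cert + CA chain as one PKCS#12 under alias "tomcat" (Bill's option
    # 2 earlier in the thread): point keystoreFile at it and set
    # keystoreType="pkcs12" in server.xml.
    openssl pkcs12 -export -name tomcat \
        -in "$dir/server/server.crt" -inkey "$dir/server/server.key" \
        -certfile "$dir/ca/ca.pem" -passout pass:changeit \
        -out "$dir/server/server.p12" 2>/dev/null
}

# Check 1: the certificate must carry the public half of this private key.
# A CA certifies the key that was in the CSR; regenerate the keystore in
# between and the returned certificate is useless, whatever its alias.
key_matches_cert() {   # $1 private key PEM, $2 certificate PEM
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Check 2: the certificate must chain to the CA that clients will trust.
cert_chains_to_ca() {  # $1 CA certificate PEM, $2 certificate PEM
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 3: the PKCS#12 opens with the password and holds a private key, not
# only certificates (keytool's keyEntry versus trustedCertEntry distinction).
p12_has_key() {        # $1 PKCS#12 file
    openssl pkcs12 -in "$1" -passin pass:changeit -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Stand-alone use: sh make-pki.sh demo /tmp/pki
if [ "${1:-}" = "demo" ]; then
    out="${2:-./pki}"
    build_pki "$out"
    key_matches_cert "$out/server/server.key" "$out/server/server.crt" && echo "key matches certificate"
    cert_chains_to_ca "$out/ca/ca.pem" "$out/server/server.crt" && echo "certificate chains to CA"
    p12_has_key "$out/server/server.p12" && echo "PKCS#12 contains the private key"
fi
```

Run check 1 before importing anything: it is the one test that tells you whether a certificate that came back from a CA still belongs to the key in your keystore, and it is cheap compared with discovering the mismatch from a browser error.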



Re: SSL/Verisign Confusion

Posted by Bill Barker <wb...@wilshire.com>.
"Dave Wood" <da...@woodtopia.org> wrote in message
news:EBEBKKMEAECJFOHFOLHLEEOPCIAA.dave@woodtopia.org...
> I believe a Verisign certificate alone is $600 for a year.  You can get
> certificates much cheaper, but there are issues with some older browsers
not
> recognizing the CA (so your users would get a message stating that the
> certificate may not be legit).
>
> openssl is not an alternative to VeriSign.  openssl is software, Verisign
is
> a company that provides certificates (though apparently, you can use
openssl
> to create certificates yourself if you don't care at all about them being
> legit (for an intranet, for example?)).  There are (much) cheaper
> alternatives to VeriSign.  Check out freessl.com, for example (not free,
but
> $35.00 isn't bad).

Agreed.  VeriSign can charge what they do because all browsers (including at
least Sun's implementation of JSSE) ship with VeriSign's CA cert as trusted.
I just use my openssl CA for development boxes or small departmental servers
(where I can tell everyone that will ever use it how to trust my CA cert).

>
> Also, see http://www.whichssl.org for more good info on the subject.
>
> -dave
>
> -----Original Message-----
> From: Adam Hardy [mailto:ahardy.struts@cyberspaceroad.com]
> Sent: Sunday, September 07, 2003 3:43 AM
> To: Tomcat Users List
> Subject: Re: SSL/Verisign Confusion
>
>
> Hi Dave,
> how much does it cost at Verisign, and how long is it valid for? And is
> this 'openssl' you mentioned a free alternative?
>
> Adam
>
> On 09/06/2003 03:21 PM Dave Wood wrote:
> > FINALLY!
> >
> > I still don't know what I did wrong in the first place, but after
starting
> > over with VeriSign, all is well now.  I thought I'd share the (simple!)
> > steps I took to get SSL running using keytool/tomcat in case anyone else
> > might find this useful:
> >
> > # keytool -genkey -alias tomcat -keyalg RSA
> > [enter a password and all necessary information, then just <enter> at
next
> > password prompt]
> > # cp ~/.keystore ~/.keystore-backup
> > # keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
> > [enter same password]
> > [give contents of certreq.csr to VeriSign and wait for response...]
> > [NOTE: when asked to select my server software, I chose "apache" since
> they
> > didn't have Tomcat in their list...I don't know if this matters, but it
> > worked]
> > # keytool -import -trustcacerts -file intermediate.crt -alias root
> > [enter same password]
> > [NOTE: intermediate.crt is the file found here:
> > http://www.verisign.com/support/install/intermediate.html]
> > # keytool -import -trustcacerts -file public.crt -alias tomcat
> > [enter same password]
> > [where public.crt is the certificate sent from VeriSign after they
> complete
> > their approval process]
> > [finally, edit ...tomcat/conf/server.xml and enable the SSL connector
> > section, adding keystorePass="[password]"
> > as an attribute to the Factory tag]
> >
> > Hope this helps.
> >
> > Thanks to all who provided suggestions along the way.
> >
> > Dave
> >
> > -----Original Message-----
> > From: Dave Wood [mailto:dave@woodtopia.org]
> > Sent: Friday, September 05, 2003 11:40 AM
> > To: Tomcat Users List
> > Subject: RE: SSL/Verisign Confusion
> >
> >
> > Well, after all this, I just discovered that VeriSign will basically let
> you
> > start over if it's within 30 days (which it is).  So, for now, I'm going
> > down this path.  Just talked to someone at V/S who said it would take
just
> a
> > couple hours.
> >
> > Oh, and I made a BACKUP of my new keystore file this time that now
> contains
> > a single "keyEntry" with the alias "tomcat".  I try to avoid being
stupid
> in
> > the same way more than once! :)
> >
> > As for the programmatic approach, FWIW, I started down that path as
well,
> > but somehow I had no private key entry in the keystore (best I can
tell).
> > Still not sure how I got in that messed up state.
> >
> > Thanks,
> > Dave
> >
> > -----Original Message-----
> > From: Christopher Williams [mailto:ccwilliams3@ntlworld.com]
> > Sent: Friday, September 05, 2003 9:43 AM
> > To: Tomcat Users List
> > Subject: Re: SSL/Verisign Confusion
> >
> >
> > Have you thought of manipulating the keystore programmatically?  Here's
> what
> > you'd do:
> >
> > 1. Open your existing keystore
> > 2. Find the entry with your private key and (presumably) a temporary
> > self-signed certificate.
> > 3. Open the certificate you got from Verisign.
> > 4. Change the certificate in your key entry to your Verisign
certificate.
> > 5. Save and close the keystore.
> >
> > OpenSSL doesn't understand most of the Java keystore formats, although
it
> > can manipulate PKCS#12 files which Keytool can handle.  If you download
> the
> > BouncyCastle crypto provider, then you can use keytool to write PKCS#12
> > files as well.
> >
> > Also, if the person who originally posted the question doesn't feel up
to
> > monkeying around with the Keystore classes, I have some code that I can
> > adapt to stick your Verisign certificate in your keystore.  Get in touch
> > with me personally and I'll see what I can do.
> >
> > ----- Original Message -----
> > From: "Jay Garala" <ja...@electrosoft-inc.com>
> > To: "'Tomcat Users List'" <to...@jakarta.apache.org>
> > Sent: Friday, September 05, 2003 3:36 PM
> > Subject: RE: SSL/Verisign Confusion
> >
> >
> > NOTE: You cannot export private key from keystore.
> >
> > -----Original Message-----
> > From: Dave Wood [mailto:dave@woodtopia.org]
> > Sent: Friday, September 05, 2003 10:32 AM
> > To: Tomcat Users List
> > Subject: RE: SSL/Verisign Confusion
> >
> > Thanks.  With the exception of the openssl doc, I've been over these
quite
> a
> > bit.  The result is the problem I've mentioned where keytool says it
can't
> > import my certificate because the alias already exists.
> >
> > After some help I got last night, I think the question boils down to
this:
> >
> > * once I have extracted my private key from keytool (haven't done this
> yet),
> > how do I take that key, the VeriSign intermediate certificate and my
> public
> > key certificate and get them to play together.  I'm hoping the openssl
> stuff
> > will take care of this, because keytool doesn't really seem to recognize
> > private keys as things that you can work with directly.
> >
> > Thanks again,
> > Dave
> >
> > -----Original Message-----
> > From: Jay Garala [mailto:jay@electrosoft-inc.com]
> > Sent: Friday, September 05, 2003 7:12 AM
> > To: 'Tomcat Users List'
> > Subject: RE: SSL/Verisign Confusion
> >
> >
> > Try the Java keytool help:
> >  http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
> >
> > Tomcat how-to:
> >  http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html
> >
> > If you have OpenSSL:
> >  http://forum.java.sun.com/thread.jsp?forum=2&thread=4240
> >
> > Jay
>
> --
> struts 1.1 + tomcat 4.1.27 + java 1.4.2
> Linux 2.4.20 RH9
>
>
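Dave's keytool recipe, quoted in the post above, run end to end as an added example that is not his own command transcript. A private openssl CA stands in for VeriSign so the script runs offline; the alias "tomcat", the CA name "Example CA", the host www.example.com, the password "changeit" and a JDK whose keytool has -importkeystore (Java 6 and later) are assumptions. It shows the entry-type distinction that caused the confusion at the top of the thread, reproduces the "alias already exists" refusal Dave hit, and does the export Jay said keytool could not do, by converting the JKS entry to PKCS#12 and reading the key with openssl.

```shell
#!/bin/sh
# Added example, not Dave's own commands: his keytool steps against a private
# openssl CA, with checks. Assumed: alias "tomcat", CA "Example CA",
# host www.example.com, password "changeit", keytool with -importkeystore.
set -e
PW=changeit

# What sits behind an alias? PrivateKeyEntry (older JDKs print keyEntry) holds
# a private key; trustedCertEntry is a bare certificate with no key at all.
entry_type() {   # $1 keystore, $2 alias
    keytool -list -keystore "$1" -storepass "$PW" -alias "$2" 2>/dev/null \
        | grep -oE 'PrivateKeyEntry|keyEntry|trustedCertEntry' | head -n 1
}

build_keystore() {  # $1 working directory
    dir="$1"; ks="$dir/server.jks"
    mkdir -p "$dir"

    # Stand-in for VeriSign: a self-signed CA built with openssl.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null

    # Dave's step 1: key pair under alias "tomcat". The alias name is free, but
    # the certificate reply must later go in under the SAME alias so keytool
    # pairs it with this private key.
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=www.example.com, O=Example" \
        -keystore "$ks" -storetype JKS -storepass "$PW" -keypass "$PW" 2>/dev/null

    # Step 2: CSR from that key. Old openssl wanted the PEM header to read
    # "CERTIFICATE REQUEST" (step 8 of Christopher's how-to); current releases
    # accept "NEW CERTIFICATE REQUEST" too, and the edit is harmless.
    keytool -certreq -alias tomcat -keystore "$ks" -storepass "$PW" \
        -file "$dir/server.csr" 2>/dev/null
    sed 's/NEW CERTIFICATE REQUEST/CERTIFICATE REQUEST/' "$dir/server.csr" \
        > "$dir/server.csr.tmp" && mv "$dir/server.csr.tmp" "$dir/server.csr"

    # The CA signs it (what VeriSign does after validation).
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/server.crt" 2>/dev/null

    # Step 3: the CA (or intermediate) certificate goes in first, under its own
    # alias, as a trustedCertEntry; without it the reply import fails with
    # "Failed to establish chain from reply".
    keytool -importcert -trustcacerts -noprompt -alias root \
        -file "$dir/ca.pem" -keystore "$ks" -storepass "$PW" 2>/dev/null

    # Step 4: the signed reply goes in under the KEY alias. Because "tomcat" is
    # a PrivateKeyEntry, keytool treats the file as a certificate reply, checks
    # it against "root" and replaces the self-signed placeholder certificate.
    keytool -importcert -trustcacerts -noprompt -alias tomcat \
        -file "$dir/server.crt" -keystore "$ks" -storepass "$PW" 2>/dev/null
}

# Dave's error reproduced: importing a certificate under an alias that already
# holds a trustedCertEntry is refused ("alias <root> already exists"); keytool
# only replaces the certificate of a PrivateKeyEntry. Returns 0 when refused.
import_over_trusted_is_refused() {  # $1 keystore, $2 certificate file
    ! keytool -importcert -noprompt -alias root -file "$2" \
        -keystore "$1" -storepass "$PW" >/dev/null 2>&1
}

# Getting the private key out: convert the entry to PKCS#12, which openssl can
# read. OpenSSL 3 needs -legacy for the RC2/3DES encryption older JDKs write.
export_key_pem() {  # $1 JKS keystore, $2 output private key PEM
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype JKS -srcstorepass "$PW" -srcalias tomcat \
        -destkeystore "$1.p12" -deststoretype PKCS12 \
        -deststorepass "$PW" -destkeypass "$PW" >/dev/null 2>&1
    { openssl pkcs12 -in "$1.p12" -passin "pass:$PW" -nocerts -nodes 2>/dev/null \
      || openssl pkcs12 -legacy -in "$1.p12" -passin "pass:$PW" -nocerts -nodes 2>/dev/null; } \
        | openssl pkey -out "$2" 2>/dev/null
}

# Does the exported key match the certificate keytool installed?
key_matches_cert() {   # $1 private key PEM, $2 certificate PEM
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# Stand-alone use: sh keytool-flow.sh demo /tmp/ks
if [ "${1:-}" = "demo" ]; then
    out="${2:-./ks-demo}"; ks="$out/server.jks"
    build_keystore "$out"
    echo "tomcat is a $(entry_type "$ks" tomcat); root is a $(entry_type "$ks" root)"
    import_over_trusted_is_refused "$ks" "$out/server.crt" && echo "import over a trustedCertEntry is refused"
    export_key_pem "$ks" "$out/server.key"
    key_matches_cert "$out/server.key" "$out/server.crt" && echo "exported key matches the installed certificate"
fi
```

Before deleting an alias to clear the "already exists" error, run entry_type on it: deleting a trustedCertEntry loses nothing you cannot re-import, while deleting the PrivateKeyEntry loses the key the CA certified.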




Re: SSL/Verisign Confusion

Posted by Christopher Williams <cc...@ntlworld.com>.
www.openssl.org is the website for OpenSSL.  It's an open source
implementation of SSL / TLS together with a tremendous amount of other stuff
(such as X.509, S/MIME, every cryptographic algorithm you ever heard of).
You can also use it to set up your own CA - it's not the easiest software to
use as it takes a terrific number of command line switches, but it's
probably more convenient than having to wait on Verisign and renew your
certificates every couple of weeks.

----- Original Message ----- 
From: "Adam Hardy" <ah...@cyberspaceroad.com>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Sunday, September 07, 2003 10:43 AM
Subject: Re: SSL/Verisign Confusion


> Hi Dave,
> how much does it cost at Verisign, and how long is it valid for? And is
> this 'openssl' you mentioned a free alternative?
>
> Adam
>



RE: SSL/Verisign Confusion

Posted by Dave Wood <da...@woodtopia.org>.
I believe a Verisign certificate alone is $600 for a year.  You can get
certificates much cheaper, but there are issues with some older browsers not
recognizing the CA (so your users would get a message stating that the
certificate may not be legit).

openssl is not an alternative to VeriSign.  openssl is software, Verisign is
a company that provides certificates (though apparently, you can use openssl
to create certificates yourself if you don't care at all about them being
legit (for an intranet, for example?)).  There are (much) cheaper
alternatives to VeriSign.  Check out freessl.com, for example (not free, but
$35.00 isn't bad).

Also, see http://www.whichssl.org for more good info on the subject.

-dave

-----Original Message-----
From: Adam Hardy [mailto:ahardy.struts@cyberspaceroad.com]
Sent: Sunday, September 07, 2003 3:43 AM
To: Tomcat Users List
Subject: Re: SSL/Verisign Confusion


Hi Dave,
how much does it cost at Verisign, and how long is it valid for? And is
this 'openssl' you mentioned a free alternative?

Adam


--
struts 1.1 + tomcat 4.1.27 + java 1.4.2
Linux 2.4.20 RH9
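The programmatic approach Christopher Williams outlines (open the keystore, find the key entry, swap in the Verisign certificate, save) and Dave's keytool steps both turn on one fact this thread circles around: a certificate reply can only be installed on a keyEntry that still holds the private key the CSR was generated from, never on a trustedCertEntry. The following is an added example, not code from the thread, from Tomcat or from keytool; it assumes the key password equals the keystore password (as when <enter> is pressed at keytool's second password prompt) and uses placeholder file and alias names.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;

/**
 * Installs a CA-issued certificate and its intermediate on the private-key entry
 * of a JKS keystore (what "keytool -import" does with a certificate reply), with
 * the checks keytool performs silently made explicit. File and alias names are
 * placeholders; the keystore password is assumed to also be the key password.
 */
public class InstallCertReply {

    /** Loads a JKS keystore from disk. */
    static KeyStore load(String path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Parses one PEM- or DER-encoded X.509 certificate from a file. */
    static X509Certificate readCert(String path)
            throws GeneralSecurityException, IOException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (FileInputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Says what kind of entry an alias holds. A trustedCertEntry has no private
     * key, so no certificate reply can ever be installed on it; that is the state
     * behind "Certificate not imported, alias <company> already exists".
     */
    static String describe(KeyStore ks, String alias) throws GeneralSecurityException {
        if (!ks.containsAlias(alias)) return "absent";
        if (ks.isKeyEntry(alias)) return "keyEntry (private key + certificate chain)";
        if (ks.isCertificateEntry(alias)) return "trustedCertEntry (certificate only, no private key)";
        return "unknown entry type";
    }

    /** Steps 1-5 of the programmatic approach: replace the chain on the key entry. */
    static void installReply(KeyStore ks, String alias, char[] keyPassword,
                             X509Certificate issued, X509Certificate intermediate)
            throws GeneralSecurityException {
        if (!ks.isKeyEntry(alias)) {
            throw new GeneralSecurityException("alias '" + alias + "' is "
                + describe(ks, alias) + "; a reply can only go on a private-key entry");
        }
        Key key = ks.getKey(alias, keyPassword);
        if (!(key instanceof PrivateKey)) {
            throw new GeneralSecurityException("no private key under alias '" + alias + "'");
        }
        // -genkey stored a temporary self-signed certificate whose public key is the
        // one the CSR carried, so the CA-issued certificate must contain the same key.
        Certificate[] current = ks.getCertificateChain(alias);
        byte[] storedPublicKey = current[0].getPublicKey().getEncoded();
        if (!Arrays.equals(storedPublicKey, issued.getPublicKey().getEncoded())) {
            throw new GeneralSecurityException(
                "issued certificate does not match the private key in this keystore");
        }
        // Confirm the intermediate signed the leaf before chaining them, and refuse a
        // certificate that is expired or not yet valid instead of installing it blindly.
        issued.verify(intermediate.getPublicKey());
        issued.checkValidity();
        ks.setKeyEntry(alias, key, keyPassword, new Certificate[] { issued, intermediate });
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4 || System.console() == null) {
            System.err.println("usage: java InstallCertReply <keystore> <alias> <public.crt> <intermediate.crt>");
            System.exit(2);
        }
        char[] password = System.console().readPassword("Keystore password: ");
        KeyStore ks = load(args[0], password);
        // Same information as "keytool -list": which aliases actually hold a private key.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            System.out.println(a + ": " + describe(ks, a));
        }
        installReply(ks, args[1], password, readCert(args[2]), readCert(args[3]));
        try (FileOutputStream out = new FileOutputStream(args[0])) {
            ks.store(out, password); // step 5: save over the original; keep the backup copy
        }
        Arrays.fill(password, '\0');
    }
}
```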




Re: SSL/Verisign Confusion

Posted by Adam Hardy <ah...@cyberspaceroad.com>.
Hi Dave,
how much does it cost at Verisign, and how long is it valid for? And is 
this 'openssl' you mentioned a free alternative?

Adam

On 09/06/2003 03:21 PM Dave Wood wrote:
> FINALLY!
> 
> I still don't know what I did wrong in the first place, but after starting
> over with VeriSign, all is well now.  I thought I'd share the (simple!)
> steps I took to get SSL running using keytool/tomcat in case anyone else
> might find this useful:
> 
> # keytool -genkey -alias tomcat -keyalg RSA
> [enter a password and all necessary information, then just <enter> at next
> password prompt]
> # cp ~/.keystore ~/.keystore-backup
> # keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
> [enter same password]
> [give contents of certreq.csr to VeriSign and wait for response...]
> [NOTE: when asked to select my server software, I chose "apache" since they
> didn't have Tomcat in their list...I don't know if this matters, but it
> worked]
> # keytool -import -trustcacerts -file intermediate.crt -alias root
> [enter same password]
> [NOTE: intermediate.crt is the file found here:
> http://www.verisign.com/support/install/intermediate.html]
> # keytool -import -trustcacerts -file public.crt -alias tomcat
> [enter same password]
> [where public.crt is the certificate sent from VeriSign after they complete
> their approval process]
> [finally, edit ...tomcat/conf/server.xml and enable the SSL connector
> section, adding keystorePass="[password]"
> as an attribute to the Factory tag]
> 
> Hope this helps.
> 
> Thanks to all who provided suggestions along the way.
> 
> Dave
> 
> -----Original Message-----
> From: Dave Wood [mailto:dave@woodtopia.org]
> Sent: Friday, September 05, 2003 11:40 AM
> To: Tomcat Users List
> Subject: RE: SSL/Verisign Confusion
> 
> 
> Well, after all this, I just discovered that VeriSign will basically let you
> start over if it's within 30 days (which it is).  So, for now, I'm going
> down this path.  Just talked to someone at V/S who said it would take just a
> couple hours.
> 
> Oh, and I made a BACKUP of my new keystore file this time that now contains
> a single "keyEntry" with the alias "tomcat".  I try to avoid being stupid in
> the same way more than once! :)
> 
> As for the programmatic approach, FWIW, I started down that path as well,
> but somehow I had no private key entry in the keystore (best I can tell).
> Still not sure how I got in that messed up state.
> 
> Thanks,
> Dave
> 
> -----Original Message-----
> From: Christopher Williams [mailto:ccwilliams3@ntlworld.com]
> Sent: Friday, September 05, 2003 9:43 AM
> To: Tomcat Users List
> Subject: Re: SSL/Verisign Confusion
> 
> 
> Have you thought of manipulating the keystore programmatically?  Here's what
> you'd do:
> 
> 1. Open your existing keystore
> 2. Find the entry with your private key and (presumably) a temporary
> self-signed certificate.
> 3. Open the certificate you got from Verisign.
> 4. Change the certificate in your key entry to your Verisign certificate.
> 5. Save and close the keystore.
> 
> OpenSSL doesn't understand most of the Java keystore formats, although it
> can manipulate PKCS#12 files which Keytool can handle.  If you download the
> BouncyCastle crypto provider, then you can use keytool to write PKCS#12
> files as well.
> 
> Also, if the person who originally posted the question doesn't feel up to
> monkeying around with the Keystore classes, I have some code that I can
> adapt to stick your Verisign certificate in your keystore.  Get in touch
> with me personally and I'll see what I can do.
> 
> ----- Original Message -----
> From: "Jay Garala" <ja...@electrosoft-inc.com>
> To: "'Tomcat Users List'" <to...@jakarta.apache.org>
> Sent: Friday, September 05, 2003 3:36 PM
> Subject: RE: SSL/Verisign Confusion
> 
> 
> NOTE: You cannot export a private key from a keystore.
> 
> -----Original Message-----
> From: Dave Wood [mailto:dave@woodtopia.org]
> Sent: Friday, September 05, 2003 10:32 AM
> To: Tomcat Users List
> Subject: RE: SSL/Verisign Confusion
> 
> Thanks.  With the exception of the openssl doc, I've been over these quite a
> bit.  The result is the problem I've mentioned where keytool says it can't
> import my certificate because the alias already exists.
> 
> After some help I got last night, I think the question boils down to this:
> 
> * once I have extracted my private key from keytool (haven't done this yet),
> how do I take that key, the VeriSign intermediate certificate and my public
> key certificate and get them to play together.  I'm hoping the openssl stuff
> will take care of this, because keytool doesn't really seem to recognize
> private keys as things that you can work with directly.
> 
> Thanks again,
> Dave
> 
> -----Original Message-----
> From: Jay Garala [mailto:jay@electrosoft-inc.com]
> Sent: Friday, September 05, 2003 7:12 AM
> To: 'Tomcat Users List'
> Subject: RE: SSL/Verisign Confusion
> 
> 
> Try the Java keytool help:
>  http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
> 
> Tomcat how-to:
>  http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html
> 
> If you have OpenSSL:
>  http://forum.java.sun.com/thread.jsp?forum=2&thread=4240
> 
> Jay
> -----Original Message-----
> From: Dave Wood [mailto:dave@woodtopia.org]
> Sent: Friday, September 05, 2003 1:04 AM
> To: Tomcat Users List
> Subject: RE: SSL/Verisign Confusion
> 
> Thanks Bill.  I think this highlights something I'm really not
> understanding...
> 
> Didn't I generate an important "private key" somewhere along the line that I
> can't just regenerate if I blow away my keystore?  I assumed the certificate
> I got back from verisign would only work if I still had the original private
> key I generated before sending them my request.  Is that wrong?
> 
> (I'll take a look at the link you sent...at first glance, it looks a little
> hard to follow, but hopefully not).
> 
> Thanks again.
> 
> Dave
> 
> -----Original Message-----
> From: news [mailto:news@sea.gmane.org]On Behalf Of Bill Barker
> Sent: Thursday, September 04, 2003 11:06 PM
> To: tomcat-user@jakarta.apache.org
> Subject: Re: SSL/Verisign Confusion
> 
> 
> Firstly, it looks like you should wipe you keystore and start again.  To use
> a VS cert with Tomcat, the two options I know are:
> 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm.
> 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and
> use that as your keystore (remember to set 'keystoreType="pkcs12"' on the
> Factory in server.xml).
> 
> 
> "Dave Wood" <da...@woodtopia.org> wrote in message
> news:EBEBKKMEAECJFOHFOLHLIELKCIAA.dave@woodtopia.org...
> 
>>I'm having a problem getting an SSL certificate from Verisign working
>>correctly.  I'm going to include everything I can think of that MIGHT be a
>>problem.  Unfortunately, there are a couple things I can't quite remember
>>for certain.  Here's the situation:
>>
>>1. I generated the initial key using an alias other than "tomcat" (we'll
>>call it "company")
>>2. I generated the CSR and sent it to verisign.  I still have this file.
>>3. Verisign changed the company name during the verification process (from
>>an acronym to the full spelling of the name)
>>4. I now have the certificate that they sent back after the validation
>>process.
>>5. One thing I can't account for is why when I see this:
>>
>>$ keytool -list
>>
>>Keystore type: jks
>>Keystore provider: SUN
>>
>>Your keystore contains 4 entries: (...others removed...)
>>
>>company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry,
>>Certificate fingerprint (MD5):
>>00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really
>>0's)
>>
>>...I think I must have self-signed or something (I was doing a couple of
>>these things and don't recall exactly), but I'm surprised to see
>>"trustedCertEntry" here.
>>
>>The problem I'm having is this:
>>
>>$ keytool -import -trustcacerts -alias company -file public.crt
>>Enter keystore password: xxx
>>keytool error: java.lang.Exception: Certificate not imported, alias
>><company> already exists
>>
>>(but I'm thinking it should be REPLACING this entry, so the fact that it
>>exists shouldn't be a problem???)
>>
>>So, I have several questions:
>>
>>1. Am I hosed completely because I didn't use "tomcat" as the alias?
>>2. How does the private key get stored exactly?  I assume that if I delete
>>the current entry for the "company" alias, I'll be losing the private key,
>>right?
>>3. Can someone provide steps I should take to get this working given what I
>>have said above.
>>
>>Thanks so much in advance.  Sorry to be so long-winded.
>>
>>-Dave
>>---
>>Outgoing mail is certified Virus Free.
>>Checked by AVG anti-virus system (http://www.grisoft.com).
>>Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003
> 
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003

-- 
struts 1.1 + tomcat 4.1.27 + java 1.4.2
Linux 2.4.20 RH9


RE: SSL/Verisign Confusion

Posted by Dave Wood <da...@woodtopia.org>.
FINALLY!

I still don't know what I did wrong in the first place, but after starting
over with VeriSign, all is well now.  I thought I'd share the (simple!)
steps I took to get SSL running using keytool/tomcat in case anyone else
might find this useful:

# keytool -genkey -alias tomcat -keyalg RSA
[enter a password and all necessary information, then just <enter> at next
password prompt]
# cp ~/.keystore ~/.keystore-backup
# keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
[enter same password]
[give contents of certreq.csr to VeriSign and wait for response...]
[NOTE: when asked to select my server software, I chose "apache" since they
didn't have Tomcat in their list...I don't know if this matters, but it
worked]
# keytool -import -trustcacerts -file intermediate.crt -alias root
[enter same password]
[NOTE: intermediate.crt is the file found here:
http://www.verisign.com/support/install/intermediate.html]
# keytool -import -trustcacerts -file public.crt -alias tomcat
[enter same password]
[where public.crt is the certificate sent from VeriSign after they complete
their approval process]
[finally, edit ...tomcat/conf/server.xml and enable the SSL connector
section, adding keystorePass="[password]"
as an attribute to the Factory tag]

Hope this helps.

Thanks to all who provided suggestions along the way.

Dave



RE: SSL/Verisign Confusion

Posted by Dave Wood <da...@woodtopia.org>.
Well, after all this, I just discovered that VeriSign will basically let you
start over if it's within 30 days (which it is).  So, for now, I'm going
down this path.  Just talked to someone at V/S who said it would take just a
couple hours.

Oh, and I made a BACKUP of my new keystore file this time that now contains
a single "keyEntry" with the alias "tomcat".  I try to avoid being stupid in
the same way more than once! :)

As for the programmatic approach, FWIW, I started down that path as well,
but somehow I had no private key entry in the keystore (best I can tell).
Still not sure how I got in that messed up state.

Thanks,
Dave



Re: SSL/Verisign Confusion

Posted by Christopher Williams <cc...@ntlworld.com>.
Have you thought of manipulating the keystore programmatically?  Here's what
you'd do:

1. Open your existing keystore
2. Find the entry with your private key and (presumably) a temporary
self-signed certificate.
3. Open the certificate you got from Verisign.
4. Change the certificate in your key entry to your Verisign certificate.
5. Save and close the keystore.

OpenSSL doesn't understand most of the Java keystore formats, although it
can manipulate PKCS#12 files which Keytool can handle.  If you download the
BouncyCastle crypto provider, then you can use keytool to write PKCS#12
files as well.

Also, if the person who originally posted the question doesn't feel up to
monkeying around with the Keystore classes, I have some code that I can
adapt to stick your Verisign certificate in your keystore.  Get in touch
with me personally and I'll see what I can do.
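The five programmatic steps above, and the keytool sequence Dave posted in his "FINALLY!" message, both come down to the same operation: keep the private key that was generated before the CSR, and replace the certificate chain attached to it with the CA-issued certificate plus the VeriSign intermediate. The example below is an added illustration written for this thread; it is not Christopher's code, Dave's, or anything from Tomcat or the JDK. It uses only the java.security.KeyStore API that existed in JDK 1.4 (isKeyEntry, getKey, getCertificate, setKeyEntry, store) and adds the two checks that would have explained the original failure: the alias must be a key entry (Dave's "company" alias was a trustedCertEntry, which carries no private key, and keytool refuses to overwrite a trusted-certificate alias, hence "alias <company> already exists"), and the issued certificate's public key must equal the public key already stored under the alias (otherwise the certificate was issued for a key you no longer have). The class name, file names and the assumption that the key password equals the keystore password (Dave pressed <enter> at the second prompt, which makes them identical) are mine.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Added example (hypothetical class): swap the chain on an existing JKS key entry for the CA-issued chain. */
public class ReplaceCertChain {

    /** Reads one PEM or DER encoded X.509 certificate from a file. */
    static X509Certificate readCert(CertificateFactory cf, String path)
            throws IOException, GeneralSecurityException {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Checks that the issued certificate belongs to the key stored under alias and that each
     * intermediate signs the certificate before it, then returns the chain leaf-first,
     * which is the order JSSE (and therefore Tomcat) expects.
     */
    static Certificate[] buildChain(KeyStore ks, String alias,
                                    X509Certificate issued, List<X509Certificate> intermediates)
            throws GeneralSecurityException {
        // A trustedCertEntry has no private key: there is nothing to pair the new certificate with.
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias '" + alias
                    + "' is not a key entry; the private key is not in this keystore");
        }
        // The issued certificate must carry the public half of the key that produced the CSR.
        byte[] stored = ks.getCertificate(alias).getPublicKey().getEncoded();
        if (!Arrays.equals(stored, issued.getPublicKey().getEncoded())) {
            throw new IllegalStateException("issued certificate does not match the key under alias '"
                    + alias + "' (keystore regenerated after the CSR?)");
        }
        List<X509Certificate> chain = new ArrayList<>();
        chain.add(issued);
        chain.addAll(intermediates);
        // Each link must be signed by the next one up; a wrong intermediate fails here, not at runtime.
        for (int i = 0; i + 1 < chain.size(); i++) {
            chain.get(i).verify(chain.get(i + 1).getPublicKey());
        }
        return chain.toArray(new Certificate[0]);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3 || System.console() == null) {
            System.err.println("usage (from a terminal): ReplaceCertChain <keystore> <alias> <issued.crt> [intermediate.crt ...]");
            System.exit(2);
        }
        String keystorePath = args[0];
        String alias = args[1];
        // Read the password from the terminal rather than argv so it does not appear in `ps` output.
        char[] password = System.console().readPassword("Keystore password: ");

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);   // also verifies the keystore's integrity MAC
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate issued = readCert(cf, args[2]);
        List<X509Certificate> intermediates = new ArrayList<>();
        for (int i = 3; i < args.length; i++) {
            intermediates.add(readCert(cf, args[i]));
        }

        Certificate[] chain = buildChain(ks, alias, issued, intermediates);
        // Assumption: the key password equals the keystore password (keytool's default when you
        // just press <enter> at the second prompt).
        Key key = ks.getKey(alias, password);
        if (!(key instanceof PrivateKey)) {
            throw new IllegalStateException("no private key under alias '" + alias + "'");
        }
        // Keep a copy before touching the file; Files.copy refuses to clobber an existing backup.
        Files.copy(Paths.get(keystorePath), Paths.get(keystorePath + ".bak"));
        // setKeyEntry on an existing alias replaces the entry in place: same private key, new chain.
        ks.setKeyEntry(alias, key, password, chain);
        try (FileOutputStream out = new FileOutputStream(keystorePath)) {
            ks.store(out, password);
        }
        Arrays.fill(password, '\0');
        System.out.println("replaced chain under '" + alias + "' (" + chain.length + " certificates)");
    }
}
```

Run it as `java ReplaceCertChain ~/.keystore tomcat public.crt intermediate.crt` (names as in Dave's steps; substitute your own). keytool's `-import` onto an alias that is already a key entry performs the same public-key comparison and chain replacement, which is why Dave's final sequence works with the alias reused; `keytool -list -v` afterwards should show a single "keyEntry" whose chain length is 2 and whose owner is the name VeriSign put on the certificate.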

----- Original Message ----- 
From: "Jay Garala" <ja...@electrosoft-inc.com>
To: "'Tomcat Users List'" <to...@jakarta.apache.org>
Sent: Friday, September 05, 2003 3:36 PM
Subject: RE: SSL/Verisign Confusion


NOTE: You cannot export private key from keystore.

-----Original Message-----
From: Dave Wood [mailto:dave@woodtopia.org]
Sent: Friday, September 05, 2003 10:32 AM
To: Tomcat Users List
Subject: RE: SSL/Verisign Confusion

Thanks.  With the exception of the openssl doc, I've been over these quite a
bit.  The result is the problem I've mentioned where keytool says it can't
import my certificate because the alias already exists.

After some help I got last night, I think the question boils down to this:

* once I have extracted my private key from keytool (haven't done this yet),
how do I take that key, the VeriSign intermediate certificate and my public
key certificate and get them to play together.  I'm hoping the openssl stuff
will take care of this, because keytool doesn't really seem to recognize
private keys as things that you can work with directly.

Thanks again,
Dave

-----Original Message-----
From: Jay Garala [mailto:jay@electrosoft-inc.com]
Sent: Friday, September 05, 2003 7:12 AM
To: 'Tomcat Users List'
Subject: RE: SSL/Verisign Confusion


Try the Java keytool help:
 http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Tomcat how-to:
 http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html

If you have OpenSSL:
 http://forum.java.sun.com/thread.jsp?forum=2&thread=4240

Jay
-----Original Message-----
From: Dave Wood [mailto:dave@woodtopia.org]
Sent: Friday, September 05, 2003 1:04 AM
To: Tomcat Users List
Subject: RE: SSL/Verisign Confusion

Thanks Bill.  I think this highlights something I'm really not
understanding...

Didn't I generate an important "private key" somewhere along the line that I
can't just regenerate if I blow away my keystore?  I assumed the certificate
I got back from verisign would only work if I still had the original private
key I generated before sending them my request.  Is that wrong?

(I'll take a look at the link you sent...at first glance, it looks a little
hard to follow, but hopefully not).

Thanks again.

Dave

-----Original Message-----
From: news [mailto:news@sea.gmane.org]On Behalf Of Bill Barker
Sent: Thursday, September 04, 2003 11:06 PM
To: tomcat-user@jakarta.apache.org
Subject: Re: SSL/Verisign Confusion


Firstly, it looks like you should wipe you keystore and start again.  To use
a VS cert with Tomcat, the two options I know are:
1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm.
2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and
use that as your keystore (remember to set 'keystoreType="pkcs12"' on the
Factory in server.xml).


"Dave Wood" <da...@woodtopia.org> wrote in message
news:EBEBKKMEAECJFOHFOLHLIELKCIAA.dave@woodtopia.org...
> I'm having a problem getting an SSL certificate from Verisign working
> correctly.  I'm going to include everything I can think of that MIGHT be a
> problem.  Unfortunately, there are a couple things I can't quite remember
> for certain.  Here's the situation:
>
> 1. I generated the initial key using an alias other than "tomcat" (we'll
> call it "company")
> 2. I generated the CSR and sent it to verisign.  I still have this file.
> 3. Verisign changed the company name during the verification process (from
> an acronym to the full spelling of the name)
> 4. I now have the certificate that they sent back after the validation
> process.
> 5. One thing I can't account for is why when I see this:
>
> $ keytool -list
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 4 entries: (...others removed...)
>
> company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry,
> Certificate fingerprint (MD5):
> 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really
> 0's)
>
> ...I think I must have self-signed or something (I was doing a couple of
> these things and don't recall exactly), but I'm surprised to see
> "trustedCertEntry" here.
>
> The problem I'm having is this:
>
> $ keytool -import -trustcacerts -alias company -file public.crt
> Enter keystore password: xxx
> keytool error: java.lang.Exception: Certificate not imported, alias
> <company> already exists
>
> (but I'm thinking it should be REPLACING this entry, so the fact that it
> exists shouldn't be a problem???)
>
> So, I have several questions:
>
> 1. Am I hosed completely because I didn't use "tomcat" as the alias?
> 2. How does the private key get stored exactly?  I assume that if I delete
> the current entry for the "company" alias, I'll be losing the private key,
> right?
> 3. Can someone provide steps I should take to get this working given what I
> have said above.
>
> Thanks so much in advance.  Sorry to be so long-winded.
>
> -Dave
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org



RE: SSL/Verisign Confusion

Posted by Dave Wood <da...@woodtopia.org>.
I did everything with keytool.

I tried keyclone last night, but it appears that you can't clone a
"trustedCertEntry".  I get the error:

"Alias <company> has no (private) key"

...it almost seems like once your keyEntry becomes a trustedCertEntry, you
can't get to the private key at all. ???

The REALLY annoying thing is that I can't imagine why I would have
self-signed this thing, but that's the only explanation I can come up with
for why it is showing as a trustedCertEntry when I do a keytool -list.

I *must* be missing something.

-----Original Message-----
From: Jay Garala [mailto:jay@electrosoft-inc.com]
Sent: Friday, September 05, 2003 9:21 AM
To: 'Tomcat Users List'
Subject: RE: SSL/Verisign Confusion


Hmm..  Did you create the PK in Tomcat's keystore or your JDK's keystore?

Try the keyclone?  Clone your 'company' to 'tomcat'.

-----Original Message-----
From: Dave Wood [mailto:dave@woodtopia.org]
Sent: Friday, September 05, 2003 11:07 AM
To: Tomcat Users List
Subject: RE: SSL/Verisign Confusion

I realize you can't do this with keytool.  Is there no way to do it at all?

I'm beginning to think I might be totally hosed here.

Thanks,
Dave

-----Original Message-----
From: Jay Garala [mailto:jay@electrosoft-inc.com]
Sent: Friday, September 05, 2003 8:37 AM
To: 'Tomcat Users List'
Subject: RE: SSL/Verisign Confusion


NOTE: You cannot export a private key from the keystore.

-----Original Message-----
From: Dave Wood [mailto:dave@woodtopia.org]
Sent: Friday, September 05, 2003 10:32 AM
To: Tomcat Users List
Subject: RE: SSL/Verisign Confusion

Thanks.  With the exception of the openssl doc, I've been over these quite a
bit.  The result is the problem I've mentioned where keytool says it can't
import my certificate because the alias already exists.

After some help I got last night, I think the question boils down to this:

* once I have extracted my private key from keytool (haven't done this yet),
how do I take that key, the VeriSign intermediate certificate and my public
key certificate and get them to play together.  I'm hoping the openssl stuff
will take care of this, because keytool doesn't really seem to recognize
private keys as things that you can work with directly.

Thanks again,
Dave

-----Original Message-----
From: Jay Garala [mailto:jay@electrosoft-inc.com]
Sent: Friday, September 05, 2003 7:12 AM
To: 'Tomcat Users List'
Subject: RE: SSL/Verisign Confusion


Try the Java keytool help:
 http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Tomcat how-to:
 http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html

If you have OpenSSL:
 http://forum.java.sun.com/thread.jsp?forum=2&thread=4240

Jay
-----Original Message-----
From: Dave Wood [mailto:dave@woodtopia.org]
Sent: Friday, September 05, 2003 1:04 AM
To: Tomcat Users List
Subject: RE: SSL/Verisign Confusion

Thanks Bill.  I think this highlights something I'm really not
understanding...

Didn't I generate an important "private key" somewhere along the line that I
can't just regenerate if I blow away my keystore?  I assumed the certificate
I got back from verisign would only work if I still had the original private
key I generated before sending them my request.  Is that wrong?

(I'll take a look at the link you sent...at first glance, it looks a little
hard to follow, but hopefully not).

Thanks again.

Dave


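The "Alias <company> has no (private) key" error from keyclone and the trustedCertEntry shown by keytool -list are the same fact: that alias holds a bare certificate, and keytool only accepts a CA reply (Dave's public.crt) into an alias that holds a key entry. The script below is an added example, not code from this thread or from the Tomcat project. It reads the non-verbose `keytool -list` format quoted above and picks the next step from the entry type; the sample listing, keystore.jks, intermediate.crt and the alias verisign-intermediate are constructed placeholders, and with DRY_RUN=1 (the default) the keytool commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat: decide what to do
# with a CA-issued certificate from what `keytool -list` says about the alias.
# Assumptions (not from the thread): keystore.jks, intermediate.crt and the
# alias verisign-intermediate are placeholder names; public.crt is the CA
# reply, as in Dave's import command. With DRY_RUN=1 (the default) the
# keytool commands are printed, not executed.

# Constructed sample of non-verbose `keytool -list` output. The entry type is
# the last field of the alias line: trustedCertEntry is a certificate only,
# keyEntry (PrivateKeyEntry in newer keytool) is a private key plus its chain.
SAMPLE_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries:

company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry,
Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
tomcat, Fri Aug 22 09:10:11 MDT 2003, keyEntry,
Certificate fingerprint (MD5): 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11'

# keystore_entry_type LISTING ALIAS: prints the entry type of ALIAS, or
# "missing" when no entry of that name is listed.
keystore_entry_type() {
    printf '%s\n' "$1" | awk -v alias="$2" '
        $1 == (alias ",") { t = $NF; sub(/,$/, "", t); print t; found = 1; exit }
        END { if (!found) print "missing" }'
}

# run CMD...: print the command under DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# plan_cert_install LISTING ALIAS [KEYSTORE]: returns 0 after scheduling the
# CA-reply import, 2 when the alias has no private key, 3 when it is absent.
plan_cert_install() {
    listing=$1; alias=$2; ks=${3:-keystore.jks}
    case $(keystore_entry_type "$listing" "$alias") in
        keyEntry|PrivateKeyEntry)
            # The intermediate goes in under its own alias first so the reply
            # can be chained to a trusted root (-trustcacerts also consults
            # the JDK cacerts file). The reply itself goes into the SAME
            # alias as the private key, where keytool replaces the
            # self-signed certificate with the CA-signed chain.
            run keytool -import -trustcacerts -alias verisign-intermediate \
                -file intermediate.crt -keystore "$ks"
            run keytool -import -trustcacerts -alias "$alias" \
                -file public.crt -keystore "$ks"
            return 0 ;;
        trustedCertEntry)
            # Dave's situation: a trustedCertEntry carries no private key, so
            # there is nothing for public.crt to pair with and -import can
            # only refuse ("alias already exists"). If the key pair lives
            # under another alias, use that alias; otherwise a new key pair
            # and a new CSR are needed.
            echo "alias $alias is a trustedCertEntry: no private key to pair with public.crt" >&2
            return 2 ;;
        *)
            echo "alias $alias not found in $ks" >&2
            return 3 ;;
    esac
}

# Walk both constructed aliases; DRY_RUN=1, so only the plan is printed.
plan_cert_install "$SAMPLE_LISTING" tomcat
plan_cert_install "$SAMPLE_LISTING" company || echo "exit status $?"
```

Against a real keystore, feed the tool's own output in: `keystore_entry_type "$(keytool -list -keystore keystore.jks -storepass "$PASS")" company`. The parser expects the one-line-per-alias format shown in the thread, not the `-v` layout, which prints "Entry type:" on its own line.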
RE: SSL/Verisign Confusion

Posted by Jay Garala <ja...@electrosoft-inc.com>.
Hmm..  Did you create the PK in Tomcat's keystore or your JDK's keystore?

Try the keyclone?  Clone your 'company' to 'tomcat'.


RE: SSL/Verisign Confusion

Posted by Dave Wood <da...@woodtopia.org>.
I realize you can't do this with keytool.  Is there no way to do it at all?

I'm beginning to think I might be totally hosed here.

Thanks,
Dave


RE: SSL/Verisign Confusion

Posted by Jay Garala <ja...@electrosoft-inc.com>.
NOTE: You cannot export a private key from the keystore.



RE: SSL/Verisign Confusion

Posted by Dave Wood <da...@woodtopia.org>.
Thanks.  With the exception of the openssl doc, I've been over these quite a
bit.  The result is the problem I've mentioned where keytool says it can't
import my certificate because the alias already exists.

After some help I got last night, I think the question boils down to this:

* once I have extracted my private key from keytool (haven't done this yet),
how do I take that key, the VeriSign intermediate certificate and my public
key certificate and get them to play together?  I'm hoping the openssl stuff
will take care of this, because keytool doesn't really seem to recognize
private keys as things that you can work with directly.

Thanks again,
Dave

-----Original Message-----
From: Jay Garala [mailto:jay@electrosoft-inc.com]
Sent: Friday, September 05, 2003 7:12 AM
To: 'Tomcat Users List'
Subject: RE: SSL/Verisign Confusion


Try the Java keytool help:
 http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Tomcat how-to:
 http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html

If you have OpenSSL:
 http://forum.java.sun.com/thread.jsp?forum=2&thread=4240

Jay
-----Original Message-----
From: Dave Wood [mailto:dave@woodtopia.org]
Sent: Friday, September 05, 2003 1:04 AM
To: Tomcat Users List
Subject: RE: SSL/Verisign Confusion

Thanks Bill.  I think this highlights something I'm really not
understanding...

Didn't I generate an important "private key" somewhere along the line that I
can't just regenerate if I blow away my keystore?  I assumed the certificate
I got back from verisign would only work if I still had the original private
key I generated before sending them my request.  Is that wrong?

(I'll take a look at the link you sent...at first glance, it looks a little
hard to follow, but hopefully not).

Thanks again.

Dave

-----Original Message-----
From: news [mailto:news@sea.gmane.org]On Behalf Of Bill Barker
Sent: Thursday, September 04, 2003 11:06 PM
To: tomcat-user@jakarta.apache.org
Subject: Re: SSL/Verisign Confusion


Firstly, it looks like you should wipe your keystore and start again.  To use
a VS cert with Tomcat, the two options I know are:
1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm.
2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and
use that as your keystore (remember to set 'keystoreType="pkcs12"' on the
Factory in server.xml).


"Dave Wood" <da...@woodtopia.org> wrote in message
news:EBEBKKMEAECJFOHFOLHLIELKCIAA.dave@woodtopia.org...
> I'm having a problem getting an SSL certificate from Verisign working
> correctly.  I'm going to include everything I can think of that MIGHT be a
> problem.  Unfortunately, there are a couple things I can't quite remember
> for certain.  Here's the situation:
>
> 1. I generated the initial key using an alias other than "tomcat" (we'll
> call it "company")
> 2. I generated the CSR and sent it to verisign.  I still have this file.
> 3. Verisign changed the company name during the verification process (from
> an acronym to the full spelling of the name)
> 4. I now have the certificate that they sent back after the validation
> process.
> 5. One thing I can't account for is why when I see this:
>
> $ keytool -list
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 4 entries: (...others removed...)
>
> company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry,
> Certificate fingerprint (MD5):
> 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really
> 0's)
>
> ...I think I must have self-signed or something (I was doing a couple of
> these things and don't recall exactly), but I'm surprised to see
> "trustedCertEntry" here.
>
> The problem I'm having is this:
>
> $ keytool -import -trustcacerts -alias company -file public.crt
> Enter keystore password: xxx
> keytool error: java.lang.Exception: Certificate not imported, alias
> <company> already exists
>
> (but I'm thinking it should be REPLACING this entry, so the fact that it
> exists shouldn't be a problem???)
>
> So, I have several questions:
>
> 1. Am I hosed completely because I didn't use "tomcat" as the alias?
> 2. How does the private key get stored exactly?  I assume that if I delete
> the current entry for the "company" alias, I'll be losing the private key,
> right?
> 3. Can someone provide steps I should take to get this working given what I
> have said above.
>
> Thanks so much in advance.  Sorry to be so long-winded.
>
> -Dave
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003






RE: SSL/Verisign Confusion

Posted by Jay Garala <ja...@electrosoft-inc.com>.
Try the Java keytool help:
 http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Tomcat how-to:
 http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html

If you have OpenSSL:
 http://forum.java.sun.com/thread.jsp?forum=2&thread=4240

Jay


RE: SSL/Verisign Confusion

Posted by Dave Wood <da...@woodtopia.org>.
Thanks Bill.  I think this highlights something I'm really not
understanding...

Didn't I generate an important "private key" somewhere along the line that I
can't just regenerate if I blow away my keystore?  I assumed the certificate
I got back from verisign would only work if I still had the original private
key I generated before sending them my request.  Is that wrong?

(I'll take a look at the link you sent...at first glance, it looks a little
hard to follow, but hopefully not).

Thanks again.

Dave


Re: SSL/Verisign Confusion

Posted by Bill Barker <wb...@wilshire.com>.
Firstly, it looks like you should wipe your keystore and start again.  To use
a VS cert with Tomcat, the two options I know are:
1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm.
2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and
use that as your keystore (remember to set 'keystoreType="pkcs12"' on the
Factory in server.xml).


"Dave Wood" <da...@woodtopia.org> wrote in message
news:EBEBKKMEAECJFOHFOLHLIELKCIAA.dave@woodtopia.org...

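The checks this thread turns on, as an added example that is not code from the thread or from Tomcat: whether the alias holds a private key at all (Dave's question 2), whether the VeriSign certificate was really issued for the key in the CSR he still has despite the rewritten subject name, and the PKCS12 bundle of Bill's option 2. It assumes keytool and openssl are on PATH; the alias "company" and the file names company.csr, public.crt, intermediate.pem, key.pem and keystore.p12 are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat. Pre-flight checks before
# importing a CA-signed certificate into a JKS keystore, plus the PKCS12 bundle of
# Bill's option 2. Assumes keytool and openssl on PATH; the alias "company" and the
# file names company.csr, public.crt, intermediate.pem, key.pem are placeholders.

# classify_listing ALIAS: reads `keytool -list` output on stdin and prints the
# entry type recorded for ALIAS. Only keyEntry (PrivateKeyEntry on newer JDKs)
# holds a private key; trustedCertEntry is a bare certificate, so importing the
# CA-signed cert under such an alias can never pair it with a key.
classify_listing() {
    awk -v alias="$1" '
        # keytool prints one line per entry: "<alias>, <date>, <type>,"
        $1 == (alias ",") { t = $NF; sub(/,$/, "", t); found = 1 }
        END { print (found ? t : "absent") }'
}

# entry_type KEYSTORE ALIAS STOREPASS: classify_listing against a real keystore.
entry_type() {
    keytool -list -keystore "$1" -storepass "$3" 2>/dev/null | classify_listing "$2"
}

# der_pubkey_sha256: reads a PEM public key on stdin, prints SHA-256 of its DER form.
der_pubkey_sha256() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{ print $NF }'
}

# pubkey_fingerprint FILE: fingerprint of the public key inside a PEM CSR or
# certificate. The subject name the CA rewrote plays no part here, only the key
# pair does, so equal fingerprints mean the cert was issued for that CSR's key.
pubkey_fingerprint() {
    case "$1" in
        *.csr) openssl req  -in "$1" -pubkey -noout ;;
        *)     openssl x509 -in "$1" -pubkey -noout ;;
    esac | der_pubkey_sha256
}

# keystore_pubkey_fingerprint KEYSTORE ALIAS STOREPASS: fingerprint of the public
# key in the certificate stored under ALIAS. For a keyEntry that is the self-signed
# cert keytool -genkey made, which carries the public half of the stored private key.
keystore_pubkey_fingerprint() {
    keytool -export -rfc -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null \
        | openssl x509 -pubkey -noout | der_pubkey_sha256
}

# preflight KEYSTORE ALIAS STOREPASS: reports the two facts that decide whether
# `keytool -import` can succeed for ALIAS or whether the PKCS12 route is needed.
preflight() {
    echo "entry type for $2: $(entry_type "$1" "$2" "$3")"
    csr=$(pubkey_fingerprint company.csr)
    crt=$(pubkey_fingerprint public.crt)
    ks=$(keystore_pubkey_fingerprint "$1" "$2" "$3")
    if [ "$csr" = "$crt" ]; then echo "public.crt matches the key in company.csr"
    else echo "public.crt was NOT issued for company.csr"; fi
    if [ "$ks" = "$crt" ]; then echo "entry $2 holds the matching key pair"
    else echo "entry $2 does not hold the key public.crt was issued for"; fi
}

# build_pkcs12 KEY.pem: Bill's option 2. Bundle the private key (already exported
# to PEM), the server cert and the VeriSign intermediate into one PKCS12 file;
# point Tomcat at it with keystoreFile="keystore.p12" keystoreType="pkcs12".
build_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in public.crt -certfile intermediate.pem \
        -name tomcat -out keystore.p12
}

# Usage: sh preflight.sh .keystore company changeit
if [ $# -eq 3 ]; then preflight "$@"; fi
```

Under a keyEntry alias, keytool treats the imported file as a certificate reply for that key; under a trustedCertEntry alias there is no key to pair it with, which is the "alias already exists" refusal in the original post.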
RE: SSL/Verisign Confusion

Posted by Jay Garala <ja...@electrosoft-inc.com>.
Is public the one returned from Verisign, or is it Verisign's CA cert?

If you want, try the following to see if the cert exists within the JDK trusted
CA list.
Execute from the jdk\jre\lib\security directory:

keytool -list -keystore cacerts -storepass changeit

Jay

-----Original Message-----
From: Dave Wood [mailto:dave@woodtopia.org] 
Sent: Thursday, September 04, 2003 11:12 PM
To: Tomcat Email List
Subject: SSL/Verisign Confusion
