Posted to users@tomcat.apache.org by je...@playstation.sony.com on 2005/04/26 22:18:21 UTC
SSL
Tomcat Users,
I have followed the How-To for Jakarta Tomcat SSL and continue to have
some weirdness going on...
Our current SSL cert expired and we get a warning dialog box each time
we try to connect to this server about the expiration... naturally.
I generated a new cert request utilizing keytool, sent that to verisign,
they returned the cert. Then I created a new keystore file, first
importing a chaincert, then importing the new cert. When I stop the
server, move the keystore file in place, start the server up, I continue
to get an expiration notice upon https request to the host. In a
troubleshooting effort, I moved the keystore file, stop/started the
server and *still* get the expired notice upon https request... The
server.xml file's SSL config points to the directory in which I have
located the keystore file, too.
Any ideas what may be happening here?
-jrj
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: SSL
Posted by je...@playstation.sony.com.
I am wondering if the cert gets rolled into a .jar file, and the old
keystore stomps on my new cert upon server startup?
-jrj
Re: SSL
Posted by Jason Bainbridge <jb...@gmail.com>.
On 4/26/05, jejones@playstation.sony.com <je...@playstation.sony.com> wrote:
> Is there a way to look at the contents of the keystore file?
>
> -jrj
keytool -list -v -keystore /path/to/.keystore > allcerts.txt
Should do it if I got the syntax right...
--
Jason Bainbridge
http://kde.org - webmaster@kde.org
Personal Site - http://jasonbainbridge.com
Re: SSL
Posted by je...@playstation.sony.com.
Is there a way to look at the contents of the keystore file?
-jrj
Re: SSL
Posted by Jason Bainbridge <jb...@gmail.com>.
On 4/27/05, jejones@playstation.sony.com <je...@playstation.sony.com> wrote:
> So I am new, obviously with the keytool use.. attached is the cert.txt
> file resulting from the keytool -list -v.. I changed the CSR data.. but
> the format is there... do you see anything wrong with the file?
Hazarding a guess, but it looks like you created the CSR in a different
.keystore and then imported VeriSign's certificate into this one, as
the tomcat alias should look something like:
Alias name: tomcat
Creation date: Jan 28, 2005
Entry type: keyEntry
Certificate chain length: 4
Certificate[1]:
Owner: CN=XXX, OU=XXX, O=XXXXX, L=XXXXXX, ST=XXXXXX, C=XXXXX
Issuer: CN=XXXXXXXXXXXXXXXXXXXX
Serial number: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Valid from: Fri Jan 28 00:00:24 GMT 2005 until: Sun Jan 28 00:00:24 GMT 2007
Certificate fingerprints:
MD5: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
SHA1: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Then, because that one has a chain length of 4, it has 3 other certs in
the chain, and each of those has its own alias as well.
Your VeriSign cert isn't in any chain, and I'm guessing the reason is
that it's not where the CSR was generated from, so you either need
to find that .keystore or do another CSR from this or another new
.keystore and import the trusted cert you receive from that CSR.
The all-important part is that the CSR needs to match the trusted
cert you get back.
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 2 entries
>
> Alias name: root
> Creation date: Apr 21, 2005
> Entry type: trustedCertEntry
>
> Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
> Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
> Serial number: 254b8a853842cce358f8c5ddae226ea4
> Valid from: Wed Apr 16 17:00:00 PDT 1997 until: Mon Oct 24 16:59:59 PDT 2011
> Certificate fingerprints:
> MD5: BC:0A:51:FA:C0:F4:7F:DC:62:1C:D8:E1:15:43:4E:CC
> SHA1: C2:F0:08:7D:01:E6:86:05:3A:4D:63:3E:7E:70:D4:EF:65:C2:CC:4F
>
> *******************************************
> *******************************************
>
> Alias name: tomcat
> Creation date: Apr 21, 2005
> Entry type: trustedCertEntry
>
> Owner: CN=????, OU=????, O=????, L=????, ST=California, C=US
> Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
> Serial number: 46fefd812464db21ede3b8e4f39a9218
> Valid from: Wed Apr 06 17:00:00 PDT 2005 until: Fri Apr 07 16:59:59 PDT 2006
> Certificate fingerprints:
> MD5: D3:9B:5C:E3:41:D9:6D:AD:DE:62:2B:E0:E1:74:5B:FD
> SHA1: 37:55:D7:35:82:FA:13:33:F2:45:4E:13:92:8C:73:3B:7C:11:D8:61
>
> *******************************************
> *******************************************
Re: SSL
Posted by je...@playstation.sony.com.
So I am new, obviously, with the keytool use... attached is the cert.txt
file resulting from the keytool -list -v... I changed the CSR data, but
the format is there... do you see anything wrong with the file?
-jrj
Re: SSL
Posted by je...@playstation.sony.com.
I figured out the problem... when the purchasing folks signed away for
the cert, they did not select "Apache", but accepted the default, "Old
Server Cert", whatever the heck that is... I generated a new CSR, sent
that to VeriSign, selecting Apache as the cert type, got back the cert,
did the keytool magic, and voilà!
Thanks for all the troubleshooting assistance!!
Jeff
Re: SSL
Posted by Jason Bainbridge <jb...@gmail.com>.
On 4/27/05, jejones@playstation.sony.com <je...@playstation.sony.com> wrote:
> Is a chain cert really *required*? I see for an older selfsigned
> cert that a chain cert was not part of the keystore file.
Well, for self-signed, no, as it isn't part of a chain; the chain is
required for trusted certs to prove that it is trusted by an authority
that users trust, like VeriSign, as they have the ROOT VeriSign
certificate in their browser.
Regards,
Re: SSL
Posted by je...@playstation.sony.com.
Is a chain cert really *required*? I see for an older selfsigned
cert that a chain cert was not part of the keystore file.
-jrj
Re: SSL
Posted by je...@playstation.sony.com.
If I run keytool again, will it generate a keystore with a different
private key? If so, then the cert I received from verisign will not
work with that file.
-jrj
Re: SSL
Posted by Jason Bainbridge <jb...@gmail.com>.
On 4/26/05, jejones@playstation.sony.com <je...@playstation.sony.com> wrote:
> Finally, some progress; but not exactly what I wanted... I made the "F"
> uppercase, stopped/started the server; now it's refusing connections.
> This is from the log file:
>
> Apr 26, 2005 2:19:46 PM org.apache.tomcat.util.net.PoolTcpEndpoint
> acceptSocket
> SEVERE: Endpoint [SSL:
when doing these steps:
Import the Chain Certificate into your keystore
keytool -import -alias root -keystore <your_keystore_filename>
-trustcacerts -file <filename_of_the_chain_certificate>
And finally import your new Certificate (It must be in X509 format):
keytool -import -alias tomcat -keystore <your_keystore_filename>
-trustcacerts -file <your_certificate_filename>
Did you specify the full path names? I would backup the .keystore and
then try again by specifying full path names to make sure.
Sounds like you have an incomplete .keystore being used.
Re: SSL
Posted by je...@playstation.sony.com.
Finally, some progress; but not exactly what I wanted... I made the "F"
uppercase, stopped/started the server; now it's refusing connections.
This is from the log file:
Apr 26, 2005 2:19:46 PM org.apache.tomcat.util.net.PoolTcpEndpoint
acceptSocket
SEVERE: Endpoint [SSL:
ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=443]] ignored
exception: java.net.SocketException: SSL handshake
errorjavax.net.ssl.SSLException: No available certificate corresponds to
the SSL cipher suites which are enabled.
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException:
No available certificate corresponds to the SSL cipher suites which are
enabled.
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:152)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:371)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:553)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:666)
        at java.lang.Thread.run(Thread.java:534)
Apr 26, 2005 2:19:46 PM org.apache.tomcat.util.net.PoolTcpEndpoint
acceptSocket
WARNING: Reinitializing ServerSocket
Thoughts?
Jeff
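The keystore dump Jason walks through above, his later answer about why a CA-signed cert needs its chain, and the "No available certificate corresponds to the SSL cipher suites which are enabled" handshake error in this post all come down to what `keytool -list -v` shows: a keystore with only `trustedCertEntry` entries holds no private key, so JSSE has nothing it can present. The script below is an added example, not code from the thread, from Tomcat or from keytool. It parses a `keytool -list -v` listing and reports the things a practitioner would check before restarting Tomcat: whether the keystore holds a private-key entry at all, whether the alias the connector expects (`tomcat`, Tomcat's default) is that key entry, whether any certificate has expired, and whether the leaf's issuer is present so the chain is complete. The two listings are constructed from the posted dump with shortened DNs and a placeholder hostname; `keyEntry`, `PrivateKeyEntry` and `trustedCertEntry` are keytool's own entry-type names, and the function and finding names are mine.

```python
import re
from datetime import datetime

# Constructed sample listings, modelled on the `keytool -list -v` dump posted in the
# thread (DNs shortened, server name replaced by a placeholder). Example code, not
# from the thread or from Tomcat.
CA_DN = "OU=VeriSign International Server CA - Class 3, O=VeriSign Trust Network"
ROOT_DN = "OU=Class 3 Public Primary Certification Authority, O=VeriSign, C=US"
SERVER_DN = "CN=www.example.com, O=Example Corp, ST=California, C=US"

# The broken state from the thread: the CA-signed server cert was imported into a
# keystore that never held its private key, so it became a trustedCertEntry.
BROKEN_LISTING = """Keystore type: jks
Your keystore contains 2 entries

Alias name: root
Entry type: trustedCertEntry
Owner: %s
Issuer: %s
Valid from: Wed Apr 16 17:00:00 PDT 1997 until: Mon Oct 24 16:59:59 PDT 2011

Alias name: tomcat
Entry type: trustedCertEntry
Owner: %s
Issuer: %s
Valid from: Wed Apr 06 17:00:00 PDT 2005 until: Fri Apr 07 16:59:59 PDT 2006
""" % (CA_DN, ROOT_DN, SERVER_DN, CA_DN)

# Same certificates imported into the keystore that generated the CSR: one keyEntry
# whose chain carries both the server cert and the intermediate.
GOOD_LISTING = """Alias name: tomcat
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: %s
Issuer: %s
Valid from: Wed Apr 06 17:00:00 PDT 2005 until: Fri Apr 07 16:59:59 PDT 2006
Certificate[2]:
Owner: %s
Issuer: %s
Valid from: Wed Apr 16 17:00:00 PDT 1997 until: Mon Oct 24 16:59:59 PDT 2011
""" % (SERVER_DN, CA_DN, CA_DN, ROOT_DN)

KEY_ENTRY_TYPES = {"keyEntry", "PrivateKeyEntry"}   # JDK 1.4/5 name vs. later JDKs
VALID_RE = re.compile(r"^Valid from:\s*(.+?)\s+until:\s*(.+)$")
# "Fri Apr 07 16:59:59 PDT 2006": the zone abbreviation is dropped because strptime
# cannot portably parse names like PDT; day resolution is enough for an expiry check.
DATE_RE = re.compile(r"^\w{3}\s+(\w{3})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\s+\S+\s+(\d{4})$")


def parse_keytool_date(text):
    mon, day, hms, year = DATE_RE.match(text.strip()).groups()
    return datetime.strptime("%s %s %s %s" % (mon, day, year, hms), "%b %d %Y %H:%M:%S")


def parse_listing(text):
    """Turn `keytool -list -v` output into [{alias, type, certs: [{owner, issuer, not_after}]}]."""
    entries, cert = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Alias name:"):
            entries.append({"alias": line[11:].strip(), "type": None, "certs": []})
            cert = None
        elif not entries:
            continue                                   # header lines before the first alias
        elif line.startswith("Entry type:"):
            entries[-1]["type"] = line[11:].strip()
        elif line.startswith("Owner:"):                # one per cert, for both entry kinds
            cert = {"owner": line[6:].strip()}
            entries[-1]["certs"].append(cert)
        elif cert is not None and line.startswith("Issuer:"):
            cert["issuer"] = line[7:].strip()
        elif cert is not None and VALID_RE.match(line):
            cert["not_after"] = parse_keytool_date(VALID_RE.match(line).group(2))
    return entries


def diagnose(listing, key_alias="tomcat", now=None):
    """Explain, as (code, detail) pairs, why Tomcat would serve the wrong cert or none.

    key_alias is the alias the connector expects; Tomcat's default is "tomcat".
    """
    now = now or datetime.now()
    entries = parse_listing(listing)
    findings = []
    if not any(e["type"] in KEY_ENTRY_TYPES for e in entries):
        findings.append(("NO_KEY_ENTRY", "no private key in this keystore: the server cert was "
                         "imported as a trusted cert, i.e. not into the keystore the CSR came from"))
    server = next((e for e in entries if e["alias"] == key_alias), None)
    if server is None:
        findings.append(("ALIAS_MISSING", "no entry named %r" % key_alias))
    elif server["type"] not in KEY_ENTRY_TYPES:
        findings.append(("ALIAS_NOT_KEY", "%r is a %s, not a key entry" % (key_alias, server["type"])))
    for e in entries:
        for c in e["certs"]:
            if "not_after" in c and c["not_after"] < now:
                findings.append(("EXPIRED", "%s: %s expired on %s" % (e["alias"], c["owner"], c["not_after"].date())))
    # The server cert's issuer must be somewhere in the keystore, or browsers will see
    # a chain that stops at the leaf (self-signed certs are their own issuer).
    subjects = {c["owner"] for e in entries for c in e["certs"]}
    if server and server["certs"]:
        leaf = server["certs"][0]
        if leaf.get("issuer", leaf["owner"]) not in subjects:
            findings.append(("CHAIN_GAP", "issuer of %s is not in the keystore" % leaf["owner"]))
    return findings


if __name__ == "__main__":
    for code, detail in diagnose(BROKEN_LISTING, now=parse_keytool_date("Wed Jun 01 00:00:00 PDT 2005")):
        print(code, "-", detail)
```

Run against the real thing with `keytool -list -v -keystore /path/to/.keystore | python3 checker.py` after swapping the `__main__` block for `diagnose(sys.stdin.read())`. On the posted dump it reports NO_KEY_ENTRY and ALIAS_NOT_KEY, which is exactly the state that makes JSSE throw "No available certificate corresponds to the SSL cipher suites which are enabled": every RSA suite needs a private key, and there is none. Note that the fix is not another `keytool -import`; the CSR has to be regenerated from a keystore that keeps the key, as Jason says.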
Re: SSL
Posted by Jason Bainbridge <jb...@gmail.com>.
On 4/26/05, jejones@playstation.sony.com <je...@playstation.sony.com> wrote:
> Actually, I did not start with the old cert. I generated a completely
> new cert, started with the chaincert, then imported the new cert that
> verisign sent back.
>
> This is the connector text:
>
> <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false"
> protocol="TLS" keystorefile="/usr/local/qmetrix/.keystore" keystorePass=
Is that a copy and paste? If so, you're going to first want to make
sure there are no sharp instruments around and then change
keystorefile to keystoreFile, as it's case sensitive, then restart
Tomcat. With it lower case like that it will still look in the default
location, and that would explain the behaviour you are seeing.
However if that isn't the case then we have some more digging to do.
Regards,
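Jason's point is worth checking mechanically, because Tomcat 4 ignores an attribute it does not recognise rather than failing: a mis-cased `keystorefile` means no `keystoreFile` at all, and the connector silently falls back to `.keystore` in the home directory of the user running Tomcat, which is why the old, expired cert kept being served. The following is an added example, not from the thread and not Tomcat's code. It lints the `<Factory>` element of a server.xml fragment for mis-cased or unknown attributes and reports which keystore path Tomcat would actually open. The fragment is constructed to mirror the posted connector with a placeholder password; the attribute list is the Tomcat 4 SSL how-to's as I remember it and should be treated as an assumption against your own version's docs; `/home/tomcat` is a made-up home directory.

```python
import os
import xml.etree.ElementTree as ET

# Attribute names the Tomcat 4 CoyoteServerSocketFactory understands (from the
# Tomcat 4 SSL how-to as I recall it; an assumption to check against your docs).
# Unknown attributes are silently ignored, which is how a lowercase "keystorefile"
# ends up meaning "use ~/.keystore of whoever runs Tomcat".
FACTORY_ATTRS = {"className", "clientAuth", "protocol", "keystoreFile",
                 "keystorePass", "keystoreType", "algorithm"}

# Constructed fragment with the mistake from the thread (lowercase "keystorefile");
# the password value is a placeholder, not anything from the original post.
BROKEN_SERVER_XML = """<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
    port="443" scheme="https" secure="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
      clientAuth="false" protocol="TLS"
      keystorefile="/usr/local/qmetrix/.keystore" keystorePass="changeit"/>
</Connector>
"""

# The same fragment with the attribute name Tomcat actually honours.
FIXED_SERVER_XML = BROKEN_SERVER_XML.replace('keystorefile=', 'keystoreFile=')


def effective_keystore(factory_attrs, home):
    """Path Tomcat will open: keystoreFile if set, else .keystore in the home
    directory of the user running Tomcat (the documented default)."""
    return factory_attrs.get("keystoreFile", os.path.join(home, ".keystore"))


def lint_ssl_factory(xml_text, home="/home/tomcat"):
    """Return (problems, keystore_path) for the <Factory> elements in a server.xml fragment."""
    root = ET.fromstring("<root>%s</root>" % xml_text)   # wrap so a bare fragment parses
    lower_known = {a.lower(): a for a in FACTORY_ATTRS}
    problems, path = [], None
    for factory in root.iter("Factory"):
        for name in factory.attrib:
            if name in FACTORY_ATTRS:
                continue
            if name.lower() in lower_known:
                problems.append("attribute %r is mis-cased; Tomcat only honours %r"
                                % (name, lower_known[name.lower()]))
            else:
                problems.append("attribute %r is not a Factory attribute and will be ignored" % name)
        if "keystoreFile" not in factory.attrib:
            problems.append("no keystoreFile: Tomcat will fall back to %s"
                            % effective_keystore(factory.attrib, home))
        path = effective_keystore(factory.attrib, home)
    return problems, path


if __name__ == "__main__":
    for label, fragment in (("broken", BROKEN_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        problems, path = lint_ssl_factory(fragment)
        print(label, "->", path, problems or "ok")
```

The case-sensitivity check is the whole point: the broken fragment resolves to `/home/tomcat/.keystore` even though a keystore path is visibly "configured", while the fixed one resolves to `/usr/local/qmetrix/.keystore`. Pointing the linter at the real file is a matter of `lint_ssl_factory(open("conf/server.xml").read(), home=os.path.expanduser("~tomcat"))`, substituting the account Tomcat runs as.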
Re: SSL
Posted by je...@playstation.sony.com.
Sorry, the Thawte string is in there by error, and some extra forward
slashes...
Re: SSL
Posted by je...@playstation.sony.com.
Actually, I did not start with the old cert. I generated a completely
new cert, started with the chaincert, then imported the new cert that
VeriSign sent back.
This is the connector text:
<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false"
protocol="TLS" keystorefile="/usr/local/qmetrix/.keystore" keystorePass=
Here are the steps I used to generate the cert:
keytool -genkey -keyalg RSA -alias tomcat -keystore /export/home/jjones/.keystore
then
keytool -certreq -keyalg RSA -alias tomcat -keystore /export/home/jjones/.keystore -file <filename>
then once we receive the cert back from VERISIGN...
<http://www.thawte.com/certs/trustmap.html>
Import the Chain Certificate into your keystore
keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>
And finally import your new Certificate (It must be in X509 format):
keytool -import -alias tomcat -keystore <your_keystore_filename> -trustcacerts -file <your_certificate_filename>
Then I moved the keystore from my home directory to the "connector"
defined location. In this case, does keytool build the path from my home
directory into the keystore file?
Jeff
Re: SSL
Posted by Jason Bainbridge <jb...@gmail.com>.
On 4/26/05, jejones@playstation.sony.com <je...@playstation.sony.com> wrote:
> I generated a new cert request utilizing keytool, sent that to verisign,
> they returned the cert. Then I created a new keystore file, first
> importing a chaincert, then importing the new cert. When I stop the
> server, move the keystore file in place, start the server up, I continue
> to get an expiration notice upon https request to the host. In a
> troubleshooting effort, I moved the keystore file, stop/started the
> server and *still* get the expired notice upon https request... The
> server.xml file' SSL config points to the directory for which I have
> located the keystore file too.
Are you specifying the location of the keystore with a keystoreFile
parameter in your HTTPS connector? If not, you might be dealing with
the wrong .keystore; by default I think it stores it in the home
directory of the user that created it, so it might be pointing to the
wrong one. Try using keystoreFile if you aren't already.
Plus I don't think you can do it the way you did, by creating the CSR
in your old .keystore and then importing it into the new one; the cert
VeriSign returned needs to match up with the CSR, if I understand it
correctly.
Regards,