I've only barely glanced at this thread, so forgive me if I'm saying
something that's already been mentioned, or that's irrelevant.

But yesterday, I was tearing my hair out over something similar while
setting up a keystore for a customer: it seems that the customer's CA of
choice had assumed that the customer was using the same keystore that
they'd used previously (I'd created a new one because of some changes in
ownership and location information), and so they'd signed the CSR with
the OLD intermediate certificates, without bothering to tell anybody.
And so every time I tried to plug the response certificate in with the
NEW intermediates, Keytool would balk.

I dunno what possessed me to try the old intermediates, but try them I
did (by that time, I'd also found and installed "KeyStore Explorer," a
nifty little open-source Keytool-replacement). (Ironically, because
installing a CSR response certificate is a bit counter-intuitive in
KeyStore Explorer [it's ONLY on the right-click menu, and ONLY if you
right-click on a keypair], the keystore I made using it was worthless,
but once I'd discovered the problem, I'd also done one with Keytool as a
backup. Didn't find out I'd screwed up the KeyStore Explorer version
until this afternoon, and didn't figure out the right way to do it in
KeyStore Explorer until after I'd already put the Keytool version of the
keystore into service.)
--
JHHL
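
The situation described in this message, as an added example that is not part of the original post: a shell script that checks which candidate CA certificate actually signed a CSR reply before it is imported into the keystore. It assumes the `openssl` CLI is installed; the function names, file names and the throwaway self-signed CAs standing in for the old and new intermediates are constructed for illustration.

```shell
#!/bin/sh
# Added example: find which candidate CA certificate actually signed a CSR reply.
# Every certificate here is a throwaway, constructed stand-in made with openssl.
set -eu

quiet() { "$@" >/dev/null 2>&1; }

# Print the first candidate whose key verifies the reply's signature; fail if none.
# -partial_chain lets a non-root intermediate act as the trust anchor for this check.
find_signer() {
  reply=$1; shift
  for ca in "$@"; do
    if quiet openssl verify -partial_chain -CAfile "$ca" "$reply"; then
      echo "$ca"
      return 0
    fi
  done
  return 1
}

# Constructed scenario: two CAs ("old" and "new") and a reply signed by "old".
make_demo() {
  d=$(mktemp -d)
  for n in old new; do
    quiet openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=Example Intermediate $n" -keyout "$d/$n.key" -out "$d/$n.pem"
  done
  quiet openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=tomcat.example.test" -keyout "$d/server.key" -out "$d/server.csr"
  quiet openssl x509 -req -in "$d/server.csr" -days 1 \
    -CA "$d/old.pem" -CAkey "$d/old.key" -CAcreateserial -out "$d/reply.pem"
  echo "$d"
}

demo=$(make_demo)
echo "reply chains to: $(find_signer "$demo/reply.pem" "$demo/new.pem" "$demo/old.pem")"
rm -rf "$demo"
```

Run against real files, `find_signer reply.pem new-intermediate.pem old-intermediate.pem` names the intermediate to import ahead of the reply.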