OK, I think I've figured out what went wrong. I forgot to click the PKS7 checkbox when generating the test cert. (I know, I know but it has been a very long day). I have it working now, I still don't really understand why I had to install the same cert in my browser as I installed in my Tomcat keystore but I guess that is for another day.
I have pasted the sequence of events below this message just in case anyone else is trying to get this working. Just FYI, the docs state that thawte root certs are at http://www.thawte.com/certs/trustmap.html. This has changed to https://www.thawte.com/roots. This is NOT a criticism of the documentation, which in all other respects seems to be spot on.

---------------------------------------------------------------------------------------------------------------------

Installing a thawte test cert, please ignore if you are not interested

First of all let me say that I followed the instructions at http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html to the letter. Here is the sequence of events.

$> keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat/sslkeys/.keystore

This generated a self signed certificate. I know this works because I can access via https and when the browser pops up the unknown certification authority message I can see the values I used to create the keystore.
I then did the following

keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore /usr/local/tomcat/sslkeys/.keystore

This created a file certreq.csr in the directory in which I ran the command (and no doubt did some other stuff as well).

I then went to www.thawte.com and clicked the 'trials' menu item. Under the SSL FREE Trial Certificate heading I clicked 'Download Trial'. I filled in the details, selected the 'immediately' radio button and clicked 'continue'. Making very sure I clicked the PKS7 check box under the 'select your trial certificate' heading, I selected the SSL Web Server Certificate (All servers) radio. I pasted in my CSR and clicked continue. I got what I assume to be a certificate. I copied this to a text file called thawte_test_cert.txt and uploaded it to my server.

Next I went and got the Thawte Root certificate bundle. Incidentally (and this is NOT a criticism of the documentation) the docs state that these certs are available at http://www.thawte.com/certs/trustmap.html. This has changed to https://www.thawte.com/roots. Just FYI.

Anyway, after unzipping the thawte-roots.zip file I selected the ./Thawt Test Roots/thawte test root.cer file and installed it thus

keytool -import -alias tomcat -keystore /usr/local/tomcat/sslkeys/.keystore -trustcacerts -file "thawte test root.cer"

(note the "" required on Debian Linux). This seemed to work.

I then installed the test certificate generated as described above thusly

keytool -import -alias tomcat -keystore /usr/local/tomcat/sslkeys/.keystore -trustcacerts -file thawte_test_cert.txt

This seemed to work.

Now I apparently needed to install a Root CA certificate in my browser (Firefox 2.0.0.6) so I tried adding the Thawte Primary Root CA/Thawte_Primary_Root_CA.cer. I then tried to access my site via https (having restarted Tomcat of course). I got the (now familiar) Website Certified By An Unknown Authority message and when I checked out the certificate it was actually my own self-signed certificate....
OK, so I thought I'd try to install the same certificate in the browser as I installed in the keystore. This time I installed the ./Thawt Test Roots/thawte test root.cer into my browser and tried again (I restarted Tomcat just to be on the safe side) ... success. No more messages.

---------------------------------------------------------------------------------------------------------------------

On 8/13/07, Hassan Schroeder <[EMAIL PROTECTED]> wrote:
> On 8/13/07, Lyallex <[EMAIL PROTECTED]> wrote:
>
> > I was wondering if anyone has managed to get the Thawte SSL test
> > certificate working with Tomcat 5.5.
> >
> > I have created a CSR and submitted it to Thawte. I got a test certificate
> > back
>
> ? I'm not sure what "test" certificate you're referring to, but I have a
> Thawte cert on a client site, and the installation was by-the-book --
> <http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html>); did
> you follow that exactly?
>
> --
> Hassan Schroeder ------------------------ [EMAIL PROTECTED]
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
> ---------------------------------------------------------------------
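Added diagnostic, not code from this thread or from Tomcat: a small Java program that opens the keystore built by the commands above and reports whether the "tomcat" alias still holds only the self-signed certificate from -genkey (the symptom the browser showed) or a chain whose signatures verify up to a self-signed root. The keystore password "changeit" is an assumption (the ssl-howto default); the path and alias are taken from the commands above.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Usage: java KeystoreChainCheck [keystore] [alias] [password]
// Defaults match the commands in the message above; password is assumed.
public class KeystoreChainCheck {
    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "/usr/local/tomcat/sslkeys/.keystore";
        String alias = args.length > 1 ? args[1] : "tomcat";
        char[] password = (args.length > 2 ? args[2] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password); // also checks the keystore integrity MAC
        }
        if (!ks.isKeyEntry(alias)) {
            System.out.println("'" + alias + "' is not a private key entry; Tomcat cannot serve with it.");
            return;
        }
        // What Tomcat will send to the browser is exactly this chain, in this order.
        Certificate[] chain = ks.getCertificateChain(alias);
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = (X509Certificate) chain[i];
            System.out.printf("[%d] subject=%s%n    issuer=%s%n",
                    i, c.getSubjectX500Principal(), c.getIssuerX500Principal());
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        boolean leafSelfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
        if (chain.length == 1 && leafSelfSigned) {
            System.out.println("Only the self-signed cert from -genkey is present: "
                    + "the CA reply was never imported into this alias.");
            return;
        }
        // Each certificate must be signed by the key in the next one up; verify() throws if not.
        for (int i = 0; i + 1 < chain.length; i++) {
            chain[i].verify(chain[i + 1].getPublicKey());
        }
        X509Certificate top = (X509Certificate) chain[chain.length - 1];
        boolean topSelfSigned = top.getSubjectX500Principal().equals(top.getIssuerX500Principal());
        System.out.println(topSelfSigned
                ? "Chain verifies up to a self-signed root; clients must trust that root (a test root is not in browsers by default)."
                : "Chain stops at an intermediate; import the issuing root with -trustcacerts under its own alias before re-importing the reply.");
    }
}
```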