Miguel,

On 4/26/12 5:58 AM, Miguel González Castaños wrote:
> On 26/04/2012 03:58, Christopher Schultz wrote:
>> Miguel,
>>
>> On 4/25/12 6:24 PM, Miguel González Castaños wrote:
>>>> Please post your SSL <Connector> configuration (cleansed of
>>>> any passwords).
>
> By the way, double-checking the info from my web browser I get this
> is a verisign class 3 secure server G3

It looks like you were using the "EV" intermediate certificates before. This page[1] says that C3G3 certs are not frequently used except for client certificates... is that what you've got?

[1] http://www.verisign.com/support/roots.html

> I'm sorry but I come from the Apache world and I'm pretty new to
> Tomcat. Also I have inherited this server and the configuration is
> messy.

When you use Java, you generally have to work with keystores. It's just a file full of keys and certificates. Think of a Java keystore as all of the following httpd directives mashed together into a single binary entity:

  SSLCertificateKeyFile
  SSLCertificateFile
  SSLCertificateChainFile
  SSLCACertificateFile

Also, you have to use an "alias" that Tomcat uses (it's "tomcat") as the alias for the certificate to actually use for the server (as opposed to any other certificates you might have in the keystore).

> Maybe I'm wrong but should I add the CAcert somewhere in the SSL
> connector?

There's no place to do that: the whole chain must be in the keystore, including the CA root all the way down to your own certificate. You may be able to get away with not having the very top-root CA certificate... I haven't worked too much with Java keystores, so it's possible that there is a set of root, trusted certificates that are inherited by all keystores, but there are many ways to create/configure a ServerSocketFactory, so it's probably possible to set one up either with or without that globally-recognized set of root CA certs (i.e. those trusted by the JVM implicitly).
If you are getting this error in Javamelody, then you need to configure Javamelody properly -- this isn't a Tomcat thing if web browsers can connect properly to Tomcat via HTTPS.

-chris
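One way to verify what Chris describes (a private key under the "tomcat" alias with the full chain behind it), as an added example that is not part of this thread: a small Python check over the text of `keytool -list -v`. The sample listing below is constructed, and the field labels the parser relies on ("Alias name:", "Entry type:", "Owner:", "Issuer:") are assumed from keytool's verbose output format.

```python
import re

# Constructed `keytool -list -v -keystore <file>` output (names illustrative); assumes
# keytool's verbose labels "Alias name:", "Entry type:", "Owner:", "Issuer:".
SAMPLE_KEYTOOL_OUTPUT = """\
Your keystore contains 1 entry

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.example.com, O=Example Corp, C=ES
Issuer: CN=Example Intermediate CA - G3, O=Example CA, C=US
Certificate[2]:
Owner: CN=Example Intermediate CA - G3, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
"""
# Same listing cut after the server cert: what you see when only the end-entity
# certificate was imported under "tomcat" and the intermediate is missing.
BROKEN_SAMPLE = SAMPLE_KEYTOOL_OUTPUT.split("Certificate[2]:")[0]

def parse_entries(text):
    """Map alias -> {"type": entry type, "chain": [(owner, issuer), ...]}."""
    entries = {}
    for block in re.split(r"\n(?=Alias name: )", text):
        alias = re.search(r"^Alias name: (.+)$", block, re.M)
        if not alias:
            continue  # keystore header, not an entry
        etype = re.search(r"^Entry type: (.+)$", block, re.M)
        owners = re.findall(r"^Owner: (.+)$", block, re.M)
        issuers = re.findall(r"^Issuer: (.+)$", block, re.M)
        entries[alias.group(1).strip()] = {"type": etype.group(1).strip() if etype else "",
                                           "chain": list(zip(owners, issuers))}
    return entries

def check_server_entry(text, alias="tomcat"):
    """Return problems; [] means the alias holds a key whose chain is present and linked."""
    entry = parse_entries(text).get(alias)
    if entry is None:
        return [f"no entry with alias '{alias}'"]
    problems = []
    if entry["type"] != "PrivateKeyEntry":
        problems.append(f"alias '{alias}' is a {entry['type']}, not a PrivateKeyEntry")
    chain = entry["chain"]
    if len(chain) < 2:
        problems.append("chain holds only the server certificate; intermediates missing")
    for i in range(len(chain) - 1):  # each cert's issuer must be the next cert's owner
        if chain[i][1] != chain[i + 1][0]:
            problems.append(f"Certificate[{i + 1}] issuer != Certificate[{i + 2}] owner")
    return problems
```

Run it against the real listing with `check_server_entry(subprocess.check_output([...keytool args...], text=True))`; an empty list is the state Chris describes, anything else names what the keystore is missing.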