Re: how to get a digital certificate



jimgardener wrote:

> Hi,
> I am trying out the ssl-howto tutorial that comes with Apache
> Tomcat 5.5. I used
> keytool -genkey -alias tomcat -keyalg RSA to create a .keystore file
> in the home directory and added the password using keystorePass in the
> Connector element of server.xml. When I try
> https://localhost:8443 the browser complains that it is self-signed
> and that it uses an invalid security certificate (Error code:
> sec_error_ca_cert_invalid).

Certificates include the hostname. If your self-signed cert. was issued
containing the FQDN, then when you connect via "localhost" the hostname does
not match the hostname in the cert.

This got me when I was testing SSL, and connecting using an IP number. The same
problem arises there, the IP number does not match the hostname and the cert.
is refused.


> So I wanted to get a certificate from Verisign and went to their free
> SSL trial certificate page. In the textbox for pasting CSR data I
> copied the data of certreq.csr created by
> keytool -genkey -alias tomcat -keyalg RSA -keystore mylocalkeystore
> and
> keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore
> mylocalkeystore
>
> But here I get an error message that it contains invalid characters in
> the common name.
>
> Can someone please help me to get this right? Is the CSR created by
> keytool inappropriate? Do I have to use some other tool?

What Common Name did you use in the request? It must be the FQDN of the host for
which you are requesting the cert. When keytool asks you for your first and
last name this is the Common Name. Don't enter your name, enter the name of the
host. See
https://www.verisign.com/support/ssl-certificates-support/page_dev020184.html

If you have openssl installed you can view the contents of the request using the
command:

openssl req -text -noout -in /path/to/request

--
Nigel Wade
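
The advice in the reply above, as an added example that is not part of the original post: a script that refuses any Common Name that is not a host name, passes it to keytool with -dname instead of the "first and last name" prompt, and prints the subject of the resulting request with openssl. The function names is_fqdn and make_csr are hypothetical, and the syntax check is an assumption based on ordinary DNS host name rules, not the CA's own validation; the subject holds only a CN, so add whatever other fields your CA asks for.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# is_fqdn NAME: succeed only if NAME looks like a fully qualified host name.
# Assumption: ordinary DNS host name syntax, not any CA's published rule.
is_fqdn() {
    name=$1
    # A DNS name is at most 253 characters long.
    [ "${#name}" -le 253 ] || return 1
    # Two or more dot-separated labels of letters, digits and hyphens,
    # 1 to 63 characters each, never starting or ending with a hyphen.
    # This rejects "localhost" (one label) and a personal name (space).
    printf '%s\n' "$name" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$' \
        || return 1
    # An all-numeric last label means an IP address, which will not match
    # a host name in the certificate either.
    case ${name##*.} in
        *[!0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_csr HOST KEYSTORE CSRFILE: create the key pair and the request.
make_csr() {
    host=$1 keystore=$2 csr=$3
    is_fqdn "$host" || {
        echo "refusing: '$host' is not a fully qualified host name" >&2
        return 1
    }
    # -dname supplies the subject up front, so keytool does not ask
    # "What is your first and last name?" (that answer becomes the CN).
    # No password options are given: keytool prompts for them, which
    # keeps them out of the process list and the shell history.
    keytool -genkey -alias tomcat -keyalg RSA \
        -keystore "$keystore" -dname "CN=$host" &&
    keytool -certreq -alias tomcat -file "$csr" -keystore "$keystore" &&
    # Show the subject that will be submitted to the CA.
    openssl req -noout -subject -in "$csr"
}

# Run only when called with all three arguments, e.g. (constructed values):
#   sh make_csr.sh www.example.com mylocalkeystore certreq.csr
if [ "$#" -eq 3 ]; then
    make_csr "$@"
fi
```

Users must then browse to https://HOST:8443 using that same name, or the host name check described above fails again.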