03-15-2006, 11:12 PM
nick20
Member
Posts: 12
Geotrust instruction to generate CSR

Thanks for marcmac's encouraging statement!

I did a Google search and found GeoTrust's instructions on how to generate a CSR.

-------------------------------------------------------------------------------------
http://www.geotrusteurope.com/suppor...rta_tomcat.htm

Generate a Certificate Signing Request (CSR) for an SSL Certificate from GeoTrust
Jakarta-Tomcat

Follow these instructions to generate a CSR for your Web site. When you have completed this process, you will have a CSR ready to submit to GeoTrust in order to be generated into an SSL Security Certificate.

If you are not using JDK 1.4 or higher, you must download and install "Java Secure Socket Extensions" JSSE.

1. Generate a private key with the following command:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/domainname.kdb

You will be prompted for a password. Tomcat uses a default password of "changeit". If you use a different password, you will need to specify a custom password in the server.xml configuration file.

The next field that you will be prompted for is "What is your first and last name?" At this prompt, you must specify the common name (FQDN) of your web site.

You will then be prompted for your organizational unit, organization, etc.

2. Generate the Certificate Signing Request (CSR)

$JAVA_HOME/bin/keytool -certreq -alias tomcat -keystore /path/to/keystore.kdb -file filename.csr

You will not be prompted for the common name, organization, etc. The keytool will use the values that you specify when generating the private key.

3. Now go to GeoTrust, select your certificate product and click the relevant Order Now button. Make sure that you have your CSR file handy - you will need this during the enrollment process. Go through the steps for purchasing a certificate and paste your certificate request in the block when prompted.
Be sure to include -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----

4. Make a backup of the keystore.kdb key database. GeoTrust is not responsible if your server crashes and this file is lost.
--------------------------------------------------------------------------------------------

After obtaining a CSR and then the crt file from GeoTrust, I successfully did the following to install a commercial SSL certificate:

su - zimbra
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
keytool -delete -alias my_ca -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

then using your new certificate and key run:
zmcertinstall mailbox ssl/ssl/server/commercial.crt

EXCEPT:
zmcertinstall mta ssl/ssl/server/commercial.crt ssl/ssl/server/commercial.key

It's because I don't have a commercial.key file. I assume that it should have been generated and encoded in the domainname.kdb (keystore file). Is there a way to extract the commercial.key file from the keystore file? If not, what will be an alternative way to generate the private key file?

- nick20
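On the question above about getting commercial.key out of the keystore created in step 1: one common route is to copy the entry to PKCS#12 with keytool and let openssl write the key as PEM, then confirm the key belongs to the issued certificate before installing it. This is an added example, not part of the original post or the GeoTrust instructions; the function names are hypothetical, and it assumes a keytool that supports -importkeystore (JDK 6 or later), openssl, and a key password equal to the keystore password.

```sh
# Added example, not from the original post. Function names are hypothetical.
# Assumes keytool from JDK 6 or later, openssl, and key password == store password.

# extract_key <keystore> <alias> <storepass> <out.key>
# Copies one keystore entry to a temporary PKCS#12 file, then writes its
# private key as unencrypted PEM. Passwords passed as arguments are visible
# in the process list, so run this only on a host you control.
extract_key() {
    tmp=$(mktemp -d) || return 1
    rc=0
    (
        umask 077   # key files must not be group- or world-readable
        keytool -importkeystore -noprompt \
            -srckeystore "$1" -srcstorepass "$3" -srcalias "$2" \
            -destkeystore "$tmp/entry.p12" -deststoretype PKCS12 \
            -deststorepass "$3" -destkeypass "$3" &&
        openssl pkcs12 -in "$tmp/entry.p12" -passin "pass:$3" \
            -nocerts -nodes -out "$4"
    ) || rc=$?
    rm -rf "$tmp"   # the intermediate PKCS#12 also holds the private key
    return "$rc"
}

# key_matches_cert <key.pem> <cert.pem>
# Returns 0 only when both files carry the same public key, 1 when they
# differ, and 2 when either file cannot be read or parsed.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$kpub" = "$cpub" ]
}

# Usage with the names from the post (the password is an assumption):
#   extract_key /path/to/domainname.kdb tomcat changeit commercial.key
#   key_matches_cert commercial.key commercial.crt && echo "key matches cert"
```

The extracted key is unencrypted, so keep it readable only by the account that runs the mail services and back it up together with the keystore.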