Problem description:

I developed a web service to be consumed by another team.

These were my steps:

  • developed a web service with jax-ws 2.2.8 and jdk 1.7
  • deployed the web service to run on Tomcat 7
  • generated the client classes
  • created a self-signed server certificate using the jdk's keytool
  • configured Tomcat to support SSL connection
  • exported the generated server certificate to a certificate file
  • imported the server certificate into the truststore file
  • specified CONFIDENTIAL transport-guarantee in web.xml for the web service's servlet
  • developed a test client to consume the web service using the client classes

So then the other team started working with it and I was informed that the certificate is not properly signed. Is a self-signed certificate improperly signed? Is that true? I didn't think so. Well I don't want to argue the point. I was informed that they have their own signing authority that is already trusted by most of their system and it was suggested to me that I replace my cert with the one that is signed by the certs displayed in two screenshots that I was provided. I wasn't provided any further information but I guessed the screenshots were taken in Internet Explorer, Tools, Internet Options, Content, Certificates, Intermediate Certification Authorities, then in the list I found a certificate and clicked on View, clicked on Certification Path and my screen matches the screen of the other team member with one exception. His screen displays:

Company Name Root CA

Company Name Issuing CA

teamname.companyname.com

Whereas my screen only displays:

Company Name Root CA

Company Name Issuing CA

I don't see the

team.companyname.com

on my screen, and I'm not too sure how that got there or whether I need it.

Then I clicked on Details and compared Version, Serial number, Signature algorithm, Signature hash algorithm, Issuer, Valid from, Valid To, Subject and Public key and they are all the same. The rest of the fields are not visible in the screenshot.

So where do I go from here? I am not certain.

According to the Apache Tomcat 7 documentation, Tomcat operates only on JKS, PKCS11 or PKCS12 format keystores.

My questions are these:

1) Should I export the certificate using the Certificate Export Wizard? (I am using Windows 7)

2) If so, should I select the format Personal Information Exchange - PKCS #12 (.PFX)?

3) And if so, which of the following options need to be selected?

  • Include all certificates in the certification path if possible
  • Delete the private key if the export is successful
  • Export all extended properties

Wait! Hold on! I just tried to select Personal Information Exchange - PKCS #12 and it is disabled. Hmmm.

Is there a way to export the certificate from the browser for the purposes of somehow getting a keystore format supported by Tomcat? And I must add that I don't know how to get from point a to point b and any help would be appreciated. And it also concerns me that my certificate doesn't display:

teamname.companyname.com

in

Company Name Root CA

Company Name Issuing CA

teamname.companyname.com

Any ideas/suggestions/feedback would be greatly appreciated, as I am not too familiar with certificates!

User answer:

None of the above.

You need to follow the same steps you used to create your self-signed certificate but after you have created your Certificate Signing Request (CSR) you need to give that to the other team to get them to sign it with their Certificate Authority (CA). Then you continue as you did before.
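The CSR-based flow described in this answer, as an added example that is not part of the original post or the answerer's own steps. It uses openssl rather than keytool because the result is a PKCS12 keystore, which the question notes Tomcat 7 accepts directly; the other team's "Company Name Issuing CA" is replaced by a locally constructed CA so the script runs offline, and the host name and password are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Stands in for the other team's
# "Company Name Issuing CA" with a locally constructed CA so it runs offline;
# openssl is used instead of keytool because the result is a PKCS12 keystore,
# which Tomcat 7 accepts directly. Host name and password are placeholders.
set -eu

HOST=teamname.companyname.com   # placeholder for the service's DNS name
STOREPASS=changeit              # placeholder keystore password

make_signed_pkcs12() {          # $1 = working directory
  dir=$1
  # 1. Server key pair and CSR (the CSR is what you hand to the CA team;
  #    the private key never leaves this machine).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
    -out "$dir/server.csr" -subj "/CN=$HOST/O=Company Name" 2>/dev/null
  # 2. Constructed stand-in for the issuing CA (in reality the other team owns this).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$dir/ca.key" \
    -out "$dir/ca.crt" -subj "/CN=Company Name Issuing CA" 2>/dev/null
  # 3. The CA signs the CSR; the SAN extension carries the host name that appears
  #    as the leaf of the certification path in the other team's screenshot.
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$dir/san.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
  # 4. Bundle key + signed cert + CA chain into the PKCS12 keystore Tomcat loads
  #    (keystoreFile/keystorePass/keystoreType="PKCS12" on the HTTPS connector).
  #    On OpenSSL 3 add -legacy if an old JDK cannot read the file.
  openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" \
    -certfile "$dir/ca.crt" -name tomcat -out "$dir/tomcat.p12" \
    -passout "pass:$STOREPASS"
}

# Checks worth running before handing the keystore to Tomcat.
verify_chain()       { openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1; }
server_cert_issuer() { openssl x509 -in "$1/server.crt" -noout -issuer; }
chain_cert_count()   { openssl pkcs12 -in "$1/tomcat.p12" -passin "pass:$STOREPASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }

command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to do" >&2; exit 0; }
work=$(mktemp -d)
make_signed_pkcs12 "$work"
verify_chain "$work" && echo "chain verifies against the CA"
server_cert_issuer "$work"                                     # issuer is the CA, not the server
echo "certificates in keystore: $(chain_cert_count "$work")"   # 2: server + CA
```

The self-signed certificate from the original steps is simply never used; the issuer of the served certificate is now the CA the other team already trusts.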
