I bought a wildcard SSL certificate at RapidSSL, which provided me a web certificate and an intermediate certificate. I installed the web certificate using:

keytool -import -alias root -keystore keystore -trustcacerts -file valicert_class2_root.crt

Maybe the web certificate is not a root certificate?!

And I installed the intermediate certificate using:

keytool -import -alias intermed -keystore keystore -trustcacerts -file gd_intermediate.crt

I didn't get any cross certificates.

I used the following URL to create the keystore file:

http://trac.red5.org/wiki/Documentation/Tutorials/Red5DeveloperTips/SSLTLS

The problem is that when I try to browse on HTTPS, the browser complains that it's a self-signed certificate.

Any ideas?!

Thanks!

ufk

1 Answer

The CA-provided web certificate for your site is not a root certificate, but you added it as if it were a root certificate. Client browsers and runtimes should have the root certificate--you would only need to install the intermediate into your server's keystore with the -trustcacerts option.

I think you should have imported the web cert without the -trustcacerts option.

mahnsc
  • I tried importing the web cert without the -trustcacerts but I got the exact results. – ufk Oct 10 '11 at 13:38
  • You removed the site certificate first, then imported without -trustcacerts? – mahnsc Oct 10 '11 at 13:55
  • I created a new certificate at GoDaddy instead and it provided all the required certificates. It would not work with or without the -trustcacerts property. I enabled debug; the output is at http://pastebin.com/Hdp9XyLq – ufk Oct 10 '11 at 17:18
  • It's not the same results. Now, instead of getting a warning that I have a self-signed certificate, I get an empty page in the browser and the output in pastebin as the error in the red5.log – ufk Oct 10 '11 at 17:23
  • This post on Google Groups might help: http://code.google.com/p/red5/issues/detail?id=109 (although I'm not sure). A blank page would indicate that SSL might actually be working. You can always try to connect with openssl or curl to your HTTPS listener to see whether you at least get a successful handshake or not. – mahnsc Oct 10 '11 at 18:48
  • When I use that same keystore file on Tomcat 6 on the same Linux server, HTTPS does work. – ufk Oct 11 '11 at 13:25
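
Added example (not part of the original posts): a way to check which certificate a keystore will actually serve, by classifying each entry in `keytool -list -v` output. The listing below is constructed to model the question's keystore; the key alias `sitekey` and all subject names are assumptions, since the thread does not give them.

```shell
#!/bin/sh
# Added example: classify each entry of `keytool -list -v` output read on stdin.
# Real use: keytool -list -v -keystore keystore | audit_listing
audit_listing() {
  awk '
    function emit() {
      if (alias == "") return
      verdict = "trusted-cert-only"        # trust anchor, never served as the site cert
      if (type == "PrivateKeyEntry") {
        if (len >= 2)             verdict = "ca-chain-installed"
        else if (owner == issuer) verdict = "self-signed"
        else                      verdict = "leaf-without-chain"
      }
      printf "%s\t%s\n", alias, verdict
    }
    /^Alias name: / { emit(); alias = substr($0, 13); type = ""; len = 0; owner = ""; issuer = "" }
    /^Entry type: / { type = substr($0, 13) }
    /^Certificate chain length: / { len = $NF + 0 }
    /^Owner: /  && owner == ""  { owner = substr($0, 8) }    # first cert of the entry = leaf
    /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
    END { emit() }
  '
}

# Constructed listing (assumed names): CA-issued cert stored under "root", key under "sitekey".
sample_listing() {
  cat <<'EOF'
Alias name: root
Entry type: trustedCertEntry
Owner: CN=*.example.com
Issuer: CN=Example Intermediate CA

Alias name: intermed
Entry type: trustedCertEntry
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA

Alias name: sitekey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=*.example.com
Issuer: CN=*.example.com
EOF
}

sample_listing | audit_listing
```

A `self-signed` verdict on the PrivateKeyEntry means the CA-issued certificate was never attached to the private key, so the server still presents the certificate generated with the key pair. keytool replaces that certificate with the CA chain only when the CA reply is imported under the same alias as the key entry.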