From: "Frank Yellin" <Frank.Yellin@eng.sun.com>
To: "Jan Luehe" <Jan.Luehe@eng.sun.com>, <java-security@java.sun.com>,
Subject: RE: Getting a CA-signed certificate. . . Futility
Date: Mon, 15 Mar 1999 10:21:01 -0800
> You generated a keystore and created a CSR,
> but then when you tried to import the reply, you specified
> a different keystore (or had removed the original one),
> so that the reply could not be identified as being a reply
> (because keytool could not find the corresponding keypair),
> and therefore your reply was interpreted as a trusted
> certificate, but since it was encoded in PKCS#7, keytool
> rejected it and printed the error message:
> "Input not an X.509 certificate".
Nope. I have exactly one keystore. I generated the CSR, had
it signed, and tried to import it all within about two minutes.
[Well, on the third try it was within two minutes.
The first couple of times took longer.]
I can send you a complete transcript, if you wish.
> "keytool error: Certificate chain in reply does not verify: Signature
> not available",
That would have been a more useful error message.
Perhaps www.thawte.com, for "development" certificates, changes the
CSR in some strange way? I have one keystore, with only one alias in it.
== Frank