I have 2 certificates signed by a CA. I want to enable SSL on Tomcat using these certificates.
I ran the following commands to create jks file and imported the certificates into that jks file.
1. keytool -genkey -alias bmark.com -keyalg RSA -keystore keystore.jks
2. keytool -import -alias root -keystore keystore.jks -trustcacerts -file b32dasd75493.crt
3. keytool -import -alias intermed -keystore keystore.jks -trustcacerts -file sf_bundle-g2-g1.crt
And enabled HTTPS in Tomcat's server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="/Users/test/Desktop/keystore.jks" keystorePass="changeme"/>
Started Tomcat and opened the URL https://bmark.com:8080 in Chrome, but it claims that the CA-signed SSL certificate is not trusted and that it is self-signed. Do I need any other files apart from these?
How can I resolve this issue?
Best Answer
To check whether the CA response was installed correctly, run:
It should show you your certificate chain from leaf to root.
In your connector definition you didn't specify the key alias, so the first certificate found is used. Change it to:
or, if you are using Tomcat 8.5 (you shouldn't use Tomcat 8.0), switch to the new SSL configuration:
Edit: To install all three certificates you just need a file with your certificate and the intermediates in order from stem to root and run:
or you might insert separately from root to stem.
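As an added example (not part of the question or the answer above): a small Python parser for the `keytool -list -v` output the answer asks you to inspect. It flags any PrivateKeyEntry that still carries only its self-signed certificate, which is the state that makes Tomcat serve the `-genkey` certificate and Chrome report it as self-signed. The sample output, alias names and subject names below are constructed assumptions, not data from the asker's keystore.

```python
# Constructed sample of `keytool -list -v -keystore keystore.jks` output, not the
# asker's real keystore: the PrivateKeyEntry bmark.com still holds only the
# self-signed cert from -genkey, while the CA cert sits in a trustedCertEntry slot.
SAMPLE_KEYTOOL_OUTPUT = """\
Alias name: bmark.com
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=bmark.com, O=Example
Issuer: CN=bmark.com, O=Example
*******************************************
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
"""

def parse_keytool_list(text):
    """Parse `keytool -list -v` output into {alias: entry dict}."""
    entries, current = {}, None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if key == "Alias name":
            current = entries.setdefault(
                value, {"type": None, "chain_length": 1, "owners": [], "issuers": []})
        elif current is None or not value:
            continue  # separator lines, blanks, "Certificate[1]:" headers
        elif key == "Entry type":
            current["type"] = value
        elif key == "Certificate chain length":
            current["chain_length"] = int(value)
        elif key == "Owner":
            current["owners"].append(value)
        elif key == "Issuer":
            current["issuers"].append(value)
    return entries

def self_signed_key_entries(entries):
    """Aliases Tomcat would serve with a self-signed leaf: chain length 1 or
    leaf Owner == Issuer. A correctly installed CA reply shows neither."""
    bad = []
    for alias, e in entries.items():
        if e["type"] != "PrivateKeyEntry":
            continue  # trustedCertEntry slots are never served as the server cert
        leaf_self_signed = bool(e["owners"]) and e["owners"][:1] == e["issuers"][:1]
        if e["chain_length"] < 2 or leaf_self_signed:
            bad.append(alias)
    return sorted(bad)
```

Pipe real output in with `keytool -list -v -keystore keystore.jks | python3 check.py` after adding a `sys.stdin.read()` call; an empty result from `self_signed_key_entries` means the key alias carries a CA-issued chain.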