SSL – How to install SSL certificates signed by a CA into Tomcat 8

Tags: https, ssl, ssl-certificate, tomcat

I have 2 certificates signed by a CA. I want to enable SSL on Tomcat using these certificates.

I ran the following commands to create a JKS file and import the certificates into that JKS file.

1. keytool -genkey -alias bmark.com -keyalg RSA -keystore keystore.jks
2. keytool -import -alias root -keystore keystore.jks -trustcacerts -file b32dasd75493.crt
3. keytool -import -alias intermed -keystore keystore.jks -trustcacerts -file sf_bundle-g2-g1.crt

And enabled HTTPS in Tomcat's server.xml:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" keystoreFile="/Users/test/Desktop/keystore.jks" keystorePass="changeme"/>

I started Tomcat and opened the URL https://bmark.com:8080 in Chrome, but it says the CA-signed SSL certificate is not trusted and claims it is self-signed. Do I need any other files apart from these?
How can I resolve this issue?

Best Answer

To check if the CA response got correctly installed run:

keytool -list -keystore /Users/test/Desktop/keystore.jks -alias bmark.com -v

It should show you your certificate chain from leaf to root.

In your connector definition you didn't specify the key alias, so the first certificate found is used. Change it to:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/Users/test/Desktop/keystore.jks"
           keystorePass="changeme"
           keyAlias="bmark.com" />

or, if you are using Tomcat 8.5 (you shouldn't use Tomcat 8.0), switch to the new SSL configuration:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" scheme="https" secure="true" SSLEnabled="true">
    <SSLHostConfig protocols="TLS">
        <Certificate certificateKeystoreFile="/Users/test/Desktop/keystore.jks"
                     certificateKeystorePassword="changeme"
                     certificateKeyAlias="bmark.com" />
    </SSLHostConfig>
</Connector>

Edit: To install all three certificates, you just need a file with your certificate and the intermediates, in order from stem to root, and run:

keytool -importcert -keystore /Users/test/Desktop/keystore.jks \
    -alias bmark.com -file <chain_file> -trustcacerts

or you might insert them separately, from root to stem.
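As an added example (not part of the answer above, and not the asker's keystore), here is a POSIX shell check that automates the `keytool -list -v` inspection the answer recommends: it reads the listing and reports whether the alias named in the connector's `keyAlias` is a private-key entry carrying a CA-issued chain. The two listings and the CA names are constructed; the first reflects what the question's three keytool steps would leave behind.

```shell
#!/bin/sh
# Parses `keytool -list -v` output. $1 = listing text, $2 = alias from the connector's keyAlias.
# Returns 0 when the alias exists, is a PrivateKeyEntry, and carries a chain of at least two
# certificates whose leaf is not self-signed; otherwise prints a reason and returns 1.
check_keystore_chain() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Alias name: / { inblock = (substr($0, 13) == want); if (inblock) found = 1; next }
        !inblock { next }
        /^Entry type: /               { etype = substr($0, 13) }
        /^Certificate chain length: / { clen = substr($0, 27) + 0 }
        /^Certificate\[1\]:/          { leaf = 1; next }
        leaf && /^Owner: /            { owner = substr($0, 8) }
        leaf && /^Issuer: /           { issuer = substr($0, 9); leaf = 0 }
        END {
            if (!found)                     { print "FAIL: alias " want " not in keystore"; exit 1 }
            if (etype != "PrivateKeyEntry") { print "FAIL: " want " is a " etype ", no private key"; exit 1 }
            if (clen < 2)                   { print "FAIL: chain length " clen ", CA reply was never imported"; exit 1 }
            if (owner == issuer)            { print "FAIL: leaf is self-signed: " owner; exit 1 }
            print "OK: " want " chain of " clen " certificates, leaf issued by " issuer
        }'
}

# Constructed listing, trimmed to the fields the check reads: -genkey left a self-signed
# placeholder under bmark.com, and only root/intermediate were imported as trusted entries.
AFTER_QUESTION_STEPS='Alias name: bmark.com
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=bmark.com, O=Example, C=US
Issuer: CN=bmark.com, O=Example, C=US
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US'

# Constructed listing after the CA reply (leaf + intermediates) is imported under the key alias.
AFTER_CHAIN_IMPORT='Alias name: bmark.com
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=bmark.com, O=Example, C=US
Issuer: CN=Example Intermediate CA - G2, O=Example, C=US
Certificate[2]:
Owner: CN=Example Intermediate CA - G2, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US'

check_keystore_chain "$AFTER_QUESTION_STEPS" bmark.com || true
check_keystore_chain "$AFTER_CHAIN_IMPORT" bmark.com
```

On a real keystore, feed it `"$(keytool -list -v -keystore keystore.jks)"` together with the `keyAlias` value from server.xml; a trustedCertEntry or a chain length of 1 is exactly the state Chrome reports as self-signed.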