I have received a bunch of SSL certificates that I need to install into Tomcat servers, and normally this is easy enough. However, these certificates have had their private keys generated elsewhere and were handed over together with the private keys and all the SSL certificates.
Keytool doesn't allow me to import private keys directly, so I'm unable to follow the standard process of generating a private key and then sending it off to get the certificate. I have found another question 'https://stackoverflow.com/questions/906402/importing-an-existing-x509-certificate-and-private-key-in-java-keystore-to-use-i' which I was able to follow, and I managed to get the keystore kind of working with Tomcat. However, it seems the intermediary certificates are somehow not associated properly, and thus SSL checks actually fail.
Here is what I did:
- keytool -import -trustcacerts -alias Primary -file Primary.crt -keystore keystore.key
- keytool -import -trustcacerts -alias Secondary -file Secondary.crt -keystore keystore.key
- openssl pkcs12 -export -in domain.crt -inkey domain.key > server.p12
- keytool -importkeystore -srckeystore server.p12 -destkeystore keystore.key -srcstoretype pkcs12
So even though I have imported the primary and secondary intermediate certificates, it seems they are not part of the chain of the certificate imported from the generated PKCS12 file.
Error message that comes from the SSL checker:
Please install or replace the following intermediate CA certificates
on your Web or Application server and perform this test again.
——Certificate 2——
–Issued To–
Organization: Thawte, Inc.
Organizational Unit: Domain Validated SSL
Common Name: Thawte DV SSL CA
Country: US
–Issued By–
Organization: thawte, Inc.
Organizational Unit: (c) 2006 thawte, Inc. – For authorized use only
Organizational Unit 2: Certification Services Division
Common Name: thawte Primary Root CA
Country: US
Best Answer
Some applications (I can't remember if Tomcat is one of them) like to have the certificate chain as part of the same keystore entry as your server certificate, rather than as separate items.
To do this, first remove the two CA certs from the keystore:
Next, create a PKCS#7 file containing your cert with its CA chain:
Then import this into your existing keystore (this will overwrite the certificate, but keep the existing private key):
Make sure the alias you specify matches the alias of the cert/key already in the keystore.
Now, a keystore listing (keytool -list -keystore keystore.key) should show the certificate, with its CA chain, as a single keystore entry.