
I have a wildcard SSL certificate that was generated by one of our server admins. I would like to use a copy for one of our sub-domains. Do I need to go through recreating a CSR file using keytool? How do I just import the 3 files, as shown below, to the server?

  • gd_bundle-g2-g1.crt
  • gdig2.crt
  • some_hex_string.crt
MadHatter

3 Answers


Have you tried following the process described in the documentation?

Here's what your files are (source: GoDaddy cert chain repo)

  • gd_bundle-g2-g1.crt: Go Daddy Certificate Bundles - G2 With Cross to G1, includes Root
  • gdig2.crt: Go Daddy Secure Server Certificate (Intermediate Certificate) - G2
  • some_hex_string.crt: Your certificate

Before you start, you may wish to confirm what exactly all these files are from your server admin, just in case...

You will also need the private key for the wildcard cert if you want to install it on your Tomcat server, unless you already have the private key (e.g. if this is a renewal). If this is a fresh install, you will definitely need the private key.

Also keep in mind that keytool is extremely unforgiving and also very dumb when it comes to error messages. It will mislead you with useless error messages like

keytool error: java.lang.Exception: Failed to establish chain from reply

What that could mean is that you need to explicitly specify key sizes and algorithms manually (see keytool help for syntax and parameters).

Practical advice: avoid keytool unless you absolutely have to, or unless you know it inside out. It will most likely drive you insane, unless you know it well. If you don't know it well or get stuck, I suggest using a third-party Java keystore editor like KeyStore Explorer or Portecle.

Advice #2: use nginx as a reverse-proxy front end and SSL offloader for your site. SSL is much easier to implement on nginx, and it will allow your Tomcat instance to focus on application delivery, which is more than enough to keep a Tomcat instance busy. :) Furthermore, you will be able to tweak your SSL/TLS settings to achieve a reasonable score on Qualys' SSL Labs SSL Test. In this day and age of numerous SSL vulnerabilities, this is not a bad idea... I'm not certain what the default Tomcat 6 SSL config scores on that test.

Rouben
  • A CSR was generated from one of our servers (MS Windows) using the CN=*.domain.org and I want to add site.domain.org. I have been asked by them to just load these certificates, as they were requested as Tomcat SSL certificates, but most documentation mentions using the keystore generated by keytool to create a CSR which can be used to request an SSL certificate. So I am a bit caught up wondering how I can go about this. When I create the keystore file and import the certificates into this keystore, the browsers still treat the connection as though it were a self-signed certificate. – Jaseme Jakorango Jan 24 '15 at 12:24
  • If the browsers are not recognizing the cert, it means that you didn't import the chain certs correctly. In other words, you didn't import **gd_bundle-g2-g1.crt** and **gdig2.crt** into your keystore correctly. – Rouben Jan 26 '15 at 18:22

For Tomcat 9 I followed creating the PKCS12 format keystore as per this documentation http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Configuration. Since I have the signed certificate from GoDaddy, I imported the required certificates and key into the PKCS12 keystore by executing the following OpenSSL command.

openssl pkcs12 -export -in mycert.crt -inkey mykey.key \
    -out mycert.p12 -name tomcat -CAfile myCA.crt \
    -caname root -chain

  • mycert.crt -> is your certificate provided by GoDaddy (usually, this will be your GoDaddy serial number.crt)
  • mykey.key -> The key that is created along with the CSR.
  • mycert.p12 -> This is going to be your keystore file.
  • myCA.crt -> is your root certificate provided by GoDaddy (in my case, it was gd_bundle-g2-g1.crt).

After running the above command, the mycert.p12 file will get generated to the location you mentioned.

Now configure the same into your server.xml

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"
           keystoreFile="/your/path/mycert.p12" keystorePass="changeit" keyAlias="tomcat" />

keyAlias="tomcat" is the -name given while creating the PKCS12 keystore.

Save the files and then restart the server.
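Before running the PKCS12 command from the Tomcat 9 answer (or fighting keytool's "Failed to establish chain from reply"), it is worth checking that the three files really are what the first answer says they are, that the private key belongs to the leaf, and that the resulting keystore carries the intermediate and not just the server cert (the missing-intermediate case is exactly what makes browsers treat the site as self-signed, as the comment thread on the first answer describes). The script below is an added example, not code from any answer in this thread. It needs only the openssl CLI (1.1.1 or 3.x). Because a real GoDaddy chain cannot be shipped here, it first builds a constructed three-level chain (root, intermediate, wildcard leaf) with made-up names; the file names root.crt, intermediate.crt, bundle.crt, wildcard.crt, the CNs, and the password changeit are all stand-ins for the question's gd_bundle-g2-g1.crt, gdig2.crt, some_hex_string.crt and your own key and password.

```shell
#!/bin/sh
# Added example for this thread, not from any of the answers above.
# Assumes only the openssl CLI. All certificates, names and the password are
# constructed test data, not real GoDaddy material.
set -eu

# Build a constructed test chain in directory $1:
#   root.crt          (self-signed root, the role of the GoDaddy root)
#   intermediate.crt  (signed by root, the role of gdig2.crt)
#   wildcard.crt/.key (CN=*.example.org, signed by intermediate, the role of some_hex_string.crt)
#   bundle.crt        (intermediate followed by root, the role of gd_bundle-g2-g1.crt)
make_test_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.example.org,DNS:example.org\n' >"$d/leaf.ext"

  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -set_serial 1 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -days 30 -set_serial 2 -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.org" \
    -keyout "$d/wildcard.key" -out "$d/wildcard.csr" 2>/dev/null
  openssl x509 -req -in "$d/wildcard.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
    -days 30 -set_serial 3 -extfile "$d/leaf.ext" -out "$d/wildcard.crt" 2>/dev/null

  cat "$d/intermediate.crt" "$d/root.crt" >"$d/bundle.crt"
}

# Check 1: identify a .crt by printing "subject -> issuer". A self-signed root
# shows the same name on both sides; the leaf should name the intermediate as issuer.
cert_identity() {
  s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[^=]*=//')
  i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^[^=]*=//')
  printf '%s -> %s\n' "$s" "$i"
}

# Check 2: does leaf $1 chain up to the trusted certs in $2? Verifying against the
# root alone fails when the intermediate is missing, which is the browser complaint.
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 3: does private key $2 belong to certificate $1? Compares the public keys.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey)
  k=$(openssl pkey -in "$2" -pubout)
  [ "$c" = "$k" ]
}

# Build the Tomcat keystore with the same command as the Tomcat 9 answer:
# $1 leaf, $2 key, $3 CA bundle, $4 output .p12, $5 keystore password.
# -chain makes openssl pull the intermediate and root out of the bundle.
build_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$4" -name tomcat \
    -CAfile "$3" -caname root -chain -passout "pass:$5"
}

# Check 4: how many certificates does keystore $1 hold? 3 = leaf + intermediate + root.
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

run_demo() {
  d=$1
  make_test_chain "$d"
  for f in root.crt intermediate.crt wildcard.crt; do
    printf '%-18s %s\n' "$f" "$(cert_identity "$d/$f")"
  done
  verify_chain "$d/wildcard.crt" "$d/bundle.crt" && echo "chain verifies against bundle: OK"
  verify_chain "$d/wildcard.crt" "$d/root.crt" || echo "chain against root only: FAIL (intermediate missing)"
  key_matches_cert "$d/wildcard.crt" "$d/wildcard.key" && echo "private key matches leaf: OK"
  build_p12 "$d/wildcard.crt" "$d/wildcard.key" "$d/bundle.crt" "$d/tomcat.p12" changeit
  echo "certificates in tomcat.p12: $(p12_cert_count "$d/tomcat.p12" changeit)"
}

run_demo "${WORK:-$(mktemp -d)}"
```

With real files, point cert_identity at each of the three .crt files first; whichever one names your *.domain.org subject is the leaf, and the one it names as issuer must appear in the bundle you pass as -CAfile, or -chain will not find it and the keystore will lack the intermediate. The keystore password you pick in build_p12 is the keystorePass that goes into server.xml, and "tomcat" is the keyAlias.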


Maybe this will help you going through the problem: http://linuxadmin.com.pl/tomcat-and-ssl-certificates-small-how-to/

Anyway, IMHO handling SSL in Tomcat is quite hard. That is why I prefer putting Apache/Nginx 'in front' of Tomcat.

Piotr
  • Suppose I have several tomcat servers, do I need to generate and submit multiple CSRs for each server? And how do you – Jaseme Jakorango Jan 24 '15 at 12:28
  • CSR, Certificate Signing Request, is needed only when you buy or create an SSL certificate on your own. It is not needed in server configuration. If you have a wildcard certificate you can reuse *.crt, *.key and the intermediate SSL certificate on every server you have. – Piotr Jan 24 '15 at 16:22