I can't get my certificate bought from RapidSSL working on Tomcat, although it works on Apache.

RapidSSL requires that you install 2 intermediate ca files.

When I create a keystore from the private key, the certificate and the intermediary CAs, I can see

Entry type: PrivateKeyEntry
Certificate chain length: 1

The two intermediate certificates do not seem to be picked up, or something like that.

I have

I can get it working on an Apache server with the following settings:

SSLCertificateFile /root/ssl_certs/rapidssl.crt
SSLCertificateKeyFile /root/ssl_certs/privatekey.key
SSLCACertificateFile /root/ssl_certs/intermediate.crt

I have heard of something called a root certificate, and I don't know what that is. Is that something that I need?

I have heard that Tomcat should be able to use PKCS12, so I did this to try to create a PKCS12 file:

openssl pkcs12 -export -in rapidssl.crt -inkey privatekey.key -out mycert.p12 -name tomcat -CAfile intermediate.crt -caname root -chain

But I get the error:

Error unable to get local issuer certificate getting chain.

The intermediate.crt has the primary and secondary CAs in it.

fredrik.hjarner
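The error in the question comes from `-chain`: openssl builds the chain from the server certificate up to a self-signed root, and it will only do that when the root itself is in the `-CAfile` bundle. The script below is an added example, not part of the question or the answers; it creates a throw-away root, intermediate and server certificate with openssl (all names, file names and the password "changeit" are constructed for the demo), reproduces the failure with only the intermediate in `-CAfile`, then builds the PKCS12 with intermediate plus root and counts the certificates it carries.

```shell
#!/bin/sh
# Added example (not from the question or the answers): builds a throw-away
# root -> intermediate -> server chain with openssl, shows why the question's
# `openssl pkcs12 -export ... -chain` fails, then builds the PKCS12 correctly so
# it carries all three certificates for Tomcat.  Every file name, subject name
# and the password are constructed for this demo.
set -u

# Generate root CA, intermediate CA and server certificate into directory $1.
build_demo_chain() {
  d="$1"
  mkdir -p "$d" || return 1
  # self-signed root CA (the "root certificate" the question asks about)
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=demo-root-ca" \
    -keyout "$d/root.key" -out "$d/root.csr" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -sha256 \
    -extfile "$d/ca.ext" -out "$d/root.crt" >/dev/null 2>&1 || return 1
  # intermediate CA signed by the root (plays the role of RapidSSL's intermediate.crt)
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=demo-intermediate-ca" \
    -keyout "$d/inter.key" -out "$d/inter.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$d/ca.ext" \
    -out "$d/inter.crt" >/dev/null 2>&1 || return 1
  # server certificate signed by the intermediate (plays the role of rapidssl.crt)
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
    -keyout "$d/privatekey.key" -out "$d/server.csr" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$d/leaf.ext" \
    -out "$d/rapidssl.crt" >/dev/null 2>&1
}

# Same check a TLS client performs: trust the root, use the intermediate as an
# untrusted helper, verify the server certificate.  Echoes OK or FAIL.
verify_chain() {
  d="$1"
  if openssl verify -CAfile "$d/root.crt" -untrusted "$d/inter.crt" \
       "$d/rapidssl.crt" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Mirrors the question's command: only the intermediate in -CAfile.
# Echoes "fails" when openssl cannot complete the chain, "succeeds" otherwise.
export_with_intermediate_only() {
  d="$1"
  if openssl pkcs12 -export -in "$d/rapidssl.crt" -inkey "$d/privatekey.key" \
       -out "$d/broken.p12" -name tomcat -passout pass:changeit \
       -CAfile "$d/inter.crt" -chain >/dev/null 2>&1; then
    echo succeeds
  else
    echo fails   # "unable to get local issuer certificate": no root to stop at
  fi
}

# The fix: intermediate AND root in the -CAfile bundle, so -chain can walk all
# the way up.  Echoes the number of certificates stored in the .p12.
export_with_full_chain() {
  d="$1"
  cat "$d/inter.crt" "$d/root.crt" > "$d/ca-bundle.crt"
  openssl pkcs12 -export -in "$d/rapidssl.crt" -inkey "$d/privatekey.key" \
    -out "$d/mycert.p12" -name tomcat -passout pass:changeit \
    -CAfile "$d/ca-bundle.crt" -chain >/dev/null 2>&1 || { echo 0; return 1; }
  # read the container back and count the certificate blocks it contains
  openssl pkcs12 -in "$d/mycert.p12" -passin pass:changeit -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Runs the whole demonstration in a temporary directory and echoes one summary
# line; echoes "skip" when openssl is not installed on this machine.
run_demo() {
  command -v openssl >/dev/null 2>&1 || { echo skip; return 0; }
  d=$(mktemp -d) || return 1
  build_demo_chain "$d" || { echo "build failed"; rm -rf "$d"; return 1; }
  echo "verify=$(verify_chain "$d") intermediate-only=$(export_with_intermediate_only "$d") certs-in-p12=$(export_with_full_chain "$d")"
  rm -rf "$d"
}

run_demo
```

With a working openssl the summary line reads `verify=OK intermediate-only=fails certs-in-p12=3`. The same applies to the real RapidSSL files: concatenate the intermediate bundle and the root certificate into one file for `-CAfile`, and `keytool -list -v` on the resulting keystore then reports a chain length of 3 instead of 1.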

2 Answers

Try using Portecle to import all your stuff. I haven't used it myself, but the complete mess that is Java Keystores is evidently a lot more manageable if you use a tool like Portecle.

If you want to get better performance out of Tomcat and not bother merging your keys, certs, etc. into a single binary ball, consider using Tomcat's APR connector. You can use the same cert and key files you already use with Apache httpd, and you'll get better crypto performance.

Christopher Schultz
  • Thank you again! Using APR solved my problem! I am using a Windows Server 2008 and I had to download OpenSSL from http://slproweb.com/download/Win32OpenSSL-1_0_1f.exe and APR from https://archive.apache.org/dist/tomcat/tomcat-connectors/native/1.1.29/binaries/tomcat-native-1.1.29-win32-bin.zip and then put it in the java/bin folder (or any folder that the server looks in for the APR packages). One thing to keep in mind is that the tomcat-native-1.1.29-win32-bin.zip contains three DLLs and the right one has to be used; if you don't know which one you need, then just try them one after the other. – fredrik.hjarner Mar 14 '14 at 12:42
  • Tomcat ships with a statically-linked tcnative that should include both OpenSSL and libAPR for win32. Are you sure you had to download something additional? The DLLs you have to pick from are for different architectures, and must match your JRE architecture (e.g. i386, x86-64, etc.). – Christopher Schultz Mar 14 '14 at 12:44
  • I have seen other sources also saying that. I am using TeamCity, which itself uses Tomcat; perhaps the Tomcat included in TeamCity does not include the needed files. I just searched my entire hard drive for "tcnative" and it didn't find anything except the files that I manually installed. – fredrik.hjarner Mar 14 '14 at 12:59
  • Aah, a 3rd-party-packaged version of Tomcat may not include everything the standard distribution includes. If it's working now, then you're all set. – Christopher Schultz Mar 14 '14 at 13:03
What is a root certificate? It is the top certificate in a chain of certificates, typically issued by a certificate authority. It is used to sign other certificates, which sign other certificates, until one of them is used to sign your certificate. Software that uses your certificate must trust the root certificate. This is done either by trusting the certificate authority at the operating system (or Java) level, or by trusting it in the particular software (like Apache or a local keystore).

Leos Literak