I have imported: root, intermediate, server certificates into the Java Keystore for Tomcat for Windows.
These are VeriSign (commercial) certificates.
We cannot use keyAlias for the connector: the SSL page never comes up. Port 80 or standard web traffic is fine, but SSL is not. What is curious to me about this is that one of our server guys did say that it is acting like we had a self-signed cert installed.
Our current \tomcat\conf\server.xml has:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
    protocol="org.apache.coyote.http11.Http11Protocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="C:\NewCert\keystore.ks" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS"/>
What is interesting out of this is that we see the following error: "There is a problem with this website's security certificate" when going to the web page (https://servername.domain.local:8443), and we requested the certificate as servername.domain.local. Consequently, we see "Untrusted Certificate". When viewing the certificate from the website, it has a different thumbprint from the one from our CA.
I have read that we are supposed to be able to import the root/intermediate/server certificates as one file (*.p7b), but when doing so, keytool responds to say this is not an X.509 certificate. But I do believe that if I can get the .p7b file imported, it would be what we need.
"%JAVA_HOME%\bin\keytool.exe" -import -trustcacerts -file "C:\NewCert\ap01.p7b" -keystore "C:\NewCert\keystore.ks" -alias "tomcat" -storepass "changeit"
And the resulting message is:
keytool error: java.lang.Exception: Input not an X.509 certificate
Thanks.
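As an added example (not part of the original post): a PowerShell sequence that opens the .p7b with .NET, writes each certificate in it out as a plain DER .cer file so keytool only ever sees X.509 input, prints every thumbprint so they can be compared with the "SHA1:" fingerprint keytool lists for the alias (and with the one the browser shows), and then imports root and intermediate as trusted entries and the server certificate as the reply into the alias that holds the private key. The paths, the alias "tomcat", the hostname and the output folder C:\NewCert\split are assumptions taken from the question; it also assumes the CSR was generated under that alias, since keytool only accepts a certificate reply into the alias whose key signed the request.

```powershell
# Added example, not from the original post. Assumes the paths and alias
# from the question; adjust $keyAlias to whatever alias holds the private key.
$p7b       = 'C:\NewCert\ap01.p7b'
$keystore  = 'C:\NewCert\keystore.ks'
$storepass = 'changeit'
$keyAlias  = 'tomcat'
$hostName  = 'servername.domain.local'
$outDir    = 'C:\NewCert\split'            # assumed scratch folder for the split certs
$keytool   = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
New-Item -ItemType Directory -Force -Path $outDir | Out-Null

# 1. Open the PKCS#7 bundle. X509Certificate2Collection.Import understands
#    DER and Base64 .p7b files, which is what keytool choked on above.
$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import($p7b)
if ($certs.Count -eq 0) { throw "No certificates found in $p7b" }

# 2. Sort them: self-signed -> root, subject naming our host -> server, rest -> intermediates.
$leaf = $certs | Where-Object { $_.Subject -match [regex]::Escape($hostName) } | Select-Object -First 1
if (-not $leaf) { throw "No certificate for $hostName in $p7b" }
$root  = $certs | Where-Object { $_.Subject -eq $_.Issuer } | Select-Object -First 1
$inter = @($certs | Where-Object { $_.Subject -ne $_.Issuer -and $_.Thumbprint -ne $leaf.Thumbprint })

# Write one certificate as DER and print its SHA-1 thumbprint (what IE shows, without colons).
function Save-Der($cert, $name) {
    $path = Join-Path $outDir "$name.cer"
    $der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [IO.File]::WriteAllBytes($path, $der)
    Write-Host ('{0,-14} {1}  {2}' -f $name, $cert.Thumbprint, $cert.Subject)
    return $path
}

$interFiles = @()
$n = 1
foreach ($c in $inter) { $interFiles += Save-Der $c "intermediate$n"; $n++ }
if ($root) { $rootFile = Save-Der $root 'root' }
$leafFile = Save-Der $leaf 'server'

# 3. Before touching anything, show what the key alias currently serves.
#    "Entry type: PrivateKeyEntry" must be present; if it says trustedCertEntry the
#    private key is not under this alias and no import will make Tomcat use it.
Write-Host "`n--- keystore entry '$keyAlias' before import ---"
& $keytool -list -v -keystore $keystore -storepass $storepass -alias $keyAlias

# 4. Import the chain one X.509 certificate at a time: CA certs as trusted
#    entries under their own aliases, then the server cert as a reply into the
#    key alias (keytool needs the issuers present, or -trustcacerts, to verify it).
if ($root) {
    & $keytool -import -trustcacerts -noprompt -alias 'root' -file $rootFile `
        -keystore $keystore -storepass $storepass
}
$n = 1
foreach ($f in $interFiles) {
    & $keytool -import -trustcacerts -noprompt -alias "intermediate$n" -file $f `
        -keystore $keystore -storepass $storepass
    $n++
}
& $keytool -import -trustcacerts -noprompt -alias $keyAlias -file $leafFile `
    -keystore $keystore -storepass $storepass

# 5. Verify: the alias must now carry the CA-issued certificate, so one of the
#    "SHA1:" fingerprints keytool lists for it must equal the leaf's thumbprint.
$listing = & $keytool -list -v -keystore $keystore -storepass $storepass -alias $keyAlias 2>&1 | Out-String
$sha1s   = [regex]::Matches($listing, 'SHA1:\s*([0-9A-Fa-f:]+)') |
           ForEach-Object { ($_.Groups[1].Value -replace ':', '').ToUpper() }
if ($sha1s -contains $leaf.Thumbprint) {
    Write-Host "OK: alias '$keyAlias' now carries the CA-issued certificate $($leaf.Thumbprint)"
} else {
    Write-Host "MISMATCH: alias '$keyAlias' shows [$($sha1s -join ', ')], expected $($leaf.Thumbprint)"
}
```

Run it from an elevated PowerShell with JAVA_HOME set, then restart Tomcat and compare the thumbprint the browser shows against the one printed for "server". If the two still differ, the connector is reading a different entry (or a different keystore file) than the one that was just updated: keytool -list -v without -alias shows every entry, and the connector picks the entry named by keyAlias, or the first key entry when keyAlias is unset, so the alias holding the private key is the one that has to receive the reply.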