Home / server / Questions / 747135
Accepted
bgStack15
Asked: 2016-01-07 07:14:16 +0800 CST

Loading whole cert chain into keystore for Tomcat 7

  • 772

Environment: Tomcat 7.0 on Windows 2008 R2

What to accomplish

Get Tomcat 7.0 to use a specific wildcard certificate with accompanying cert chain so customers' browsers do not throw errors. The provided certificate is a wildcard cert. This is non-negotiable and irrelevant to getting the certificate installed.

My problem is that I cannot get tomcat to use the chain (root certificates) in addition to the main cert.

What I've tried

At first it took me forever to get the certificate working with the provided key pair. References 2 and 3 showed me these steps to import a provided key pair as a "PrivateKeyEntry" which Tomcat likes better:

#on a CentOS server cuz easier than getting a windows tool for it
openssl pkcs12 -export -in wildcard-customer-2016.crt -inkey wildcard-customer-2016.key -out wildcard-customer-2016.p12 -name wildcard -CAfile rapidssl.crt -caname root

#back on windows
C:\Program Files\Java\jre7\bin\keytool -importkeystore -deststorepass tomcat -destkeystore c:\.keystore -srckeystore c:\certificate\wildcard-customer-2016\wildcard-customer-2016.p12 -srcstoretype PKCS12 -alias wildcard

But I don't know how to add the root certificate so that it uses that as well. You can see the command I used to build the .p12 file included a CAfile command. The importkeystore command when run with a "-trustcacerts" didn't add the root certs, although it did work with the *.customer.com cert.

Possible alternatives
Somebody explain how to configure my server.xml for using APR properly. Pretend I don't know where the files from the zip file go. (Reference 4)

References

  1. https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
  2. https://stackoverflow.com/questions/906402/importing-an-existing-x509-certificate-and-private-key-in-java-keystore-to-use-i
  3. http://cunning.sharp.fm/2008/06/importing_private_keys_into_a.html
  4. Create jks for tomcat using .key ,.ca and .cert file
tomcat

1 Answers

  1. Best Answer

    I use the following steps to accomplish this where

    1. HOSTNAME.key containing the unencrypted private key
    2. HOSTNAME.cer containing the public cert + CA chain.

    The $HOSTNAME should be the FQDN of the host (important in steps 2 & 3for the alias).

    openssl pkcs12 \
  -export \
  -out   $HOSTNAME.pfx \
  -inkey $HOSTNAME.key \
  -in    $HOSTNAME.cer

    Then using $HOSTNAME.pfx

    keytool -importkeystore \
  -srckeystore   $HOSTNAME.pfx \
  -srcstoretype  pkcs12 \
  -srcstorepass  pazzword \
  -destkeystore  $HOSTNAME.jks \
  -deststoretype JKS \
  -deststorepass pazzword \
  -srcalias      1 \
  -destalias     $HOSTNAME

    Finally in Tomcat's server.xml

    keystoreFile="/etc/tomcat7/security/$HOSTNAME.jks"
keystorePass="pazzword"
keyAlias="$HOSTNAME"
truststoreFile="/etc/tomcat7/security/mastercert.jks" 
truststorePass="changeit"

    The final part (truststore) is if you need Tomcat to trust an extra CA so may not be needed for your setup. So the Keystore is where the server's cert is and the trust store is who the server will trust (incase you want to do mutual auth etc).

    • 2