I created a key and a CSR on the console, using the openssl executable. Then I sent the CSR to a CA and got the certificate back. Now I want to import it into Tomcat.
So I created a PKCS#12 file out of my key and my certificate:
openssl pkcs12 -export -in mycert.cert -inkey mykey.pem -out key_and_cert.p12
and then created a keystore containing it:
keytool -importkeystore -deststorepass [password] -destkeystore keystore.jks -srckeystore key_and_cert.p12 -srcstoretype PKCS12 -srcstorepass [password]
Then I import the intermediate certificate chain.crt:
keytool -import -trustcacerts -alias root -file chain.crt -keystore keystore.jks
Here the output of "keytool -keystore keystore.jks -list":
Keystore-Typ: JKS
Keystore-Provider: SUN

Ihr Keystore enthält 2 Einträge.

root, 14.11.2011, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): [fingerprint]
1, 14.11.2011, PrivateKeyEntry,
Zertifikatsfingerabdruck (MD5): [fingerprint]
The tomcat server.xml contains:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" URIEncoding="UTF-8" compression="on" sslProtocol="TLS" keystoreFile="/[absolute-path]/keystore.jks" keystorePass="[password]" />
When I restart tomcat, it logs no errors in catalina.out, everything seems to be ok. But when I run firefox, it reports
[domain] uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
Running "openssl s_client -connect [domain]:443 -showcerts" returns
CONNECTED(00000003)
depth=0 C = DE, OU = Domain Control Validated, CN = [domain]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, OU = Domain Control Validated, CN = [domain]
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = DE, OU = Domain Control Validated, CN = [domain]
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/OU=Domain Control Validated/CN=[domain]
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
-----BEGIN CERTIFICATE-----
[certificate from mycert.cert]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/OU=Domain Control Validated/CN=[domain]
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 1777 bytes and written 289 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: [session-id]
    Session-ID-ctx:
    Master-Key: [master-key]
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1321268519
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
I think tomcat doesn't deliver the intermediate certificate although it knows it. What can I do to make tomcat deliver it?
Additional information: When importing the PKCS#12 certificate, there is no certificate chain error, because the -importkeystore command doesn't check the chain. I also tried to import the intermediate certificate first and then call -importkeystore. I got the same results.
edit: I just tried another way by inserting the chain directly in the PKCS#12 certificate and get the following error:
$ openssl pkcs12 -export -CAfile chain.pem -in mycert.cert -inkey mykey.pem -out key_and_cert.p12 -name tomcat -chain
Error unable to get issuer certificate getting chain.
But the chain certificate is ok:
$ openssl verify chain.pem
chain.pem: OK
The good news is that Tomcat fully supports the SSL protocol.
One of the simplest ways to find the intermediate certificate and export it is through an Internet Browser such as Google Chrome. Browse to the website that you need to get an intermediate certificate for and press F12. Browse to the security tab inside the developer tools. Click View certificate.
I had to create a CA file by finding the root cert for my issuer and then putting the intermediate cert above it in the same file. Then I ran:
openssl pkcs12 -export -chain -inkey mykey.key -in mye.crt -name "tomcat" -CAfile intermediate_plus_root.crt -out key_and_cert.p12
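The failure quoted in the question (openssl refusing the export with "unable to get issuer certificate getting chain") and the fix in the answer above can be reproduced end to end with a throwaway CA. The script below is an added example, not code from the question or from any answer, and assumes a POSIX shell with an openssl binary (1.1.1 or later) on the PATH; the CA names, the www.example.test hostname and the export password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the question or answers): build a throwaway
# root CA -> intermediate CA -> server certificate, then show that
# "openssl pkcs12 -export -chain" fails when -CAfile holds only the
# intermediate and succeeds once the root is appended below it.
# All names and the password here are constructed.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASS="changeit"   # constructed export password, not a real one

# Throwaway three-tier chain: self-signed root, intermediate signed by
# the root, server ("leaf") certificate signed by the intermediate.
make_toy_chain() {
  # CA certificates must carry CA:TRUE or OpenSSL will not accept them
  # as issuers when it builds the chain for -chain.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"

  openssl req -newkey rsa:2048 -nodes -subj "/CN=Toy Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null

  openssl req -newkey rsa:2048 -nodes -subj "/CN=Toy Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" 2>/dev/null

  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/mykey.pem" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/mycert.cert" 2>/dev/null

  # Same shape as the question's chain.crt (intermediate only) and the
  # answer's intermediate_plus_root.crt (intermediate first, root below).
  cp "$WORK/inter.crt" "$WORK/chain.crt"
  cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/intermediate_plus_root.crt"
}

# Build the PKCS#12 the way the answer does; $1 = -CAfile, $2 = output.
# Returns openssl's exit status, so callers can detect the
# "unable to get issuer certificate getting chain" failure.
build_p12() {
  openssl pkcs12 -export -chain -inkey "$WORK/mykey.pem" -in "$WORK/mycert.cert" \
    -name tomcat -CAfile "$1" -out "$2" -passout "pass:$PASS" 2>/dev/null
}

# How many certificates are stored inside the PKCS#12? Tomcat can only
# send the intermediate to clients if it sits in the same entry as the key.
count_p12_certs() {
  if [ -f "$1" ]; then
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true
  else
    echo 0
  fi
}

make_toy_chain

# Intermediate only: the question's situation. The chain cannot be
# completed up to a trusted root, so -chain refuses to export.
if build_p12 "$WORK/chain.crt" "$WORK/incomplete.p12"; then
  echo "unexpected: export with intermediate-only CAfile succeeded"
else
  echo "intermediate-only CAfile: export fails (as in the question)"
fi

# Intermediate plus root: the fix from the answer. The export now carries
# the leaf together with its issuers.
build_p12 "$WORK/intermediate_plus_root.crt" "$WORK/key_and_cert.p12"
echo "certificates in key_and_cert.p12: $(count_p12_certs "$WORK/key_and_cert.p12")"
```

Once the PKCS#12 is built this way, the keytool -importkeystore step from the question carries the whole chain into the JKS as part of the PrivateKeyEntry, which is the entry Tomcat hands to clients during the handshake; a separately imported trustedCertEntry, as in the question, is never sent, which is why the s_client output showed a chain of length one.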