 

tomcat doesn't deliver intermediate certificate (https)


I created a key and a CSR on the console, using the openssl executable. Then I sent the CSR to a CA and got the certificate back. Now I want to import it into Tomcat.

So I created a PKCS#12 file out of my key and my certificate:

openssl pkcs12 -export -in mycert.cert -inkey mykey.pem -out key_and_cert.p12 

and then created a keystore containing it:

keytool -importkeystore -deststorepass [password] -destkeystore keystore.jks -srckeystore key_and_cert.p12 -srcstoretype PKCS12 -srcstorepass [password] 

Then I import the intermediate certificate chain.crt:

keytool -import -trustcacerts -alias root -file chain.crt -keystore keystore.jks 

Here is the output of "keytool -keystore keystore.jks -list" (translated from German):

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries.

root, 14.11.2011, trustedCertEntry,
Certificate fingerprint (MD5): [fingerprint]
1, 14.11.2011, PrivateKeyEntry,
Certificate fingerprint (MD5): [fingerprint]

The Tomcat server.xml contains:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" URIEncoding="UTF-8" compression="on"
           sslProtocol="TLS"
           keystoreFile="/[absolute-path]/keystore.jks"
           keystorePass="[password]" />

When I restart Tomcat, it logs no errors in catalina.out; everything seems to be OK. But when I open the site in Firefox, it reports

[domain] uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer) 

Running "openssl s_client -connect [domain]:443 -showcerts" returns

CONNECTED(00000003)
depth=0 C = DE, OU = Domain Control Validated, CN = [domain]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, OU = Domain Control Validated, CN = [domain]
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = DE, OU = Domain Control Validated, CN = [domain]
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/OU=Domain Control Validated/CN=[domain]
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
-----BEGIN CERTIFICATE-----
[certificate from mycert.cert]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/OU=Domain Control Validated/CN=[domain]
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 1777 bytes and written 289 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: [session-id]
    Session-ID-ctx:
    Master-Key: [master-key]
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1321268519
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

I think Tomcat doesn't deliver the intermediate certificate although it knows it. What can I do to make Tomcat deliver it?

Additional information: When importing the PKCS#12 file, there is no certificate chain error, because the -importkeystore command doesn't check the chain. I also tried to import the intermediate certificate first and then call -importkeystore. I got the same results.

edit: I just tried another way by inserting the chain directly into the PKCS#12 file and get the following error:

$ openssl pkcs12 -export -CAfile chain.pem -in mycert.cert -inkey mykey.pem -out key_and_cert.p12 -name tomcat -chain
Error unable to get issuer certificate getting chain.

But the chain certificate is OK:

$ openssl verify chain.pem
chain.pem: OK
asked Nov 14 '11 11:11 by Heinzi




1 Answer

I had to create a CA file by finding the root cert for my issuer and then putting the intermediate cert above it in the same file. Then I ran:

openssl pkcs12 -export -chain -inkey mykey.key -in mye.crt -name "tomcat" -CAfile intermediate_plus_root.crt -out key_and_cert.p12
answered Jan 05 '23 07:01 by juanenrique
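The answer's procedure end to end, as an added example that is not code from the question or the answer: the script builds a throwaway root CA, intermediate CA and server certificate with openssl so it runs offline, reproduces the "unable to get issuer certificate getting chain" error from the question when -CAfile holds only the intermediate, then builds the PKCS#12 with a CA file that lists the intermediate above the root and counts the certificates it now contains. Where keytool is on the PATH it also runs the question's -importkeystore step and prints the chain length of the key entry. The CA names, the host www.example.test, the password "changeit" and the temporary working directory are assumptions of the example.

```sh
#!/bin/sh
# Added example, not code from the original post. Builds a throwaway PKI so it
# runs offline; CA names, www.example.test and the password "changeit" are assumptions.
set -eu

WORK=$(mktemp -d)

# Minimal openssl config so nothing depends on the system openssl.cnf.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# Self-signed root, an intermediate signed by the root, and a server cert
# signed by the intermediate (standing in for the CA-issued mycert.cert).
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/pki.cnf" \
    -extensions v3_ca -subj "/CN=Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/pki.cnf" \
    -subj "/CN=Test Intermediate CA" -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/pki.cnf" -extensions v3_ca -out "$WORK/inter.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/pki.cnf" \
    -subj "/CN=www.example.test" -keyout "$WORK/mykey.pem" -out "$WORK/mycert.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/mycert.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -extfile "$WORK/pki.cnf" -extensions v3_leaf -out "$WORK/mycert.cert" 2>/dev/null
  # The answer's CA file: the server cert's issuer first, then the root that signed it.
  cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/intermediate_plus_root.crt"
}

# The failure from the question: -CAfile holds only the intermediate, so openssl
# cannot build a chain up to a trusted root and -chain aborts. Returns 0 when it does.
chain_without_root_fails() {
  if openssl pkcs12 -export -chain -CAfile "$WORK/inter.crt" \
       -in "$WORK/mycert.cert" -inkey "$WORK/mykey.pem" -name tomcat \
       -passout pass:changeit -out "$WORK/bad.p12" 2>/dev/null; then
    return 1
  fi
  return 0
}

# The answer's fix: -CAfile carries intermediate + root, so -chain can store the
# whole chain next to the key; that stored chain is what Tomcat later sends.
build_p12_with_chain() {
  openssl pkcs12 -export -chain -CAfile "$WORK/intermediate_plus_root.crt" \
    -in "$WORK/mycert.cert" -inkey "$WORK/mykey.pem" -name tomcat \
    -passout pass:changeit -out "$WORK/key_and_cert.p12"
}

# Counts the certificates stored in a PKCS#12 file: 3 here (server, intermediate, root).
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin pass:changeit 2>/dev/null | grep -c "BEGIN CERTIFICATE"
}

# If a JDK is on the PATH, run the question's -importkeystore step and show that the
# PrivateKeyEntry now carries the chain (a separate trustedCertEntry is never sent).
import_into_jks() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping JKS step"; return 0; }
  rm -f "$WORK/keystore.jks"
  keytool -importkeystore -noprompt -srckeystore "$WORK/key_and_cert.p12" -srcstoretype PKCS12 \
    -srcstorepass changeit -destkeystore "$WORK/keystore.jks" -deststoretype JKS -deststorepass changeit
  keytool -list -v -keystore "$WORK/keystore.jks" -storepass changeit | grep "Certificate chain length"
}

make_test_pki
if chain_without_root_fails; then
  echo "intermediate-only -CAfile: -chain failed, as in the question"
fi
build_p12_with_chain
echo "certificates in key_and_cert.p12: $(p12_cert_count "$WORK/key_and_cert.p12")"
import_into_jks
```

Tomcat (through JSSE) sends the chain stored with the PrivateKeyEntry, not the trustedCertEntry imported with "-alias root", which is why the question's keystore listed two entries and still served a bare server certificate. Once the PKCS#12 is built with -chain, the chain travels into the JKS with the key and "keytool -list -v" reports it as "Certificate chain length: 3"; the same server can then be checked from outside with "openssl s_client -connect host:443 -showcerts", which should list more than one certificate under "Certificate chain".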