
SSL Wildcard Certificate into Tomcat


I purchased a Wildcard certificate and I'm trying to use it with Tomcat 8.

I've executed a few lines of commands in order to enable SSL. SSL is enabled but I'm always receiving the warning that I'm using a Self Signed Certificate. Of course this shouldn't be the case, it should be using the trusted certificate instead.

I have received the certificate and the intermediate certificate (from 1and1) and I figured out that the Root Certificate is issued by GeoTrust Global CA (I downloaded it).

Generating key: keytool -genkey -alias tomcat -keyalg RSA

Adding root certificate: keytool -import -alias root -keystore .keystore -trustcacerts -file root.pem

Adding intermediate certificate: keytool -import -alias intermed -keystore .keystore -trustcacerts -file intermediate.cer

Adding main certificate: keytool -import -alias main -keystore .keystore -file main.cer

I have modified the connector in server.xml; it's a very simple part, providing the keystore and the password.

When I browse to the domain, I'm receiving a warning that this is a self signed certificate and I have to add an exception and so on...

This certificate is already used in IIS and it's working perfectly fine.

Using some online SSL-checker tools, it proves that this is a self-signed certificate and the issuer is equal to the "First Name and Family Name" that I provided at the beginning of the first command.

What could be the missing issue?

Thanks!


Solution

  • I recently experienced a problem in Java/Keytool with certificate chain import and use.

    My guess is that ONLY the first certificate is sent to the client (I'm assuming you are using the same browser used on IIS site). This could be checked with the output of the following openssl command:

    openssl s_client -connect YOURSITE.COM:443 -showcerts

    If confirmed, the client misses the intermediate cert, which makes your certificate impossible to verify. In that case you should probably "force" keytool (don't know your Java version/OS) to "eat" a cert chain made by hand.

    Refer to this excellent post (that's what I did in my case). Remember to put all the certs, including the CA root.
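As an added example (not part of the question or the answer above), a small Python check over the "Certificate chain" section that `openssl s_client -showcerts` prints: it flags the symptom the question describes (leaf subject equals issuer, i.e. the keystore still serves the self-signed cert from `keytool -genkey`) and the one the answer suspects (only the first certificate sent, no intermediate). The sample output embedded below is constructed; the names in it are placeholders.

```python
import re

# The " N s:<subject>" / "   i:<issuer>" lines that `openssl s_client -showcerts`
# prints under "Certificate chain" (both the old "/CN=x" and new "CN = x" forms).
_SUBJ = re.compile(r"^\s*\d+\s+s:(.*)$")
_ISS = re.compile(r"^\s*i:(.*)$")

def parse_chain(showcerts_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in showcerts_output.splitlines():
        m = _SUBJ.match(line)
        if m:
            subject = m.group(1).strip()
            continue
        m = _ISS.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def diagnose(chain):
    """List problems with the served chain; an empty list means it looks sane."""
    if not chain:
        return ["no certificates found in output"]
    problems = []
    leaf_subject, leaf_issuer = chain[0]
    if leaf_subject == leaf_issuer:
        # The symptom in the question: the keystore entry still holds the
        # self-signed certificate that keytool -genkey created.
        problems.append("leaf is self-signed (subject == issuer)")
    elif len(chain) == 1:
        # The symptom the answer suspects: only the first certificate is sent.
        problems.append("only the leaf was sent; intermediate CA missing")
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:
            problems.append(f"cert {i} issuer != cert {i + 1} subject")
    return problems

# Constructed sample of the relevant part of s_client output for the case in the
# question: one self-signed cert whose issuer is the name typed into keytool -genkey.
SAMPLE_SELF_SIGNED = """\
Certificate chain
 0 s:CN = First Name and Family Name, OU = Unknown, O = Unknown
   i:CN = First Name and Family Name, OU = Unknown, O = Unknown
-----BEGIN CERTIFICATE-----
(body omitted in this constructed sample)
-----END CERTIFICATE-----
"""
```

Against a live server, feed it the saved output of `openssl s_client -connect YOURSITE.COM:443 -servername YOURSITE.COM -showcerts </dev/null` (`-servername` matters for a wildcard certificate behind SNI).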