I have bought an SSL certificate from Comodo for my domain. The files which Comodo provided me are:
After some research, I found this: Steps to create a .jks keystore using .key and .crt files... I am using the 3, 4 and 5 crt files to create the cert.pem, then I am using the 1 crt to create the key.pem. After that, I am creating the jks as the guide says. Next, I am importing the 6 crt file into the keystore, like this:
keytool -import -alias mykey -file www_my-domain_com.crt -keystore www_my-domain_com.jks
Afterwards, I am using the keystore explorer to convert my keystore to PKCS12. Finally I am uploading the file at my server and here is my tomcat 8, connector:
<Connector port="9443" maxHttpHeaderSize="8192" maxThreads="100"
minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
protocol="org.apache.coyote.http11.Http11Protocol"
SSLEnabled="true" clientAuth="false"
keyAlias="server" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
keystoreFile="/home/test/ssls/www_my-domain_com.jks"
keystorePass="password" />
After restarting my Tomcat, the error which I am getting in Firefox is:
Error code: SEC_ERROR_BAD_SIGNATURE
I also used KeyStore Explorer to examine the SSL connection, and the error which is shown there is:
javax.net.ssl.SSLKeyException: Invalid signature on ECDH server key exchange message
at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.<init>(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
at org.kse.utilities.ssl.SslUtils.readSSLConnectionInfos(SslUtils.java:116)
at org.kse.gui.dialogs.DExaminingSsl$ExamineSsl.run(DExaminingSsl.java:207)
at java.lang.Thread.run(Unknown Source)
I found the solution after contacting the SSL certificate provider, which is:
- SectigoRSADomainValidationSecureServerCA.crt
- USERTrustRSAAddTrustCA.crt
- AddTrustExternalCARoot.crt
openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.bundle -out my.pfx
Where my.crt is the www_my-domain_com.crt, my.key is your private key and my.bundle is the file which we made in the previous step.
keytool -importkeystore -srckeystore pkcs12FileName.p12 -srcstoretype pkcs12 -destkeystore jksFileName.jks -deststoretype jks
Here pkcs12FileName.p12 is the file produced by the previous step; rename it to .p12 (convert the .pfx format to .p12).
The following step just converts the jks, which was exported in the previous step, to type pkcs12 with the help of KeyStore Explorer.
Finally, the tomcat connector in the conf/server.xml is:
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
SSLEnabled="true" acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/opt/sslcertificates/www_my-domain_com.jks"
keystorePass="mypassword" />
And it works fine!
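As an added example (not part of the question or the answer above, and not Comodo's, Tomcat's or KeyStore Explorer's own tooling), the following POSIX shell script shows the checks worth running before the openssl pkcs12 export from the answer: that the private key really belongs to the leaf certificate (the server signs the ECDHE ServerKeyExchange with that key and the client verifies the signature with the certificate's public key, so pairing the wrong key with the certificate is one cause that produces exactly the "Invalid signature on ECDH server key exchange message" / SEC_ERROR_BAD_SIGNATURE errors from the question), that the intermediate/root bundle is complete and ordered intermediate-first, and that the resulting PKCS#12 carries the whole chain. The three-tier test PKI (Test Root, Test Intermediate, www.my-domain.com), the unrelated wrong.key and the password changeit are constructed for the demo; the bundle, export and count steps mirror the answer's openssl command.

```shell
#!/bin/sh
# Added example, not from the original post: bundle CA certs in the right
# order, confirm the key belongs to the leaf cert, verify the chain, and
# export a PKCS#12 the way the answer does. The test PKI below is generated
# on the fly; every name and password in it is constructed for the demo.
set -eu

# Concatenate CA certificates intermediate-first, root-last, into the
# "my.bundle" file of the answer. Usage: make_bundle OUT CA1 CA2 ...
make_bundle() {
    out=$1; shift
    : > "$out"
    for ca in "$@"; do cat "$ca" >> "$out"; done
}

# Returns 0 if the private key's public half equals the certificate's
# public key. A mismatch means the server signs the handshake with a key
# the client cannot verify against the certificate it was shown.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# Returns 0 if the leaf certificate chains up to a self-signed root
# contained in the bundle. Usage: verify_chain LEAF BUNDLE
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Export key + leaf + bundle into a PKCS#12 file.
# Usage: build_pkcs12 KEY LEAF BUNDLE OUT PASSWORD
build_pkcs12() {
    openssl pkcs12 -export -in "$2" -inkey "$1" -certfile "$3" \
        -out "$4" -passout "pass:$5" 2>/dev/null
}

# Count the certificates stored in a PKCS#12 file (leaf plus chain).
pkcs12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Build a throwaway root -> intermediate -> leaf PKI in DIR (constructed).
make_test_pki() {
    dir=$1
    ext="$dir/ca.ext"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$ext"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
        -out "$dir/root.crt" -subj '/CN=Test Root' -days 2 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/int.key" \
        -out "$dir/int.csr" -subj '/CN=Test Intermediate' 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -out "$dir/int.crt" -days 2 -extfile "$ext" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
        -out "$dir/leaf.csr" -subj '/CN=www.my-domain.com' 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -out "$dir/leaf.crt" -days 2 2>/dev/null
    # An unrelated key, standing in for the wrong .key being paired with the cert.
    openssl genrsa -out "$dir/wrong.key" 2048 2>/dev/null
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_pki "$WORK"
make_bundle "$WORK/my.bundle" "$WORK/int.crt" "$WORK/root.crt"

key_matches_cert "$WORK/leaf.key" "$WORK/leaf.crt" && echo "leaf.key matches leaf.crt"
if ! key_matches_cert "$WORK/wrong.key" "$WORK/leaf.crt"; then
    echo "wrong.key does NOT match leaf.crt: this pairing would break the TLS handshake"
fi
verify_chain "$WORK/leaf.crt" "$WORK/my.bundle" && echo "leaf.crt verifies against my.bundle"
build_pkcs12 "$WORK/leaf.key" "$WORK/leaf.crt" "$WORK/my.bundle" "$WORK/my.pfx" changeit
echo "certificates in my.pfx: $(pkcs12_cert_count "$WORK/my.pfx" changeit)"
```

To apply this to the real files from the answer, call key_matches_cert with www_my-domain_com.crt and the private key, and verify_chain with the bundle built from the three CA files in the order the answer lists them; both checks must pass before the PKCS#12 is built and imported into the JKS.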