
I have an Axis2 API hosted on Tomcat 8.0.26. I'm re-routing the Axis2 application from http://localhost1:8080/axis2/ to https://localhost:8443/axis2/. For testing purposes, I used a self-signed certificate and the secure link is working fine. But I need to use a VeriSign certificate. As soon as I replace the certificate with the VeriSign one, the link stops working. Here is my server.xml:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="chap8.keystore"
keystorePass="rmi+ssl" />

I created this certificate by this command:

keytool -genkey -keystore chap8.keystore -storepass rmi+ssl -keypass rmi+ssl -keyalg RSA -alias chapter8 -validity 3650 -dname "cn=http://brm.abc.net example,ou=admin book,dc=jboss,dc=org"

I got the VeriSign certificate as 2 files, .crt and .key. I imported that into .jks format using the command below:

keytool -import -alias primary -keystore sslkey -trustcacerts -file brm.abc.com.crt -storepass ssl123

I am new to Tomcat so not sure how to resolve this! Thanks in advance!

Gagan
  • Thanks All! I got another post - http://stackoverflow.com/questions/906402/importing-an-existing-x509-certificate-and-private-key-in-java-keystore-to-use-i which resolved my issue. The issue was that the conversion of the VeriSign .key and .crt was not correct. – Gagan Oct 17 '15 at 07:42

1 Answer

Found the answer!! Thanks All!

Please refer to the post: importing an existing x509 certificate and private key in Java keystore to use in ssl

Step one: Convert x509 Cert and Key to a pkcs12 file

openssl pkcs12 -export -in server.crt -inkey server.key \
           -out server.p12 -name [some-alias] \
           -CAfile ca.crt -caname root

Note: Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it. (In case anyone else had this headache). (Thanks jocull!)

Note 2: You might want to add the -chain option to preserve the full certificate chain. (Thanks Mafuba)

Step two: Convert the pkcs12 file to a java keystore

keytool -importkeystore \
    -deststorepass [changeit] -destkeypass [changeit] -destkeystore server.keystore \
    -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password \
    -alias [some-alias]

Finished

Community
Gagan
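
A pre-flight check around the two conversion steps above, as an added example that is not part of the original answer: it confirms the .crt and .key belong together, refuses an empty PKCS12 password, and verifies that the result actually holds a private key. Function names, file names and the sample subject are assumptions, and the test certificate is constructed with openssl.

```sh
#!/bin/sh
# Added example: checks around the two conversion steps. Function names,
# file names and passwords are assumptions; sample material is constructed.

# Constructed test material: writes $1.key and $1.crt (self-signed, 1 day).
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample.invalid" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# 0 if the certificate ($1) carries the public key of the private key ($2),
# 1 if they differ, 2 if either file cannot be parsed (e.g. a .crt given as key).
cert_matches_key() {
  _from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  _from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$_from_cert" = "$_from_key" ]
}

# Step one with guards: args are crt, key, output .p12, alias, password.
make_p12() {
  [ -n "$5" ] || { echo "refusing empty PKCS12 password" >&2; return 2; }
  cert_matches_key "$1" "$2" || { echo "certificate and key do not match" >&2; return 1; }
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name "$4" -passout "pass:$5"
}

# 0 if the PKCS12 file ($1, password $2) really contains a private key.
p12_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
    grep -q 'PRIVATE KEY'
}

# After step two: 0 if alias $3 in keystore $1 (password $2) is a key entry
# rather than a certificate-only entry. Requires keytool on PATH.
keystore_has_private_key() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null |
    grep -q 'PrivateKeyEntry'
}

# Usage: sh check.sh server.crt server.key server.p12 alias password
if [ "$#" -eq 5 ]; then
  make_p12 "$@" && p12_has_private_key "$3" "$5" && echo "$3 ready for keytool -importkeystore"
fi
```

Running `keystore_has_private_key` against a keystore built only with `keytool -import -file ... .crt` returns non-zero, because that command stores the certificate without its private key.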