I purchased a Wildcard certificate and I'm trying to use it with Tomcat 8.

I've executed a few lines of commands in order to enable SSL. SSL is enabled but I'm always receiving the warning that I'm using a Self Signed Certificate. Of course this shouldn't be the case, it should be using the trusted certificate instead.

I have received the certificate and the intermediate certificate (from 1and1) and I figured out that the Root Certificate is issued by GeoTrust Global CA (I downloaded it).

Generating Key: keytool -genkey -alias tomcat -keyalg RSA

Adding Root Certificate keytool -import -alias root -keystore .keystore -trustcacerts -file root.pem

Adding Intermediate Certificate keytool -import -alias intermed -keystore .keystore -trustcacerts -file intermediate.cer

Adding Main Certificate keytool -import -alias main -keystore .keystore -file main.cer

I have modified the connector in server.xml, it's very simple part, providing the keystore and the password.

When I browse to the domain, I'm receiving a warning that this is a self signed certificate and I have to add an exception and so on...

This certificate is already used in IIS and it's working perfectly fine.

Using some online ssl-checker tools, it proves that this is a self-signed certificate and the issuer is equal to the "First Name and Family Name" that I provided at the beginning of the first command.

What could be the missing issue?

Thanks!


1 Answer

I recently experienced a problem in Java/Keytool with certificate chain import and use.

My guess is that ONLY the first certificate is sent to the client (I'm assuming you are using the same browser used on the IIS site). This could be checked with the output of the following openssl command:

openssl s_client -connect YOURSITE.COM:443 -showcerts

If confirmed, the client misses the intermediate cert, which makes your certificate impossible to verify. In that case you should probably "force" keytool (I don't know your Java version/OS) to "eat" a cert chain made by hand.

Refer to this excellent post (that's what I did in my case). Remember to put all the certs, including the CA root.

  • I'm on Windows 2008, Java 1.7 – Ali Bassam Sep 22 '16 at 11:52
  • @AliBassam - OK. Install openssl for Windows and eventually post/edit your question to add the result of the above command, to see if Tomcat outputs the full certificate chain to your client (I suppose it's IE) – Diego1974 Sep 22 '16 at 12:45
  • @AliBassam I just noticed that the editor stripped out some information in the above openssl command; you need to substitute YOURSITE.COM with the one under test, put a ":" and specify the connection port (which usually defaults to 443), without the http(s):// part. Example: openssl s_client -connect www.google.it:443 -showcerts – Diego1974 Sep 22 '16 at 13:08
  • I already checked the post you referred to and it solved my problem `:)` Thank you soooooooo much! – Ali Bassam Sep 22 '16 at 14:08
  • So that was it. Glad it helped! – Diego1974 Sep 22 '16 at 15:39
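A repeatable form of the check the answer suggests, added here as an example (it is not the answerer's or the asker's code): save the `openssl s_client -showcerts` output to a file and let a few shell functions read its `Certificate chain` section, which lists each certificate the server sent with its subject (`s:`) and issuer (`i:`) line. The three transcripts are constructed in s_client's output format with made-up DNs and omitted base64 bodies; one mimics the question's Tomcat (a single self-signed certificate, in the `/C=../CN=..` DN style older OpenSSL builds print), one the answer's hypothesis (a CA-issued leaf sent without its intermediate), one a correctly configured server.

```shell
#!/bin/sh
# Added example, not code from the answer or the question. Reads a saved
# transcript of `openssl s_client -connect HOST:443 -showcerts` and reports what
# the server actually sent: how many certificates, whether the leaf is
# self-signed, whether each certificate is issued by the next one, and which
# DN the client must already trust. The three transcripts below are constructed
# for this demo in s_client's output format (base64 bodies omitted) and use
# made-up DNs. A real transcript is captured with
#   openssl s_client -connect www.example.com:443 -servername www.example.com \
#     -showcerts </dev/null > transcript.txt 2>&1
set -e
WORK="$(mktemp -d)"

# What the question's Tomcat served: one certificate, issuer == subject.
cat > "$WORK/tomcat.txt" <<'EOF'
CONNECTED(00000003)
depth=0 /C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=First Last
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=First Last
   i:/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=First Last
-----BEGIN CERTIFICATE-----
(base64 body omitted in this constructed sample)
-----END CERTIFICATE-----
---
Server certificate
subject=/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=First Last
issuer=/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=First Last
---
EOF

# The answer's hypothesis: a CA-issued leaf, but no intermediate sent.
cat > "$WORK/leafonly.txt" <<'EOF'
CONNECTED(00000003)
depth=0 CN = *.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = *.example.com
   i:C = US, O = Example, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(base64 body omitted in this constructed sample)
-----END CERTIFICATE-----
---
Server certificate
subject=CN = *.example.com
issuer=C = US, O = Example, CN = Example Intermediate CA
---
EOF

# A correctly configured server: leaf plus intermediate.
cat > "$WORK/good.txt" <<'EOF'
CONNECTED(00000003)
depth=1 C = US, O = Example, CN = Example Intermediate CA
verify return:1
depth=0 CN = *.example.com
verify return:1
---
Certificate chain
 0 s:CN = *.example.com
   i:C = US, O = Example, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(base64 body omitted in this constructed sample)
-----END CERTIFICATE-----
 1 s:C = US, O = Example, CN = Example Intermediate CA
   i:C = US, O = Example, CN = Example Root CA
-----BEGIN CERTIFICATE-----
(base64 body omitted in this constructed sample)
-----END CERTIFICATE-----
---
Server certificate
subject=CN = *.example.com
issuer=C = US, O = Example, CN = Example Intermediate CA
---
EOF

# chain_list <transcript>: one line per certificate, "depth subject | issuer".
chain_list() {
  awk '
    /^Certificate chain$/      { inchain = 1; next }
    inchain && /^---$/         { exit }
    inchain && /^ *[0-9]+ s:/  { d = $1; s = $0; sub(/^ *[0-9]+ s:/, "", s) }
    inchain && /^ *i:/         { i = $0; sub(/^ *i:/, "", i); print d " " s " | " i }
  ' "$1"
}

# Number of certificates the server sent.
chain_depth() { chain_list "$1" | awk 'END { print NR }'; }

# Exit 0 if the first (leaf) certificate has subject == issuer.
leaf_self_signed() {
  chain_list "$1" | awk -F ' [|] ' '
    NR == 1 { s = $1; sub(/^[0-9]+ /, "", s); exit ((s == $2) ? 0 : 1) }
    END     { if (NR == 0) exit 2 }'
}

# Exit 0 if every certificate is issued by the next one in the list.
chain_links_ok() {
  chain_list "$1" | awk -F ' [|] ' '
    { s = $1; sub(/^[0-9]+ /, "", s); if (NR > 1 && prev != s) bad = 1; prev = $2 }
    END { exit (bad ? 1 : 0) }'
}

# DN the client must already have in its trust store: the issuer of the last
# certificate sent. Prints nothing when the server sent a self-signed root.
trust_anchor_needed() {
  chain_list "$1" | awk -F ' [|] ' '
    { s = $1; sub(/^[0-9]+ /, "", s); i = $2 }
    END { if (NR > 0 && s != i) print i }'
}

report() {
  echo "== $1: $(chain_depth "$1") certificate(s) sent"
  chain_list "$1"
  if leaf_self_signed "$1"; then
    echo "   leaf is SELF-SIGNED: the keystore still serves keytool's generated certificate"
  fi
  if ! chain_links_ok "$1"; then echo "   issuer/subject links do not match"; fi
  anchor=$(trust_anchor_needed "$1")
  if [ -n "$anchor" ]; then echo "   client must already trust: $anchor"; fi
}

for t in tomcat leafonly good; do report "$WORK/$t.txt"; done
```

The useful line is the last one per transcript: for the question's server it reports a self-signed leaf (keytool's generated certificate is still the one under the key alias), for the leaf-only case it names the intermediate as something the browser would have to know already, and for the good case it names the root, which is the only DN a client is expected to ship in its trust store.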