0

I need to create a .keystore file with my self-signed certificate chain.

I tried 2 methods.

Method 1:

https://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/

I used the above post to create my self-signed certificate chain. I converted the .crt to .p7b and tried to create the keystore file but I got "Input not an X.509 certificate" in OpenSSL.

I'm using a Windows machine, so I opened the .crt file, clicked "Copy To File" and saved it as a .p7b file.

Method 2:

https://www.pixelstech.net/article/1450354633-Using-keytool-to-create-certificate-chain

I used the above post to create my keystore with certificate chain but when I added it to the , I got "This site can't be reached" error in my browser and no error in logs.

My Connector is as follows:

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" connectionTimeout="20000" debug="0" disableUploadTimeout="true" enableLookups="false" keystoreFile="test.keystore" keystorePass="test" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" name="SSL" port="9372" scheme="https" secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>

The above connector works if the keystore file has only one certificate. So, the problem is with the process of generating the keystore.

How can I add a certificate chain to my keystore successfully?

EDIT:

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" connectionTimeout="20000" debug="0" disableUploadTimeout="true" enableLookups="false" keystoreFile="test.p12" keystorePass="test" keystoreType="PKCS12" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" name="SSL" port="9372" scheme="https" secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>

I modified the format of the keystore from .keystore to .p12. My application runs now, but the status for “Didier Stevens Code Signing (https://DidierStevens.com)” shows “This certificate is OK.” while the status for “Didier Stevens (https://DidierStevens.com)” shows “This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.”. It should be the other way around, but I don’t know what the issue is.


jww
Hulk Man
  • ***`CN=www.example.com`*** is probably wrong. ***`https://`*** is surely wrong. Hostnames always go in the *SAN*. If it's present in the *CN*, then it must be present in the *SAN* too (you have to list it twice in this case). For more rules and reasons, see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639). You will also need to place the self-signed certificate in the appropriate trust store. – jww Dec 26 '17 at 18:16

1 Answer

0

You have quoted that "The above connector works if the keystore file has only one certificate. So, the problem is with the process of generating keystore." So if the problem is picking a specific set of cert/keys in a keystore, you need to specify that as part of the Connector.

If this is not specified the first entry is going to be used.

See here: https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#Common_Attributes

Attribute: keyAlias

The alias used for the server key and certificate in the keystore. If not specified, the first key read from the keystore will be used. The order in which keys are read from the keystore is implementation dependent. It may not be the case that keys are read from the keystore in the same order as they were added. If more than one key is present in the keystore it is strongly recommended that a keyAlias is configured to ensure that the correct key is used.

Yogesh_D
  • Your CA cert is not trusted by the system and hence you are getting the error. For the CA that you created using OpenSSL, you will have a CA public cert; open that and import it into Windows. You can open the cert, and in the Certification Path select the root/intermediate CA cert. Click on View Certificate. On the new cert window, go to the Details tab, and click Copy To File. Export it to a .cer file. Open that, and click Install Certificate. Go through the wizard and install the cert in the Trusted Root Certs and that should help your system trust certs from your CA. – Yogesh_D Dec 26 '17 at 17:38
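An added diagnostic, written for this thread and not taken from the question, the answer or Tomcat itself: it loads the keystore with Java's standard `KeyStore` API, prints every alias, marks which ones are key entries (the only ones Tomcat can serve with), prints each key entry's chain leaf-first, and checks that every certificate in the chain is actually signed by the next one. More than one key entry is exactly the case where `keyAlias` must be set. The file name, keystore type and password are command-line arguments; `test.p12`, `PKCS12` and `test` in the usage comment are the values from the edited Connector above.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Usage: java KeystoreChainCheck test.p12 PKCS12 test   (values from the Connector in the question) */
public class KeystoreChainCheck {
    public static void main(String[] args) throws Exception {
        String file = args[0];
        String type = args[1];           // "PKCS12" or "JKS"
        char[] pass = args[2].toCharArray();

        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, pass);
        }

        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                // A bare trusted-certificate entry: Tomcat cannot serve TLS from it, it has no private key.
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.printf("trustedCertEntry '%s'  subject=%s%n", alias, c.getSubjectX500Principal());
                continue;
            }
            keyEntries++;
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.printf("keyEntry '%s'  chain length=%d%n", alias, chain.length);
            for (int i = 0; i < chain.length; i++) {
                X509Certificate c = (X509Certificate) chain[i];
                System.out.printf("  [%d] subject=%s%n      issuer=%s%n",
                        i, c.getSubjectX500Principal(), c.getIssuerX500Principal());
                if (i + 1 < chain.length) {
                    try {
                        // chain[i] must be signed by chain[i+1]; a misordered chain fails here.
                        c.verify(chain[i + 1].getPublicKey());
                    } catch (Exception e) {
                        System.out.printf("      BROKEN LINK: [%d] is not signed by [%d] (%s)%n", i, i + 1, e);
                    }
                }
            }
        }
        if (keyEntries != 1) {
            System.out.println("WARNING: " + keyEntries
                    + " key entries; Tomcat picks the first one read unless keyAlias is set on the Connector");
        }
    }
}
```

A correctly built keystore for this question shows one key entry whose chain lists the server certificate at [0] followed by the CA certificate, with no broken links; the CA itself appearing at [0] is the symptom described in the EDIT.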