1

I have bought a SSL Certificate from Comodo for my domain. The files which Comodo had provide me is:

  1. SSL_PrivateKEY_www_my-domain_com.txt
  2. SSL_CSR_www_my-domain_com.txt
  3. AddTrustExternalCARoot.crt
  4. USERTrustRSAAddTrustCA.crt
  5. SectigoRSADomainValidationSecureServerCA.crt
  6. www_my-domain_com.crt

After a research, I found this Steps to create a .jks keystore using .key and .crt files..., I using the 3,4 and 5 crt files and I am creating the cert.pem, then I am using the 1 crt to create the key.pem. After that, I am creating the jks as the guide says. Next, I am importing the 6 crt file in the keystore, like that:

keytool -import -alias mykey -file www_my-domain_com.crt -keystore www_my-domain_com.jks

Afterwards, I am using the keystore explorer to convert my keystore to PKCS12. Finally I am uploading the file at my server and here is my tomcat 8, connector:

<Connector port="9443" maxHttpHeaderSize="8192" maxThreads="100"
           minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" clientAuth="false"
           keyAlias="server" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
           keystoreFile="/home/test/ssls/www_my-domain_com.jks"
           keystorePass="password" />

Restarting my tomcat and then the error which I am getting at the firefox

Error code: SEC_ERROR_BAD_SIGNATURE

I also use the KeyStore Explorer to examine the ssl and the error which are showing there is:

javax.net.ssl.SSLKeyException: Invalid signature on ECDH server key exchange message
    at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.<init>(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
    at org.kse.utilities.ssl.SslUtils.readSSLConnectionInfos(SslUtils.java:116)
    at org.kse.gui.dialogs.DExaminingSsl$ExamineSsl.run(DExaminingSsl.java:207)
    at java.lang.Thread.run(Unknown Source)
KostasC
  • 1,076
  • 6
  • 20
  • 40

1 Answers1

2

I find the solution, after made contact with the SSL Certificate provider, which is:

  1. Firstly, I must create a bundle text file with name my.bundle with the following order:
  • SectigoRSADomainValidationSecureServerCA.crt
  • USERTrustRSAAddTrustCA.crt
  • AddTrustExternalCARoot.crt
  1. Secondly, you must run with OpenSSL the following command:

openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.bundle -out my.pfx

Where the my.crt is the www_my-domain_com.crt, the my.key is your private key and the my.bundle is the file which we have made in the previous step.

  1. Next step is to run the command:

keytool -importkeystore -srckeystore pkcs12FileName.p12 -srcstoretype pkcs12 -destkeystore jksFileName.jks -deststoretype jks

Here the pkcs12FileName.p12 is the file which produced from the previous step, rename it to p12(convert pfx format to p12)

  1. Following step just convert the jks, which exported from the previous step to type pkcs12 with the help of the KeyStore Explorer.

  2. Finally, the tomcat connector in the conf/server.xml is:

    Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" SSLEnabled="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/opt/sslcertificates/www_my-domain_com.jks" keystorePass="mypassword"

And it works fine!

KostasC
  • 1,076
  • 6
  • 20
  • 40