Friday, September 18, 2015

How to install godaddy certificate on clib tomcat

Solved the issue by referring to this SO thread, and going back to the page on GoDaddy's HowTo For Tomcat4/5/6.x. Being an amateur to SSL Certificates, I did not realize the meaning of-inand-inkeyflags, and was trying to find a way by flanking them. Please excuse me if part of this appears increasingly matter-of-fact to a more trained eye.
I created a new keystore with
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore tomcat.keystore
The-aliasvalue oftomcatis important here, and so is thepassword, sayP, which will be used for this keystore. So,tomcat.keystorecontains 1 entry listed as:
$ keytool -list -keystore tomcat.keystore 
tomcat, Jun 17, 2014, PrivateKeyEntry, 
Certificate fingerprint (MD5): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
This keystore is of typeJKS. Then, I generated a CSR by:
keytool -certreq -v -alias tomcat -file myrequest.csr -keystore tomcat.keystore
gives amyrequest.csrfile, against which GoDaddy issues back azipfile of 3 certificates:
  • gd_bundle-g2-g1.crt- Go Daddy Certificate Bundles - G2 With Cross to G1, includes Root
  • gdig2.crt- Go Daddy Secure Server Certificate (Intermediate Certificate) - G2
  • mydomain.crt- The certificate for my domain
Previously, I was incorrectly importing them back into thetomcat.keystorewhich gave me akeytool error: java.lang.Exception: Failed to establish chain from replyerror.
But instead, for the instructions on GoDaddy's page, by referring to the SO thread linked above, I first combined my certificatemydomain.crtand the certificate bundlegd_bundle-g2-g1.crtfrom GoDaddy as
cat mydomain.crt gd_bundle-g2-g1.crt > combinedcerts
Then make a keyfile by first exporting the private key oftomcat.keystoreas aPKCS12keystore and then extracting the key from thePKCS12keystore as the final keyfile required as specified:
keytool -importkeystore -srckeystore tomcat.keystore -destkeystore tomcatkey.p12 -deststoretype PKCS12
Take care to keep the password of the newPKCS12keystore being created, i.e.tomcatkey.p12to be exactly same as that oftomcat.keystore. The import should complete successfully with the following message:
Entry for alias tomcat successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
Then I extracted the key from the newPKCS12keystore as:
openssl pkcs12 -in tomcatkeystore.p12 -out tomcatkey.pem -nodes
At this point, we'll be again prompted for the password set in the step above, upon successful verification of which, the new key should be exported intotomcatkey.pemwith the following message:
MAC verified OK
With thecombinedcertsandtomcatkey.pemready, I now followed instructions on GoDaddy's HowTo Page as:
openssl pkcs12 -export -chain -CAfile gd_bundle-g2-g1.crt -in combinedcerts -inkey tomcatkey.pem -out new.tomcat.keystore -name tomcat -passout pass:yourpasswd
The new keystorenew.tomcat.keystoreis of the typePKCS12instead of the older one which wasJKS. To configure tomcat to use the new keystore, the values of the properties the SSL Connector are changed nominally as
keystoreFile=<path to>\new.tomcat.keystore
keystorePass="yourpasswd"
keystoreType="PKCS12"
After this, on restarting the tomcat, the new certificate worked.
I am sure there is a much more efficient usage of the options to get this done in lesser steps, but if the steps above seem unnecessary or can be optimized it's only due to my limited in my glaring lack of depth in understanding these tools. But hey, this works!