Solved the issue by referring to this SO thread, and going back to the page on GoDaddy's HowTo for Tomcat 4/5/6.x. Being an amateur with SSL certificates, I did not realize the meaning of the -in and -inkey flags, and was trying to find a way around them. Please excuse me if parts of this appear increasingly matter-of-fact to a more trained eye.
I created a new keystore with

    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore tomcat.keystore

The -alias value of tomcat is important here, and so is the password, say P, which will be used for this keystore. So tomcat.keystore contains 1 entry, listed as:

    $ keytool -list -keystore tomcat.keystore
    tomcat, Jun 17, 2014, PrivateKeyEntry,
    Certificate fingerprint (MD5): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

This keystore is of type JKS. Then I generated a CSR by:

    keytool -certreq -v -alias tomcat -file myrequest.csr -keystore tomcat.keystore

This gives a myrequest.csr file, against which GoDaddy issues back a zip file of 3 certificates:

gd_bundle-g2-g1.crt - Go Daddy Certificate Bundles - G2 With Cross to G1, includes Root
gdig2.crt - Go Daddy Secure Server Certificate (Intermediate Certificate) - G2
mydomain.crt - The certificate for my domain
Previously, I was incorrectly importing them back into tomcat.keystore, which gave me the error:

    keytool error: java.lang.Exception: Failed to establish chain from reply
Instead, following the instructions on GoDaddy's page and the SO thread linked above, I first combined my certificate mydomain.crt and the certificate bundle gd_bundle-g2-g1.crt from GoDaddy as:

    cat mydomain.crt gd_bundle-g2-g1.crt > combinedcerts

Then I made a key file by first exporting the private key of tomcat.keystore into a PKCS12 keystore, and then extracting the key from that PKCS12 keystore as the final key file required:

    keytool -importkeystore -srckeystore tomcat.keystore -destkeystore tomcatkey.p12 -deststoretype PKCS12

Take care to keep the password of the new PKCS12 keystore being created, i.e. tomcatkey.p12, exactly the same as that of tomcat.keystore. The import should complete successfully with the following message:

    Entry for alias tomcat successfully imported.
    Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Then I extracted the key from the new PKCS12 keystore as:

    openssl pkcs12 -in tomcatkey.p12 -out tomcatkey.pem -nodes

At this point we are again prompted for the password set in the step above; upon successful verification, the key is exported into tomcatkey.pem with the following message:

    MAC verified OK

Note that -nodes writes the private key into tomcatkey.pem unencrypted, so keep that file's permissions tight and delete it once the new keystore has been built.
With combinedcerts and tomcatkey.pem ready, I now followed the instructions on GoDaddy's HowTo page:

    openssl pkcs12 -export -chain -CAfile gd_bundle-g2-g1.crt -in combinedcerts -inkey tomcatkey.pem -out new.tomcat.keystore -name tomcat -passout pass:yourpasswd

The new keystore new.tomcat.keystore is of type PKCS12, instead of JKS like the older one. To configure Tomcat to use the new keystore, the properties of the SSL Connector are changed to:

    keystoreFile="<path to>\new.tomcat.keystore"
    keystorePass="yourpasswd"
    keystoreType="PKCS12"

After this, on restarting Tomcat, the new certificate worked.
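As an added pre-flight check (my own shell script, not from the original post or from GoDaddy's instructions), the two conditions this procedure silently depends on can be verified with openssl before the pkcs12 -export step: that mydomain.crt actually chains to gd_bundle-g2-g1.crt (the condition keytool was enforcing when it said "Failed to establish chain from reply"), and that the key pulled out of tomcatkey.p12 matches the certificate. The file names and the alias tomcat follow the post; the function names are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight checks for the openssl pkcs12 -export step (added example).
# File names follow the post; function names are assumptions of this example.

# check_chain_and_key <leaf.crt> <bundle.crt> <key.pem>
# Returns 0 only if the certificate chains to the bundle AND the key matches it.
check_chain_and_key() {
  leaf="$1"; bundle="$2"; key="$3"
  # 1. Chain check: the same condition keytool enforces when it reports
  #    "Failed to establish chain from reply" (issuer missing from the store).
  openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1 || return 1
  # 2. Key check: the public key inside the certificate must equal the public
  #    key derived from the private key that was extracted with -nodes.
  cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# build_pkcs12 <leaf.crt> <bundle.crt> <key.pem> <out.p12> <password>
# Runs the checks, then performs the GoDaddy-style export and prints how many
# certificates the resulting store holds (leaf plus chain).
build_pkcs12() {
  leaf="$1"; bundle="$2"; key="$3"; out="$4"; pass="$5"
  check_chain_and_key "$leaf" "$bundle" "$key" || return 1
  cat "$leaf" "$bundle" > "$out.combined"          # same as combinedcerts
  openssl pkcs12 -export -chain -CAfile "$bundle" -in "$out.combined" \
    -inkey "$key" -out "$out" -name tomcat -passout "pass:$pass" \
    2>/dev/null || { rm -f "$out.combined"; return 1; }
  rm -f "$out.combined"
  openssl pkcs12 -in "$out" -nokeys -passin "pass:$pass" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Usage with the names from the post:
#   build_pkcs12 mydomain.crt gd_bundle-g2-g1.crt tomcatkey.pem new.tomcat.keystore yourpasswd
```

The printed count can exceed the number of distinct certificates, because both -in combinedcerts and -chain may contribute the bundle; what matters is that it is at least two, i.e. the store carries the intermediate chain and not just the leaf.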
I am sure there is a much more efficient usage of the options to get this done in fewer steps, but if the steps above seem unnecessary or can be optimized, it's only due to my glaring lack of depth in understanding these tools. But hey, this works!