Installing an Intermediate/chain certificate using Java Key Tool


I have a JKS file made for Confluence that already contains my private and public key. It works fine with most browsers, albeit with one small issue. On sslshopper I get the following message:

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate.

I got the CA chain + Root from Comodo, read through and attempted the following:

keytool -importcert -keystore fecru.jks -storepass SECRET -trustcacerts -alias chain -file cachain.bundle

Even though the cert was successfully added to the keystore, I still get the same results.

What am I missing?

There is 1 answer

Christopher Schultz On

Here's what I have in my "Java TLS with Keystores" cheat-sheet, which I need to refer to all the time because, for some reason, if you don't do it perfectly, nothing seems to work.

  1. Generate a server key (and self-signed certificate)

    $ keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 4096 -alias ${HOSTNAME} -keystore ${HOSTNAME}.jks

  2. Create a Certificate Signing Request (CSR)

    $ keytool -certreq -sigalg SHA256withRSA -alias ${HOSTNAME} -keystore ${HOSTNAME}.jks -file ${HOSTNAME}.csr

  3. Get your CSR signed by a Certificate Authority (CA)

  4. Import the certificates back into your keystore, starting with the CA's root certificate and going down the chain back to your server's certificate

    a. $ keytool -import -alias [Authority.CA] -trustcacerts -file [authority's CA cert] -keystore ${HOSTNAME}.jks

    b. $ keytool -import -alias [Authority.intermediate] -trustcacerts -file [authority's intermediate cert] -keystore ${HOSTNAME}.jks

    c. $ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt -keystore ${HOSTNAME}.jks

I always make a backup copy of the keystore after I generate my server's key just in case I break something.

A few things are critically important:

  1. Remember to use the same alias in steps 1 and 4c (importing your server's signed certificate) above
  2. Remember to set the keyAlias attribute in Tomcat's <Connector> to the same value you have used for your server's certificate (again, the same value as steps 1 and 4c above)

I highly recommend using Qualys's SSLTest tool to test your site. It is the most comprehensive testing tool I know of, and it's not trying to sell you anything.
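A way to confirm the keystore is actually in the state the answer describes, as an added example that is not part of the question or answer: it parses the output of `keytool -list -v` and reports the "Certificate chain length" of the server's PrivateKeyEntry. The question's symptom corresponds to a length of 1: the bundle was imported as a separate trustedCertEntry, so the server entry carries only the leaf and never sends the intermediate. The alias names "chain" and "tomcat" and the sample listing are constructed for the example.

```shell
#!/bin/sh
# Added example: detect an incomplete server chain from `keytool -list -v` output.
# A PrivateKeyEntry with "Certificate chain length: 1" holds only the leaf, even
# when the CA bundle sits elsewhere in the keystore as a trustedCertEntry.

# chain_length_of ALIAS: read `keytool -list -v` text on stdin and print the chain
# length of ALIAS's PrivateKeyEntry; 0 if absent or if it is only a trusted cert.
chain_length_of() {
  len=$(awk -v want="$1" '
    /^Alias name: / { cur = substr($0, 13) }
    cur == want && /^Certificate chain length: / { print $4; exit }
  ')
  printf '%s\n' "${len:-0}"
}
# chain_complete ALIAS: succeed only when the entry carries more than the leaf.
chain_complete() {
  [ "$(chain_length_of "$1")" -ge 2 ]
}
# check_keystore FILE STOREPASS ALIAS: run keytool against a real keystore.
check_keystore() {
  keytool -list -v -keystore "$1" -storepass "$2" | chain_complete "$3"
}

# Constructed sample listing (aliases are assumptions) reproducing the question:
# the CA bundle sits under "chain", the server key under "tomcat" has no chain.
SAMPLE_LISTING='Your keystore contains 2 entries

Alias name: chain
Entry type: trustedCertEntry

Owner: CN=Example Intermediate CA, O=Example

*******************************************

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=confluence.example.com, O=Example
Issuer: CN=Example Intermediate CA, O=Example
'

if [ $# -eq 3 ]; then
  check_keystore "$1" "$2" "$3" && echo "chain ok for alias $3" \
    || echo "alias $3 holds only the leaf: import the CA certs first, then the server cert under alias $3"
else
  echo "sample tomcat chain length: $(printf '%s' "$SAMPLE_LISTING" | chain_length_of tomcat)"
fi
```

Run it as `sh check_chain.sh fecru.jks SECRET <alias>` to check a real keystore; after a correct step-4 import the server entry reports a length of 2 or more.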