Solved the issue by referring to this SO thread, and going back to the page on GoDaddy's HowTo For Tomcat4/5/6.x. Being an amateur to SSL Certificates, I did not realize the meaning of
-inand-inkeyflags, and was trying to find a way by flanking them. Please excuse me if part of this appears increasingly matter-of-fact to a more trained eye.
I created a new keystore with
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore tomcat.keystore
The
-aliasvalue oftomcatis important here, and so is thepassword, sayP, which will be used for this keystore. So,tomcat.keystorecontains 1 entry listed as:$ keytool -list -keystore tomcat.keystore
tomcat, Jun 17, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
This keystore is of type
JKS. Then, I generated a CSR by:keytool -certreq -v -alias tomcat -file myrequest.csr -keystore tomcat.keystore
gives a
myrequest.csrfile, against which GoDaddy issues back azipfile of 3 certificates:gd_bundle-g2-g1.crt- Go Daddy Certificate Bundles - G2 With Cross to G1, includes Rootgdig2.crt- Go Daddy Secure Server Certificate (Intermediate Certificate) - G2mydomain.crt- The certificate for my domain
Previously, I was incorrectly importing them back into the
tomcat.keystorewhich gave me akeytool error: java.lang.Exception: Failed to establish chain from replyerror.
But instead, for the instructions on GoDaddy's page, by referring to the SO thread linked above, I first combined my certificate
mydomain.crtand the certificate bundlegd_bundle-g2-g1.crtfrom GoDaddy ascat mydomain.crt gd_bundle-g2-g1.crt > combinedcerts
Then make a keyfile by first exporting the private key of
tomcat.keystoreas aPKCS12keystore and then extracting the key from thePKCS12keystore as the final keyfile required as specified:keytool -importkeystore -srckeystore tomcat.keystore -destkeystore tomcatkey.p12 -deststoretype PKCS12
Take care to keep the password of the new
PKCS12keystore being created, i.e.tomcatkey.p12to be exactly same as that oftomcat.keystore. The import should complete successfully with the following message:Entry for alias tomcat successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Then I extracted the key from the new
PKCS12keystore as:openssl pkcs12 -in tomcatkeystore.p12 -out tomcatkey.pem -nodes
At this point, we'll be again prompted for the password set in the step above, upon successful verification of which, the new key should be exported into
tomcatkey.pemwith the following message:MAC verified OK
With the
combinedcertsandtomcatkey.pemready, I now followed instructions on GoDaddy's HowTo Page as:openssl pkcs12 -export -chain -CAfile gd_bundle-g2-g1.crt -in combinedcerts -inkey tomcatkey.pem -out new.tomcat.keystore -name tomcat -passout pass:yourpasswd
The new keystore
new.tomcat.keystoreis of the typePKCS12instead of the older one which wasJKS. To configure tomcat to use the new keystore, the values of the properties the SSL Connector are changed nominally askeystoreFile=<path to>\new.tomcat.keystore
keystorePass="yourpasswd"
keystoreType="PKCS12"
After this, on restarting the tomcat, the new certificate worked.
I am sure there is a much more efficient usage of the options to get this done in lesser steps, but if the steps above seem unnecessary or can be optimized it's only due to my limited in my glaring lack of depth in understanding these tools. But hey, this works!
No comments:
Post a Comment