
I am trying to create a new certificate for my scala play framework on ubuntu but I cannot import my key with keytool. I haven't been able to figure out what is causing it so I thought I'd see here if anyone recognizes my problem.

I first create my private key using

keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

Then I generate my CSR

keytool -certreq -keyalg RSA -alias tomcat -file my-csr-file.csr -keystore tomcat.keystore

I copy and paste the generated CSR into GoDaddy,

select the Tomcat server on GoDaddy, and receive the new GoDaddy certificate. I get 3 files:

28042ad1aadd20.crt
gd_bundle-g2-g1.crt
gdig2.crt

Installing Root and Intermediate Certificates

wget https://certs.godaddy.com/repository/valicert_class2_root.crt --no-check-certificate
keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file valicert_class2_root.crt

wget https://certs.godaddy.com/repository/gd_cross_intermediate.crt --no-check-certificate
keytool -import -alias cross -keystore tomcat.keystore -trustcacerts -file gd_cross_intermediate.crt

Second intermediate (gd_intermediate.crt):

wget https://certs.godaddy.com/repository/gd_intermediate.crt --no-check-certificate
keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_intermediate.crt

Installing SSL Certificate

keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file my-csr-file.csr

Here I receive the following error:

keytool error: java.security.cert.CertificateParsingException: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 49)

Does anyone recognize the problem? Or is there any other way to install a GoDaddy SSL certificate for a Tomcat server on Ubuntu?

Gabber
  • This can be due to several different things, namely: absent JCE, parsing errors in your cert (if ASCII, remove unneeded headers before `---BEGIN CERT---`). Try `keytool -printcert` on your cert to see a full error report. – dawud Jul 02 '14 at 07:19
  • `gd_cross_intermediate.crt` and `gd_intermediate.crt` *used to be* correct, but in 2014 all major CAs including GoDaddy **changed to SHA-256** for certs instead of SHA-1; for GoDaddy **these are called "G2"**. `gdig2.crt` is the new G2 intermediate for clients that have the GoDaddy G2 root, which now (in 2015) most do. `gd_bundle-g2-g1.crt` is the new cross-chain if clients have only the old GoDaddy root; either split out the first two certs and add them separately, or concatenate at least those two after your leaf cert and import that chain against the private-key alias. – dave_thompson_085 Jul 18 '15 at 13:22

1 Answer


The CSR is used to generate a CRT: you need to go to GoDaddy and paste the CSR value from this keystore, which will generate the CRT, which you then import. At present, you are trying to add the CSR, not a CRT.

D Whyte
  • OP did paste the CSR to GoDaddy and "get 3 files", of which `28042ad1aadd20.crt` is obviously the cert. He just needs to *use* that file -- and with the correct chain, see above. – dave_thompson_085 Jul 18 '15 at 13:08
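As an added example (not part of the question, the answer or the comments), a small POSIX sh script that applies both points above: it refuses to hand keytool anything whose PEM block is not a `CERTIFICATE` (which is exactly how the `.csr` slipped into the `-import` step), builds a chain file with the leaf `28042ad1aadd20.crt` first and `gd_bundle-g2-g1.crt` after it, and imports that chain against the private-key alias `tomcat`. File and alias names are the ones from the question; `chain.pem` is a constructed output name, and keytool is only invoked when the script is run with the `run` argument.

```shell
#!/bin/sh
# Added example, not the original poster's commands. Checks the PEM type of each
# input before calling keytool, so a CSR can never be imported as a certificate.

# Print the PEM block type of a file ("CERTIFICATE", "CERTIFICATE REQUEST", ...).
pem_kind() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Count the certificates in a PEM file or bundle.
cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Build a chain file: leaf certificate first, then the CA bundle.
# Fails without writing anything if either input is not a CERTIFICATE block.
build_chain() {
    leaf=$1; bundle=$2; out=$3
    for f in "$leaf" "$bundle"; do
        kind=$(pem_kind "$f")
        if [ "$kind" != "CERTIFICATE" ]; then
            echo "refusing $f: PEM type is '$kind', not CERTIFICATE" >&2
            return 1
        fi
    done
    cat "$leaf" "$bundle" > "$out"
}

# Import the chain under the same alias that -genkey used, so the keystore entry
# becomes a PrivateKeyEntry with the full chain attached instead of a separate
# trusted-certificate entry. -importcert is the documented name of -import.
import_chain() {
    chain=$1; keystore=$2; alias=$3
    keytool -importcert -alias "$alias" -keystore "$keystore" \
        -trustcacerts -file "$chain"
}

if [ "${1:-}" = "run" ]; then
    build_chain 28042ad1aadd20.crt gd_bundle-g2-g1.crt chain.pem
    import_chain chain.pem tomcat.keystore tomcat
    keytool -list -v -keystore tomcat.keystore -alias tomcat
fi
```

The final `keytool -list -v` should show `Entry type: PrivateKeyEntry` and a `Certificate chain length` equal to the number of certificates in `chain.pem`; if it shows `trustedCertEntry`, the alias did not match the key pair.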