
I have followed the information given on the GoDaddy website to get the SSL certificate and install it, but was not successful.

I created the keystore:

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore D:\certificates\tomcat.keystore

generated the CSR:

keytool -certreq -keyalg RSA -alias tomcat -file D:\certificates\bimacsr.csr -keystore D:\certificates\tomcat.keystore

And after uploading the CSR on the GoDaddy site, the certificates were downloaded in a zip file which contains the 3 files below:

  1. gd_bundle-g2-g1.crt
  2. gdig2.crt.pem
  3. 1c1f16606d7eadb7.crt

And after that, used the 3 lines below to install and import the certificates into the keystore:

  1. keytool -import -alias root -keystore D:\certificates\tomcat.keystore -trustcacerts -file D:\certificates\gd_bundle-g2-g1.crt

  2. keytool -import -alias intermed -keystore D:\certificates\tomcat.keystore -trustcacerts -file D:\certificates\gdig2.crt.pem

  3. keytool -import -alias tomcat -keystore D:\certificates\tomcat.keystore -trustcacerts -file D:\certificates\1c1f16606d7eadb7.crt

Finally made the changes below in the server.xml file under conf/ of Tomcat 6 and 7:

<Connector port="8443" 
    protocol="org.apache.coyote.http11.Http11Protocol" 
    maxHttpHeaderSize="8192" 
    maxThreads="150" 
    minSpareThreads="25" 
    maxSpareThreads="75" 
    enableLookups="false" 
    disableUploadTimeout="true" 
    acceptCount="100" 
    scheme="https" 
    secure="true" 
    SSLEnabled="true" 
    clientAuth="false" 
    sslProtocol="TLS" 
    keystoreFile="D:\certificates\tomcat.keystore" 
    keystorePass="mypwd" 
/>

But when we access this in the browser we are getting "Not secured" on the left-hand side:

https://localhost:8443/

https://< public domain name>:8443/

Please take a look at the explanation above and suggest and help if I am missing any step or doing anything wrongly.

  • Browse to the site using the FQDN and press that arrow next to "Connection is Not Secure" in the browser to get more info about what is wrong. Also, if the site is open to the public, you can use a service like https://www.sslshopper.com/ssl-checker.html to find out the reason for the error. – MKT Aug 17 '17 at 14:29
  • Are you really using the domain name? FF thinks you are using the private 10/8 address, and there's no way you got a current cert from GoDaddy (or any public web CA) for a private address because it's been prohibited for over a year. @Miikka.T+ the right arrow on the address bar pulldown gives details of a _successful_ handshake but not on a failure; the 'Advanced' button at the bottom right of the error page gives _some_ info (though often not very much). – dave_thompson_085 Aug 17 '17 at 16:50
  • @dave_thompson_085 That's correct, I remembered wrong which way it is in FF. Even if FF wouldn't give many details with the advanced button, sometimes it might tell just enough, for example in case of the domain not matching etc., so I would check it anyway. It's mentioned in the question that the warning also comes when accessed with `< public domain name>`, so I guess the pic was just an example, but I also mentioned using the FQDN because of that. @Anurag G I don't know Tomcat really well, but where is it actually defined which alias is used from the keystore? Maybe it should be in server.xml? – MKT Aug 17 '17 at 17:12
  • @Miikka.T, yes I am giving those connector related changes in the server.xml file. But still facing the issue. – Anurag Ghosh Aug 18 '17 at 06:33
  • @AnuragG Yes, but when you created the certificate in the keystore you gave it an alias called "tomcat", and for example here https://www.digicert.com/ssl-certificate-installation-tomcat.htm it seems that the `keyAlias=""` parameter is used in server.xml to tell Tomcat which alias is used from a keystore which could have multiple entries. Usually it has some default self-signed certs, at least when used with GlassFish, not sure about Tomcat. In your question's server.xml config you don't seem to have that defined. So now your server might use some self-signed cert from the keystore. – MKT Aug 18 '17 at 07:44
  • @Miikka.T+ OP said they created the keystore (and keypair) and CSR, and installed (the parts of) the CA reply; that replaces and eliminates the self-signed cert originally created by keytool. I'll bet the problem is that the 'real' cert is valid for the FQDN (or FQDNs matching a wildcard) but not any address (and not 'localhost' either). OP: did you in fact try the FQDN in your browser(s)? Assuming at least Java 7, try `keytool -printcert -sslserver (yourservername)` and look at the `Owner:` and `SubjectAlternativeName:` fields under `Certificate #0` – dave_thompson_085 Aug 18 '17 at 10:30
  • @dave_thompson_085 Yes, I guess you are right. It seems that if the keystore has only one entry, Tomcat defaults to that then. If the issue is as simple as the wrong domain name, I don't see why OP doesn't just check that in the browser. Every browser basically in that case says clearly that the common name is invalid when you check for more details (that advanced button in FF) and what common name(s) the certificate is issued for. Of course OP should also check from the server side with keytool that the entry seems correct, like you suggested. – MKT Aug 18 '17 at 10:55
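The comment thread separates two failure modes that a browser's "Not secure" badge blurs together: the chain the server presents may not validate (a missed or misordered intermediate import), or the chain is fine but the name typed in the address bar (`localhost`, a private IP) is not one of the names the certificate was issued for. The script below, added here as an example and not part of the question or any answer, implements the hostname-versus-certificate matching a browser performs (exact SAN/CN match, RFC 6125-style single-label wildcards, IP literals only against IP SANs) against a constructed certificate dict in the shape that Python's `ssl.getpeercert()` returns, and wraps it in a live check that validates the chain against the system trust store while reporting a name mismatch separately. The host names, IPs and port 8443 default are assumptions chosen to mirror the question.

```python
import ipaddress
import socket
import ssl
import sys

# Constructed sample in the shape ssl.getpeercert() returns, standing in for a
# CA-issued certificate that covers a registered domain and its www host only.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}


def dns_names(cert):
    """DNS names the certificate is valid for: SAN entries, with CN as a fallback
    only when there is no SAN at all (how legacy clients behaved)."""
    names = [v for typ, v in cert.get("subjectAltName", ()) if typ == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def ip_names(cert):
    """IP addresses listed in the SAN (ssl labels them 'IP Address')."""
    return [v for typ, v in cert.get("subjectAltName", ()) if typ == "IP Address"]


def _label_matches(pattern, host):
    """RFC 6125-style comparison: case-insensitive, and a wildcard is allowed
    only as the entire leftmost label, covering exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    host_labels = host.split(".")
    # '*.example.com' matches 'shop.example.com' but not 'example.com' or 'a.b.example.com'
    return len(host_labels) >= 2 and ".".join(host_labels[1:]) == suffix and "*" not in suffix


def hostname_matches(cert, host):
    """True if `host` (a DNS name or an IP literal) is covered by `cert`."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal never matches a DNS entry, even one that looks like the IP
        return any(ipaddress.ip_address(v) == ip for v in ip_names(cert))
    return any(_label_matches(p, host) for p in dns_names(cert))


def explain(cert, host):
    """The verdict a browser's 'Advanced' button would show, as a string."""
    if hostname_matches(cert, host):
        return "OK: '%s' is covered by this certificate" % host
    covered = dns_names(cert) + ip_names(cert)
    return "NAME MISMATCH: '%s' is not among the names the certificate is valid for: %s" % (
        host, ", ".join(covered) or "(none)")


def check_server(host, port=8443, expected_name=None):
    """Live check (needs network; not exercised offline). The chain is validated
    against the system trust store, but the hostname check is deferred to
    explain(), so a chain problem and a name mismatch are reported separately."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # name check is done by explain() below
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must still validate
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "CHAIN PROBLEM: %s" % exc.verify_message
    return explain(cert, expected_name or host)


if __name__ == "__main__":
    # Usage: python check_tls_name.py <host> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    print(check_server(target, port))
```

Running it against `localhost` will report a name mismatch for any public-CA certificate, while running it against the FQDN the CSR was generated for should report OK once the intermediate is served; a `CHAIN PROBLEM` line instead points at the keystore import rather than the address bar.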
