
I know this question might sound too easy and that I should have read all the docs available on the internet; the truth is that I did, and I had no luck. It's kind of confusing for me: I have installed this thing many times for Apache, but never for Tomcat.

I want to install a certificate from GoDaddy, so I followed these instructions

http://support.godaddy.com/help/article/5239/generating-a-csr-and-installing-an-ssl-certificate-in-tomcat-4x5x6x

I created my keyfile like this

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore tomcat.keystore

I changed tomcat to mydomain.com... is that wrong?

I created the keystore, then the CSR; after that the problem comes. I added this to server.xml in the config folder

<Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="path to your keystore file" keystorePass="changeit" clientAuth="false" sslProtocol="TLS"/> 

Later I imported the certs

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file valicert_class2_root.crt 

and I did, but I don't have a gd_intermediate.crt, and the last step is

keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file <name of your certificate> 

Reading other blogs I saw that they import the crt here, but is tomcat the alias I have to leave, or is it only an example?

In the Tomcat docs I found this (http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html)

Download a Chain Certificate from the Certificate Authority you obtained the Certificate from

keytool -import -alias root -keystore \ -trustcacerts -file

And finally import your new Certificate

keytool -import -alias tomcat -keystore <your_keystore_filename> \ -file <your_certificate_filename>

but I have no idea what a "chain certificate" is... can somebody help me? I am really confused and lost. I am using Tomcat 7.

Thanks.

  • I know this is more like a workaround, but as you have experience with setting up SSL on Apache, you could consider serving your Tomcat webapp through Apache (as a reverse proxy), and Apache should be able to encrypt at that level. Commented Sep 8, 2018 at 1:48

2 Answers


I spent hours trying to figure this out, and here are the fruits of my labor.

Problem

You are unable to create a valid Tomcat keystore using a GoDaddy crt and key file.

Curl output may look like this:

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 

Getting the Script

curl -O https://raw.github.com/ssstonebraker/braker-scripts/master/working-scripts/crt_to_keystore.sh
chmod +x crt_to_keystore.sh

Using the script

./crt_to_keystore.sh <path_to_crt> <path_to_key> 

RAW Contents of Script

#!/bin/bash
# Filename: crt_to_keystore.sh
# Description: create tomcat keystore from cert and key
# Usage: "Usage: ./crt_to_keystore.sh <path_to_crt> <path_to_key>"
# Author: Steve Stonebraker

# pretty printing functions
function print_status { echo -e "\x1B[01;34m[*]\x1B[0m $1"; }
function print_good { echo -e "\x1B[01;32m[*]\x1B[0m $1"; }
function print_error { echo -e "\x1B[01;31m[*]\x1B[0m $1"; }
function print_notification { echo -e "\x1B[01;33m[*]\x1B[0m $1"; }
function printline {
    hr=-------------------------------------------------------------------------------------------------------------------------------
    printf '%s\n' "${hr:0:${COLUMNS:-$(tput cols)}}"
}

####################################
# print message and exit program
function die { print_error "$1" >&2; exit 1; }

####################################
# function that is called when the script exits
# (removes the temporary PKCS12 file, which holds the private key)
function finish {
    [ -f "$(dirname "$0")/temp.p12" ] && shred -u "$(dirname "$0")/temp.p12";
}
# whenever the script exits call the function "finish"
trap finish EXIT

#######################################
# if file exists move it out of the way
function move_file_if_exist {
    [ -e "$1" ] && mv "$1" "$1.old" && print_status "moved file $1 to $1.old";
}

#######################################
# Verify user provided valid file
function file_must_exist {
    [ ! -f "$1" ] && die "$1 is not a valid file, please provide a valid file name! Exiting....";
    print_status "$1 is a valid file"
}

#######################################
# Verify user provided two arguments
[ $# -ne 2 ] && die "Usage: ./crt_to_keystore.sh <path_to_crt> <path_to_key>";

# Assign user's provided input to variables
crt=$1
key=$2

#read -p "Provide password to export .crt and .key: " key_pw
read -p "Provide password for new keystore: " pw

# Define some Variables
readonly ourPath="$(dirname "$0")"
readonly gdbundle="$ourPath/gd_bundle.crt"
readonly keystore="$ourPath/tomcat.keystore"
readonly p12="$ourPath/temp.p12"
readonly KEYTOOL=$(which keytool)
readonly OPENSSL=$(which openssl)

#######################################
# Functions used by main execution
function gd_check_cert {
    # Verify gd_bundle.crt exists; if not, fetch it from GoDaddy's repository
    # into the expected path (the original fetched into the current directory)
    [ ! -f "$1" ] && print_error "$1 not found! Downloading..." && wget -O "$1" "https://certs.godaddy.com/repository/$(basename "$1")";
    [ ! -f "$1" ] && die "$1 must exist in current path! Exiting....";
    [ -f "$1" ] && print_status "found $1 in current path"
}

function verify_before_execution {
    printline
    #verify godaddy cert
    gd_check_cert "$gdbundle"
    #Check to make sure the user provided valid files
    file_must_exist "${crt}"
    file_must_exist "${key}"
    move_file_if_exist "${keystore}"
}

function import_godaddy_root {
    print_status "Importing gd_bundle.crt to java key store..."
    ${KEYTOOL} -import \
        -alias root \
        -keystore "${keystore}" \
        -trustcacerts \
        -file "${gdbundle}" \
        -keypass "${pw}" \
        -storepass "${pw}" >/dev/null 2>/dev/null
    [ ! $? -eq 0 ] && die "Error running command... Exiting!";
}

function export_to_p12 {
    printline
    print_status "Exporting your key and cert to pkcs12 format..."
    # -chain pulls the intermediate(s) from the bundle into the PKCS12 file
    ${OPENSSL} pkcs12 -export -chain -CAfile "${gdbundle}" -inkey "${key}" -in "${crt}" -out "${p12}" -password "pass:${pw}"
    [ ! $? -eq 0 ] && die "Error running command... Exiting!";
}

function import_p12_file {
    print_status "Importing p12 file to java key store..."
    # openssl names the entry "1"; rename it to the "tomcat" alias server.xml expects
    ${KEYTOOL} -importkeystore \
        -srcalias 1 \
        -destalias tomcat \
        -srckeystore "${p12}" \
        -srcstoretype PKCS12 \
        -srcstorepass "${pw}" \
        -destkeystore "${keystore}" \
        -destkeypass "${pw}" \
        -deststorepass "${pw}" >/dev/null 2>/dev/null
    [ ! $? -eq 0 ] && die "Error running command... Exiting!";
}

function print_msg_after_creation {
    printline
    print_good "Keystore ${keystore} creation complete!"
    printline
    print_status "Don't forget to copy ${keystore} to /etc/tomcat7/tomcat.keystore and update server.xml"
    printline
}

#######################################
# Main Execution
verify_before_execution
export_to_p12
import_godaddy_root
import_p12_file
print_msg_after_creation

Source: http://brakertech.com/convert-valid-godaddy-cert-key-to-java-keystore/


I'll try to clarify the signing procedure a bit:

  • Key generation: you create a private key
  • CSR generation: with your private key you create a request to a Certification Authority that contains a cert to be signed
  • CA signature: the CA signs your certificate and sends it back to you (it now has your fingerprint and the CA's one inside)
  • cert import: import the signed cert into the keystore, thus making it available to Tomcat
  • chain-cert import: import the certs that define the trust chain

A CA can delegate signing, so in order to be sure that a signed cert is valid, clients must be able to check every CA identity (i.e. your cert is signed by ca.contoso and contoso uses verisign as its cert authority; the client will check contoso and then verisign; if all are OK your cert is considered valid).
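To make the trust chain from this answer (and the curl "certificate verify failed" error in the other one) concrete, here is an added example that is not code from either answer or from GoDaddy or Tomcat: it builds a constructed root > intermediate > server chain with OpenSSL and shows that a client holding only the root can verify the server certificate only when the intermediate (the "chain certificate") is also supplied. The CA names, mydomain.example, and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the answers above): constructed three-level chain.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generates root.crt, inter.crt, server.crt and the chain file a server should send.
build_chain() {
  [ -f "$WORK/chain.crt" ] && return 0
  (
    cd "$WORK"
    # Self-signed root CA: this is all the client has in its trust store.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
      -subj "/CN=Example Root CA" -days 2 >/dev/null 2>&1
    # Intermediate CA signed by the root (the role gd_bundle/gd_intermediate plays for GoDaddy).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
      -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -out inter.crt -days 2 -extfile ca.ext >/dev/null 2>&1
    # Server certificate signed by the intermediate only (constructed domain name).
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mydomain.example\n' > srv.ext
    openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
      -subj "/CN=mydomain.example" >/dev/null 2>&1
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
      -out server.crt -days 2 -extfile srv.ext >/dev/null 2>&1
    # The chain to serve: server cert first, then each intermediate up to (not including) the root.
    cat server.crt inter.crt > chain.crt
  )
}

# Exit status 0 means the client could build a path from server.crt to its trusted root.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" "$WORK/server.crt" >/dev/null 2>&1
}
# Same client, but the server sent only its own certificate: no path to the root.
verify_without_chain() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1
}

build_chain
if verify_with_chain; then echo "with intermediate: verify OK"; fi
if ! verify_without_chain; then echo "without intermediate: certificate verify failed (what curl reported)"; fi
```

For Tomcat the same rule applies: the keystore entry under the tomcat alias must carry the server certificate plus the intermediate(s), which is what importing the chain certificate before the signed certificate achieves.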
