Installation of WildCard SSL certificate (By Comodo) on Tomcat Apache Web Server

Question

I am installing a wild Card SSL certificate to my keystore which will be used for Apache Tomcat web server. Description : My Tomcat Server is installed on windows 2012 server. And I have certificates provided from COMODO. The wildcard cert I'm using has already been used previously on a few servers. so I am directly installing same on my apache tomcat server . so what I've generated a public keystore using keytool providing the same information used while purchasing the certificate using following tool command.

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

Then I have attached my certificates to the generated keystore using following commond For "Comodo" certificates

i.keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystoreselfservice.keystore

And I have used correct chain of installation of certificate like root , all intermediate, primary from above command.

And while installing each certificate i received the following message

"Certificate added to keystore"

Though I have not got any error . And when i have opened my keystore there were no certificate chain , means there is individual entry of each certificate . but there is no chain hierarchy of certificates like Root then intermediate then primary. And in my final PI or certifcate, i am getting provider as local first name instead of Comodo . EXAMPLE :

CN=nims.ABC.com,OU=abcCommunications,O=abc Group LLC, L=Roseville,ST=Minnesota,C=US

Provider must be

CN=COMODO RSA Organization Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

So I would like to know which steps I have missed or used any extra steps . Please provide a solution to install a wild card certificate . Thanks in advance

Answer 1

I assume you mean Tomcat using Java SSL (JSSE) not APR/Native (OpenSSL). If you want Tomcat-APR, change your question.

If the cert you want to use is already in use on other servers, and you "generated a public keystore using" the keytool command you showed on the NEW server, you generated a NEW KEY which is different from the key the other servers used and different from the key included in the certificate, thus the certificate DOES NOT MATCH that new key and cannot be used with that new key. You also implicitly generated (and have not replaced) a self-signed cert, with both subject and issuer (what you call provider) identifying you rather than a CA like Comodo. This certificate is not good for general use but can be useful for some testing, which is why keytool does it implicitly.

You need to get the certificate, the ALREADY EXISTING private key that MATCHES the certficate, and the needed chain cert(s) into your JKS as a privateKey entry. If an existing SSL server is Java (using JSSE), just copy its JKS. If you want or need to change the password(s) on the copy for your new server, see keytool -storepassword and keytool -keypasswd.

If an existing server is OpenSSL (including Apache httpd and nginx), convert the OpenSSL PEM format to PKCS#12 (preferably on the old server); depending on that server's file layout this is something like

openssl pkcs12 -export -in certfile -inkey keyfile -certfile chaincert -out xxx

and then use keytool to convert PKCS#12 to JKS (preferably on the new server)

keytool -importkeystore -srckeystore xxx -srcstoretype pkcs12 -destkeystore yyy

Note you must use a password on the PKCS#12. This does not need to be the same as the old server keyfile (if any) or the new server JKS, but it's usually more convenient if it is.

If an existing server is IIS, you should be able to export the cert WITH private key AS PFX/PKCS#12 from the Certificate snapin of mmc, and then convert the PKCS12 to JKS as just above.

If an existing server is something else, add it to the question.

Answer 2

You did everything correctly. The trust chain is important for another aspect. If you trust one 'certificate' of the chain, you trust the following 'certificates' of the chain too. So to trust all certs of a CA you just have to trust the root CA's cert.

What you realy need to make the wild card certificate work on you server is to import the private key part of it.