ForeverStudent

Reputation: 2537

SSL certificate in keystore not working

I have a JKS Java keystore that I am using to keep my SSL certificate for my web server.

At first I created a private key using the keytool -genkey command and gave it the alias tomcatserver.

Then I created a CSR for this key using the keytool -certreq command.

At this point I took my CSR and submitted it to Comodo to get suitable certificates that I would use on my web server. The domain name I want to secure is adminhq.neo-image.com

I got a bunch of certificates from Comodo and imported all of them to my keystore.

Now if I list all the entries in the keystore it looks like this:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 5 entries

intermediateone, 22-Mar-2016, trustedCertEntry, 
Certificate fingerprint (SHA1): 33:9C:DD:57:CF:D5:B1:41:16:9B:61:5F:F3:14:28:78:2D:1D:A6:39

root, 22-Mar-2016, trustedCertEntry, 
Certificate fingerprint (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68

tomcatserver, 22-Mar-2016, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 49:E8:28:47:04:53:77:CC:C8:5E:21:30:0C:4C:9A:29:C9:53:24:6C

intermediatetwo, 22-Mar-2016, trustedCertEntry, 
Certificate fingerprint (SHA1): F5:AD:0B:CC:1A:D5:6C:D1:50:72:5B:1C:86:6C:30:AD:92:EF:21:B0

adminhq.neo-image.com, 22-Mar-2016, trustedCertEntry, 
Certificate fingerprint (SHA1): AF:FA:22:7F:AE:3E:6B:8C:67:DC:98:02:1F:03:D6:E5:3A:5B:82:4E

But somehow this does not work for my web server. If I try to access my web application using the browser (Chrome) it will warn against a bad SSL certificate. When I ask for more information it shows only the certificate for adminhq.neo-image.com and says it is issued by the same entity.

The certificate path shows only this one entry.

What have I done wrong?

Upvotes: 0

Views: 6573

Answers (1)

Omikron

Reputation: 4143

You made a small mistake when you imported the SSL certificate. You have to use the same alias that you used for generating the key.

Right now the key and the certificate issued by Comodo are in two separate entries and the PrivateKeyEntry still contains the self-signed certificate that was created with the key:

tomcatserver, 22-Mar-2016, PrivateKeyEntry, 
...
adminhq.neo-image.com, 22-Mar-2016, trustedCertEntry, 

By importing the CA reply using the key alias you replace the self-signed certificate with the one issued by the CA.

Upvotes: 2
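
A check for the keystore state this answer describes, as an added example that is not part of the original answer: it reads keytool -list -v output and reports any PrivateKeyEntry whose only certificate is still self-signed. The function names and the DNs in the sample listing are constructed for illustration, and matching a stray trustedCertEntry by CN is a heuristic.

```shell
#!/bin/sh
# Added example, not from the original post. Usage:
#   keytool -list -v -keystore <keystore.jks> | check_key_entries
# Prints one line per PrivateKeyEntry that still holds only a self-signed cert and
# names any trustedCertEntry with the same CN (heuristic for a misplaced CA reply).
check_key_entries() {
    awk '
    function cn(dn) { return match(dn, /CN=[^,]*/) ? substr(dn, RSTART + 3, RLENGTH - 3) : "" }
    { sub(/\r$/, "") }    # tolerate CRLF line endings
    /^Alias name: / { n++; alias[n] = substr($0, 13); next }
    /^Entry type: / { type[n] = substr($0, 13); next }
    /^Certificate chain length: / { chain[n] = $4 + 0; next }
    # Keep only the first Owner/Issuer per entry, i.e. Certificate[1].
    /^Owner: /  { if (!(n in owner))  owner[n]  = substr($0, 8); next }
    /^Issuer: / { if (!(n in issuer)) issuer[n] = substr($0, 9); next }
    END {
        for (i = 1; i <= n; i++) {
            if (type[i] != "PrivateKeyEntry" || chain[i] != 1 || owner[i] != issuer[i]) continue
            stray = ""
            for (j = 1; j <= n; j++)
                if (type[j] == "trustedCertEntry" && owner[j] != issuer[j] && cn(owner[j]) == cn(owner[i]))
                    stray = stray " " alias[j]
            print alias[i] ": self-signed; possible misplaced CA reply:" (stray == "" ? " none" : stray)
        }
    }'
}

# Constructed listing shaped like the keystore in the question (DNs are made up).
sample_listing() {
    cat <<'EOF'
Alias name: tomcatserver
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=adminhq.neo-image.com, O=Example
Issuer: CN=adminhq.neo-image.com, O=Example
*******************************************
Alias name: adminhq.neo-image.com
Entry type: trustedCertEntry
Owner: CN=adminhq.neo-image.com, OU=Constructed
Issuer: CN=Constructed Intermediate CA
*******************************************
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Constructed Root CA
Issuer: CN=Constructed Root CA
EOF
}
sample_listing | check_key_entries
```

Once the CA reply has been imported under the key alias, the PrivateKeyEntry shows a chain length greater than 1 with an Issuer that differs from the Owner, and the function prints nothing for it.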
