Reputation: 173
I need to create a .keystore file with my self-signed certificate chain.
I tried 2 methods.
Method 1:
https://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/
I used the above post to create my self-signed certificate chain. I converted the .crt to .p7b and tried to create the keystore file but I got "Input not an X.509 certificate" in OpenSSL.
I'm using Windows machine. So I opened the .crt file, Clicked "Copy To File" and saved it as .p7b file.
Method 2:
https://www.pixelstech.net/article/1450354633-Using-keytool-to-create-certificate-chain
I used the above post to create my keystore with certificate chain but when I added it to the , I got "This site can't be reached" error in my browser and no error in logs.
My Connector is as follows :
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" connectionTimeout="20000" debug="0" disableUploadTimeout="true" enableLookups="false" keystoreFile="test.keystore" keystorePass="test" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" name="SSL" port="9372" scheme="https" secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>
The above connector works if the keystore file has only one certificate. So, the problem is with the process of generating keystore.
How can I add a certificate chain to my keystore successfully?
EDIT:
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" connectionTimeout="20000" debug="0" disableUploadTimeout="true" enableLookups="false" keystoreFile="test.p12" keystorePass="test" keystoreType="PKCS12" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" name="SSL" port="9372" scheme="https" secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>
I modified the format of the keystore from .keystore to .p12. My application runs now, but the status for “Didier Stevens Code Signing (https://DidierStevens.com)” shows “This certificate is OK.” while the status for “Didier Stevens (https://DidierStevens.com)” shows “This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.” It should be the other way around, but I don't know what the issue is.
Upvotes: 0
Views: 1174
Reputation: 18809
You have quoted that "The above connector works if the keystore file has only one certificate. So, the problem is with the process of generating keystore." So if the problem is picking a specific set of cert/keys in a keystore, you need to specify that as part of the Connector.
If this is not specified the first entry is going to be used.
See here: https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#Common_Attributes
Attribute keyAlias
The alias used for the server key and certificate in the keystore. If not specified, the first key read from the keystore will be used. The order in which keys are read from the keystore is implementation dependent. It may not be the case that keys are read from the keystore in the same order as they were added. If more than one key is present in the keystore it is strongly recommended that a keyAlias is configured to ensure that the correct key is used.
Upvotes: 0
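Added example (not from the question, the answer or the linked posts): a shell script that builds a two-level chain with OpenSSL (a self-signed root and a server certificate it signs), packs key, leaf and CA into a single PKCS12 key entry under a fixed alias, and checks that the chain is actually inside the file before Tomcat is pointed at it. It covers both the chain-building problem in the question and the keyAlias point in the answer. The subject names, the password `test` and the alias `tomcat` are constructed for the example; it assumes `openssl` is on PATH and uses a JDK's `keytool` only if one is installed.

```shell
#!/bin/sh
# Added example: build a self-signed CA + server certificate chain with OpenSSL,
# pack it into one PKCS12 key entry, and verify the chain before Tomcat uses it.
# Constructed values: subject names, the "test" password and the alias "tomcat".
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"      # scratch directory for keys and certificates
ALIAS="tomcat"                    # goes into the Connector's keyAlias attribute
STOREPASS="test"                  # placeholder, matches keystorePass in the question

# Minimal req config so "openssl req" works without the system openssl.cnf.
write_config() {
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
  # CA extensions: an explicit CA bit, so chain validation accepts the root.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
  # Leaf extensions: not a CA, server authentication, SAN matching the host name.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:localhost\n' > "$WORK/server.ext"
}

# Root CA (self-signed) and a server certificate signed by it.
build_chain() {
  write_config
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=Example Test Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.csr"
  openssl x509 -req -sha256 -days 3650 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=localhost" -keyout "$WORK/server.key" -out "$WORK/server.csr"
  openssl x509 -req -sha256 -days 825 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt"
  # Offline check: the leaf must validate against the root before it is packaged.
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt"
}

# One PKCS12 key entry whose certificate chain is leaf + CA, stored under ALIAS.
pack_p12() {
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -certfile "$WORK/ca.crt" -name "$ALIAS" -passout "pass:$STOREPASS" \
    -out "$WORK/test.p12"
}

# Number of certificates stored in the PKCS12 (2 = leaf + CA).
chain_length() {
  openssl pkcs12 -in "$WORK/test.p12" -nokeys -passin "pass:$STOREPASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Alias (friendlyName) recorded on the key's own certificate.
entry_alias() {
  openssl pkcs12 -in "$WORK/test.p12" -nokeys -clcerts -passin "pass:$STOREPASS" 2>/dev/null \
    | sed -n 's/^[[:space:]]*friendlyName: //p' | head -n 1
}

# Optional: what a JDK (and therefore Tomcat's JSSE) sees in the store.
show_keytool_entry() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH; skipping" >&2; return 0; }
  keytool -list -v -keystore "$WORK/test.p12" -storetype PKCS12 \
    -storepass "$STOREPASS" -alias "$ALIAS" 2>/dev/null \
    | grep -E 'Alias name|Entry type|Certificate chain length' \
    || echo "keytool could not read $WORK/test.p12 (an old JDK may need a store built with OpenSSL 3's -legacy option)" >&2
}

build_chain
pack_p12
echo "$WORK/test.p12: $(chain_length) certificates under alias '$(entry_alias)'"
show_keytool_entry
```

Point the Connector at the result with `keystoreFile="test.p12" keystoreType="PKCS12" keyAlias="tomcat"` alongside the existing attributes; with keyAlias set, the key selected no longer depends on the order entries are read from the store, which is the point of the quoted Tomcat documentation. If `keytool -list -v` reports `Certificate chain length: 2` under that alias, the chain is in place and any remaining browser warning concerns trust in the root, not the keystore.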