SteakStyles

Reputation: 87

Tomcat SSL certificate authority invalid

Tried asking before but wasn't too good at it, so here's attempt two.

I'm trying to get SSL running on a Tomcat 7 server under RHEL. Server works fine under HTTP, but when I try to access it with HTTPS, I get this error.

[screenshot]

Looking into it further, Chrome tells me this:

[screenshot]

Did some research. Added the certs to /etc/pki/ca-trust/source/anchors, ran update-ca-trust, still the same problem. Tried rebuilding the keystore from scratch and changing up the order in which they were imported; still nothing.

Here's what's currently in my keystore:

    root, Dec 29, 2017, trustedCertEntry,
    tomcat, Dec 29, 2017, PrivateKeyEntry,
    intermed, Dec 29, 2017, trustedCertEntry,
    crm2.mydomain.org, Jan 3, 2018, trustedCertEntry,

And what's in my server.xml:

<Connector
       port="443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="/opt/apache-tomcat-7.0.82/conf/store" keystorePass=[pass]
       clientAuth="false" sslProtocol="TLS"/>

Other info:

Certs obtained from GoDaddy. Used the guide for installation here.

GoDaddy's SSL checker says I'm missing the intermediate certificate.

Tomcat version 7

RHEL 7.4

Java 1.8

Any help is appreciated.

Upvotes: 1

Views: 6685

Answers (1)

dave_thompson_085

Reputation: 38930

It's hard to be certain, but you appear to have NOT correctly followed the instructions you cite. Your keystore shows a trustedCertEntry with an alias that looks like a redaction of your domainname; this suggests you imported your server cert to that entry and not to the privateKeyEntry named 'tomcat'.

Quoting from the page you linked, emphasis added:

To Install Your SSL [they clearly mean SSL/TLS Server Certificate] in Tomcat

  1. Install the root certificate by running the following command:
    keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file [name of the root certificate]
  2. Install the intermediate certificate by running the following command:
    keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file [name of the intermediate certificate]
  3. Install the issued certificate [for your server] into the keystore by running the following command:
    keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file [name of the certificate]

On step 3 the alias is 'tomcat' which is the same alias you used for the -genkey[pair] and -certreq steps earlier in the procedure, NOT the name of your domain which typically is also the name of the file containing your server/EE cert.

To verify the correct procedure, keytool's response to commands 1 and 2 should be

 Certificate was added to keystore 

but the response to command 3 should be DIFFERENT:

 Certificate reply was installed in keystore

However, if you have 'rebuil[t] the keystore from scratch' and that includes generating a new keypair after obtaining the cert, the cert is now worthless and unusable and this procedure will not work; it will instead say something like

 Public keys in reply and keystore don't match 

The cert that a server uses must match the private key, so this means you must follow the sequence specified in that page, and billions of other places: generate the keypair, then generate the CSR for that keypair, then get the CA to issue a cert from that CSR, then import that cert into the same keystore and alias, with its chain certs available either in the reply (as some CAs do, often with 'p7b' format) or elsewhere in the truststore (as GoDaddy apparently does).

Effectively dupe Import CA signed certificates to JKS for a different CA.

Upvotes: 1
