We are having a lot of trouble getting our SSL certificates to work properly.
We have generated our keystores (using multiple sources) from an existing key and certificate by first creating a pkcs12 file and exporting it to a java keystore.
Now, Thawte requires that you install 2 intermediate ca files. If I inspect our keystore, all three (the 2 intermediates and our own) are present. Tomcat starts up properly, but on visiting the site (and using the verisign ssl checker), the two intermediate certificates are not picked up.
If anyone has more experience with installing certificates from Thawte, any input would be appreciated. We have the following files at our disposal. Unfortunately we do not have the original keystore used to create the CSR, but we do have the private key.
- CSR file
- Private key (.key file)
- Our .crt file
- The primary and secondary intermediate files from Thawte (as separate files and as a bundled .p7b file)
Also, we are using tomcat 7.0.27 without apache.
Thanks!
I answered your other question; the snippets from there should help with this problem too.
One caveat: to add the full certificate chain to a PKCS#12 keystore you must concatenate all intermediate PEM files like this:
And specify
-CAfile ca_chain.pem
and specify -caname
multiple times, once for every cert in the chain, in the order they appear in the ca_chain.pem file.
DER to PEM conversion, just in case:
It seems the only way we got it working properly was by revoking the old certificate and renewing it with a new CSR.
Just to clarify, since I was not sure how to deal with it after reading those hints: I have put all certificates and the private key into a PKCS12 keystore and then configured Tomcat to use that keystore instead of the default JKS. It didn't work for me with JKS: keytool imported only the private key and my site certificate from the PKCS12 file, but the intermediate certificate was missing.
Command I have used:
And in server.xml file I have added
in the connector definition.
And now I have Tomcat 7 serving content over https using previously generated key, certificate and intermediate certificate. In my case it was only one intermediate certificate from RapidSSL.
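The two answers above (the -caname-per-certificate caveat, and serving Tomcat from a PKCS#12 keystore built from the existing key, site cert and intermediates) as one added shell example, not code from either answer. It assumes the file names server.key, server.crt, thawte_primary.pem and thawte_secondary.pem, uses -certfile rather than -CAfile/-chain so the bundle is included as-is, and finishes with two checks: how many certificates ended up in the keystore and how many the running server actually sends.

```shell
#!/bin/sh
# Added example. Assumed inputs: server.key, server.crt, thawte_primary.pem,
# thawte_secondary.pem (PEM). Output: tomcat.p12 with key alias "tomcat".
set -eu

# Concatenate intermediate PEM files, in issuing order, into one chain file.
build_chain() {                       # build_chain OUT IN1 [IN2 ...]
    out=$1; shift
    : > "$out"
    for f in "$@"; do cat "$f" >> "$out"; done
}

# Number of certificates in a PEM bundle ("-" or no argument reads stdin).
pem_cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "${1:--}"; }

# One -caname per certificate, in the order they appear in the chain file,
# so the friendly names line up with the certificates openssl attaches.
caname_args() {
    n=$(pem_cert_count "$1"); i=1; args=""
    while [ "$i" -le "$n" ]; do
        args="$args -caname intermediate$i"; i=$((i + 1))
    done
    printf '%s' "$args"
}

# Build the PKCS#12 keystore: private key + site cert + every cert in the
# chain file. -certfile includes the bundle verbatim; -CAfile/-chain would
# instead try to verify the chain and needs the root to be resolvable.
make_keystore() {
    # shellcheck disable=SC2046  # word-splitting of caname_args is intended
    openssl pkcs12 -export -in server.crt -inkey server.key -name tomcat \
        -certfile ca_chain.pem $(caname_args ca_chain.pem) \
        -out tomcat.p12 -passout pass:changeit
}

# Checks: certificates stored in the keystore vs. certificates the live
# server presents (the "certificate chain length" the SSL checkers report).
keystore_cert_count() {
    openssl pkcs12 -in tomcat.p12 -nokeys -passin pass:changeit | pem_cert_count
}
served_chain_length() {               # served_chain_length host:443
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null | pem_cert_count
}

if [ -n "${TOMCAT_HOST:-}" ]; then    # e.g. TOMCAT_HOST=www.example.com:443 sh chain.sh
    build_chain ca_chain.pem thawte_primary.pem thawte_secondary.pem
    make_keystore
    echo "keystore certs: $(keystore_cert_count)  served chain: $(served_chain_length "$TOMCAT_HOST")"
fi
```

A served chain length of 1 after the keystore shows 3 means the connector is not reading this keystore (check keystoreFile and keystoreType="PKCS12" in server.xml), not that the chain is missing from the file.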
I had the same problem with "Certificate chain length" coming up as "1". I was just beginning to lose all hope, having tried many methods, but managed to solve it by installing and using APR:
https://stackoverflow.com/a/22391211/2802916
Now the connector in server.xml looks like this: