SSL intermediate certificates

StackOverflow https://stackoverflow.com/questions/10090263

Question

We are having a lot of trouble getting our SSL certificates to work properly.

We have generated our keystores (using multiple sources) from an existing key and certificate by first creating a pkcs12 file and exporting it to a java keystore.

Now, Thawte requires that you install 2 intermediate ca files. If I inspect our keystore, all three (the 2 intermediates and our own) are present. Tomcat starts up properly, but on visiting the site (and using the verisign ssl checker), the two intermediate certificates are not picked up.

If anyone has more experience with installing certificates from Thawte, any input would be appreciated. We have the following files at our disposal. Unfortunately we do not have the original keystore used to create the CSR, but we do have the private key.

  1. CSR file
  2. Private key (.key file)
  3. Our .crt file
  4. The primary and secondary intermediate files from Thawte (as seperate and a bundled .p7b files)

Also, we are using tomcat 7.0.27 without apache.

Thanks!

Was it helpful?

Solution 3

Seems the only way we got it working properly was by revoking the old certificate and renewing it with a new CSR.

OTHER TIPS

I answered to your another question, snippets from there should help with this problem too.

One caveat, to add full certificate chain to PKCS#12 keystore you must concatenate all intermediate PEM files like this:

cat specific_ca.pem general_ca.pem root_ca.pem > ca_chain.pem

And specify -CAfile ca_chain.pem and specify -caname multiple time - once for every cert in chain in order they appeared in ca_chain.pem file.

DER to PEM convertation just in case:

openssl x509 -in cert.der -inform der -outform pem -out cert.pem

Just to clarify, since I was not sure how to deal with it after reading those hints - I have put all certificates and private key into PKCS12 keystore and then configured Tomcat to use that keystore instead default JKS. It didn't worked for me with JKS - keytool was importing only private key and my site certificate from PKCS12 file, but intermediate certificate was missing.

Command I have used:

openssl pkcs12 -export -in mycert.crt -inkey my-key.key -out server.p12 -name site.com -caname intermediate -chain -CAfile intermediate.crt

And in server.xml file I have added

keystoreType="PKCS12"

in connector definition.

And now I have Tomcat 7 serving content over https using previously generated key, certificate and intermediate certificate. In my case it was only one intermediate certificate from RapidSSL.

I had the same problem with "Certificate chain length" coming up as "1", I was just beginning to loose all hope having tried many methods, but managed to solve by installing and using APR:

https://stackoverflow.com/a/22391211/2802916

Now the connector in server.xml looks like this:

<Connector port="443"
    SSLEnabled="true"
    maxThreads="150"
    scheme="https"
    secure="true"
    clientAuth="false"
    SSLCertificateFile="thecertificate.cer"
    SSLCertificateKeyFile="privatekey.key"
    SSLCACertificateFile="intermediate.crt"
    SSLPassword="thePassForPrivateKey"
/>
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top