Can't get intermediate Certificate to work in Tomcat

I purchased a Comodo certificate for our website and attempted to install it in a keystore for Tomcat to use.  I followed all of the various instructions that I have found online including:

1) Importing the main CA as "root"
2) Importing the Intermediate as "intermed", "intermed-2" and "intermed-1"
3) Importing my certificate as "tomcat"

With the SSL connector configured in tomcat, the site will load but gives an HTTPS exception that the certificate chain isn't trusted.  What else am I missing?
blood asked:

blood (Author) commented:
Output from my keystore:


Keystore type: JKS
Keystore provider: SUN

Your keystore contains 6 entries

Alias name: intermed-1
Creation date: Jul 16, 2015
Entry type: trustedCertEntry

Owner: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Serial number: 2b2e6eead975366c148a6edba37c8c07
Valid from: Tue Feb 11 16:00:00 PST 2014 until: Sun Feb 11 15:59:59 PST 2029
Certificate fingerprints:
       MD5:  83:E1:04:65:B7:22:EF:33:FF:0B:6F:53:5E:8D:99:6B
       SHA1: 33:9C:DD:57:CF:D5:B1:41:16:9B:61:5F:F3:14:28:78:2D:1D:A6:39
       SHA256: 02:AB:57:E4:E6:7A:0C:B4:8D:D2:FF:34:83:0E:8A:C4:0F:44:76:FB:08:CA:6B:E3:F5:CD:84:6F:64:68:40:F0
       Signature algorithm name: SHA384withRSA
       Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://crt.comodoca.com/COMODORSAAddTrustCA.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.comodoca.com
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: BB AF 7E 02 3D FA A6 F1   3C 84 8E AD EE 38 98 EC  ....=...<....8..
0010: D9 32 32 D4                                        .22.
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.comodoca.com/COMODORSACertificationAuthority.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[]  ]
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 90 AF 6A 3A 94 5A 0B D8   90 EA 12 56 73 DF 43 B4  ..j:.Z.....Vs.C.
0010: 3A 28 DA E7                                        :(..
]
]



*******************************************
*******************************************


Alias name: root
Creation date: Jul 16, 2015
Entry type: trustedCertEntry

Owner: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Serial number: 1
Valid from: Tue May 30 03:48:38 PDT 2000 until: Sat May 30 03:48:38 PDT 2020
Certificate fingerprints:
       MD5:  1D:35:54:04:85:78:B0:3F:42:42:4D:BF:20:73:0A:3F
       SHA1: 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
       SHA256: 68:7F:A4:51:38:22:78:FF:F0:C8:B1:1F:8D:43:D5:76:67:1C:6E:B2:BC:EA:B4:13:FB:83:D9:65:D0:6D:2F:F2
       Signature algorithm name: SHA1withRSA
       Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: AD BD 98 7A 34 B4 26 F7   FA C4 26 54 EF 03 BD E0  ...z4.&...&T....
0010: 24 CB 54 1A                                        $.T.
]
[CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE]
SerialNumber: [    01]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AD BD 98 7A 34 B4 26 F7   FA C4 26 54 EF 03 BD E0  ...z4.&...&T....
0010: 24 CB 54 1A                                        $.T.
]
]



*******************************************
*******************************************


Alias name: tomcat
Creation date: Jul 16, 2015
Entry type: trustedCertEntry

Owner: CN=XXX.XXXX.XXXXXX, OU=COMODO SSL, OU=Domain Control Validated
Issuer: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Serial number: 43e2add0537a470cd65b447188817844
Valid from: Tue Apr 07 17:00:00 PDT 2015 until: Thu Apr 07 16:59:59 PDT 2016
Certificate fingerprints:
       MD5:  DF:FE:19:EE:7A:62:2D:2C:95:F5:9E:20:8D:65:6F:64
       SHA1: D7:28:04:89:50:A9:3D:63:C3:8B:24:26:7D:B8:32:1B:DB:84:0D:F4
       SHA256: BF:86:E0:99:69:33:C3:23:F5:8E:30:1E:63:1E:EA:33:74:3A:CF:3E:71:4C:B8:26:B0:F4:D2:E2:50:DF:87:8E
       Signature algorithm name: SHA256withRSA
       Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.comodoca.com
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 90 AF 6A 3A 94 5A 0B D8   90 EA 12 56 73 DF 43 B4  ..j:.Z.....Vs.C.
0010: 3A 28 DA E7                                        :(..
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.7]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1D 68 74 74 70 73 3A   2F 2F 73 65 63 75 72 65  ..https://secure
0010: 2E 63 6F 6D 6F 64 6F 2E   63 6F 6D 2F 43 50 53     .comodo.com/CPS

]]  ]
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: XXXXX.XXXXX.XXXXX
  DNSName: XXXX.XXXXX.XXXXX
]

#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BE 37 77 C0 9A 7A 73 FE   4D 6F E8 5F E5 22 84 FA  .7w..zs.Mo._."..
0010: 81 A2 F6 32                                        ...2
]
]



*******************************************
*******************************************


Alias name: server
Creation date: Apr 8, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=xxxx.xxx.xxx, OU=Web Security, O=xxxxxx America, L=xxxxxxx, ST=California, C=US
Issuer: CN=xxxx.xxx.xxxx, OU=Web Security, O=xxxxxx America, L=xxxxxxx, ST=California, C=US
Serial number: 32949e0b
Valid from: Wed Apr 08 14:17:52 PDT 2015 until: Tue Jul 07 14:17:52 PDT 2015
Certificate fingerprints:
       MD5:  E1:4D:F7:3B:58:32:7F:D1:19:EF:0D:3E:5B:E3:E9:59
       SHA1: 5F:CF:80:BD:4A:61:9B:E9:C7:06:E7:89:61:95:AE:3D:1C:62:A8:EB
       SHA256: DF:64:E3:A5:D7:EF:95:CE:E0:4C:B3:91:97:3F:AD:03:22:00:A7:58:B0:7D:53:FD:3D:69:E2:F9:6A:0B:18:5C
       Signature algorithm name: SHA256withRSA
       Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BE 37 77 C0 9A 7A 73 FE   4D 6F E8 5F E5 22 84 FA  .7w..zs.Mo._."..
0010: 81 A2 F6 32                                        ...2
]
]



*******************************************
*******************************************


Alias name: intermed-2
Creation date: Jul 16, 2015
Entry type: trustedCertEntry

Owner: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Serial number: 2766ee56eb49f38eabd770a2fc84de22
Valid from: Tue May 30 03:48:38 PDT 2000 until: Sat May 30 03:48:38 PDT 2020
Certificate fingerprints:
       MD5:  1E:DA:F9:AE:99:CE:29:20:66:7D:0E:9A:8B:3F:8C:9C
       SHA1: F5:AD:0B:CC:1A:D5:6C:D1:50:72:5B:1C:86:6C:30:AD:92:EF:21:B0
       SHA256: 4F:32:D5:DC:00:F7:15:25:0A:BC:C4:86:51:1E:37:F5:01:A8:99:DE:B3:BF:7E:A8:AD:BB:D3:AE:F1:C4:12:DA
       Signature algorithm name: SHA384withRSA
       Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.usertrust.com
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: AD BD 98 7A 34 B4 26 F7   FA C4 26 54 EF 03 BD E0  ...z4.&...&T....
0010: 24 CB 54 1A                                        $.T.
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.usertrust.com/AddTrustExternalCARoot.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[]  ]
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BB AF 7E 02 3D FA A6 F1   3C 84 8E AD EE 38 98 EC  ....=...<....8..
0010: D9 32 32 D4                                        .22.
]
]



*******************************************
*******************************************


Alias name: intermed
Creation date: Jul 16, 2015
Entry type: trustedCertEntry

Owner: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Serial number: 2766ee56eb49f38eabd770a2fc84de22
Valid from: Tue May 30 03:48:38 PDT 2000 until: Sat May 30 03:48:38 PDT 2020
Certificate fingerprints:
       MD5:  1E:DA:F9:AE:99:CE:29:20:66:7D:0E:9A:8B:3F:8C:9C
       SHA1: F5:AD:0B:CC:1A:D5:6C:D1:50:72:5B:1C:86:6C:30:AD:92:EF:21:B0
       SHA256: 4F:32:D5:DC:00:F7:15:25:0A:BC:C4:86:51:1E:37:F5:01:A8:99:DE:B3:BF:7E:A8:AD:BB:D3:AE:F1:C4:12:DA
       Signature algorithm name: SHA384withRSA
       Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.usertrust.com
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: AD BD 98 7A 34 B4 26 F7   FA C4 26 54 EF 03 BD E0  ...z4.&...&T....
0010: 24 CB 54 1A                                        $.T.
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.usertrust.com/AddTrustExternalCARoot.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[]  ]
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BB AF 7E 02 3D FA A6 F1   3C 84 8E AD EE 38 98 EC  ....=...<....8..
0010: D9 32 32 D4                                        .22.
]
]



*******************************************
*******************************************
David Johnson, CD, MVP (Owner) commented:
Did you add the intermediate certs to your operating system? Where is it showing as untrusted?
gheist commented:
A screenshot of the invalid certificate chain could help...
btan (Exec Consultant) commented:
There is a server, tomcat and root besides the other 3 intermediate certs. There is only the server with a private key, so I suppose that is your web server?

Also I noticed the issuers are different, as below, but it seems a chain of trust cannot be built from the server cert... need to see more error-specific details as mentioned by all.
intermed-1
Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB

tomcat
Issuer: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB

server
Issuer: CN=xxxx.xxx.xxxx, OU=Web Security, O=xxxxxx America, L=xxxxxxx, ST=California, C=US

root, intermed-2, intermed
Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
gheist commented:
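The issuer-to-owner comparison btan does by hand above can be automated. The following Python is an added example, not code from this thread or from Tomcat/keytool: it parses `keytool -list -v` output, walks Issuer -> Owner links to rebuild each chain, and flags a PrivateKeyEntry that still carries its self-signed certificate while the CA-issued one sits under another alias. The embedded sample is a constructed, shortened version of the dump in the question, with the redacted hostname replaced by the assumed name www.example.test.

```python
# Constructed, shortened `keytool -list -v` output mirroring the dump posted in the question
KEYTOOL_OUTPUT = """\
Alias name: intermed-1
Owner: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited
Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited
Alias name: root
Owner: CN=AddTrust External CA Root, O=AddTrust AB
Issuer: CN=AddTrust External CA Root, O=AddTrust AB
Alias name: tomcat
Owner: CN=www.example.test, OU=COMODO SSL
Issuer: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited
Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=www.example.test, OU=Web Security
Issuer: CN=www.example.test, OU=Web Security
Alias name: intermed
Owner: CN=COMODO RSA Certification Authority, O=COMODO CA Limited
Issuer: CN=AddTrust External CA Root, O=AddTrust AB
"""
def parse_keytool(text):
    """Map alias -> {owner, issuer[, chain_len]}; only PrivateKeyEntry items report a chain length."""
    entries, cur = {}, {}                 # cur starts as a throwaway dict for the header lines
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if key == "Alias name":
            cur = entries[val.strip()] = {}
        elif key == "Certificate chain length":
            cur["chain_len"] = int(val)
        elif key in ("Owner", "Issuer"):
            cur.setdefault(key.lower(), val.strip())   # first cert of a chain is the leaf
    return entries

def build_chain(entries, alias):
    """Follow Issuer -> Owner links inside the keystore; False means an issuer is missing."""
    chain = [alias]
    while entries[chain[-1]]["owner"] != entries[chain[-1]]["issuer"]:
        issuer = entries[chain[-1]]["issuer"]
        nxt = next((a for a, e in entries.items() if e["owner"] == issuer and a not in chain), None)
        if nxt is None:
            return chain, False
        chain.append(nxt)
    return chain, True

def diagnose(entries):
    """Explain why the connector's key alias cannot present a CA-issued, complete chain."""
    findings, cn = [], (lambda dn: dn.split("CN=")[1].split(",")[0])
    for alias, e in entries.items():
        chain, ok = build_chain(entries, alias)
        if not ok:
            findings.append(f"{alias}: chain stops at '{chain[-1]}', whose issuer is not in the keystore")
        if e.get("chain_len") == 1 and e["owner"] == e["issuer"]:   # key entry still self-signed
            stray = [a for a, o in entries.items() if a != alias and cn(o["owner"]) == cn(e["owner"])]
            findings.append(f"{alias}: key entry is still self-signed; the CA-issued cert for {cn(e['owner'])} sits under {', '.join(stray) or 'no alias'}; import it under '{alias}'")
    return findings
```

Run it on your own `keytool -list -v -keystore your.jks` output: a complete chain for every alias plus a finding against the keyAlias named in the Connector points at the same cause the asker eventually found.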
Just a small catch: do you use the Tomcat native module? (It is shown soon after server start in catalina.out.)
blood (Author) commented:
Does anyone know what the Aliases of the certs should be for Tomcat native (no Apache)?

I have seen online:

root
tomcat
server
intermed
intermediate
intermed-1
intermed-2
your.sitename.tld

And I can't believe that 4 certs (1 Trusted CA, 2 Intermediate & my site certificate) can all exist under these different aliases.

Thanks!
btan (Exec Consultant) commented:
An alias is like a unique tag for an entity when the latter is being used or referenced. There are the SSL certificate alias and the SSL key alias, to be specific. This is important because one keystore can contain multiple public/private key pairs. For the command below, the alias "tomcat" identifies the new certificate within the keystore (by specifying the command argument -alias tomcat).

Windows --- keytool -genkeypair -alias tomcat -keyalg RSA -keystore C:\mykeystore

You can also define a key alias, which is the alias for the server key within the specified keystore. You can check that in the keystoreFile and keyAlias specified in the <Connector> element in the Tomcat configuration file. A sample connector should look something like this:
<Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keyAlias="server" keystoreFile="/home/user_name/your_site_name.jks" keystorePass="your_keystore_password" />
Do note that keyAlias values can be case sensitive. These values are case sensitive for some of the supported keystore formats, like PKCS#11. To avoid issues related to the case sensitivity of aliases, it is not recommended to use aliases that differ only in case.

Regardless, we must always install the SSL certificate file into the same keystore and under the same alias name (i.e. "server") that was used to generate our CSR, and import it into the right keystore. E.g.

keytool -import -trustcacerts -alias server -file your_site_name.p7b -keystore your_site_name.jks

Note that the information entered and stored in the keystore as the common name (CN) of the certificate is the host name (FQDN) of the server for which you are generating a certificate. It can be (and most of the time is) different from the alias.
blood (Author) commented:
So the issue was complicated:

1) I installed the "temporary" certificate that was generated by Comodo first.  
2) I installed the certificate as "tomcat" when I had generated the certificate as "my.domain.tld"
3) Somehow a self-signed certificate was installed

I decided to start with a new keystore and reissue the certificate with the new CSR as indicated.   I didn't know what the actual "intermediate" aliases should be so I created an intermed, intermediate, intermed-1 and intermed-2 cert (since Comodo has two intermediate certs).  This allowed successful import of my domain.crt and the problem went away.

keytool -genkey -alias my.domain.tld -dname "cn=my.domain.tld,o=domain,o=.tld" -keystore raz_war_us.jks -keysize 2048 -keyalg RSA

keytool -certreq -alias my.domain.tld -keystore raz_war_us.jks -file raz.war.csr

keytool -import -v -trustcacerts -alias root -file ..\AddTrustExternalCARoot.crt -keystore raz_war_us.jks

keytool -import -v -trustcacerts -alias intermediate -file ..\COMODORSAAddTrustCA.crt -keystore raz_war_us.jks

keytool -import -v -trustcacerts -alias intermed -file ..\COMODORSAAddTrustCA.crt -keystore raz_war_us.jks

keytool -import -v -trustcacerts -alias intermed-1 -file ..\COMODORSAAddTrustCA.crt -keystore raz_war_us.jks

keytool -import -v -trustcacerts -alias intermed-2 -file ..\COMODORSAOrganizationValidationSecureServerCA.crt -keystore raz_war_us.jks

keytool -import -v -trustcacerts -alias my.domain.tld -file ..\raz.crt -keystore raz_war_us.jks
btan (Exec Consultant) commented:
thanks for sharing!