• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 182
  • Last Modified:

Issues installing SSL certificate into Apache Tomcat

Hi,

I'm trying to install a certificate into Tomcat 8 and am having trouble.

I've been given a Trustwave certificate in the form of:

chain.cer
domainname.co.uk.cer
domainname.co.uk.der
domainname.co.uk.p7b
domainname.co.uk.pem

I create a keystore with:

keytool -genkey -keystore c:\livecontent03.jks -alias livecontent03 -keyalg RSA -keysize 2048 -validity 3650

Open in new window


and fill out the answers with the details given to me although I leave the First name last name field blank as I was n't supplied these details.

I then import the CA certificate file "root certificate" with:

keytool -import -keystore c:\livecontent03.jks -trustcacerts -alias CACert -file c:\chain.cer -storepass ******

Open in new window


and then import the signed certificate:

keytool -import -keystore c:\livecontent03.jks -trustcacerts -alias livecontent03 -file c:\domainname.co.uk.cer -storepass ******

Open in new window



But at this point I get:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

I've spoken to Trustwave and they say that I should use "root certificate for Apache is STCA either from TEXT or PEM format"

So I tried again from scratch with stca.tx first before installing the domain.co.uk.cer but get the same error.

I'm now scratching my head and looking for advice.

Thanks.
0
Letterpart
Asked:
Letterpart
  • 2
1 Solution
 
mccarlIT Business Systems Analyst / Software DeveloperCommented:
It's not clear from that list of files if one of them is the PRIVATE KEY for the certificate that you are trying to install. If you don't have the private key, nothing is going to work anyway. You need the before you can do anything further.

Now, just to clarify the reason for the error that you are seeing... In the first keytool command, you are creating a new keystore, BUT you are also creating a new private key and public key with the alias "livecontent03". This private/public key pair will have NOTHING in common with the details in the certificate that you are importing. So then, when you execute the third keytool command, that is why you are getting the error saying that the public key in the certificate doesn't match with the public key generated in the first command.

So, if you deleted the keystore that you created, and then just ran the 2nd and 3rd commands above, you would be able to import those certificates into the keystore without error, but this would still be useless to Tomcat as it wouldn't have the associated private key that is required for SSL/TLS to work.

The usual process of getting SSL up and going is this...
 - Using something like the first command, create a private/public key pair. At this point you have a self-signed certificate.
 - Using that key pair, get keytool to generate a "Certificate Signing Request" and send that to your CA
 - The CA will verify all your details and generate a new certificate, signed using their own private key, asserting that you are how you say you are. They send you this new certificate (and often their root certificate that verifies your new certificate)
 - You then import the certificate that they send back into the same keystore overwriting the self-signed certificate that was created in the first step.
 - This entry in the keystore now has the private key that Tomcat can use to encrypt information, plus the CA signed certificate (including the public key) that it can send to the remote client, so that the client can decrypt information.
1
 
LetterpartAuthor Commented:
Thanks for that.

Created the CSR on the server, sent it off and the cert installed fine first time.
0
 
mccarlIT Business Systems Analyst / Software DeveloperCommented:
You're welcome!!
1

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now