
I registered a domain and would like to set up SSL encryption for it. My domain provider offered me to get a SSL certificate from COMODO. I generated a key and a csr file using openSSL:

openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr 

The command produced a private key, myserver.key and the csr file. I uploaded the content of the csr to comodo, and after verification, they sent me the following files:

Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - mydomain.crt

I'm lost on where to go from here. I followed these instructions:

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/638/0/certificate-installation-java-based-web-servers-tomcat-using-keytool

and created a domain.keystore file, but I'm not sure if that's the right thing to do or not. My configuration in Jboss now looks like this:

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="mydomain" password="*****" protocol="TLSv1" certificate-key-file="../standalone/configuration/domain.keystore"/>
</connector>

But that doesn't seem to work. I get no error in the server log, the page simply times out. If I use http it works normally. Any advice?

EDIT:

I took a different approach, I generated my keystore in this way:

keytool -genkey -alias domain -keyalg RSA -keysize 2048 -keystore domain.keystore 

then I uploaded the new csr info to comodo and got the three .crt certificates back. I imported them into the keystore with this command:

keytool -import -trustcacerts -alias domain -file domain.crt -keystore domain.keystore 

and then I used the keystore in the standalone.xml in this way:

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="domain-ssl" key-alias="domain" password="******" certificate-key-file="../standalone/configuration/domain.keystore" protocol="TLSv1"/>
</connector>

The server starts, but when I try to connect to it, my browser says that the connection is untrusted:

domain uses an invalid security certificate. The certificate is not trusted because it is self-signed. (Error code: sec_error_ca_cert_invalid) 
  • "private key, myserver.key, ..." - they should be the same thing. What's the difference between them? Commented Jul 5, 2014 at 0:30
  • My bad, I wrote it in a weird way, it's the same thing. Commented Jul 9, 2014 at 8:48

3 Answers

4

I finally managed to get the installation right! Here's how you do it:

Install the COMODO certificates into your keystore with this command:

keytool -import -trustcacerts -alias <filename> -file <filename>.crt -keystore domain.keystore 

in the following order:

» Root: AddTrustExternalCARoot.crt
» Intermediate 1: COMODOAddTrustServerCA.crt
» Intermediate 2: COMODOExtendedValidationSecureServerCA.crt

Then install your domain certificate:

keytool -import -trustcacerts -alias mykey -file yourDomainName.crt -keystore domain.keystore 

Instead of mykey, use the same alias that you used to generate your keystore. If you do everything correctly, you should get this output:

Certificate reply was installed in keystore 

Anything else means you probably didn't use the correct alias. The final thing you need to do is to modify your standalone.xml like this:

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="<domain>-ssl" key-alias="<domain>" password="******" certificate-key-file="../standalone/configuration/<domain>.keystore"/>
</connector>

And you should be good to go!
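A check for the alias that the connector's key-alias points at, as an added example that is not part of this answer: it parses `keytool -list -v -keystore domain.keystore` output (the sample listings are constructed here and assumed to follow keytool's verbose format) and flags the state the question ran into, where the CA reply was never installed under the private-key alias so the keystore still holds the self-signed certificate from keytool -genkey.

```python
import re

# Constructed samples of `keytool -list -v -keystore domain.keystore` output
# (not from the original page); field names follow keytool's verbose listing.
BROKEN_LISTING = """\
Alias name: domain
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=www.example.com, O=Example, C=GB
Issuer: CN=www.example.com, O=Example, C=GB
*******************************************
*******************************************
Alias name: addtrustexternalcaroot
Entry type: trustedCertEntry
Owner: CN=AddTrust External CA Root, O=AddTrust AB, C=SE
Issuer: CN=AddTrust External CA Root, O=AddTrust AB, C=SE
"""
FIXED_LISTING = """\
Alias name: domain
Entry type: PrivateKeyEntry
Certificate chain length: 3
Owner: CN=www.example.com, O=Example, C=GB
Issuer: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, C=GB
"""

def parse_entries(listing):
    """Return one dict per alias: entry type, chain length, leaf owner and issuer."""
    entries = []
    for block in re.split(r"^\*{5,}$", listing, flags=re.M):
        alias = re.search(r"^Alias name: (.+)$", block, re.M)
        if not alias:
            continue  # empty fragment between the two separator lines
        field = lambda name: re.search(rf"^{name}: (.+)$", block, re.M)
        length = field("Certificate chain length")  # absent on trustedCertEntry
        entries.append({"alias": alias.group(1), "type": field("Entry type").group(1),
                        "chain_length": int(length.group(1)) if length else 0,
                        "owner": field("Owner").group(1), "issuer": field("Issuer").group(1)})
    return entries

def check_server_alias(listing, alias):
    """Diagnose the alias that the JBoss key-alias attribute points at."""
    for e in parse_entries(listing):
        if e["alias"] != alias:
            continue
        if e["type"] != "PrivateKeyEntry":
            return "no private key under this alias"
        if e["chain_length"] < 2 and e["owner"] == e["issuer"]:
            return "self-signed: certificate reply was not installed under this alias"
        return "ok"
    return "alias not found in keystore"
```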


0
My domain provider offered me to get a SSL certificate from COMODO... ... Any advice? 

Don't pay for the certificate. You can get a free Class 1 certificate from Startcom. The Class 1 is good for server authentication without a wildcard domain. If you want an extended validation certificate or a wildcard certificate, then you will have to buy a Class 2 or higher.

Also, while Startcom issues the certificate for free, they charge for revocation because that's where the cost lies.

I'm lost on where to go from here...

Convert Intermediate CA Certificate - COMODORSAAddTrustCA.crt, Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt and Your PositiveSSL Certificate - mydomain.crt to PEM files. PEM are the ones that start with ----- BEGIN CERTIFICATE ----- and finish with ----- END CERTIFICATE -----.

Then, concatenate your three PEM files into a single file. The file will have three certificates in it. Call it mydomain-chain.pem, and load that into your server. Also load myserver.key into your server.

Don't do anything with Root CA Certificate - AddTrustExternalCARoot.crt. Clients have to use it as a root. There's no {use|need} to send it to the client in the ServerHello.

You can test your setup with the following. Notice how the client uses the root:

openssl s_client -connect myserver:443 -CAfile AddTrustExternalCARoot.crt 

The command should end with Verify (0) OK or similar.
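As an added example that is not part of this answer, a parser for the openssl s_client output of the test above: it reads the Certificate chain section and the Verify return code line (sample output constructed here, assumed to follow openssl's current formatting) and reports whether the server sent a correctly ordered chain or only the self-signed certificate the question's browser complained about.

```python
import re

# Constructed samples of `openssl s_client -connect host:443 -CAfile root.crt`
# output (not from the original page), trimmed to the parts the check reads.
S_CLIENT_OK = """\
---
Certificate chain
 0 s:CN = www.example.com
   i:CN = COMODO RSA Domain Validation Secure Server CA
 1 s:CN = COMODO RSA Domain Validation Secure Server CA
   i:CN = COMODO RSA Certification Authority
 2 s:CN = COMODO RSA Certification Authority
   i:CN = AddTrust External CA Root
---
    Verify return code: 0 (ok)
"""
S_CLIENT_SELF_SIGNED = """\
---
Certificate chain
 0 s:CN = www.example.com
   i:CN = www.example.com
---
    Verify return code: 18 (self signed certificate)
"""

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    pairs = re.findall(r"^ *\d+ s:(.+)\n *i:(.+)$", output, re.M)
    return [(s.strip(), i.strip()) for s, i in pairs]

def verify_code(output):
    m = re.search(r"Verify return code: (\d+) \((.+)\)", output)
    return (int(m.group(1)), m.group(2)) if m else (None, "no verify line")

def diagnose(output):
    """Explain what the presented chain says about the server's keystore."""
    chain = parse_chain(output)
    code, reason = verify_code(output)
    if not chain:
        return "no certificate chain in output"
    if len(chain) == 1 and chain[0][0] == chain[0][1]:
        return "server sends a self-signed certificate; the CA reply was never installed"
    # each certificate's issuer must be the subject of the next one sent
    for (s, i), (next_s, _) in zip(chain, chain[1:]):
        if i != next_s:
            return f"chain out of order: {s!r} issued by {i!r}, but next is {next_s!r}"
    if code != 0:
        return f"chain ordered but verification failed: {code} ({reason})"
    return f"ok: {len(chain)} certificates, issuer of leaf is {chain[0][1]!r}"
```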

1 Comment

Thanks for your reply. I tried what you described, but now on server startup I get the following error: ERROR [org.apache.tomcat.util.net.jsse.JSSESocketFactory] (MSC service thread 1-1) Failed to load keystore type JKS with path ../standalone/configuration/mydomain-chain.pem due to Invalid keystore format: java.io.IOException: Invalid keystore format
0

Failed to load keystore type JKS with path ../standalone/configuration/mydomain-chain.pem due to Invalid keystore format: which means your keystore is not valid. Don't create a new one; use the keystore file you created while submitting the csr file to them. Use the same keystore; if you change the keystore, it will not be accepted.
