
Unable to get SSL working

    openssl req -new -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr
This resulted in the creation of 2 files:
    mydomain.csr mydomain.key

I submitted the mydomain.csr to godaddy and was able to get a zip file.
$ unzip
inflating: gdig2.crt
inflating: gd_bundle-g2-g1.crt
inflating: 92b553a029b7b18c.crt
The gd_bundle-g2-g1.crt seems to be a bundle of the root and intermed cert. gdig2.crt seems to be an intermediate CA cert which is inside the gd_bundle-g2-g1.crt file, and 92b553a029b7b18c.crt seems to be signed for my csr.
Since I need to add this to tomcat now, I need to have a keystore. Adding a key to keystore is not as simple as it should be. I need to write the key to a pkcs12 keystore using the "openssl" command and then import the created keystore using the "keytool" command.

STEP 3: Get the certificate from the csr generated in STEP 1
    openssl x509 -req -in mydomain.csr -signkey mydomain.key -out mydomain.crt

STEP 4: Create a pkcs12 keystore from the crt file (from STEP 3) and key (from STEP 1)
    openssl pkcs12 -export -in mydomain.crt -inkey mydomain.key -name "" -out my.p12

STEP 5: Import the pkcs12 keystore to a java keystore using keytool
    keytool -importkeystore -deststorepass changeit -destkeystore my-keystore.jks -srckeystore my.p12 -srcstoretype PKCS12

STEP 6: Add certificates to the keystore
    keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt
    keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gdig2.crt   # not necessary since bundled above
    keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file 92b553a029b7b18c.crt

STEP7: I've made the changes to tomcat config as in But on trying to connect to 8443, I see:
    $ curl "https://localhost:8443"
    curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here:

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

Please let me know how I can debug and solve this.


Some missed out info:
Step 5 onwards my-keystore.jks and tomcat.keystore are the same file.
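An added example, not from the original post: a script for the two checks worth running on the files before touching any keystore, whether a certificate chains to the CA bundle (the check curl's error is about) and whether it carries the public half of mydomain.key. It assumes the openssl CLI is installed and builds a throwaway CA in a temp dir so it runs offline; gd_bundle.crt, issued.crt and selfsigned.crt are constructed stand-ins, not the GoDaddy files.

```shell
#!/bin/sh
# Added example, not part of the original post. Needs the openssl CLI.
# Builds a throwaway CA in a temp dir so it runs offline; file names are
# constructed stand-ins: gd_bundle.crt plays gd_bundle-g2-g1.crt and
# issued.crt plays 92b553a029b7b18c.crt.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Server key + CSR, as at the top of the post.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mydomain.example" \
    -keyout mydomain.key -out mydomain.csr 2>/dev/null

# Constructed CA; its self-signed cert stands in for the GoDaddy bundle.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Constructed Test CA" \
    -days 2 -keyout ca.key -out gd_bundle.crt 2>/dev/null

# What STEP 3 produces: the CSR signed with the server's own key.
openssl x509 -req -in mydomain.csr -signkey mydomain.key -days 2 \
    -out selfsigned.crt 2>/dev/null

# What a CA returns: the same CSR signed with the CA's key.
openssl x509 -req -in mydomain.csr -CA gd_bundle.crt -CAkey ca.key \
    -CAcreateserial -days 2 -out issued.crt 2>/dev/null

# Exit 0 only if the cert ($1) chains to a CA in the bundle ($2); this is
# the same check curl performs against its CAfile.
chains_to_bundle() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Exit 0 only if the cert ($1) carries the public half of private key ($2):
# compare digests of the two PEM-encoded public keys.
matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

for cert in selfsigned.crt issued.crt; do
    if chains_to_bundle "$cert" gd_bundle.crt; then
        echo "$cert: chains to gd_bundle.crt"
    else
        echo "$cert: does NOT chain to gd_bundle.crt"
    fi
    matches_key "$cert" mydomain.key && echo "$cert: matches mydomain.key"
done
```

Point chains_to_bundle at 92b553a029b7b18c.crt and gd_bundle-g2-g1.crt to test the real files. Even with a valid chain, curl against https://localhost will still fail if the certificate's name does not cover localhost, which is the second cause listed in its message.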