Question
One of our clients purchased a wildcard SSL certificate (*.example.com) from GoDaddy and simply downloaded it without providing CSR data. We have 3 files in that zip file: fce4f111a61ea3f4.crt, gd_bundle-g2-g1.crt and gdig2.crt.pem.
I searched so many articles regarding this, but everyone says to first take the CSR data from your server and paste it into GoDaddy to get the SSL certificates.
In my case we didn't provide CSR data to GoDaddy, which means I don't have the keystore file.
Now I tried to install the certificates without a keystore on my server. For that I used the commands below, with no success:
keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file fce4f111a61ea3f4.crt
keytool -import -alias interm -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file gdig2.crt.pem
Answer 1:
I'm assuming you already have a keystore maintained, as per your statements above. Take a backup of your keystore first in order to avoid any mishap.
Apart from the files you have, you should also have the private key of your generated certificate.
Now follow the steps as ordered.
- Delete any existing entries from the keystore file first.
keytool -delete -alias tomcat -keystore domain.jks
You can also view any other existing entries with keytool -list -keystore domain.jks and delete them as well.
- Now export the certificate and private key into a PKCS12 file (-certfile adds the intermediate certificates from the bundle to the PKCS12 file, so the key entry carries the whole chain)
openssl pkcs12 -export -in fce4f111a61ea3f4.crt -inkey private.key -out cert_and_key.p12 -name tomcat -certfile gd_bundle-g2-g1.crt -caname root
If you receive an error similar to the following:
unable to load private key
139995851216720:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: ANY PRIVATE KEY
It means your private.key isn't in the proper format; you need to change the encoding to ASCII text. Run the following commands to convert your private key:
# You can do a dry run before manipulating the actual file
tail -c +4 private.key | file -
# Change encoding (write to a temporary file first: redirecting onto the same
# file that tail is reading would truncate it before anything is read)
tail -c +4 private.key > private.key.tmp && mv private.key.tmp private.key
- Import the PKCS12 file into the JKS keystore:
keytool -importkeystore -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -srcalias tomcat -destkeystore domain.jks
- Now import the root certificate into the JKS keystore (with the root alias)
keytool -import -trustcacerts -alias root -file gd_bundle-g2-g1.crt -noprompt -keystore domain.jks
- Add the following to server.xml (the RC4 suites that used to be in this list are left out; RC4 is broken and prohibited for TLS by RFC 7465)
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
           SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="/path/to/keystore/domain.jks" keystorePass="xxxxxx"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA" />
Don't forget to replace xxxxxx with your JKS keystore password and to set the keystoreFile parameter.
- Done. Now restart your Tomcat server and watch your log file:
sudo service tomcat7 restart
sudo tail -f /var/log/tomcat7/catalina.out
Note: replace domain.jks with your actual keystore file.
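The "no start line" failure discussed in the answer is almost always an encoding problem in the PEM file: a UTF-8 or UTF-16 byte-order mark, a UTF-16 export, or Windows line endings. The `tail -c +4` fix only works when the file really begins with a 3-byte UTF-8 BOM; on a clean file it cuts "---" off the first armor line and produces exactly the error it was meant to cure. The following is an added example (not code from the question or the answer, and not a GoDaddy or Tomcat tool) that detects and repairs those cases safely and then checks that each armored block is valid base64 wrapping a DER SEQUENCE, which is what openssl expects to find. It uses only the Python standard library; the sample inputs at the bottom are constructed stand-ins whose base64 body decodes to a five-byte DER value, not a real key.

```python
"""Diagnose and repair the PEM-encoding problems behind openssl's
"PEM routines:PEM_read_bio:no start line" error.

Added example, not code from the original question or answer.  Standard
library only.  Every input at the bottom is a constructed stand-in.
"""
import base64
import re

# Matches one armored block: the label (e.g. "RSA PRIVATE KEY") and the base64 body.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Byte-order marks that editors and Windows tools prepend; openssl does not skip them.
BOMS = [
    (b"\xef\xbb\xbf", "utf-8"),
    (b"\xff\xfe", "utf-16-le"),
    (b"\xfe\xff", "utf-16-be"),
]

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def detect_bom(raw: bytes):
    """Return (bom_bytes, codec) if the file starts with a BOM, else (b"", None)."""
    for bom, codec in BOMS:
        if raw.startswith(bom):
            return bom, codec
    return b"", None


def normalize_pem(raw: bytes) -> bytes:
    """Return an ASCII, LF-terminated copy of a PEM file.

    A BOM is removed only when one is actually present (a blind
    `tail -c +4` would eat "---" off a clean file), UTF-16 exports are
    decoded, CRLF becomes LF and trailing whitespace is dropped.  Raises
    ValueError if anything non-ASCII remains, since PEM must be ASCII.
    """
    bom, codec = detect_bom(raw)
    text = raw[len(bom):].decode(codec or "utf-8", errors="replace")
    lines = [line.rstrip() for line in text.replace("\r\n", "\n").split("\n")]
    text = "\n".join(lines).strip("\n") + "\n"
    try:
        return text.encode("ascii")
    except UnicodeEncodeError as exc:
        raise ValueError("non-ASCII text in PEM file: %r"
                         % text[exc.start:exc.end]) from None


def pem_blocks(data: bytes) -> list:
    """Return [(label, der_bytes)] for every armored block in `data`.

    An empty list is the situation openssl reports as "no start line":
    no "-----BEGIN ...-----" line was found.  A body that is not valid
    base64, or whose first byte is not the DER SEQUENCE tag 0x30, raises
    ValueError (the other common cause of the same openssl error).
    """
    blocks = []
    for label, body in PEM_RE.findall(data.decode("ascii")):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:
            raise ValueError("%s: body is not base64 (%s)" % (label, exc)) from None
        if not der or der[0] != 0x30:
            raise ValueError("%s: body is not a DER SEQUENCE" % label)
        blocks.append((label, der))
    return blocks


def diagnose(raw: bytes) -> dict:
    """One-shot report: what was wrong with the encoding, what the file holds."""
    _, codec = detect_bom(raw)
    fixed = normalize_pem(raw)
    labels = [label for label, _ in pem_blocks(fixed)]
    return {
        "bom": codec,                    # None when the file was already clean
        "crlf": b"\r\n" in raw,
        "labels": labels,
        "has_private_key": any(label in KEY_LABELS for label in labels),
        "fixed": fixed,                  # bytes to write back in place of the file
    }


# Constructed stand-ins (not real keys): "MAMCAQU=" is DER 30 03 02 01 05,
# i.e. SEQUENCE { INTEGER 5 }.
CLEAN_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nMAMCAQU=\n"
             b"-----END RSA PRIVATE KEY-----\n")
# What "save as UTF-8" in a Windows editor typically produces: BOM plus CRLF.
BOM_CRLF_KEY = b"\xef\xbb\xbf" + CLEAN_KEY.replace(b"\n", b"\r\n")
# A UTF-16 export, which openssl also rejects with "no start line".
UTF16_KEY = b"\xff\xfe" + CLEAN_KEY.decode("ascii").encode("utf-16-le")

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_KEY), ("bom+crlf", BOM_CRLF_KEY),
                         ("utf-16", UTF16_KEY)]:
        report = diagnose(sample)
        print(name, report["bom"], report["crlf"], report["labels"])
    # The blind fix from the answer applied to a file that had no BOM:
    print("tail -c +4 on a clean file ->", pem_blocks(CLEAN_KEY[3:]))
```

Run `diagnose()` on the downloaded private key before building the PKCS12 file: if `bom` or `crlf` is set, write `fixed` back in place of the file; if `labels` is empty the file has no PEM armor at all (it may be DER, in which case `openssl rsa -inform DER` is the right tool rather than any byte stripping); and if `has_private_key` is false you have a certificate, not a key, and no amount of re-encoding will make keytool accept it.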
Source: https://stackoverflow.com/questions/53439545/how-to-install-godaddy-ssl-certificates-in-tomcat-without-csr