I can't get my certificate bought from RapidSSL working on Tomcat but on Apache.
RapidSSL requires that you install 2 intermediate ca files.
When I create a keystore from the private key, certificate and the intermediary CA:s I can see
Entry type: PrivateKeyEntry
Certificate chain length: 1
The two intermediate certificates does not seem to be picked up or something like that.
I have
- private key
- the certificate
- the primary and secondary CA:s from RapidSSL (as pem, pkcs7 and separate .crt) https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1548
I can get it working on an apache server with the following settings:
SSLCertificateFile /root/ssl_certs/rapidssl.crt
SSLCertificateKeyFile /root/ssl_certs/privatekey.key
SSLCACertificateFile /root/ssl_certs/intermediate.crt
I have heard of something called a root certificate, and I don't know what that is. Is that something that I need?
I have heard that Tomcat should e able to use PKCS12 so I did this to try to create a pkcs12 file:
openssl pkcs12 -export -in rapidssl.crt -inkey privatekey.key -out mycert.p12 -name tomcat -CAfile intermediate.crt -caname root -chain
But I get the error
Error unable to get local issuer certificate getting chain.
The intermediate.crt has the primary and secondary CA:s in it.
Try using Portecle to import all your stuff. I haven't used it myself, but the complete mess that is Java Keystores is evidently a lot more manageable if you use a tool like Portecle.
If you want to get better performance out of Tomcat and not bother merging your keys, certs, etc. into a single binary ball, consider using Tomcat's APR connector. You can use the same cert and key files you already use with Apache httpd, and you'll get better crypto performance.
What is a root certificate? It is top certificate in a chain of certificates, typically issued by a certificate authority. It is used to sign other certificates that sign other certificates until it is used to sign your certificate. Software that use your certificate must trust the root certificate. It is done either by trusting the certificate authority by operating system (or java) or by trusting it by particular software (like apache or local keystore).
来源:https://stackoverflow.com/questions/22390465/cant-create-keystore-for-tomcat-with-key-cert-and-cas-certificate-chain-length