GoDaddy SSL Certificate Keystore Installation Tomcat7
Solution 1
You will need to have your existing keystore which contains your private key (and provisional certificate). If you've lost that, you'll need to start over again by generating a new private key, cert, and CSR,and sent it to your CA for a replacement.
Then, import the certificates you received from your CA (GoDaddy) using this command each time:
$ keytool -importcert -trustcacerts -keystore [yourstore.jks] \
-alias [certname] < [certificate].crt
Import the certs in the order in which GoDaddy suggested. You may want to make a copy of your keystore before you begin, just in case you break everything.
Solution 2
If can help someone.Tomcat 8
You don't need the xxxx.crt.pem file. Just run the following command on your original version of the keystore file (if renew certificate) for new certificate just use the same keystore file you've just create to get the csr.
So after you receive your zip file from Goddady type the following command.
keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file 123456fgscd.crt
sudo initctl restart tomcat
Don't forget to setup Catalina to point to your keystore (server.xml file)
Bingo.
Goodwin
Updated on June 04, 2022Comments
-
Goodwin almost 2 years
I recently bought ann SSL certificate for my website and came across something weird when generating the keystore. In the Godaddy Tutorial it says to import the root certificate, install the intermediate certificate and install the issued certificate into the keystore.
When downloading the files from GoDaddy though it gives me three .crt files. One having a hex name which is the actual certificate and two others files name: gdig2.crt and gd_bundle-g2-g1.crt.
How am I suppose to use import these files in the fashion that they do?
Note: when looking at the bundle file it contains 3 certificates.
-
Goodwin over 7 yearsDo i need to import all the .crt files or just the bundle? Am I able to import all the certificates at ones from the bundle file?
-
Christopher Schultz over 7 yearsI don't believe
keytool
can handle a bundle file (which is just all the certs together in a single file). I'd import them one-at-a-time and ignore the bundle file. Remember: backups. -
Mr.Fireman over 6 yearsActually the bundle contains the intermediate cert and can be important in some cases. With keytool you can import it like this: keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore KeyStore.jks
-
Christopher Schultz over 6 years@Mr.Fireman Yes, intermediate certs are important but your example only imports a single certificate, not multiple certs that might be in a chain in the
intermediate.crt
file. -
AyukNayr over 5 yearsHi is this legit? and is it working today september 2, 2018? I tried and throws me an error certificate reply and certificate in keystore are identical
-
dave_thompson_085 about 4 yearsThis is wrong. The hex-named file is NOT a root certifcate. Not ever.
-
dave_thompson_085 about 4 yearsYour first import is wrong; your second and third duplicate a correct answer posted two years ago.
-
dave_thompson_085 about 4 yearsChristopher: actually if you have a 'bundle' file containing the chain including the leaf, keytool can (since at least j6 ~2005) import that to the matching privatekey entry all at once. But gd_bundle-g2-g1 contains only the intermediate, cross, and root, NOT the leaf. You're right that importing to a new (trustedcert) entry does only one cert (the first); gdig2 is (a copy of) the first cert in gd_bundle-g2-g1 and is sufficient if/when the cross isn't needed
-
Panneerchelvam Piratheepan about 4 yearsdo you mean is this not "gd_bundle-g2-g1.crt" is godady cert bundule file?
-
Panneerchelvam Piratheepan about 4 yearsThis i found at godaddy.com/help/… check it out
-
dave_thompson_085 about 4 yearsgd_bundle-g2-g1.crt is one of about a dozen bundle files used by GoDaddy, and although it isn't actually just the intermediate cert, when read by keytool it does yield the intermediate cert, and so could be 'consider[ed]' the same. The 'hex name' file specified in the Q is the server (also called leaf) cert, NOT a root cert. The root cert is often not supplied because it isn't actually needed, but when present it is gdroot-g2.crt which you can easily see is not hex.
-
Panneerchelvam Piratheepan about 4 yearsthen can you can't find the root cert
-
dave_thompson_085 about 4 yearsThat page says to use 'name of the root certificate' which as it clearly says a few lines earlier is (now) gdroot-g2.crt -- which is not normally provided in the download, and accordingly was not in the question, and is NOT the hex-named file. If you do have gdroot-g2 putting it in 'root' is valid though unnecessary, but the long-existing answer was still better.
-
dave_thompson_085 about 4 yearsYou can if you want to, using AIA, the GoDaddy site, or the public transparency logs. But you don't need to because the server doesn't need the root cert -- see RFCs 2246, 4346, 5246, and 8446.