GoDaddy SSL Certificate Keystore Installation Tomcat7

11,473

Solution 1

You will need to have your existing keystore which contains your private key (and provisional certificate). If you've lost that, you'll need to start over again by generating a new private key, cert, and CSR, and send it to your CA for a replacement.

Then, import the certificates you received from your CA (GoDaddy) using this command each time:

$ keytool -importcert -trustcacerts -keystore [yourstore.jks] \
    -alias [certname] < [certificate].crt

Import the certs in the order in which GoDaddy suggested. You may want to make a copy of your keystore before you begin, just in case you break everything.
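Added example, not part of the original answer: when a file is imported into a new trusted-certificate alias, keytool reads only the first certificate in it, so a multi-certificate bundle such as gd_bundle-g2-g1.crt has to be split before each CA certificate can get its own alias. The function names, the `ca-N` aliases and the sample bundle are assumptions made for this sketch; the sample certificate bodies are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: split a PEM bundle into one file per certificate, then
# print the backup and keytool commands for review before running them.

# split_bundle BUNDLE OUTDIR: writes OUTDIR/ca-1.crt, ca-2.crt, ...
# and prints how many certificates were found.
split_bundle() {
  bundle=$1; outdir=$2
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".crt"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    END { print n + 0 }
  ' "$bundle"
}

# import_commands KEYSTORE OUTDIR: prints a keystore backup command followed
# by one import per split CA certificate. The server (leaf) certificate is
# imported afterwards, under the alias that already holds the private key.
import_commands() {
  keystore=$1; outdir=$2
  echo "cp -p \"$keystore\" \"$keystore.bak\""
  i=1
  while [ -f "$outdir/ca-$i.crt" ]; do
    echo "keytool -importcert -trustcacerts -keystore \"$keystore\" -alias ca-$i -file \"$outdir/ca-$i.crt\""
    i=$((i + 1))
  done
}

# Constructed sample: three placeholder PEM blocks (not real certificates).
make_sample_bundle() {
  for body in AAAA BBBB CCCC; do
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----'
  done > "$1"
}

# Demo run on the constructed bundle.
tmp=$(mktemp -d)
make_sample_bundle "$tmp/bundle.crt"
echo "certificates found: $(split_bundle "$tmp/bundle.crt" "$tmp/split")"
import_commands yourstore.jks "$tmp/split"
rm -rf "$tmp"
```

Check each split file with `keytool -printcert -file ca-N.crt` before importing so you know which certificate ends up under which alias.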

Solution 2

If it can help someone. Tomcat 8

You don't need the xxxx.crt.pem file. Just run the following command on your original version of the keystore file (if renewing a certificate); for a new certificate, just use the same keystore file you've just created to get the CSR.

So after you receive your zip file from GoDaddy, type the following command.


keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt

keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file 123456fgscd.crt

sudo initctl restart tomcat

Don't forget to set up Catalina to point to your keystore (server.xml file).

Bingo.

Author by

Goodwin

Updated on June 04, 2022

Comments

  • Goodwin
    Goodwin almost 2 years

    I recently bought an SSL certificate for my website and came across something weird when generating the keystore. In the GoDaddy tutorial it says to import the root certificate, install the intermediate certificate and install the issued certificate into the keystore.

    When downloading the files from GoDaddy, though, it gives me three .crt files: one having a hex name, which is the actual certificate, and two other files named gdig2.crt and gd_bundle-g2-g1.crt.

    How am I supposed to import these files in the fashion that they do?

    Note: when looking at the bundle file it contains 3 certificates.

  • Goodwin
    Goodwin over 7 years
    Do I need to import all the .crt files or just the bundle? Am I able to import all the certificates at once from the bundle file?
  • Christopher Schultz
    Christopher Schultz over 7 years
    I don't believe keytool can handle a bundle file (which is just all the certs together in a single file). I'd import them one-at-a-time and ignore the bundle file. Remember: backups.
  • Mr.Fireman
    Mr.Fireman over 6 years
    Actually the bundle contains the intermediate cert and can be important in some cases. With keytool you can import it like this: keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore KeyStore.jks
  • Christopher Schultz
    Christopher Schultz over 6 years
    @Mr.Fireman Yes, intermediate certs are important but your example only imports a single certificate, not multiple certs that might be in a chain in the intermediate.crt file.
  • AyukNayr
    AyukNayr over 5 years
    Hi, is this legit? And is it working today, September 2, 2018? I tried and it throws me an error: "certificate reply and certificate in keystore are identical"
  • dave_thompson_085
    dave_thompson_085 about 4 years
    This is wrong. The hex-named file is NOT a root certificate. Not ever.
  • dave_thompson_085
    dave_thompson_085 about 4 years
    Your first import is wrong; your second and third duplicate a correct answer posted two years ago.
  • dave_thompson_085
    dave_thompson_085 about 4 years
    Christopher: actually if you have a 'bundle' file containing the chain including the leaf, keytool can (since at least j6 ~2005) import that to the matching privatekey entry all at once. But gd_bundle-g2-g1 contains only the intermediate, cross, and root, NOT the leaf. You're right that importing to a new (trustedcert) entry does only one cert (the first); gdig2 is (a copy of) the first cert in gd_bundle-g2-g1 and is sufficient if/when the cross isn't needed
  • Panneerchelvam Piratheepan
    Panneerchelvam Piratheepan about 4 years
    Do you mean this "gd_bundle-g2-g1.crt" is not the GoDaddy cert bundle file?
  • Panneerchelvam Piratheepan
    Panneerchelvam Piratheepan about 4 years
    This i found at godaddy.com/help/… check it out
  • dave_thompson_085
    dave_thompson_085 about 4 years
    gd_bundle-g2-g1.crt is one of about a dozen bundle files used by GoDaddy, and although it isn't actually just the intermediate cert, when read by keytool it does yield the intermediate cert, and so could be 'consider[ed]' the same. The 'hex name' file specified in the Q is the server (also called leaf) cert, NOT a root cert. The root cert is often not supplied because it isn't actually needed, but when present it is gdroot-g2.crt which you can easily see is not hex.
  • Panneerchelvam Piratheepan
    Panneerchelvam Piratheepan about 4 years
    then can you can't find the root cert
  • dave_thompson_085
    dave_thompson_085 about 4 years
    That page says to use 'name of the root certificate' which as it clearly says a few lines earlier is (now) gdroot-g2.crt -- which is not normally provided in the download, and accordingly was not in the question, and is NOT the hex-named file. If you do have gdroot-g2 putting it in 'root' is valid though unnecessary, but the long-existing answer was still better.
  • dave_thompson_085
    dave_thompson_085 about 4 years
    You can if you want to, using AIA, the GoDaddy site, or the public transparency logs. But you don't need to because the server doesn't need the root cert -- see RFCs 2246, 4346, 5246, and 8446.