Recently, while working with a new warehouse management system with a Java/Tomcat-powered public portal, I needed to learn a few things. Coming to the party were the Java keytool utility (which I had encountered publishing Android apps), an SSL bundle from GoDaddy and a Tomcat 7 server.

I tried many experiments, but none worked.

I started here with the Tomcat documentation:

http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

This covers a lot and got me to the self-signed stage. From this I was able to generate a certificate request file, which I passed on to the IT people to actually purchase the SSL certificate from GoDaddy. We bought a domain wildcard certificate, *.domainname.com, and will use it in this instance to cover “portal.domainname.com”.

FYI: the keytool on the server was located at "C:\Program Files\Java\jdk1.7.0_25\jre\bin\keytool". That specific location will change depending on the version of Java installed.

The “bundle” of certs for “Tomcat” came back from GoDaddy with three certificates: a couple of intermediate GoDaddy certs and the actual server (aka client) certificate.

I tried many ways to get these into the Java keystore I had created and to get Tomcat to recognize them.

I could see that the certificate chain from GoDaddy down to the server certificate was not correct; the two key steps were:

  1. I needed to get the correct root and intermediate certificates from GoDaddy; what was sent in the bundle was not correct. To do this you can double-click your server certificate and the Windows certificate viewer will display the certification path. It also lets you export each certificate in that path to a file, which I did: one for the root and one for the intermediate cert. This Stack Overflow question helped me with that: http://stackoverflow.com/questions/23611688/keytool-error-java-lang-exception-failed-to-establish-chain-from-reply
  2. I needed to make a certificate chain in my keystore with the root, intermediate and server certificates in the right order. This is done by creating a “.pem” file with the three certificates and then importing that file into the keystore. Using that alias in Tomcat then works. I exported the self-signed key/alias to a .pem file, deleted that alias from the keystore, then imported the new .pem with the real certificates into the keystore under that same alias. That is described here: http://stackoverflow.com/questions/9299133/why-doesnt-java-send-the-client-certificate-during-ssl-handshake/9300727#9300727
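The chain fix from step 2, written up as an added PowerShell example for the Windows server described here (these are not the post's own commands): it first checks that the three certificates actually link issuer-to-subject, installs the root as a trust anchor, then imports a leaf-first chain onto the existing key alias without deleting it, and finally verifies the chain length keytool reports. The file names, keystore path and alias are assumptions.

```powershell
# Added example, not the author's commands. Assumed files: portal.crt is the server cert
# from the GoDaddy bundle; gd_intermediate.crt and gd_root.crt were exported (Base-64 X.509)
# from the Windows certificate viewer; keystore.jks already holds the PrivateKeyEntry that
# produced the CSR, under the alias "tomcat".
$ErrorActionPreference = 'Stop'
$keytool  = 'C:\Program Files\Java\jdk1.7.0_25\jre\bin\keytool.exe'  # path from the post; varies by JDK
$keystore = 'C:\tomcat\conf\keystore.jks'                            # assumed location
$alias    = 'tomcat'
$leaf, $inter, $root = 'portal.crt', 'gd_intermediate.crt', 'gd_root.crt'

# 1. Check the chain links up before touching the keystore: each cert's issuer must be the
#    subject of the next one. A break here is what keytool later reports as
#    "Failed to establish chain from reply".
$certs = $leaf, $inter, $root | ForEach-Object {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Resolve-Path $_).Path
}
for ($i = 0; $i -lt $certs.Count - 1; $i++) {
    if ($certs[$i].Issuer -ne $certs[$i + 1].Subject) {
        throw "Chain break: '$($certs[$i].Subject)' is not issued by '$($certs[$i + 1].Subject)'"
    }
}
if ($certs[-1].Issuer -ne $certs[-1].Subject) { throw 'Last cert is not a self-signed root' }

# 2. Never delete the key alias: the private key behind the CSR lives only there.
$entry = & $keytool -list -keystore $keystore -alias $alias          # keytool prompts for the password
if (-not ($entry | Select-String -Quiet 'PrivateKeyEntry')) { throw "Alias '$alias' is not a private key entry" }
Copy-Item $keystore "$keystore.bak"

# 3. Trust the root explicitly so keytool does not stop at "Install reply anyway?".
& $keytool -importcert -alias gd_root -file $root -keystore $keystore -noprompt
if ($LASTEXITCODE -ne 0) { throw 'Importing the root certificate failed' }

# 4. Build the reply file: leaf first, then intermediate, then root (the order keytool expects).
Get-Content $leaf, $inter, $root | Set-Content 'chain.pem' -Encoding Ascii

# 5. Install the reply on the existing key alias; this replaces the self-signed cert with the
#    three-certificate chain while keeping the private key in place.
& $keytool -importcert -trustcacerts -alias $alias -file 'chain.pem' -keystore $keystore
if ($LASTEXITCODE -ne 0) { throw 'Installing the certificate reply failed' }

# 6. Verify: expect "Entry type: PrivateKeyEntry" and "Certificate chain length: 3".
& $keytool -list -v -keystore $keystore -alias $alias | Select-String 'Entry type', 'Certificate chain length'
# The Tomcat 7 connector then points at keystoreFile="C:\tomcat\conf\keystore.jks" with keyAlias="tomcat".
```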