0
votes

I have an SSL CERTIFICATE, PRIVATE KEY and SSLCertificateChain CERTIFICATE as follows:

  • SSL CERTIFICATE:

    -----BEGIN CERTIFICATE-----
    certificate here
    -----END CERTIFICATE-----

  • PRIVATE KEY:

    -----BEGIN RSA PRIVATE KEY-----
    key here
    -----END RSA PRIVATE KEY-----

  • SSLCertificateChain CERTIFICATE:

    -----BEGIN CERTIFICATE-----
    SSLCertificateChain here
    -----END CERTIFICATE-----

  • I have saved the certificate in SSLCertificateFile.crt, the key in SSLCertificateKeyFile.key and the SSLCertificateChain certificate in SSLCertificateChainFile.crt. All three files are saved in /opt/tomcat/conf/.

  • In /opt/tomcat/conf/server.xml I modified the connector as:

    <Connector executor="tomcatThreadPool"
               scheme="https"
               secure="true"
               port="443"
               protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443"
               acceptCount="100"
               SSLEnabled="true"
               maxConnections="100000"
               SSLCertificateFile="/opt/tomcat/conf/SSLCertificateFile.cert"
               SSLCertificatKeyFile="/opt/tomcat/conf/SSLCertificateKeyFile.key"
               SSLCertificateChainFile="/opt/tomcat/conf/SSLCertificateChainFile.cert"
               SSLProtocol="TLSv1"/>

I've restarted the Tomcat server, and http://www.digicert.com/help/ shows the error "SSL Certificate is not trusted" as shown in the image.


Is there anything wrong in the file extensions or the connector?


1 Answer

1
votes

You've blanked out the information that would be required to give you the definitive answer:

"Certificate does not match name" means that you have a certificate for one server name but access it under another; this could be as simple as accessing "www.example.com" as "example.com" if the certificate is only valid for "www.example.com".

The "not trusted" either again points to the mismatch, or, more likely, you have a self-signed certificate? You don't mention where you got the certificate from, only that you have it. By going directly to your server (not via digicert) you will probably get the same mismatch.

Even if you got the certificate from a certification authority, make sure that it is indeed trusted. I've seen "demo" certificates (or "class 0" certificates) which were issued free of charge to demonstrate the ease of certification, but without any identity check. Those class 0 certificates are not trusted. Typically you'll need to pay some certification authority for a trusted certificate.

I assume the server is visible on the internet (otherwise digicert won't see it), so if you would share the address, it would be easy to point you to the actual root cause. You can also inspect the certificate, e.g. with Firefox: this is offered through a dialog that opens from the button on the "not trusted" warning page.
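An added example, not part of the question or the answer above: a small Python probe that separates the two symptoms the answer describes. `probe()` connects using the platform trust store and maps OpenSSL's verify result onto "name-mismatch" versus "untrusted-chain", and `hostname_matches()` applies the RFC 6125 name-matching rule to the dict shape `getpeercert()` returns, so the "www.example.com" versus "example.com" case can be checked offline. `SAMPLE_CERT` is a constructed stand-in, not a real certificate, and the host/port you pass to `probe()` is your own.

```python
import socket
import ssl

# OpenSSL X509 verify result codes behind the two symptoms discussed in the answer.
NAME_MISMATCH = {62}          # X509_V_ERR_HOSTNAME_MISMATCH
UNTRUSTED = {18, 19, 20, 21}  # self-signed leaf / self-signed in chain / issuer not local / leaf unverifiable

# Constructed sample in the dict shape SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
}

def classify_verify_code(code):
    """Map an OpenSSL verify result code onto the symptom named in the answer."""
    if code in NAME_MISMATCH:
        return "name-mismatch"
    return "untrusted-chain" if code in UNTRUSTED else "other(%s)" % code

def _dns_match(pattern, hostname):
    """RFC 6125 comparison: case-insensitive; '*' only as the whole left-most label,
    matching exactly one label, and never for a bare two-label name such as *.com."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    pl, hl = p.split("."), h.split(".")
    return pl[0] == "*" and len(pl) >= 3 and len(pl) == len(hl) and pl[1:] == hl[1:]

def hostname_matches(cert, hostname):
    """SAN dNSName entries are authoritative; CN is consulted only when there are no SANs."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_dns_match(n, hostname) for n in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(n, hostname) for n in cns)

def probe(host, port=443, server_name=None):
    """Connect with the platform trust store; report ok / name-mismatch / untrusted-chain."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    name = server_name or host
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=name) as tls:
                cert = tls.getpeercert()
                return {"status": "ok", "detail": cert.get("subjectAltName")}
    except ssl.SSLCertVerificationError as e:  # verify_code / verify_message: Python 3.7+
        return {"status": classify_verify_code(e.verify_code), "detail": e.verify_message}
    except (ssl.SSLError, OSError) as e:
        return {"status": "connection-error", "detail": str(e)}
```

Run `probe("your.host.example", 443)` against the Tomcat connector; a "name-mismatch" result means the served certificate's names do not cover the host you connected to, while "untrusted-chain" means the leaf, the SSLCertificateChainFile contents or the issuing CA cannot be linked to a trusted root.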