I have a root certificate that signs an intermediate certificate that signs a server certificate.
I tried two things:
- Importing the original server certificate into a keystore and directing the tomcat server to use it via applications.properties. This is what shows up in the Google Chrome browser.
- I thought that I needed to somehow bundle up the certificates so I read how to do it from this website, which said: So, I imported the content from my intermediate key and appended it to the original server certificate file, and then also added the contents of the root certificate file to the original server certificate file, and saved it. Then I replaced the old entry of the server certificate that I already had in the keystore with this newly modified file.
I still get this image from Google Chrome:
I want the certificate display to show the certificate chain, such as this:
Edit: Here is the output of keytool -list -v -keystore $ksfile
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: localhost
Creation date: Aug 20, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=localhost, O=Bash, L=NYC, C=US
Issuer: CN=inter, O=Bash, L=NYC, C=US
Serial number: b98987ce22901fab3491a5ad154b347acb7921b
Valid from: Fri Aug 20 04:30:05 EDT 2021 until: Sat Aug 20 04:30:05 EDT 2022
Certificate fingerprints:
     SHA1: 0E:DC:9E:57:E9:AE:DA:3D:6A:43:8B:4C:0A:33:F8:51:6D:B0:B9:40
     SHA256: 74:D1:67:00:C1:38:AB:21:A1:85:BA:2F:F5:51:91:92:6B:C6:91:F4:EB:F0:A7:9E:52:B2:F4:EB:A7:F7:63:A4
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: localhost
  IPAddress: 192.168.0.10
  IPAddress: 127.0.0.1
]

Certificate[2]:
Owner: CN=inter, O=Bash, L=NYC, C=US
Issuer: CN=ca, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
Serial number: 26881cd1d803489c8956034f81f43ddd8a0fd593
Valid from: Fri Aug 20 04:27:40 EDT 2021 until: Sat Aug 20 04:27:40 EDT 2022
Certificate fingerprints:
     SHA1: 08:CA:5C:76:E8:9F:FC:BA:0D:36:B6:C3:90:1C:0A:0B:C6:97:FF:BB
     SHA256: 96:14:FF:E5:1A:D9:AA:ED:90:25:4B:56:D8:34:BD:94:27:1C:F2:29:24:1C:40:F2:D8:E4:25:5F:96:7E:2C:88
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: inter
  IPAddress: 192.168.0.10
  IPAddress: 127.0.0.1
]

Certificate[3]:
Owner: CN=ca, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
Issuer: CN=ca, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
Serial number: 27018395ed4f99502a78393ac438e6cee90dcaf6
Valid from: Fri Aug 20 04:24:47 EDT 2021 until: Sat Aug 20 04:24:47 EDT 2022
Certificate fingerprints:
     SHA1: 9A:35:88:C7:B3:E4:1D:02:17:F9:52:7F:32:95:D5:75:DF:E1:92:F3
     SHA256: 92:BF:BC:20:C7:2B:65:6B:CE:D7:89:9B:02:2A:3E:0E:E3:7B:A9:AA:BF:FF:25:AE:9C:DC:FC:A1:60:48:7C:94
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 66 A6 FA 5A 66 1E B7 74   55 6A 39 52 0B 37 2F 30  f..Zf..tUj9R.7/0
0010: 10 E1 FD D4                                        ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 66 A6 FA 5A 66 1E B7 74   55 6A 39 52 0B 37 2F 30  f..Zf..tUj9R.7/0
0010: 10 E1 FD D4                                        ....
]
]
keytool -list -v -keystore $ksfile
to see whether what you have in the keystore is correct, or if you prefer a GUI download keystore-explorer.org and use that. If the keystore is correct, make sure your tomcat is using it correctly, i.e. has been restarted and points to the correct file and entry (alias). And make sure your root cert is in Chrome's truststore. – dave_thompson_085
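The keystore check suggested in the comment above, done with openssl instead of keytool, as an added example that is not code from the question or the comment: it splits the PEM bundle in the order keytool lists it (server certificate first), requires every issuing certificate to carry BasicConstraints CA:TRUE (in the keytool output above only Certificate[3], the root, has that extension), and then verifies the signatures up to the root. The script name, function names and the requirement that openssl 1.1.1 or later is on PATH are assumptions.

```shell
#!/bin/sh
# check_chain.sh (hypothetical helper): check a PEM bundle ordered the way
# keytool lists it (server cert first, then its issuers) against a root cert.
# A browser needs two things before it will build the chain: every issuing
# cert asserts BasicConstraints CA:TRUE, and the signatures verify up to the
# root. Assumes openssl 1.1.1 or later is on PATH.

# Split bundle $1 into cert-1.pem, cert-2.pem, ... under directory $2.
split_bundle() {
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n > 0 { print > (dir "/cert-" n ".pem") }' "$1"
}

# Succeed only if the certificate in $1 asserts CA:TRUE.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# check_chain BUNDLE ROOT
# Exit status: 0 chain is sound, 1 an issuing cert lacks CA:TRUE,
# 2 the signatures do not verify up to ROOT.
check_chain() {
  cc_bundle=$1; cc_root=$2
  cc_dir=$(mktemp -d) || return 2
  split_bundle "$cc_bundle" "$cc_dir"
  cc_n=$(grep -c 'BEGIN CERTIFICATE' "$cc_bundle")
  cc_untrusted=""
  cc_i=2
  while [ "$cc_i" -le "$cc_n" ]; do
    cc_cert="$cc_dir/cert-$cc_i.pem"
    if ! is_ca_cert "$cc_cert"; then
      echo "cert $cc_i ($(openssl x509 -in "$cc_cert" -noout -subject)) is used" \
           "as an issuer but has no BasicConstraints CA:TRUE; browsers will not" \
           "chain through it" >&2
      rm -rf "$cc_dir"; return 1
    fi
    # Every cert after the leaf is offered to openssl as an untrusted intermediate.
    cc_untrusted="$cc_untrusted -untrusted $cc_cert"
    cc_i=$((cc_i + 1))
  done
  # $cc_untrusted is intentionally unquoted: it holds several options.
  if ! openssl verify -CAfile "$cc_root" $cc_untrusted "$cc_dir/cert-1.pem" >/dev/null; then
    rm -rf "$cc_dir"; return 2
  fi
  rm -rf "$cc_dir"
}
```

Run it as `check_chain bundle.pem root.pem`; a return of 1 means the bundle was concatenated correctly but one of the issuing certificates was issued as a server certificate rather than a CA certificate, which no keystore fix can repair.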