Another option I normally use that may work for you (just confirmed it for
myself with tomcat):

1. Copy your private key and signed public certificate in PEM format into a
single file looking like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,F2CCC247CCCCE25D
.
.
.
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
.
.
-----END CERTIFICATE-----


2. Run portecle
3. File --> New Keystore (JKS)
4. Tools -> Import Key Pair...
5. Select your file, take the defaults.  You'll need to provide the
password for your private key if you had one.
6. Save your JKS file.  Provide a password.
7. Reference it in your tomcat config.  Omit the alias.

Your server will now present just the signed public certificate but not any
others in the chain.  Once you get this working, you can update the JKS
with portecle to add intermediate certs.

HTH,

Toby


*******************************
  Toby Lazar
  Capital Technology Group
  Email: tla...@capitaltg.com
  Mobile: 646-469-5865
*******************************


On Fri, Apr 4, 2014 at 5:01 PM, Mark Murphy <jmarkmur...@gmail.com> wrote:

> Sorry for the dumb questions. I am new to SSL and want to understand what
> I am doing, not just run these instructions and expect it to work.
>
>
> On Fri, Apr 4, 2014 at 5:00 PM, Mark Murphy <jmarkmur...@gmail.com> wrote:
>
> > So let me try to understand what is going on here. I generate a keystore
> > using keytool that contains a key. At this point it is equal to a self
> > signed certificate, and it works, but the browser complains that there is
> > no CA. I then need to create a certificate request and send that off to
> > goDaddy. What is this? A public key that matches up with the private key?
> > Then I have to import the certificates that goDaddy returns to me because
> > that validates the private key that is already in the keystore?
> >
> >
> > On Fri, Apr 4, 2014 at 4:46 PM, Mark Thomas <ma...@apache.org> wrote:
> >
> >> On 04/04/2014 21:42, Mark Murphy wrote:
> >> > I saw something on StackOverflow that said the key type in the keystore
> >> > needs to be PrivateKeyEntry and not trustedCertEntry. Is this true? When I
> >> > look at my keystore, it is trustedCertEntry for all the certs.
> >> >
> >> > But when I look at the type for the self signed certificate (which works),
> >> > it shows keyEntry.
> >> >
> >> > Does, or should, this matter? And if so, how do I change the type?
> >>
> >> Yes, this matters a lot.
> >>
> >> You must import the cert you receive from the CA into the same keystore
> >> you used to generate the CSR since that is where the private key is and
> >> the server has to have access to the private key.
> >>
> >> Mark
> >>
> >>
> >>
> >
>

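The same procedure Toby describes with portecle, done on the command line with
openssl and keytool instead, as an added example that is not part of the thread.
It bundles the PEM private key and its signed certificate into a PKCS#12 file,
optionally converts that to a JKS, and then checks the two things this thread
turns on: that the key and certificate in the bundle actually belong together,
and that the resulting keystore entry is a PrivateKeyEntry rather than a
trustedCertEntry (Mark Thomas's point above). The file names, the alias
"tomcat" and the password "changeit" are assumptions; the key and certificate
are generated on the spot as a constructed self-signed stand-in for the
GoDaddy-signed pair, so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: build a Tomcat keystore from a PEM
# private key plus its signed certificate, then verify the result.
set -eu

WORK=$(mktemp -d)
KEY="$WORK/server.key"      # PEM private key (assumed name)
CERT="$WORK/server.crt"     # PEM certificate; CA-signed in real use
P12="$WORK/server.p12"      # PKCS#12 bundle of key + cert
JKS="$WORK/server.jks"      # optional JKS conversion of the bundle
ALIAS=tomcat                # assumed alias; keytool -list shows it
PASS=changeit               # assumed demo password

# Constructed input: a throwaway key and self-signed cert standing in for
# the real key and the CA-signed certificate returned by GoDaddy.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CERT" \
        -days 1 -subj "/CN=localhost" >/dev/null 2>&1
}

# Step 1: bundle key + cert into a PKCS#12 file. Tomcat can use this file
# directly (keystoreType="PKCS12"), so the JKS step below is optional.
# For an encrypted PEM key (Proc-Type: 4,ENCRYPTED) add -passin pass:...
# Intermediate certs are added later with -certfile chain.pem.
build_pkcs12() {
    openssl pkcs12 -export -inkey "$KEY" -in "$CERT" -name "$ALIAS" \
        -out "$P12" -passout "pass:$PASS"
}

# Step 2 (optional): convert the bundle to JKS. Returns 2 when no JDK is
# installed, so callers can skip the JKS checks instead of failing.
convert_to_jks() {
    command -v keytool >/dev/null 2>&1 || return 2
    keytool -importkeystore -srckeystore "$P12" -srcstoretype PKCS12 \
        -srcstorepass "$PASS" -destkeystore "$JKS" -deststoretype JKS \
        -deststorepass "$PASS" -noprompt >/dev/null 2>&1
}

# Check 1: the private key and certificate in the bundle belong together.
# Both are reduced to their public key and compared by hash.
key_matches_cert() {
    k=$(openssl pkcs12 -in "$P12" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null | openssl sha256)
    c=$(openssl pkcs12 -in "$P12" -passin "pass:$PASS" -nokeys 2>/dev/null \
        | openssl x509 -pubkey -noout 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: the JKS entry under the alias is a PrivateKeyEntry. A keystore
# whose entries are all trustedCertEntry has no private key for the server.
entry_is_private_key() {
    command -v keytool >/dev/null 2>&1 || return 2
    keytool -list -keystore "$JKS" -storepass "$PASS" 2>/dev/null \
        | grep -q "^$ALIAS, .*PrivateKeyEntry"
}

make_test_material
build_pkcs12
if key_matches_cert; then
    echo "key and certificate in $P12 belong together"
else
    echo "key and certificate do NOT match; wrong key file?" >&2
    exit 1
fi
if convert_to_jks; then
    if entry_is_private_key; then
        echo "$JKS: alias $ALIAS is a PrivateKeyEntry (usable by Tomcat)"
    else
        echo "$JKS: alias $ALIAS is not a PrivateKeyEntry" >&2
        exit 1
    fi
else
    echo "keytool not found; point Tomcat at $P12 with keystoreType=\"PKCS12\""
fi
```

Whichever file Tomcat is pointed at, keystorePass must be the password used
above, and keyAlias is only needed if the keystore holds more than one key
entry, which is why Toby can omit the alias for a keystore with a single pair.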