Thanks Vamsi! The post you mention pointed me in the right direction and I have it up and running. Great! Wasted 3 days on this one. I needed to transform my certificate to PKCS12, I missed that.

Here is how for further reference:

Create a new keystore with the signed certificate, the key and the chainfile. The keystore needs to be PKCS12, the default JKS Java keystore is not accepted if you created the certificate with OpenSSL. The chainfile is a file with all the certificates from you to a trusted root authority.

    openssl pkcs12 -export -inkey mycert.key -in mycert.pem -out mycert.pkcs12 -chain -CAfile rootchain.pem

We changed the storetype so from now on you'll always have to specify the storetype (PKCS12) as a parameter.

    keytool -v -list -keystore keystore.pkcs12 -storetype PKCS12

Check the chain length, it has to be > 1 or you certainly don't have a valid path to the root authority.

Add the right keystore to the Tomcat server.xml file. You don't need to specify a keyAlias as there is only one certificate in the keystore.

Vamsavardhana Reddy-2 wrote:
>
> You should be able to create a PKCS12 keystore using OpenSSL with the
> private key and the certificate you have. See if the following thread
> helps.
>
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg08816.html
>
> ++Vamsi
>
> On Wed, Mar 12, 2008 at 6:59 PM, Some user <[EMAIL PROTECTED]> wrote:
>
>> Dear Tomcat wizards,
>>
>> I need a signed multi domain certificate for Tomcat (x.example.com,
>> y.example.com, z.example.com). I do have a signed certificate but can't
>> import this in the keystore with the keytool command as I generated the
>> request with OpenSSL and now keytool complains that the keys don't match.
>>
>> Fine, so I need to generate a CSR request with keytool first. When I run
>> the "keytool -genkey -alias..." command I get these questions where I
>> need to enter my first and last name:
>>
>> What is your first and last name?
>> [Unknown]: x.example.com
>>
>> This is where I enter my fully qualified server name for the certificate.
>> Problem is I can't enter MULTIPLE DOMAINS. I need more subdomains here as
>> my server listens to x.example.com, y.example.com and z.example.com. A
>> wildcard certificate is not an option as the signing authority doesn't
>> want to sign wildcard certificates.
>>
>> Does anyone know how to generate a multi domain request with keytool? I
>> know how to do this with openssl but I need a keytool one...
>>
>> Thanks!
>> --
>> View this message in context:
>> http://www.nabble.com/Multi-domain-certificate-with-keytool-tp16002309p16002309.html
>> Sent from the Tomcat - User mailing list archive at Nabble.com.
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>

--
View this message in context: http://www.nabble.com/Multi-domain-certificate-with-keytool-tp16002309p16025518.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
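As an added example (not from this thread or its posters), the shell script below walks the procedure end to end: it builds a throwaway root CA and a multi-domain (SAN) certificate so it runs offline, exports them with `openssl pkcs12 -export -chain -CAfile` exactly as the post does, and then checks the two things the post says to verify, that the chain length is > 1 and that every hostname survived the export. The CA name, hostnames, file names and the `changeit` password are constructed placeholders.

```shell
#!/bin/sh
# Constructed demo: throwaway root CA -> SAN leaf cert -> PKCS12 with chain.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch directory (hypothetical default)
cd "$WORK"

# 1. Throwaway root CA standing in for the real signing authority.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
  -keyout rootca.key -out rootchain.pem 2>/dev/null

# 2. Server key and CSR; the SAN extension carries the extra hostnames that
#    keytool's "first and last name" prompt cannot express.
cat > san.cnf <<'EOF'
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = x.example.com
[ext]
subjectAltName = DNS:x.example.com,DNS:y.example.com,DNS:z.example.com
EOF
openssl req -new -newkey rsa:2048 -nodes -config san.cnf \
  -keyout mycert.key -out mycert.csr 2>/dev/null

# 3. Sign the CSR with the demo CA, copying the SAN extension onto the cert.
openssl x509 -req -in mycert.csr -CA rootchain.pem -CAkey rootca.key \
  -CAcreateserial -days 30 -extfile san.cnf -extensions ext \
  -out mycert.pem 2>/dev/null

# 4. Export key + cert + chain to PKCS12, as in the post (password constructed).
openssl pkcs12 -export -inkey mycert.key -in mycert.pem -out mycert.pkcs12 \
  -chain -CAfile rootchain.pem -passout pass:changeit

# Number of certificates bundled in the PKCS12; the post requires > 1.
pkcs12_chain_len() {
  openssl pkcs12 -in "$1" -nokeys -passin pass:changeit 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# True if the leaf certificate inside the PKCS12 lists hostname $2 in its SAN.
pkcs12_has_san() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin pass:changeit 2>/dev/null \
    | openssl x509 -noout -text | grep -q "DNS:$2"
}

echo "chain length: $(pkcs12_chain_len "$WORK/mycert.pkcs12")"
```

Point Tomcat at the resulting `mycert.pkcs12` with the PKCS12 store type; a chain length of 1 means `-CAfile` did not contain a path to the root and the export should be redone with the full chain file.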