Ok, have you ever had a day where you spent hours and hours only to feel the frustration of not reaching your goal?  I was *almost* there.

When you buy a Wildcard SSL certificate from GoDaddy and need to install it on Tomcat 5 or 6, don’t call GoDaddy.  I called, only to be told to follow the instructions on the website.  Ummm…yeah…I did that.  No go on that one. Riiigghhhhht…..

After 6 hours of living hell building a JKS keystore, here is what ultimately worked with the GoDaddy installation.  I will spare you the story of my pain.

Installation Environment

Tomcat 5 installation on Red Hat (CentOS) Linux with no self-signed certificate.  If you have a self-signed keystore, blow it away and start over.

Start with the CSR

Before you can get your GoDaddy Wildcard Cert, you need to generate a CSR and build a new keystore file for Tomcat.  The keystore is in the JKS format and holds the chain of certificates: the ones for your server and for your cert issuer.

I started by working in my home folder.  Let’s call it /home.

cd /home

Issue the following command to create your keystore:

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

You will be prompted for a password.  I used the default tomcat password of changeit.

My screens looked something like this.  Remember I am making a wildcard domain CSR.

Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]:  *.mydomain.com
What is the name of your organizational unit?
[Unknown]:  Web
What is the name of your organization?
[Unknown]:  Mydomain.com
What is the name of your City or Locality?
[Unknown]:  Tyler
What is the name of your State or Province?
[Unknown]:  TX
What is the two-letter country code for this unit?
[Unknown]:  US
Is CN=*.mydomain.com, OU=Web, O=Mydomain.com, L=Tyler, ST=TX, C=US correct?
[no]:  yes

Enter key password for <tomcat>
(RETURN if same as keystore password):

This will create a file called tomcat.keystore.  Be sure this file is referenced in every command moving forward; otherwise, you will be affecting the file named .keystore in your home folder, which gets confusing.

Now, create the CSR so you can go through the GoDaddy SSL process.*

*If this article is helpful, you can buy it here if you haven’t already and benefit our company. It’s still GoDaddy!

keytool -certreq -keyalg RSA -alias tomcat -file mydomain.csr -keystore tomcat.keystore

You will be asked for the password again.  Remember, the password is changeit.

You will now have two files.

1. tomcat.keystore – back this file up somewhere, just in case you screw something up later.

2. mydomain.csr – This is your plain-text CSR to use on GoDaddy’s website to generate your wildcard SSL cert.  Copy and paste it to get your certificate file.

…..Wait….. After submitting..you will wait. ….just wait….zzzzzzzzzzzzzzzzzzzzzzzzzzz

Install the Certificate

Once you have completed your waiting, you will receive a zip file containing several files.  The file we need the most is mydomain.crt.  This contains your certificate.  Now, if you were to attempt to follow GoDaddy’s certificate installation instructions, you would find you don’t have the materials to perform option 1.

http://help.godaddy.com/article/5239

As a result you would try option 2 and fail miserably.  Here is where we get creative.

Let’s examine the command for “Option 1” and see what we need.

openssl pkcs12 -export -chain -CAfile gd_bundle.crt -in <name of your certificate> -inkey <name of your certificate private key file> -out keystore.tomcat -name tomcat -passout pass:changeit

Here is my checklist:

gd_bundle.crt – Don’t need it.  Found this out the hard way.  Just bear with me.

<name of your certificate> - this is mydomain.crt file – we have that. Check!

<name of your certificate private key file> – WTF?  Where do I get this?  See below.

keystore.tomcat – Oh yeah, we made that file earlier. Check!

sf_bundle.crt – You need this instead of gd_bundle.crt.  It took a lot of errors to figure that out.

Get GoDaddy Bundle files here: https://certs.godaddy.com/anonymous/repository.seam

Getting your Private Key File

There are lots of ways to extract your private key, but I found the best way to be a GUI Java app called KeyStore Explorer.  This is a super great tool.  http://www.lazgosoftware.com/kse/

1.  Download and install KeyStore Explorer.  If you need Java, go to java.com and install it first.

2.  Upload your tomcat.keystore file to your Windows box.  This is a binary file.  Treat it as such.

3.  Open your tomcat.keystore file in KeyStore Explorer.  Find the tomcat alias entry we created.  Right-click and choose Export -> Export Key Pair.  Do NOT enter a password.  Simply enter the name of the file.  I called mine mykey.p12

4.  Copy this file back to your /home folder.

You now have a PKCS12 file with both your public and private key in it.  However, we still aren’t quite there.  We need to extract the private key for the command above.

openssl pkcs12 -in mykey.p12 -nocerts -out privateKey.pem

Press Enter when prompted for the Import password.  When prompted for the PEM Pass phrase, I used changeit.
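Steps 1 through 4 above need a Windows box and a GUI just to get the key out of the JKS file; keytool itself (Java 6 or later) can do the JKS-to-PKCS12 conversion with -importkeystore, which is the technique swapped in here. The functions below are an added example rather than commands from the post: they also run the keystore and CSR creation from the start of this article non-interactively with the post's wildcard DN, assume keytool and openssl on the PATH, and use the post's file names and the changeit password.

```shell
#!/bin/sh
# Added example, not from the post: the keytool steps run non-interactively, and the
# KeyStore Explorer export (steps 1-4) replaced by keytool -importkeystore (Java 6 or later).
# Assumes keytool and openssl on PATH; file names and the changeit password follow the post.
STOREPASS=changeit

# Build tomcat.keystore (JKS) with the post's wildcard DN and write the CSR next to it.
make_keystore_and_csr() {
  d=$1
  keytool -genkeypair -keysize 2048 -alias tomcat -keyalg RSA -storetype JKS \
    -keystore "$d/tomcat.keystore" -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -dname "CN=*.mydomain.com, OU=Web, O=Mydomain.com, L=Tyler, ST=TX, C=US"
  keytool -certreq -alias tomcat -keystore "$d/tomcat.keystore" -storepass "$STOREPASS" \
    -file "$d/mydomain.csr"
}

# Print the CSR subject: confirm the wildcard CN before you submit it to the CA.
csr_subject() { openssl req -noout -subject -in "$1"; }

# Convert the JKS entry to a PKCS12 (mykey.p12) that openssl can read; no GUI, no Windows hop.
export_key_pair() {
  d=$1
  keytool -importkeystore -srckeystore "$d/tomcat.keystore" -srcstorepass "$STOREPASS" \
    -srcalias tomcat -srckeypass "$STOREPASS" -destkeystore "$d/mykey.p12" \
    -deststoretype PKCS12 -deststorepass "$STOREPASS" -destkeypass "$STOREPASS" -noprompt
  chmod 600 "$d/mykey.p12"   # it holds the private key; keep it owner-only
}

# The post's extraction step with the pass phrases supplied. Older JDKs write RC2/3DES
# PKCS12 files that OpenSSL 3 only reads with -legacy, hence the fallback.
extract_private_key() {
  d=$1
  openssl pkcs12 -in "$d/mykey.p12" -nocerts -passin "pass:$STOREPASS" \
    -out "$d/privateKey.pem" -passout "pass:$STOREPASS" 2>/dev/null ||
  openssl pkcs12 -legacy -in "$d/mykey.p12" -nocerts -passin "pass:$STOREPASS" \
    -out "$d/privateKey.pem" -passout "pass:$STOREPASS"
  chmod 600 "$d/privateKey.pem"
  # The key we got back must be the one the CSR was made for: compare RSA moduli.
  a=$(openssl req -noout -modulus -in "$d/mydomain.csr")
  b=$(openssl rsa -noout -modulus -in "$d/privateKey.pem" -passin "pass:$STOREPASS")
  [ -n "$a" ] && [ "$a" = "$b" ]
}
```

Run make_keystore_and_csr, export_key_pair and extract_private_key in that order against the directory holding your files; each returns non-zero if its step failed.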

NOW WE ARE COOKIN!

Now we have a Private Key file that we can use in our OpenSSL command above.  The top of the file will look something like this:

[root@www tools]# head privateKey.pem
Bag Attributes
localKeyID: B7 5F 05 B7 5F FD 6C 33 EE F2 83 02 CE 13 2A 14 55 A2 BD 24
friendlyName: tomcat
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E73EA2AB27EAE14C

RXEBrTW9KRqyYAA0JtTRek/YL3+8mW2xyoBhdjs9W0lNVL6FpefAArsyvMD0tjgK
jKhadkcV5xUjiK5KDamDk0MWpXY2OYSScKJZDFkjc9eAvFlCZVD2+yltND/5WGNJ

--------------------------

Now in order to get the file clean enough to use as our import, we need JUST the key.  So, edit the file and delete the lines before:

-----BEGIN RSA PRIVATE KEY-----

Now the top of your file looks like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E73EA2AB27EAE14C

RXEBrTW9KRqyYAA0JtTRek/YL3+8mW2xyoBhdjs9W0lNVL6FpefAArsyvMD0tjgK
jKhadkcV5xUjiK5KDamDk0MWpXY2OYSScKJZDFkjc9eAvFlCZVD2+yltND/5WGNJ

—————————————

Save and let’s get finished.

Finally – Importing your Certificate

Let’s go back and get us a working keystore for our SSL installation for Tomcat.  We now have everything we need.

openssl pkcs12 -export -chain -CAfile sf_bundle.crt -in mydomain.com.crt -inkey privateKey.pem -out keystore.tomcat -name tomcat -passout pass:changeit

Ok, notice we are NOT referencing tomcat.keystore; instead we created a new PKCS12 keystore called keystore.tomcat.
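Before you copy keystore.tomcat to Tomcat, it is worth confirming that the bundle you picked really completes the chain and that the key and certificate belong together; these checks would have shown the gd_bundle/sf_bundle problem in seconds. The shell functions below are an added example, not commands from the post: they assume openssl on the PATH and use the post's file names and the changeit password, and make_fixture builds a constructed throwaway CA and wildcard certificate so the checks can be run without real GoDaddy files.

```shell
#!/bin/sh
# Pre-flight checks for the keystore.tomcat build (added example, not from the post).
# Assumes openssl on PATH; file names and the changeit password follow the post.

# Print the first CA bundle that completes the chain for certificate $1; return 1 if none does.
find_chain_bundle() {
  cert=$1; shift
  for bundle in "$@"; do
    if openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
      echo "$bundle"; return 0
    fi
  done
  return 1
}

# Return 0 only if private key $2 (pass phrase $3) belongs to certificate $1: same RSA modulus.
key_matches_cert() {
  c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
  k=$(openssl rsa -noout -modulus -in "$2" -passin "pass:$3" 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# The post's export command with -passin added so it runs unattended; the result holds
# the private key, so keep it owner-only.
build_keystore() {
  openssl pkcs12 -export -chain -CAfile "$1/sf_bundle.crt" -in "$1/mydomain.crt" \
    -inkey "$1/privateKey.pem" -passin pass:changeit -out "$1/keystore.tomcat" \
    -name tomcat -passout pass:changeit 2>/dev/null && chmod 600 "$1/keystore.tomcat"
}

# How many certificates Tomcat will find in the PKCS12: the leaf plus every CA in the chain.
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin pass:changeit 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Constructed fixture standing in for the GoDaddy files: a throwaway CA (sf_bundle.crt),
# an unrelated CA (gd_bundle.crt), an encrypted key and a wildcard cert signed by the first CA.
make_fixture() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/sf_bundle.crt" \
    -subj "/CN=Fixture Root CA" -days 2 >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/other.key" -out "$d/gd_bundle.crt" \
    -subj "/CN=Unrelated CA" -days 2 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -keyout "$d/privateKey.pem" -passout pass:changeit \
    -out "$d/mydomain.csr" -subj "/CN=*.mydomain.com" >/dev/null 2>&1
  openssl x509 -req -in "$d/mydomain.csr" -CA "$d/sf_bundle.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/mydomain.crt" -days 2 >/dev/null 2>&1
  chmod 600 "$d"/*.key "$d/privateKey.pem"
}
```

Against your own files, find_chain_bundle mydomain.crt gd_bundle.crt sf_bundle.crt should print sf_bundle.crt, and p12_cert_count keystore.tomcat should report the leaf plus every CA certificate in the chain.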

Now, let’s see if it works.

Installing the Certificate in Tomcat

Let’s copy the file to our Tomcat installation’s configuration directory.  My Tomcat was in /usr/local/tomcat5:

cp keystore.tomcat /usr/local/tomcat5/conf

Now we need to enable SSL, so we need to edit the server-wide server.xml file.  Find the section that looks like this:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->

Replace it.  Mine looks like this:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="443"
           maxHttpHeaderSize="8192" maxThreads="250" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true" SSLEnabled="true"
           clientAuth="false" sslProtocol="TLS" keyAlias="tomcat"
           keystoreFile="/usr/local/tomcat5/conf/keystore.tomcat"
           keystorePass="changeit"
           keystoreType="PKCS12" />

Lastly, find any other references to port 8443 in the server.xml file and replace them with just 443.

Now, restart Tomcat and enjoy your newly functioning wildcard certificate.

I hope this bridges the gaps in some of the other articles out there.

Please comment if it helps you.

Good Luck!