This how-to illustrates how to install SSL certificates on a Tomcat or other Java-based server with keytool, a command-line tool for managing keys and certificates in a Java KeyStore.
Root and Intermediate Certificates
Proper functioning of a server certificate depends on the successful installation of intermediate and root certificates. The complete SSL.com certificate chain typically includes 4 files (the older USERTRUST roots also use 4 files):
SSL.com roots
| Certificate Files |
Description |
|---|---|
| CERTUM_TRUSTED_NETWORK_CA.crt | Root 1 Certificate |
| SSL_COM_ROOT_CERTIFICATION_AUTHORITY_RSA.crt | Root 2 Certificate |
| SSL_COM_RSA_SSL_SUBCA.crt | Intermediate Certificate |
| your_domain_here.crt | Signed Server Certificate |
USERTRUST roots
| Certificate Files |
Description |
|---|---|
| AAACertificateServices.crt | Root Certificate |
| USERTrustRSAAAACA.crt | Intermediate Certificate 1 |
| SSLcomDVCA_2.crt | Intermediate Certificate 2 |
| your_domain_here.crt | Signed Server Certificate |
Certificate Installation with Keytool
domain.key with your keystore name.Use the keytool command to import the root certificate(s) as follows (use the clickable tabs to select between instructions for SSL.com roots and USERTRUST roots:
Use the keytool command to import the Certum root certificate as follows:
keytool -import -trustcacerts -alias root1 -file CERTUM_TRUSTED_NETWORK_CA.crt -keystore domain.key
Use the same process for the SSL.com root certificate using the keytool command(notice that the alias is slightly different than before):
keytool -import -trustcacerts -alias root2 -file SSL_COM_ROOT_CERTIFICATION_AUTHORITY_RSA.crt -keystore domain.key
Next, you’ll install the intermediate certificate:
keytool -import -trustcacerts -alias INTER -file SSL_COM_RSA_SSL_SUBCA.crt -keystore domain.key
Use the keytool command to import the USERTRUST root certificate as follows:
keytool -import -trustcacerts -alias root -file AAACertificateServices.crt -keystore domain.key
Use the same process for the first intermediate certificate using the keytool command:
keytool -import -trustcacerts -alias INTER1 -file USERTrustRSAAAACA.crt -keystore domain.key
Next, you’ll install the second intermediate certificate (notice that the alias is slightly different than before):
keytool -import -trustcacerts -alias INTER2 -file SSLcomDVCA_2.crt -keystore domain.key
Use the same process for the site certificate using the keytool command. The alias for this certificate should match the alias that you used when creating the CSR.
keytool -import -trustcacerts -alias yyy (where yyy is the alias specified during CSR creation) -file domain.crt -keystore domain.key
The password is then requested:Enter keystore password: (This is the one used during CSR creation)
The following information will be displayed about the ssl certificate and you will be asked if you want to trust it (the default is no so type ‘y’ or ‘yes’):
Owner: CN= Root, O=Root, C=US Issuer: CN=Root, O=Root, C=US Serial number: 111111111111 Valid from: Fri JAN 01 23:01:00 GMT 1990 until: Thu JAN 01 23:59:00 GMT 2050 Certificate fingerprints: MD5: D1:E7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58 SHA1: B6:GE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:BC:65:A6:89:64 Trust this certificate? [no]:
Then an information message will display as follows:
Certificate was added to keystore
All the certificates are now loaded and the correct root certificate will be presented.
