Add a GoDaddy SSL Certificate to Tomcat 6

Here are some steps that should work for most installations on recent Tomcat builds.

This procedure could easily be used with any other SSL verification service; only the names and number of certs to import may change.

These steps assume that you are using the default .keystore file located in the tomcat user's home directory (/usr/local/tomcat6/, for example).

If this keystore exists, I would recommend removing it.

You also need to ensure that you are using the keytool binary that belongs to the version of Java that Tomcat is running under.

When starting or stopping Tomcat (/usr/local/tomcat6/bin/catalina.sh stop/start), it will output the current JRE_HOME setting. This tells you the path to the keytool you should use, for example /usr/java/jdk1.6.0_14/bin/keytool.

To see the available binaries, try:

locate keytool

The binary you get by just typing keytool (the first one on your PATH) may not be the correct one.

Once you have determined this, become the tomcat user (or whatever user runs Tomcat/Catalina):

su - tomcat

Using the full path to keytool, create the keystore and the server key pair:

/usr/java/jdk1.6.0_14/bin/keytool -genkey -alias server -keyalg RSA

Answer the questions. The "first and last name" prompt is the CN, i.e. the website's Fully Qualified Domain Name. In the case of a wildcard cert request, this would be *.domain.name.

Enter the same password at every password prompt.

Create the CSR:

/usr/java/jdk1.6.0_14/bin/keytool -certreq -alias server -file csr.txt

This file, csr.txt, now contains the text you need to copy and paste into whatever form is provided for submitting your Certificate Signing Request (CSR).

Once this is submitted, you will be given a set of files. One of these is the CA root cert, which with most verification services and distributions should not be needed, as it is usually already installed on the system; to be safe, you can import it anyway. From GoDaddy you will also receive an intermediate cert and a cross cert, as well as the wildcard cert for your domain/domains.

Import the root certificate:

/usr/java/jdk1.6.0_14/jre/bin/keytool -import -alias root -trustcacerts -file valicert_class2_root.cer

Import the cross certificate:

/usr/java/jdk1.6.0_14/jre/bin/keytool -import -alias cross -trustcacerts -file gd_cross_intermediate.cer

Import the intermediate certificate:

/usr/java/jdk1.6.0_14/jre/bin/keytool -import -alias intermed -trustcacerts -file gd_intermediate.cer

Import the wildcard certificate:

/usr/java/jdk1.6.0_14/jre/bin/keytool -import -alias server -trustcacerts -file _.yourdomain.com.crt
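The import steps above, wrapped in a script that uses the keytool belonging to Tomcat's JRE and then checks that the server entry actually carries the full chain (a chain length of 1 means the intermediates were not linked and browsers will see an incomplete chain). This is an added example, not from the original post; it assumes JRE_HOME is exported as catalina.sh reports it, and reuses the keystore path, aliases and file names used above.

```shell
#!/bin/sh
# Added example (not from the original post). Imports the GoDaddy chain with the
# keytool that belongs to Tomcat's JRE, then verifies the "server" key entry.
# Assumes JRE_HOME is set as catalina.sh reports it; paths/aliases are from the post.

KEYSTORE="${KEYSTORE:-/usr/local/tomcat6/.keystore}"
KEYTOOL="${JRE_HOME:-/usr/java/jdk1.6.0_14}/bin/keytool"

# Import root, cross and intermediate as trusted entries, then the server cert
# under the SAME alias as the private key so keytool attaches the chain to it.
import_chain() {
    for spec in root:valicert_class2_root.cer \
                cross:gd_cross_intermediate.cer \
                intermed:gd_intermediate.cer; do
        "$KEYTOOL" -import -noprompt -trustcacerts -keystore "$KEYSTORE" \
            -alias "${spec%%:*}" -file "${spec#*:}" || return 1
    done
    "$KEYTOOL" -import -trustcacerts -keystore "$KEYSTORE" \
        -alias server -file _.yourdomain.com.crt
}

# Read `keytool -list -v` output on stdin; print the chain length reported for
# ALIAS (0 if the alias is absent or is only a trustedCertEntry, which has none).
chain_length_for() {
    awk -v alias="$1" '
        /^Alias name:/ { cur = $3 }
        /^Certificate chain length:/ && cur == alias { print $4; found = 1; exit }
        END { if (!found) print 0 }'
}

# Succeeds only if ALIAS holds the leaf plus the GoDaddy intermediate and cross
# cert (keytool may also append the root, giving 4).
has_full_chain() {
    n=$(chain_length_for "$1")
    [ "$n" -ge 3 ]
}

# Constructed sample of `keytool -list -v` output for a correctly built keystore.
SAMPLE_LISTING='Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=*.yourdomain.com, O=Example Org
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA'

if [ "${1:-}" = "run" ]; then
    import_chain && "$KEYTOOL" -list -v -keystore "$KEYSTORE" | has_full_chain server
fi
```

Run it as `sh import-chain.sh run` as the tomcat user; without the argument it only defines the functions, so `"$KEYTOOL" -list -v -keystore "$KEYSTORE" | has_full_chain server` can be used on its own after a manual import.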

You need to configure the Tomcat server.xml file to provide port 443 (or whatever port you want).

You can uncomment the section already included in server.xml for this, or use the example below:

<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           port="443" minSpareThreads="5" maxSpareThreads="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/usr/local/tomcat6/.keystore" keystorePass="whatever"
           clientAuth="false" sslProtocol="TLS" />