Have you imported the signed server certificate into the server keystore with all the root+intermediate certificates? In other words, does the "chain-of-trust" exist in server keystore?
You just need to add the root and intermediate CA certs to trust store - any server certs signed by them are, by default, trusted.

On 4 August 2017 at 17:09, Hameed, Amir <amir.ham...@xerox.com> wrote:
> Hi,
> I am trying to configure Tomcat 8.0.36 with SSL and running into some
> issues. The JDK version I am using is 1.8.0_64. I used the following
> process to implement SSL:
>
> 1. Generated a java key store using the following command:
> ${JAVA_HOME}/bin/keytool -genkey -alias [alias-name] -keyalg RSA -keysize 2048 \
>   -keystore [key-store-path]/keystore.jks -dname "CN=[common-name],OU=[org-unit], O=[company-name], L=[city], ST=[state], C=US"
>
> 2. Generated CSR using the following command:
> ${JAVA_HOME}/bin/keytool -certreq -alias [alias-name] -file [key-store-path]/[csr-file-name] \
>   -keystore [key-store-path]/keystore.jks
>
> 3. Requested certificate from COMODO.
>
> 4. Imported all Trusted certificates from COMODO into the key store
> using command. There were a total of three trusted certificates that we
> received from COMODO:
> ${JAVA_HOME}/bin/keytool -import -trustcacerts -alias [alias-name] -file [ssl-cert-file] -keystore [key-store-path]/keystore.jks -v
>
> 5. Modified Tomcat's server.xml file as shown below:
>
> <Connector port="[ssl-port]" protocol="org.apache.coyote.http11.Http11NioProtocol"
>            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="TLS"
>            keystoreFile="[key-store-path]/keystore.jks"
>            keystoreType="JKS" keystorePass="[key-store-password]" />
>
> 6. Restarted Tomcat.
>
> 7. Accessed the Tomcat homepage from the browser using https and the
> browser complained about page being insecure. When I looked at the
> certificate from the browser, I see that the Certificate Path tab of the
> certificate shows that the trusted chain is incomplete and does not show
> the trusted certificates that I had imported into the key store.
>
> What am I missing here?
> Any help will be appreciated.
>
> Thank you,
> Amir
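One way to answer the first reply's question about whether the chain of trust exists in the server keystore, as an added example that is not part of the thread: the server presents only the chain stored on the `PrivateKeyEntry`, so this function reads `keytool -list -v` output and classifies that chain. The alias `tomcat`, the certificate names and the result labels are constructed for illustration, and English-locale keytool output (trimmed to the fields used) is assumed.

```shell
# Added example (not from the thread): classify each PrivateKeyEntry chain.
# SELF_SIGNED / LEAF_ONLY / CHAIN_OK / CHAIN_BROKEN are labels made up here.
check_chain() {
  awk '
    function report(    i, ok) {
      if (type != "PrivateKeyEntry") return   # trustedCertEntry is never served
      if (len == 1 && owner[1] == issuer[1]) { print alias ": SELF_SIGNED"; return }
      if (len == 1) { print alias ": LEAF_ONLY"; return }
      ok = 1                                  # each issuer must be the next owner
      for (i = 1; i < len; i++) if (issuer[i] != owner[i + 1]) ok = 0
      print alias ": " (ok ? "CHAIN_OK" : "CHAIN_BROKEN")
    }
    /^Alias name: /               { report(); alias = substr($0, 13); type = ""; len = 0; n = 0 }
    /^Entry type: /               { type = substr($0, 13) }
    /^Certificate chain length: / { len = substr($0, 27) + 0 }
    /^Certificate\[[0-9]+\]:/     { n++ }
    /^Owner: /                    { owner[n ? n : 1] = substr($0, 8) }
    /^Issuer: /                   { issuer[n ? n : 1] = substr($0, 9) }
    END                           { report() }
  '
}
# Constructed sample: CA cert stored under its own alias, key entry still self-signed.
sample_untouched() { cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.test, O=Example
Issuer: CN=www.example.test, O=Example
Alias name: intermediate
Entry type: trustedCertEntry
Owner: CN=Example CA
Issuer: CN=Example CA
EOF
}
# Constructed sample: CA reply installed on the key entry, chain established.
sample_chained() { cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.example.test, O=Example
Issuer: CN=Example CA
Certificate[2]:
Owner: CN=Example CA
Issuer: CN=Example CA
EOF
}
sample_untouched | check_chain; sample_chained | check_chain
```

Against a real keystore, pipe `${JAVA_HOME}/bin/keytool -list -v -keystore [key-store-path]/keystore.jks` into `check_chain`. A `SELF_SIGNED` result means the key entry still holds the certificate created by `-genkey`, which matches an incomplete Certificate Path in the browser.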