My bad - you can ignore my previous email - I was thinking about some other scenario.
If the message says "Trusted Chain is Incomplete" - that means that your browser's certificate store doesn't have the updated information regarding root+intermediate CA certs. If you have imported all the certificates correctly to your server keystore this shouldn't be happening. Check this post to see if you find any missing steps - https://www.digicert.com/util/repair-intermediate-ssl-certificate-errors-using-digicert-utility-for-microsoft-servers.htm .

Regards,

On 4 August 2017 at 17:38, M. Manna <manme...@gmail.com> wrote:

> If you are testing locally (i.e. on localhost) you might want to check if
> the root and intermediate CA exist. Or just import it:
> 1. Find out where your jdk is - say JDK_PATH
> 2. Keep a backup copy somewhere for JDK_PATH\jre\lib\security\cacerts
> 3. Run the following command for each root/intermediate CA cert:
> keytool -import -trustcacerts -keystore JDK_PATH\jre\lib\security\cacerts -storepass changeit -noprompt -file CA_FILE_LOCATION
>
> Restart your tomcat and check.
>
>
>
> On 4 August 2017 at 17:23, Hameed, Amir <amir.ham...@xerox.com> wrote:
>
>> Thank you for your reply. Please see my answers below:
>>
>> Have you imported the signed server certificate into the server keystore
>> with all the root+intermediate certificates? In other words, does the
>> "chain-of-trust" exist in server keystore?
>>
>> Yes, I have imported all trusted certificates (COMODORSAAddTrustCA.crt
>> + AddTrustExternalCARoot.crt +
>> COMODORSAOrganizationValidationSecureServerCA.crt)
>> into the server key store along with the signed server certificate.
>>
>> You just need to add the root and intermediate CA certs to trust store -
>> any server certs signed by them are, by default, trusted.
>>
>> I am new to Tomcat. Where can I find the trust store and is it
>> separate from the server key store?
>>
>> Thanks
>> -----Original Message-----
>> From: M. Manna [mailto:manme...@gmail.com]
>> Sent: Friday, August 4, 2017 12:16 PM
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Subject: Re: SSL is not working
>>
>> Have you imported the signed server certificate into the server keystore
>> with all the root+intermediate certificates? In other words, does the
>> "chain-of-trust" exist in server keystore?
>>
>> You just need to add the root and intermediate CA certs to trust store -
>> any server certs signed by them are, by default, trusted.
>>
>>
>> On 4 August 2017 at 17:09, Hameed, Amir <amir.ham...@xerox.com> wrote:
>>
>> > Hi,
>> > I am trying to configure Tomcat 8.0.36 with SSL and running into some
>> > issues. The JDK version I am using is 1.8.0_64. I used the following
>> > process to implement SSL:
>> >
>> > 1. Generated a java key store using the following command:
>> > ${JAVA_HOME}/bin/keytool -genkey -alias [alias-name] -keyalg RSA -keysize 2048 \
>> >   -keystore [key-store-path]/keystore.jks -dname "CN=[common-name],OU=[org-unit], O=[company-name], L=[city], ST=[state], C=US"
>> >
>> > 2. Generated CSR using the following command:
>> > ${JAVA_HOME}/bin/keytool -certreq -alias [alias-name] -file [key-store-path]/[csr-file-name] \
>> >   -keystore [key-store-path]/keystore.jks
>> >
>> > 3. Requested certificate from COMODO.
>> >
>> > 4. Imported all Trusted certificates from COMODO into the key store
>> > using the command. There were a total of three trusted certificates that
>> > we received from COMODO:
>> > ${JAVA_HOME}/bin/keytool -import -trustcacerts -alias [alias-name] -file [ssl-cert-file] -keystore [key-store-path]/keystore.jks -v
>> >
>> > 5. Modified Tomcat's server.xml file as shown below:
>> >
>> > <Connector port="[ssl-port]" protocol="org.apache.coyote.http11.Http11NioProtocol"
>> >            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>> >            clientAuth="false" sslProtocol="TLS"
>> >            keystoreFile="[key-store-path]/keystore.jks"
>> >            keystoreType="JKS" keystorePass="[key-store-password]" />
>> >
>> > 6. Restarted Tomcat.
>> >
>> > 7. Accessed the Tomcat homepage from the browser using https and the
>> > browser complained about the page being insecure. When I looked at the
>> > certificate from the browser, I see that the Certificate Path tab of
>> > the certificate shows that the trusted chain is incomplete and does
>> > not show the trusted certificates that I had imported into the key store.
>> >
>> > What am I missing here? Any help will be appreciated.
>> >
>> >
>> > Thank you,
>> > Amir
>> >
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>