Friday, November 25, 2011

How to install (Go Daddy) certificate on Tomcat/Ubunto

Recently I spent a lot of time installing new certificate I bought from GoDaddy on my Tomcat server.
Although this process should be common, I could not create certificate chain via java keytool.
At the end I found that the GoDaddy documentation was lacking some basic info and I needed to find it my self.

So, for any of you who bought certificate via GoDaddy and need to deploy it into tomcat, here is the complete guide:

1. Create new public/private key (key pair) via keytool
- It is important to provide complete path to keytool. Verify it located in the same JRE folder tomcat use.
- Mind the alias name, we need to keep consistency with the next steps.
/complete/path/to/keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore /path/cer/tomcat.jks

2. Create server csr file.
Needed to issue certificates from your CA (e.g. GoDaddy).
- Use RSA as key algorithm
- Use same alias as you used in previous step
/complete/path/to/keytool -certreq -keyalg RSA -alias tomcat -file /path/cer/tomcat.csr -keystore /path/cer/tomcat.jks

At the end of this step, go to your CA certificate management panel and re-key the certificate using the tomcat.csr file content.
Save the (extracted) files on your sever (in our example /path/cer/)

3. Get your server private key.
This step needed, since the private key required for the certification chain creation. The keystore file we created contains both public and private key.
Since keytool can not get the private key, we need to use additional tool.
For me KeyTool-IUI did the trick. You can use this link too.
The relevant menu item is specified in the image below:

The private key file should be in the format specified in the image below:

4. Create the certificate chain:
- You can replace gd_bundle.crt with any root certificate given by your CA.
- Make sure the "-name" variable is the same as alias given in step #1.
openssl pkcs12 -export -chain -CAfile /path/cert/gd_bundle.crt -in /path/cert/your_domain.crt -inkey /path/cert/tomcat.pem -out /path/cert/keystore.tomcat -name tomcat -passout pass:YOUR_PASSWORD

5. Update Tomcat server.xml file:
<Connector executor="tomcatThreadPool" protocol="org.apache.coyote.http11.Http11Protocol"
        enableLookups="true" disableUploadTimeout="true"
        scheme="https" secure="true" SSLEnabled="true"
        keyAlias="tomcat" keystoreType="PKCS12"
        clientAuth="false" sslProtocol="TLS"

Restart Tomcat and you are ready to go!

If this post saved you time, kindly share it with others.


  1. Hello i am facing some problems to import godaddy cert. i cannot use the keytool-uiu after i give to java the permission to be executed the app doesnt load. Can you help me to build the chain, or especify how do i export the private key from my keystore?

  2. DreamHost is ultimately one of the best website hosting company for any hosting services you require.