Convert Windows IIS SSL Certificate to Tomcat Java Format

This is a follow-on to my earlier post Convert Apache Httpd SSL Certificate for Tomcat. This time around we’re converting a GoDaddy SSL server certificate that has already been issued and is currently in use with the Windows IIS web server. The most important thing about this conversion is to ensure that the certificate key-pair entry in the resulting keystore file for Tomcat has the appropriate intermediate CA trust chain stored under the same entry. Without this trust chain in the right place, Tomcat will send only the server certificate, and not the intermediate CA certs, to SSL/TLS clients during the establishment of a secure session. For many clients the absence of the intermediate CA will not be a problem, because the client already has the same intermediate cached in its local trust store or fetches it from the issuer URL embedded in the server cert (Windows-based browsers typically do both). Some popular clients do neither (most notably iOS on iPhone / iPad, and non-browser clients such as Java and curl), so the server (Tomcat) must present the appropriate intermediate certs along with the server cert, as the TLS specification requires, to avoid trust errors when those clients connect. These notes attempt to describe a repeatable process to reliably convert the Windows IIS server cert to a Tomcat-compatible keystore. I will also include example commands to verify that the Tomcat keystore functions as required for clients that depend on the intermediate certs presented in the trust chain by the server (Tomcat).

The first step uses the Windows Certificates MMC snap-in to export the server certificate and its private key, with the attached trust chain, to a PFX (PKCS#12) file.

  • Windows Key + R (run), then type “mmc” in the “Open:” box and click “OK”
  • Ctrl + M (add/remove snap-in)
  • Double-click “Certificates” in the “Available snap-ins” list
  • Select the “Computer account” radio button, then “Next”
  • Select the “Local computer” radio button, then “Finish”
  • Click “OK” to return to the MMC window with the newly-added “Certificates” snap-in
  • Expand the “Certificates” then “Personal” nodes
  • Right-click the server certificate you want to convert, then “All Tasks” – “Export…”
  • Step through the wizard, select “Yes, export the private key” (MANDATORY TO EXPORT THE KEY PAIR; if this option is greyed out, the key was marked non-exportable when it was created and cannot be exported this way)
  • Select “Include all certificates in the certification path if possible” (MANDATORY TO EXPORT THE TRUST CHAIN)
    • NEVER EVER choose the “Delete the private key if the export is successful” option, THAT WOULD DESTROY THE CERTIFICATE IN Windows/IIS
  • Select “Export all extended properties”
  • Type the SAME PASSWORD you plan to use for your Tomcat keystore (Tomcat uses keystorePass for the private key too unless you set keyPass separately, so matching passwords avoid keystore/private-key password mismatch problems)
  • BEFORE clicking “Finish” on the Certificate Export Wizard, REVIEW THE SETTINGS SELECTED (export keys = yes, include all certificates in the certification path = yes). MAKE EXTRA SURE that you’re not accidentally deleting the private key from the Windows certificate store.

After you have the cert saved as a *.pfx (PKCS12) file, the Java keytool can handle the rest of the conversion process. (Tomcat can also load the .pfx directly by setting the keystore type to PKCS12, and keytool on JDK 9 and later creates PKCS12 stores by default; the JKS conversion below is still useful when you need a JKS file or want to replace the random Windows alias with a readable one.)

# USING PowerShell to run example commands (provides Select-String and other useful utilities)

keytool -list -v -keystore YOUR-CERT.pfx -storetype PKCS12 | select-string "Keystore |Alias |Entry |chain |Owner: |Issuer: |\]:"

# REVIEW OUTPUT, find "Alias name" for the cert you exported
# DOWNLOAD A COPY of root/intermediate certs corresponding to your server cert from https://certs.godaddy.com/repository/
# FILES are "gdroot-g2.crt" and "gdig2.crt" for GoDaddy G2 (generation 2) certs

keytool -import -alias gdroot-g2 -keystore TOMCAT-KEYSTORE.jks -storetype JKS -trustcacerts -file gdroot-g2.crt
keytool -import -alias gdig2 -keystore TOMCAT-KEYSTORE.jks -storetype JKS -trustcacerts -file gdig2.crt

# NOTE these two trustedCertEntry imports are OPTIONAL. They are NOT the chain Tomcat sends to clients; that chain must live inside the PrivateKeyEntry created by the next command. They only make the CA certs available to Tomcat/Java as trust anchors if needed.
# -storetype JKS / -deststoretype JKS matter on JDK 9+, where keytool would otherwise create a PKCS12 store even though the file is named .jks
keytool -importkeystore -srckeystore YOUR-CERT.pfx -srcstoretype PKCS12 -destkeystore TOMCAT-KEYSTORE.jks -deststoretype JKS -srcalias ALIAS-FROM-KEYTOOL-LIST -destalias FRIENDLY-CERT-NAME
# This is the most important step for the conversion. The entry with the matching ALIAS from YOUR-CERT.pfx, including its certificate chain, is imported into your JKS file
# With the same command we're also renaming the random alias from Windows to a meaningful short alias of your choice, FRIENDLY-CERT-NAME
# Verify the contents of your new Tomcat-compatible JKS file using a command like:

keytool -list -v -keystore TOMCAT-KEYSTORE.jks | select-string "Keystore |Alias |Entry |chain |Owner: |Issuer: |\]:"

# For a GoDaddy G2 export, your "PrivateKeyEntry" should show "Certificate chain length: 3": Certs [1] server, [2] intermediate (Go Daddy Secure Certificate Authority - G2), and [3] root
# A chain length of 2 (server + intermediate) is also fine: clients must already trust the root, so sending it is harmless but unnecessary. A chain length of 1 means the chain was lost and the keystore will NOT work for iOS clients.
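The export-and-convert sequence above, scripted so it can be repeated without clicking through the MMC wizard. This is an added example, not code from the original post. It assumes an elevated PowerShell prompt on Windows 8 / Server 2012 or later (the PKI module supplies Export-PfxCertificate and Get-PfxData), a keytool on PATH, and placeholder values for the host name, file names and destination alias. Export-PfxCertificate never deletes the key from the store, so the wizard's dangerous option cannot be hit by accident, and the password reaches keytool through an environment variable rather than the command line.

```powershell
# Added example, not from the original post. Placeholders: host name, file
# names and the destination alias. Needs an elevated prompt (private-key
# export from Cert:\LocalMachine) and keytool on PATH.
param(
    [string]$Subject   = 'YOUR-TOMCAT.YOUR-DOMAIN.COM',          # CN of the IIS cert
    [string]$PfxPath   = (Join-Path $PWD 'YOUR-CERT.pfx'),
    [string]$JksPath   = (Join-Path $PWD 'TOMCAT-KEYSTORE.jks'),
    [string]$DestAlias = 'tomcat'
)
$ErrorActionPreference = 'Stop'

# One password for the PFX, the JKS store and the key entry, as the post
# recommends. keytool reads it from an environment variable (-storepass:env)
# so it never appears on a command line or in shell history.
$secure = Read-Host -AsSecureString -Prompt 'Keystore password'
$env:KSPASS = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                  [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# 1. Find the server cert (with key) in the machine's Personal store,
#    i.e. Certificates (Local Computer) > Personal in the MMC.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$Subject*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for CN=$Subject" }
"Exporting $($cert.Thumbprint)  $($cert.Subject)"

# 2. Export key pair plus chain. -ChainOption BuildChain is the wizard's
#    'Include all certificates in the certification path'. The cmdlet never
#    deletes the key from the store; it fails instead if the key is non-exportable.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $secure -ChainOption BuildChain | Out-Null

# 3. Confirm the PFX actually carries CA certs before touching keytool.
$pfx = Get-PfxData -FilePath $PfxPath -Password $secure
"PFX: $($pfx.EndEntityCertificates.Count) end-entity cert(s), $($pfx.OtherCertificates.Count) CA cert(s)"
if ($pfx.OtherCertificates.Count -lt 1) { throw 'PFX has no intermediate CA certs; re-export with the chain' }

# 4. Discover the alias Windows gave the PrivateKeyEntry inside the PFX.
$srcAlias = $null; $cur = $null
foreach ($line in (& keytool -list -v -keystore $PfxPath -storetype PKCS12 '-storepass:env' KSPASS)) {
    if ($line -match '^Alias name: (.+)$')                                    { $cur = $Matches[1].Trim() }
    elseif ($line -match '^Entry type: PrivateKeyEntry' -and -not $srcAlias) { $srcAlias = $cur }
}
if (-not $srcAlias) { throw 'No PrivateKeyEntry found in the PFX' }
"PFX alias: $srcAlias"

# 5. Import that one entry, chain included, under a short alias.
#    -deststoretype JKS matters on JDK 9+, where keytool would otherwise
#    create a PKCS12 store even though the file is named .jks.
if (Test-Path $JksPath) { Remove-Item $JksPath }
& keytool -importkeystore -srckeystore $PfxPath -srcstoretype PKCS12 '-srcstorepass:env' KSPASS `
    -srcalias $srcAlias -destkeystore $JksPath -deststoretype JKS '-deststorepass:env' KSPASS `
    -destalias $DestAlias '-destkeypass:env' KSPASS
if ($LASTEXITCODE -ne 0) { throw 'keytool -importkeystore failed' }

# 6. The check that matters: the key entry must carry the server cert plus at
#    least its issuing intermediate (chain length >= 2; GoDaddy G2 exports give 3).
$jks = & keytool -list -v -keystore $JksPath -storetype JKS '-storepass:env' KSPASS
$m   = $jks | Select-String 'Certificate chain length: (\d+)' | Select-Object -First 1
$len = if ($m) { [int]$m.Matches[0].Groups[1].Value } else { 0 }
Remove-Item Env:KSPASS
"JKS entry '$DestAlias': chain length $len"
if ($len -lt 2) { throw 'Key entry has no intermediate in its chain; Tomcat would send the server cert alone' }
```

The script stops at the first step that would produce an unusable keystore: a PFX with no CA certs, a PFX without a PrivateKeyEntry, or a JKS entry whose chain length is 1. The optional GoDaddy root/intermediate trustedCertEntry imports from the commands above are deliberately left out, since they do not affect what Tomcat sends to clients.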

After creating your new JKS file, you must configure Tomcat to use it in server.xml (keystoreFile / keystorePass / keystoreType on the HTTPS Connector, or certificateKeystoreFile / certificateKeystorePassword / certificateKeystoreType under SSLHostConfig on Tomcat 8.5 and later) and then RE-START the Tomcat service. You can verify that the chain presented by Tomcat is valid by connecting to your site with a client that requires a server-provided trust chain (most browsers on iOS mobile devices). Alternately, you can use an OpenSSL command to view the trust chain presented by the server; an example command follows.

# bash shell is assumed for this example. Windows users can obtain bash with a Cygwin environment.
# Substitute your server's fully-qualified name and Tomcat SSL/TLS port number.
# -servername sends the host name via SNI, so you get the right cert when several sites share an IP address.

echo "Q" | openssl s_client -connect YOUR-TOMCAT.YOUR-DOMAIN.COM:8443 -servername YOUR-TOMCAT.YOUR-DOMAIN.COM | grep -E 'chain|s:|i:|Verify return'

# SAMPLE OUTPUT if your new JKS file passes the trust-chain compatibility test
Certificate chain
 0 s:/OU=Domain Control Validated/CN=YOUR-TOMCAT.YOUR-DOMAIN.COM
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
    Verify return code: 0 (ok)
# NOTE that the chain received from Tomcat is displayed along with the chain-verification status. Lines 0 and 1 are the real test: the server sent the intermediate. "Verify return code: 0 (ok)" additionally means this copy of OpenSSL trusts the GoDaddy root from its own CA bundle. "21 (unable to verify the first certificate)" is the signature of a missing intermediate, whereas 19 or 20 with a complete chain usually just means the local bundle lacks the GoDaddy root, which is not a Tomcat problem.
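The same live check wrapped in PowerShell, so it can run from the Windows box that holds the keystore and give an explicit pass/fail. This is an added example, not code from the original post; it assumes an openssl.exe on PATH (Git for Windows ships one) and uses the post's placeholder host and port. It goes slightly beyond the page's one-liner: it confirms that cert [1] really is the issuer of cert [0], and it separates a missing-intermediate failure (OpenSSL verify code 21) from openssl merely not trusting the GoDaddy root locally.

```powershell
# Added example, not from the original post. Assumes openssl.exe on PATH;
# host name and port are placeholders.
function Test-TomcatChain {
    param(
        [Parameter(Mandatory)] [string]$HostName,
        [int]$Port = 8443
    )
    # -servername sends SNI (needed when several names share an IP);
    # -showcerts dumps every cert the server sent, not just the leaf.
    # 'Q' on stdin makes s_client quit after the handshake.
    $out = 'Q' | & openssl s_client -connect "${HostName}:${Port}" -servername $HostName -showcerts 2>$null

    # Collect the " N s:" / "   i:" pairs; the regexes accept both the old
    # "/C=US/..." and the newer "C = US, ..." subject formatting.
    $subjects = @(); $issuers = @()
    foreach ($line in $out) {
        if ($line -match '^\s*\d+ s:(.*)$')    { $subjects += $Matches[1].Trim() }
        elseif ($line -match '^\s*i:(.*)$')    { $issuers  += $Matches[1].Trim() }
    }
    $m    = $out | Select-String 'Verify return code: (\d+)' | Select-Object -First 1
    $code = if ($m) { [int]$m.Matches[0].Groups[1].Value } else { -1 }

    "Certificates sent by server: $($subjects.Count)"
    for ($i = 0; $i -lt $subjects.Count; $i++) {
        " [$i] $($subjects[$i])`n     issued by: $($issuers[$i])"
    }
    "Verify return code: $code"

    $ok = $true
    if ($subjects.Count -lt 2) {
        Write-Warning 'Only the server certificate was sent; iOS and other clients without the intermediate will fail.'
        $ok = $false
    }
    # An intermediate only helps if it is the leaf's actual issuer.
    elseif ($issuers[0] -ne $subjects[1]) {
        Write-Warning "Cert [1] ($($subjects[1])) is not the issuer of cert [0] ($($issuers[0]))."
        $ok = $false
    }
    # 21 = 'unable to verify the first certificate': the classic missing-intermediate code.
    if ($code -eq 21) {
        Write-Warning 'OpenSSL could not verify the leaf: intermediate missing.'
        $ok = $false
    }
    # 19/20 with a complete chain usually means openssl's CA bundle lacks the root, not a Tomcat problem.
    elseif ($code -ne 0) {
        Write-Warning "Verify code $code: check whether this openssl trusts the GoDaddy root locally."
    }
    return $ok
}

Test-TomcatChain -HostName 'YOUR-TOMCAT.YOUR-DOMAIN.COM' -Port 8443
```

The function returns $true only when at least two certificates were sent and the second one is the issuer of the first, which is exactly the condition the iOS clients in the post depend on; the OpenSSL verify code is reported separately because it also depends on the trust store of the machine running the check.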

Hopefully these brief notes will help one or two people converting and testing IIS/Windows server certificates for use with the Apache Tomcat / Java JKS format keystore. Good luck with your IIS to Tomcat cert projects!

About notesbytom

Keeping technology notes on WordPress.com to free up my mind to solve new problems rather than figuring out the same ones repeatedly :-).
This entry was posted in System Administration.
