This is a follow-on to my earlier post Convert Apache Httpd SSL Certificate for Tomcat. This time around we’re converting a GoDaddy SSL server certificate that has already been issued and is currently in use with the Windows IIS web server. The most important thing about this conversion is to ensure that the certificate key-pair entry in the resulting keystore file for Tomcat has the appropriate intermediate CA trust chain stored under the same entry. Without this trust chain in the right place, Tomcat will fail to send the intermediate CA certs to SSL/TLS clients during the establishment of a secure session. For many clients the absence of the intermediate CA will not be a problem because the client already has the same intermediate CA on record in its local trust store. Unfortunately some popular mobile clients – most notably iOS (iPhone / iPad) – have a stripped-down trust list that leaves out most if not all intermediate CA certs, hence the requirement that the server (Tomcat) present the appropriate intermediate certs along with the server cert to avoid TLS/SSL trust errors when the client connects. These notes attempt to describe a repeatable process to reliably convert the Windows IIS server cert to a Tomcat-compatible keystore. I will also include example commands to verify that the Tomcat keystore functions as required for clients that depend on the intermediate certs being presented in a trust chain by the server (Tomcat).
The first step is to export the server certificate/key pair, with its attached trust chain, through the Windows Certificates MMC snap-in.
- Windows Key + R (run), then type “mmc” in the “Open:” box and click “OK”
- Ctrl + M (add-remove snap-in)
- Double-click “Certificates” in the “Available snap-ins” list
- Select “Computer Account” radio button, then “Next”
- Select “Local computer” radio button, then “Finish”
- Click “OK” to return to the MMC window with the newly-added “Certificates” snap-in
- Expand “Certificates” then “Personal” nodes
- Right-click the server certificate you want to convert, then “All Tasks” – “Export”
- Step through the wizard and select “Yes, export the private key” (MANDATORY TO EXPORT KEY-PAIR)
- Select “Include all certificates in the certification path” (MANDATORY TO EXPORT TRUST CHAIN)
- NEVER EVER choose the delete-private-key option, THAT WOULD DESTROY THE CERTIFICATE IN Windows/IIS
- Select “Export all extended properties”
- Type the SAME PASSWORD you plan to use for your Tomcat Keystore (helps avoid keystore/private-key password mismatch problems with Tomcat)
- BEFORE clicking “Finish” on the Cert Export Wizard, REVIEW THE SETTINGS SELECTED (export keys = yes, include all certificates in the certification path = yes). MAKE EXTRA SURE that you’re not accidentally deleting the private key from the Windows Certificate Store.
After you have the cert saved as a *.pfx (PKCS12) file, the Java keytool can handle the rest of the conversion process.
# USING PowerShell to run example commands (provides Select-String and other useful utilities)
keytool -list -v -keystore YOUR-CERT.pfx -storetype PKCS12 | select-string "Keystore |Alias |Entry |chain |Owner: |Issuer: |\]:"
# REVIEW OUTPUT, find "Alias name" for the cert you exported

# DOWNLOAD A COPY of the root/intermediate certs corresponding to your server cert from https://certs.godaddy.com/repository/
# FILES are "gdroot-g2.crt" and "gdig2.crt" for GoDaddy G2 (generation 2) certs
keytool -import -alias gdroot-g2 -keystore TOMCAT-KEYSTORE.jks -trustcacerts -file gdroot-g2.crt
keytool -import -alias gdig2 -keystore TOMCAT-KEYSTORE.jks -trustcacerts -file gdig2.crt
# NOTE these root and intermediate certs are NOT the mandatory cert chain. They will be available to Tomcat/Java if needed.

keytool -importkeystore -srckeystore YOUR-CERT.pfx -srcstoretype PKCS12 -destkeystore TOMCAT-KEYSTORE.jks -srcalias ALIAS-FROM-KEYTOOL-LIST -destalias FRIENDLY-CERT-NAME
# This is the most important step for the conversion. The entry with the matching ALIAS (key pair plus its chain) from YOUR-CERT.pfx is imported into your JKS file
# With the same command we're also renaming the random alias from Windows to a meaningful short alias of your choice, FRIENDLY-CERT-NAME

# Verify the contents of your new Tomcat-compatible JKS file using a command like:
keytool -list -v -keystore TOMCAT-KEYSTORE.jks | select-string "Keystore |Alias |Entry |chain |Owner: |Issuer: |\]:"
# For GoDaddy G2, your "PrivateKeyEntry" should have a "chain length" of 3: Certs server, intermediate, and root
After creating your new JKS file, you must configure Tomcat to use it (server.xml) and then RESTART the Tomcat service. You can verify that the chain presented by Tomcat is valid by connecting to your site with a browser that requires a server-provided trust chain (most browsers on iOS mobile devices). Alternatively, you can use an OpenSSL command to view the trust chain presented by the server – an example command follows.
# bash shell is assumed for this example. Windows users can obtain bash with a Cygwin environment.
# Substitute your server's fully-qualified name and Tomcat SSL/TLS port number
echo "Q" | openssl s_client -connect YOUR-TOMCAT.YOUR-DOMAIN.COM:8443 | egrep 'chain|s:|i:|Verify return'

# SAMPLE OUTPUT if your new JKS file passes the trust-chain compatibility test
Certificate chain
 0 s:/OU=Domain Control Validated/CN=YOUR-TOMCAT.YOUR-DOMAIN.COM
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
Verify return code: 0 (ok)
# NOTE that the chain received from Tomcat is displayed along with the chain-verification status; "0 (ok)" means success
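The openssl check above still leaves you reading the s: / i: lines by eye. The script below is an added example (not from the original post, and not part of Tomcat or OpenSSL) that does the same check offline against captured s_client output, using only the Python standard library: each certificate's issuer must equal the next certificate's subject, and a chain consisting of the server cert alone is flagged as the "intermediate CA missing" failure this post is about. The same leaf, intermediate, root ordering is what keytool -list -v shows as Certificate[1] to Certificate[3] under the PrivateKeyEntry. The two sample outputs are constructed: the first reproduces the post's good GoDaddy G2 chain, the second is a made-up leaf-only response (return code 21 is OpenSSL's "unable to verify the first certificate"). Subjects and issuers are compared as verbatim strings, so the script also works with the newer comma-separated DN format that recent OpenSSL versions print.

```python
"""Offline check of the certificate chain a server presents, as captured from
`openssl s_client`: the leaf must be followed by its issuing intermediate CA,
each issuer must match the next subject, and the chain may end at the root.

Added example (not from the original post). Standard library only; the
sample outputs below are constructed from the post's GoDaddy G2 sample.
"""
import re
from dataclasses import dataclass

# ` 0 s:/OU=.../CN=...` lines from s_client. Subject/issuer text is kept
# verbatim, so slash-separated and "C = US, ..." formats both work as long
# as both strings come from the same tool.
CHAIN_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")
VERIFY_LINE = re.compile(r"^Verify return code:\s*(\d+)\s*\((.*)\)")


@dataclass
class ChainCert:
    position: int   # 0 = server (leaf) certificate
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def parse_s_client(output: str):
    """Return (certs in the order the server sent them, verify return code or None)."""
    certs, verify_code = [], None
    lines = output.splitlines()
    i = 0
    while i < len(lines):
        m = CHAIN_LINE.match(lines[i])
        if m and i + 1 < len(lines):
            mi = ISSUER_LINE.match(lines[i + 1])
            if mi:
                certs.append(ChainCert(int(m.group(1)), m.group(2).strip(), mi.group(1).strip()))
                i += 2
                continue
        mv = VERIFY_LINE.match(lines[i])
        if mv:
            verify_code = int(mv.group(1))
        i += 1
    return certs, verify_code


def check_chain(certs):
    """Return a list of problems; empty means leaf -> intermediate(s) [-> root] is intact."""
    if not certs:
        return ["no certificates presented"]
    problems = []
    for this, nxt in zip(certs, certs[1:]):
        if this.issuer != nxt.subject:
            problems.append(f"cert {this.position} issuer does not match cert {nxt.position} subject")
    leaf = certs[0]
    if len(certs) == 1 and not leaf.self_signed:
        # The misconfiguration the post is about: the server sends only its own
        # certificate, so clients without the intermediate CA on record fail.
        problems.append("only the server certificate was sent; intermediate CA missing")
    return problems


def summarize(output: str) -> dict:
    """One-shot report for a captured s_client run."""
    certs, code = parse_s_client(output)
    return {
        "chain_length": len(certs),
        "root_included": bool(certs) and certs[-1].self_signed,
        "verify_code": code,
        "problems": check_chain(certs),
    }


# Constructed sample: the post's "good" output (chain length 3, root included).
GOOD_OUTPUT = """\
Certificate chain
 0 s:/OU=Domain Control Validated/CN=YOUR-TOMCAT.YOUR-DOMAIN.COM
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
Verify return code: 0 (ok)
"""

# Constructed sample of the failure mode: the keystore entry carried no chain,
# so Tomcat sent the leaf alone (21 is OpenSSL's "unable to verify the first
# certificate").
LEAF_ONLY_OUTPUT = """\
Certificate chain
 0 s:/OU=Domain Control Validated/CN=YOUR-TOMCAT.YOUR-DOMAIN.COM
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
Verify return code: 21 (unable to verify the first certificate)
"""

if __name__ == "__main__":
    import sys
    # Pipe a real capture in: openssl s_client -connect host:8443 </dev/null | python3 chaincheck.py
    text = sys.stdin.read() if not sys.stdin.isatty() else GOOD_OUTPUT
    print(summarize(text))
```

Run with a real capture piped on stdin; with no input it reports on the built-in good sample. An empty "problems" list with chain_length 3 and root_included True is the result the post's sample output corresponds to; a chain_length of 1 with the "intermediate CA missing" problem is the signature of a keystore entry that was imported without its chain.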
Hopefully these brief notes will help one or two people converting and testing IIS/Windows server certificates for use with the Apache Tomcat / Java JKS format keystore. Good luck with your IIS to Tomcat cert projects!