
COMODO SSL certificate on Jboss7

I registered a domain and would like to set up SSL encryption for it. My domain provider offered to get me an SSL certificate from COMODO. I generated a key and a csr file using openSSL:

openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr

The command produced a private key, myserver.key, and the csr file. I uploaded the content of the csr to comodo, and after verification, they sent me the following files:

Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - mydomain.crt

I'm lost on where to go from here. I followed these instructions:

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/638/0/certificate-installation-java-based-web-servers-tomcat-using-keytool

and created a domain.keystore file, but I'm not sure if that's the right thing to do or not. My configuration in Jboss now looks like this:

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="mydomain" password="*****" protocol="TLSv1" certificate-key-file="../standalone/configuration/domain.keystore"/>
</connector>

But that doesn't seem to work. I get no error in the server log; the page simply times out. If I use http it works normally. Any advice?

EDIT:

I took a different approach; I generated my keystore in this way:

keytool -genkey -alias domain -keyalg RSA -keysize 2048 -keystore domain.keystore

then I uploaded the new csr info to comodo and got the three .crt certificates back. I imported them into the keystore with this command:

keytool -import -trustcacerts -alias domain -file domain.crt -keystore domain.keystore

and then I used the keystore in the standalone.xml in this way:

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="domain-ssl" key-alias="domain" password="******" certificate-key-file="../standalone/configuration/domain.keystore" protocol="TLSv1"/>
</connector>

The server starts, but when I try to connect to it, my browser says that the connection is untrusted:

domain uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
(Error code: sec_error_ca_cert_invalid)

I finally managed to get the installation right! Here's how you do it:

Install the COMODO certificates into your keystore with this command:

keytool -import -trustcacerts -alias <filename> -file <filename>.crt -keystore domain.keystore

in the following order:

» Root: AddTrustExternalCARoot.crt
» Intermediate 1: COMODOAddTrustServerCA.crt
» Intermediate 2: COMODOExtendedValidationSecureServerCA.crt 

Then install your domain certificate:

keytool -import -trustcacerts -alias mykey -file yourDomainName.crt -keystore domain.keystore

Instead of mykey, you should use the same alias that you used to generate your keystore. If you do everything correctly, you should get this output:

Certificate reply was installed in keystore

Anything else means you probably didn't use the correct alias. The final thing you need to do is to modify your standalone.xml like this:

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="<domain>-ssl" key-alias="<domain>" password="******" certificate-key-file="../standalone/configuration/<domain>.keystore"/>
</connector>

And you should be good to go!

 My domain provider offered me to get a SSL certificate from COMODO... ... Any advice? 

Don't pay for the certificate. You can get a free Class 1 certificate from Startcom. The Class 1 is good for server authentication without a wildcard domain. If you want an extended validation certificate or a wildcard certificate, then you will have to buy a Class 2 or higher.

Also, while Startcom issues the certificate for free, they charge for revocation because that's where the cost lies.


I'm lost on where to go from here...

Convert Intermediate CA Certificate - COMODORSAAddTrustCA.crt, Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt and Your PositiveSSL Certificate - mydomain.crt to PEM files. PEM files are the ones that start with -----BEGIN CERTIFICATE----- and finish with -----END CERTIFICATE-----.

Then, concatenate your three PEM files into a single file. The file will have three certificates in it. Call it mydomain-chain.pem, and load that into your server. Also load myserver.key into your server.

Don't do anything with Root CA Certificate - AddTrustExternalCARoot.crt. Clients have to use it as a root. There's no {use|need} to send it to the client in the ServerHello.

You can test your setup with the following. Notice how the client uses the root:

openssl s_client -connect myserver:443 -CAfile AddTrustExternalCARoot.crt

The command should end with Verify (0) OK or similar.
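The two rules in this answer (leaf first, each certificate issued by the one after it, root left out) are easy to get wrong when concatenating files by hand. The script below is an added example, not code from the answer or from COMODO: it splits a PEM bundle, walks just far enough into each certificate's DER to pull out the subject and issuer Names, and reports ordering mistakes and a needlessly appended root. The sample certificates are constructed inline (unsigned, dummy key, CNs modelled on the file names in the question), so the check runs offline; the openssl s_client command above remains the real end-to-end test.

```python
"""Added example: offline sanity check of a concatenated PEM chain (mydomain-chain.pem).
Parses only subject/issuer with a minimal DER walker; the sample certificates below are
CONSTRUCTED (unsigned, placeholder key) and are not real COMODO certificates."""
import base64
import re
import textwrap

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def split_pem(bundle: str) -> list:
    """DER bytes of every certificate block in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(bundle)]

def _tlv(buf: bytes, pos: int):
    """Read one DER TLV; return (tag, tlv_start, value_start, tlv_end)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, start, pos, pos + length

def subject_and_issuer(der: bytes):
    """Walk Certificate -> tbsCertificate; return the raw DER of the (subject, issuer) Names."""
    _, _, pos, _ = _tlv(der, 0)                    # Certificate SEQUENCE
    _, _, pos, _ = _tlv(der, pos)                  # tbsCertificate SEQUENCE
    tag, _, _, end = _tlv(der, pos)
    if tag == 0xA0:                                # optional [0] EXPLICIT version
        pos = end
    for _ in range(2):                             # serialNumber, signature AlgorithmIdentifier
        _, _, _, pos = _tlv(der, pos)
    _, istart, _, pos = _tlv(der, pos)             # issuer Name
    issuer = der[istart:pos]
    _, _, _, pos = _tlv(der, pos)                  # validity
    _, sstart, _, pos = _tlv(der, pos)             # subject Name
    return der[sstart:pos], issuer

def common_name(name_der: bytes) -> str:
    """First CN (OID 2.5.4.3) inside a DER Name, for readable messages."""
    _, _, pos, end = _tlv(name_der, 0)             # Name ::= SEQUENCE OF RDN
    while pos < end:
        _, _, atv_pos, rdn_end = _tlv(name_der, pos)        # RDN ::= SET OF AttributeTypeAndValue
        _, _, oid_pos, _ = _tlv(name_der, atv_pos)          # AttributeTypeAndValue SEQUENCE
        _, _, oid_vs, oid_end = _tlv(name_der, oid_pos)     # type OID
        _, _, vs, ve = _tlv(name_der, oid_end)              # value string
        if name_der[oid_vs:oid_end] == b"\x55\x04\x03":
            return name_der[vs:ve].decode()
        pos = rdn_end
    return "<no CN>"

def check_chain(bundle: str) -> list:
    """Problems found in a server chain; an empty list means leaf -> intermediates with no root."""
    certs = split_pem(bundle)
    if not certs:
        return ["no PEM certificate blocks found"]
    names = [subject_and_issuer(c) for c in certs]
    problems = []
    for i in range(len(names) - 1):
        if names[i][1] != names[i + 1][0]:
            problems.append(f"cert {i + 1} ({common_name(names[i][0])}) is not issued by "
                            f"cert {i + 2} ({common_name(names[i + 1][0])})")
    if names[-1][0] == names[-1][1]:
        problems.append(f"last cert ({common_name(names[-1][0])}) is self-signed: the root belongs "
                        "in the client trust store, not in the server chain")
    return problems

def _der(tag: int, payload: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample certificates."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _name(cn: str) -> bytes:
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))

def fake_cert_pem(subject: str, issuer: str) -> str:
    """CONSTRUCTED test data: structurally valid, unsigned certificate with dummy key/signature."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + _name(issuer)
               + _der(0x30, _der(0x17, b"240101000000Z") * 2) + _name(subject) + _der(0x30, b""))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed names mirroring the file names in the question (not the real certificates)
LEAF = fake_cert_pem("mydomain.example", "COMODO RSA Domain Validation Secure Server CA")
INTER2 = fake_cert_pem("COMODO RSA Domain Validation Secure Server CA", "COMODO RSA Certification Authority")
INTER1 = fake_cert_pem("COMODO RSA Certification Authority", "AddTrust External CA Root")
ROOT = fake_cert_pem("AddTrust External CA Root", "AddTrust External CA Root")
GOOD_CHAIN = LEAF + INTER2 + INTER1   # what mydomain-chain.pem should contain
WRONG_ORDER = INTER1 + INTER2 + LEAF  # intermediates concatenated ahead of the leaf
WITH_ROOT = GOOD_CHAIN + ROOT         # root needlessly appended

if __name__ == "__main__":
    for label, bundle in (("good", GOOD_CHAIN), ("wrong order", WRONG_ORDER), ("with root", WITH_ROOT)):
        print(f"{label}: {check_chain(bundle) or 'OK'}")
```

Run it against a real bundle with `check_chain(open("mydomain-chain.pem").read())`; the DER walker reads only the fixed-position fields before the public key, so it works on any standard X.509 certificate without a third-party library.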

Failed to load keystore type JKS with path ../standalone/configuration/mydomain-chain.pem due to Invalid keystore format: which means your keystore is not valid. Don't create a new one; use the keystore file you created while submitting the csr file to them. Use the same keystore; if you change the keystore it's not accepted.
