
How does Tomcat know which certificate to provide

I'm using a Tomcat server as a servlet container. I wanted the connections to this server to be secure ("https"), so I created a keystore using the command keytool -genkey -keyalg RSA -keystore tomcat.jks. I filled in the prompt questions, then generated a CSR from this key and signed it using another certificate, then I imported the signed certificate into my keystore. But after running the server and checking the certificate that came to the browser, I find that it is the same as the PrivateKeyEntry in the keystore, not the signed certificate; it even has the SHA1 fingerprint of the entry that matches the PrivateKeyEntry. My question is: should Tomcat provide the signed certificate in this case? Why is it providing the PrivateKeyEntry when asked for a certificate? And what will it do if there is more than one certificate in the keystore file, and more than one private key entry?

You need to import the signed certificate using the same alias as when you generated the private/public key pair. Otherwise the certificate isn't associated with the private key, which is required for SSL, and the original certificate-wrapper for the private key is used instead.

I have multiple certificates in my Tomcat keystore. Each of my <Connector> elements in my server.xml refers to the same keystore but a different certificate. When you import the certificate into the keystore, you should specify an alias for that entry and tell the connector which alias to use.

<Connector ... keyAlias="myalias" ... >
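The condition both answers describe can be detected from the output of keytool -list -v. The following Python check is an added example, not code from the original question or answers: the listing is constructed, the alias "signed" and the function names are hypothetical, and "mykey" is the alias keytool assigns when -alias is omitted, as in the question's command.

```python
# Constructed `keytool -list -v` excerpt: signed cert imported under a new alias.
SAMPLE_LISTING = """\
Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.test, O=Example
Issuer: CN=www.example.test, O=Example

Alias name: signed
Entry type: trustedCertEntry

Owner: CN=www.example.test, O=Example
Issuer: CN=Example Test CA, O=Example
"""

FIELDS = {"Entry type": "type", "Certificate chain length": "chain",
          "Owner": "owner", "Issuer": "issuer"}

def parse_entries(listing):
    """Return one dict per alias; owner/issuer are those of the first (leaf) cert."""
    entries = []
    for raw in listing.splitlines():
        name, sep, value = raw.strip().partition(": ")
        if not sep:
            continue
        if name == "Alias name":
            entries.append({"alias": value, "type": None, "chain": None,
                            "owner": None, "issuer": None})
        elif entries and name in FIELDS and entries[-1][FIELDS[name]] is None:
            entries[-1][FIELDS[name]] = value
    return entries

def diagnose(listing, key_alias):
    """List reasons the connector's keyAlias would not serve the CA-signed cert."""
    entries = parse_entries(listing)
    key = next((e for e in entries if e["alias"] == key_alias), None)
    if key is None or key["type"] != "PrivateKeyEntry":
        return [f"alias '{key_alias}' is not a PrivateKeyEntry, so it has no private key to serve"]
    findings = []
    if key["owner"] == key["issuer"] and key["chain"] == "1":
        findings.append(f"'{key_alias}' still holds the self-signed certificate from -genkey")
        for e in entries:
            if (e["type"] == "trustedCertEntry" and e["owner"] == key["owner"]
                    and e["issuer"] != e["owner"]):
                findings.append(f"signed certificate for the same subject is under '{e['alias']}' "
                                f"with no private key; re-import it with -alias {key_alias}")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_LISTING, "mykey")))
```

After a correct import under the key pair's alias, the PrivateKeyEntry shows an Issuer that differs from its Owner and the check returns no findings.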
