Hi,
We have an issue with our Java JDK 1.4.2 Keystore.
It will not display a newly certified Cert for Tomcat.
OS/Tomcat/Java:
Windows 2003 Std R2 SP2.
Tomcat 4.1.31 - JDK 1.4.2.
Tomcat/Java References:
http://tomcat.apache.org/tomcat-4.1-doc/ssl-howto.html
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html#Examples
http://help.godaddy.com/article/5239
Details:
1. Create a local/Self-signed Certificate (as described in the previous section):
C:\xxxxx\_jvm\bin>keytool -genkey -alias supply -keyalg RSA -keysize 2048 -keystore supply_keystore
Enter keystore password: changeit
What is your first and last name?
[Unknown]: xxxxx.weirminerals.com
What is the name of your organizational unit?
[Unknown]: IT Dept
What is the name of your organization?
[Unknown]: Weir Minerals North America
What is the name of your City or Locality?
[Unknown]: XXXXX
What is the name of your State or Province?
[Unknown]: Wisconsin
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=xxxxx.weirminerals.com, OU=IT Dept, O=Weir Minerals North America, L=XXXXXX, ST=Wisconsin, C=US correct?
[no]: yes
Enter key password for <supply>
(RETURN if same as keystore password): changeit
2. Generate CSR here:
keytool -certreq -keyalg RSA -alias supply -file certreq.csr -keystore supply_keystore
Enter keystore password: changeit
The file should be encoded in PEM format? Correct?
3. Here is what I have in the keystore:
C:\xxxxxxx\_jvm\bin>keytool -list -v -keystore supply_keystore
Enter keystore password: changeit
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: supply
Creation date: Feb 18, 2010
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=xxxxxxx.weirminerals.com, OU=IT Dept, O=Weir Minerals North America,
L=xxxxxxx, ST=Wisconsin, C=US
Issuer: CN=xxxxxxx.weirminerals.com, OU=IT Dept, O=Weir Minerals North America
, L=, ST=Wisconsin, C=US
Serial number: 4b7d54b0
Valid from: Thu Feb 18 08:54:40 CST 2010 until: Wed May 19 09:54:40 CDT 2010
Certificate fingerprints:
MD5: C7:DF:DB:F0:1D:F4:55:C0:FE:24:A6:00:51:6B:F8:EF
SHA1: DE:64:58:38:8C:37:07:AC:8D:C8:70:CF:F0:83:FA:6E:E1:DA:63:A8
*******************************************
*******************************************
4. Import the root CA Cert:
C:\xxxxxxx\_jvm\bin>keytool -import -alias root -keystore supply_keystore -trustcacerts -file gd_bundle.crt
Enter keystore password: changeit
Owner: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=htt
p://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST
=Arizona, C=US
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.
", C=US
Serial number: 301
Valid from: Wed Nov 15 19:54:37 CST 2006 until: Sun Nov 15 19:54:37 CST 2026
Certificate fingerprints:
MD5: D5:DF:85:B7:9A:52:87:D1:8C:D5:0F:90:23:2D:B5:34
SHA1: 7C:46:56:C3:06:1F:7F:4C:0D:67:B3:19:A8:55:F6:0E:BC:11:FC:44
Trust this certificate? [no]: yes
Certificate was added to keystore
5. Import Cross Intermediate Cert from CA:
C:\xxxxxxx\_jvm\bin>keytool -import -alias cross -keystore supply_keystore -trustcacerts -file gd_cross_intermediate.crt
Enter keystore password: changeit
Owner: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc."
, C=US
Issuer:
[email protected], CN=http://www.valicert.com/, OU=ValiCert
Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation
Network
Serial number: 10d
Valid from: Tue Jun 29 12:06:20 CDT 2004 until: Sat Jun 29 12:06:20 CDT 2024
Certificate fingerprints:
MD5: 82:BD:9A:0B:82:6A:0E:3E:91:AD:3E:27:04:2B:3F:45
SHA1: DE:70:F4:E2:11:6F:7F:DC:E7:5F:9D:13:01:2B:7E:68:7A:3B:2C:62
Trust this certificate? [no]: yes
Certificate was added to keystore
6. Import the Intermediate CA Cert:
C:\xxxxxxx\_jvm\bin>keytool -import -alias intermed -keystore supply_keystore -trustcacerts -file gd_intermediate.crt
Enter keystore password: changeit
Certificate already exists in keystore under alias <root>
Do you still want to add it? [no]: yes
Certificate was added to keystore
7. Review Keystore again:
C:\xxxxxxx\_jvm\bin>keytool -list -v -keystore supply_keystore
Enter keystore password: changeit
Keystore type: jks
Keystore provider: SUN
Your keystore contains 4 entries
Alias name: root
Creation date: Feb 18, 2010
Entry type: trustedCertEntry
Owner: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=htt
p://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST
=Arizona, C=US
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.
", C=US
Serial number: 301
Valid from: Wed Nov 15 19:54:37 CST 2006 until: Sun Nov 15 19:54:37 CST 2026
Certificate fingerprints:
MD5: D5:DF:85:B7:9A:52:87:D1:8C:D5:0F:90:23:2D:B5:34
SHA1: 7C:46:56:C3:06:1F:7F:4C:0D:67:B3:19:A8:55:F6:0E:BC:11:FC:44
*******************************************
*******************************************
Alias name: supply
Creation date: Feb 18, 2010
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=xxxxxxx.weirminerals.com, OU=IT Dept, O=Weir Minerals North America,
L=xxxxxxx, ST=Wisconsin, C=US
Issuer: CN=xxxxxxx.weirminerals.com, OU=IT Dept, O=Weir Minerals North America
, L=xxxxxxx, ST=Wisconsin, C=US
Serial number: 4b7d54b0
Valid from: Thu Feb 18 08:54:40 CST 2010 until: Wed May 19 09:54:40 CDT 2010
Certificate fingerprints:
MD5: C7:DF:DB:F0:1D:F4:55:C0:FE:24:A6:00:51:6B:F8:EF
SHA1: DE:64:58:38:8C:37:07:AC:8D:C8:70:CF:F0:83:FA:6E:E1:DA:63:A8
*******************************************
*******************************************
Alias name: cross
Creation date: Feb 18, 2010
Entry type: trustedCertEntry
Owner: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc."
, C=US
Issuer:
[email protected], CN=http://www.valicert.com/, OU=ValiCert
Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation
Network
Serial number: 10d
Valid from: Tue Jun 29 12:06:20 CDT 2004 until: Sat Jun 29 12:06:20 CDT 2024
Certificate fingerprints:
MD5: 82:BD:9A:0B:82:6A:0E:3E:91:AD:3E:27:04:2B:3F:45
SHA1: DE:70:F4:E2:11:6F:7F:DC:E7:5F:9D:13:01:2B:7E:68:7A:3B:2C:62
*******************************************
*******************************************
Alias name: intermed
Creation date: Feb 18, 2010
Entry type: trustedCertEntry
Owner: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=htt
p://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST
=Arizona, C=US
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.
", C=US
Serial number: 301
Valid from: Wed Nov 15 19:54:37 CST 2006 until: Sun Nov 15 19:54:37 CST 2026
Certificate fingerprints:
MD5: D5:DF:85:B7:9A:52:87:D1:8C:D5:0F:90:23:2D:B5:34
SHA1: 7C:46:56:C3:06:1F:7F:4C:0D:67:B3:19:A8:55:F6:0E:BC:11:FC:44
*******************************************
*******************************************
8. Import the CSR - signed Cert from GoDaddy CA:
C:\xxxxxxx\_jvm\bin>keytool -import -alias supply -keystore supply_keystore -trustcacerts -file xxxxxxx.weirminerals.com.crt
Enter keystore password: changeit
keytool error: java.lang.Exception: Failed to establish chain from reply
C:\xxxxxxx\_jvm\bin>
Not sure what happened here?
Any clues as to why I can't import?
If I change the alias it works but then I can't use this new certified Cert - the self-signed one is the only one Tomcat will use!
Any ideas?
Thanks in advance.
-P
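
The keystore listing from step 7, traced as a chain, as an added example that is not part of the original post: the Python below follows Issuer to Owner links through the trustedCertEntry items and reports the first issuer DN that has no matching entry. It assumes wrapped console lines have been joined, and REPLY_ISSUER is a guessed value because the post does not show the signed certificate's issuer.

```python
import re

# Condensed from the `keytool -list -v` output in the post: wrapped lines joined,
# DNs shortened, duplicate alias "intermed" (same cert as "root") left out.
LISTING = """\
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Go Daddy Secure Certification Authority, O="GoDaddy.com, Inc.", C=US
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Alias name: supply
Entry type: keyEntry
Owner: CN=xxxxxxx.weirminerals.com, O=Weir Minerals North America, C=US
Issuer: CN=xxxxxxx.weirminerals.com, O=Weir Minerals North America, C=US
Alias name: cross
Entry type: trustedCertEntry
Owner: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Issuer: OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc."
"""

# Assumption: the post never shows the signed reply's issuer; this DN is a guess.
REPLY_ISSUER = 'CN=Go Daddy Secure Certification Authority, O="GoDaddy.com, Inc.", C=US'
FIELDS = {"Entry type": "type", "Owner": "owner", "Issuer": "issuer"}
LINE = re.compile(r"^(Alias name|Entry type|Owner|Issuer):[ \t]*(.*)$", re.M)

def parse_entries(listing):
    """Return {alias: {'type', 'owner', 'issuer'}} from `keytool -list -v` text."""
    entries, current = {}, None
    for key, value in LINE.findall(listing):
        if key == "Alias name":
            current = entries.setdefault(value.strip(), {})
        elif current is not None:
            current[FIELDS[key]] = value.strip()
    return entries

def trace_chain(entries, issuer):
    """Walk issuer -> owner through trusted entries (DN match only, no signature
    check). Returns (aliases, missing_dn); None means a self-signed root was hit."""
    trusted = {e["owner"]: (a, e) for a, e in entries.items()
               if e.get("type") == "trustedCertEntry"}
    path = []
    while issuer in trusted and trusted[issuer][0] not in path:
        alias, entry = trusted[issuer]
        path.append(alias)
        if entry["owner"] == entry["issuer"]:
            return path, None
        issuer = entry["issuer"]
    return path, issuer
```

The walk covers only supply_keystore; with -trustcacerts, keytool also considers the certificates in the JRE's cacerts file, which the post does not list.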