So I recently acquired a free HTTPS certificate from StartSSL. All well and good; this was fairly easy. Now I have 4 files at my disposal:
At that stage I'm fine: I'm about to configure HTTPS and get on with my life. As it turned out, things weren't going to go that way.
Tomcat needs a keystore. None of those files will do the trick on its own, of course, and none of the naive attempts I was about to try worked either. It's not just a matter of throwing the three certs into a keystore. Oh no, it's a bit more than that.
As usual, Stack Overflow pointed me in the right direction.
# Strip the passphrase from the private key (the output is unencrypted: keep it readable only by the Tomcat user)
openssl rsa -in pk.mydomain.com -out out/ssl.key
# Build the chain: the intermediate that signed the cert first, then the root
cat sub.class1.server.ca.pem ca.pem > out/intcacerts.pem
# Bundle key, cert and chain into a PKCS12 keystore; -name is the alias Tomcat's keyAlias refers to
openssl pkcs12 -export -in ssl.crt -inkey out/ssl.key -certfile out/intcacerts.pem -name "mydomain" -out out/keyandcerts.p12
And that's it. Now, in the server.xml you would find the following:
And that's all. If you have several domain names running on your Tomcat instance, you need a certificate that will accommodate them all, because to this day Tomcat cannot present a different certificate for different hosts.
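The same three steps as a script, with the checks I would run before pointing Tomcat at the keystore (an added example, not code from the original post, StartSSL or Tomcat): it strips the passphrase under a restrictive umask, reads the keystore password from the KS_PASS environment variable instead of the command line, and verifies that the key matches the certificate, that the certificate chains to the root through the intermediate, and that the .p12 really carries the chain under the expected alias. File names are the ones used above; build_keystore, check_keystore and KS_PASS are assumed names.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the three commands above in a
# function and adds the checks worth running before Tomcat loads the keystore.
# File names follow the post; the .p12 password is read from $KS_PASS (assumed name).
set -e

# build_keystore KEY LEAF INTERMEDIATE ROOT ALIAS OUTDIR
build_keystore() {
  key=$1 leaf=$2 inter=$3 root=$4 alias=$5 out=$6
  umask 077                                   # decrypted key and .p12 are secrets
  mkdir -p "$out"
  # strip the passphrase so Tomcat can load the key without prompting
  openssl rsa -in "$key" -out "$out/ssl.key" 2>/dev/null
  # chain order: the leaf's issuer first, the root last
  cat "$inter" "$root" > "$out/intcacerts.pem"
  # -name becomes the alias Tomcat's keyAlias refers to; env: keeps the
  # password out of the process list
  openssl pkcs12 -export -in "$leaf" -inkey "$out/ssl.key" \
    -certfile "$out/intcacerts.pem" -name "$alias" \
    -passout env:KS_PASS -out "$out/keyandcerts.p12"
}

# check_keystore LEAF INTERMEDIATE ROOT P12 ALIAS  -> 0 only if all checks pass
check_keystore() {
  leaf=$1 inter=$2 root=$3 p12=$4 alias=$5
  # 1. the private key inside the .p12 must belong to the leaf certificate
  k=$(openssl pkcs12 -in "$p12" -nocerts -nodes -passin env:KS_PASS 2>/dev/null \
      | openssl pkey -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$leaf" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ] || { echo "key in $p12 does not match $leaf" >&2; return 1; }
  # 2. the leaf must validate up to the root through the intermediate
  openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1 \
    || { echo "$leaf does not chain to $root" >&2; return 1; }
  # 3. the .p12 must carry the whole chain and the expected alias
  info=$(openssl pkcs12 -in "$p12" -nokeys -passin env:KS_PASS 2>/dev/null)
  n=$(printf '%s\n' "$info" | grep -c 'BEGIN CERTIFICATE' || true)
  [ "$n" -ge 3 ] || { echo "expected leaf + 2 CA certs, found $n" >&2; return 1; }
  printf '%s\n' "$info" | grep -q "friendlyName: $alias" \
    || { echo "alias $alias not found in $p12" >&2; return 1; }
}
```

A keystore built without -certfile passes the first two checks and fails the third, which is exactly the "works in the browser that already trusts the intermediate, fails everywhere else" situation.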