openssl req -newkey rsa:2048 -sha512 -subj "/C=US/ST=Texas/O=MyCompany, Inc./.mycompany.com" -reqexts SAN -config <(printf "[SAN]\nsubjectAltName=DNS:myserver.mycompany.com,DNS:othername.mycompany.com,DNS:othername2.mycompany.com\n[req]\ndistinguished_name = req_distinguished_name\n[req_distinguished_name]\n") -out ~/myserver.mycompany.com.csr -keyout myserver.mycompany.com.key
|
Submit the SSL cert at geocerts. When it is approved, download it again.
It will include an intermediate cert, so you have to combine the whole cert chain with the cert itself to have the cert be presented with its whole chain, e.g.:
curl https://www.geocerts.com/pickup/aafccdd107747f76d73048fee9db132352d7sdfsd0b8/dynamic
|
.zip > myserver.mycompany.com.zip
|
unzip myserver.mycompany.com.zip
|
cat GeoTrust_CA_Bundle.txt SSL_myserver_mycompany_com.txt > myserver.mycompany.com-certchain.crt
|
keytool -keystore keystore -import -alias myserver.mycompany.com -file myserver.mycompany.com-certchain.crt -trustcacerts
|
openssl pkcs12 -inkey myserver.mycompany.com.key -in myserver.mycompany.com-certchain.crt -export -out myserver.mycompany.com-certchain.pkcs12
|
keytool -importkeystore -srckeystore myserver.mycompany.com-certchain.pkcs12 -srcstoretype PKCS12 -destkeystore keystore
|
Now, copy this to the application's conf directory, where it expects the keytool to be, and restart the java/tomcat daemon.
If the daemon does not stay running, then are you sure that your private key and keystore passwords are the same? If not, do this to change the password for the private key to match the keystore (and also note that your app will have to be configured to know what the keystore password is):
keytool -keypasswd -alias 1 -keystore keystore
