I normally install SSL by creating a CSR and then have the SSL provider generate the certificates. GoDaddy would normally give a zip of 3 certificate files: root, interm, website. This works fine.
But now I am trying to install a certificate from Ionos on a Tomcat server. I followed "How to install GoDaddy SSL certificates in Tomcat without CSR?"
This is because you can't give Ionos a CSR, but need to download your private key and certificate files. This worked, sort of, web browsers https works and they say the certificate is valid. But it fails on Android. If I check the certificate here, https://www.digicert.com/help/
It shows, "The certificate is not signed by a trusted authority (checking against Mozilla's root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform."
Which seems to mean the root or interm certificate can't be found. Ionos only gives me 2 certificate files, the website, and the interm, it does not give me the root. Any idea on how to get the root certificate for Ionos?
What I did for Tomcat was,
openssl pkcs12 -export -in web.cer -inkey private.key -out cert_and_key.p12 -name tomcat -CAfile interm.cer -caname root
./keytool -importkeystore -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -alias tomcat -keystore tomcat.keystore
./keytool -import -trustcacerts -alias intermed -file inter.cer -noprompt -keystore tomcat.keystore
I think the issue is the first command should have the root not interm? Any ideas?
Okay, finally got this working.
Hint was from, GoDaddy SSL Certificate installation in tomcat... No certificate matches private key
need to use the -chain argument in openssl, final code,
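Added example (not the poster's final command): a check that shows why the first attempt served only the website certificate. Without `-chain`, `openssl pkcs12 -export` ignores `-CAfile` and the key entry carries the leaf alone. The throwaway root/interm/web hierarchy, file names and the `changeit` password are constructed for the demo.

```shell
#!/bin/sh
# Added example: every name, subject and password here is constructed.

# Print how many certificates a PKCS12 file carries (1 = leaf only, no chain).
p12_cert_count() {  # usage: p12_cert_count FILE PASSWORD
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Issue NAME.pem signed by CA.pem/CA.key: issue NAME CA EXTFILE
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -days 1 -extfile "$3" -out "$1.pem" 2>/dev/null
}

# Build a demo root -> interm -> web hierarchy in DIR, then export the key
# entry twice: as in the question (-CAfile only) and again with -chain.
build_demo() {  # usage: build_demo DIR
    ( cd "$1" || exit 1
      printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
      printf 'basicConstraints=CA:FALSE\n' > leaf.ext
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-root" \
          -keyout root.key -out root.csr 2>/dev/null
      openssl x509 -req -in root.csr -signkey root.key -days 1 \
          -extfile ca.ext -out root.pem 2>/dev/null
      issue interm root ca.ext
      issue web interm leaf.ext
      # -chain needs every issuer up to the root available in -CAfile
      cat interm.pem root.pem > ca-bundle.pem
      openssl pkcs12 -export -in web.pem -inkey web.key -name tomcat \
          -CAfile ca-bundle.pem -caname root \
          -passout pass:changeit -out nochain.p12
      openssl pkcs12 -export -in web.pem -inkey web.key -name tomcat \
          -CAfile ca-bundle.pem -chain \
          -passout pass:changeit -out chain.p12 )
}
```

Run `p12_cert_count` on a real `cert_and_key.p12` before importing it with keytool; a count of 1 means Tomcat will not send the intermediate, which is what the DigiCert checker and Android were reporting.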