VintageBigBlue.org

 
Nov 12, 2018

Creating a GoDaddy SHA2 SSL

Certificate for Tomcat

The instructions on the GoDaddy website for generating and installing your SSL certificate are incomplete and do not leave you with a SHA2 certificate. SHA1 is verbotten by most up to date browsers as a serious flaw was found in the hash function several years ago. This is the process I came up with when I tested my old certificate at Qualys SSL Labs and was shocked to discover it was out of date SHA1. This process is for a linux server, like the cleaning lady said "I Don't Do Windows".

From a terminal:

You will be asked to create and verify a password for the keystore. Note the "-sigalg SHA256withRSA" option is what GoDaddy is missing and is critical to getting a SHA2 certificate.

 

You will be asked the standard questions. Remember, when it first asks for your name enter the fully qualified domain name for the certifcate. Ex. vintagebigblue.org Organization and organizational unit are up to you. Most small websites will use the owner's name and maybe DBA 'some name' for the fields. If you are incorporated you should excercise due diligence on what your legal department wants here. City, state, and country code follow. Use the information GoDaddy has on file for your account. It will then print a summary of your entries and ask you to verify it's correctness. Your request is in my.csr and the begining of the begin line thru the end of the end line should be copied into the text area on GoDaddy's website. Wait a while and you get an email the cert is ready to download. The Tomcat instructions on GoDaddy also show file names that are not correct with respect to the files you actually get. Mine look like this:

<random hex string>.crt
gd_bundle-g2-g1.crt
gdig2.crt

Which leads to the following commands to put them in the keystore. You will be asked for the password on each of them.

 

On this one it will warn you it is already in the keystore. You want to respond "yes" to include it anyway.

 
 

When done your keystore is ready for use.

Another Note: If you should add additional domain names to an existing certifacte (a UCC cert) GoDaddy gives you the impression you do not have to start from the begining. This does not work (twice it failed for me) and you must start from scratch after adding the new domains.


Contact Us
This Site's Privacy Policy
Google's privacy policies