Import Intermediate CA Certificate

Hi All,

I am new to SSL certificate issue. My company plan to provide the web services on HTTPS, so I made the order of the trial SSL certificate for testing. I used keytool to create the keystore and csr, and then got the email back from Comodo with the attachment of certificate files.

According to Sectigo, it said there are 3 files compressed in the zip file, but in my email there are 5 certificates listed as below.

* Root CA Certificate - AddTrustExternalCARoot.crt
* Intermediate CA Certificate - UTNAddTrustServerCA.crt
* Intermediate CA Certificate - ComodoUTNServerCA.crt
* Intermediate CA Certificate - EssentialSSLCA.crt
* Your Free SSL Certificate - 10_xx_x_xx.crt

I would like to know that which Intermediate CA Certificate I need to make the keystore to trust.

Another issue I faced was that I tried to import ComodoUTNServerCA.crt as the Intermediate CA Certificate to the keystore. Then when I set the keystore to Tomcat server on Windows XP (will move to Tomcat on Sun Solaris for production environment), I got the result that the Internet Explorer 7 SSL Certificate Not trusted. However, it worked fine on IE6 and Firefox. I saw the same issue in,1277.0.html, but afcberty used Apache as webserver.

Could anyone please suggest me how to solve the problem? Thank you for help in advance.




Please visit and check the knowledgebase.

Your URL you have is to an old set of instructions.

Please make sure you install each intermediate by going through the intermediate instructions for each one.

If you need further help please submit a ticket at


 We were unable to find the updated directions in the knowledgebase.

 However, we got it working for our keystore used with TomCat by adding each certificate to the keystore in the order listed in the e-mail.  (You have the same order in your post.)

 Start by adding the " AddTrustExternalCARoot.crt" with an alias of "root" then you can just choose reasonable names for the other certificates as you work your way down.  For your own cert, you'll want to use the same alias name you used to generate the certificate request.