InstantSSL on Tomcat

I bought a certificate and added it following the manual "Certificate Installation: Java Based Web Servers (Tomcat) using keytool". From the same instructions ("Organization Validation (SHA-2)") I downloaded the certificates AddTrustExternalCARoot.crt, comodorsaaddtrustca.crt and comodorsaorganizationvalidationsecureserverca.crt. I ran the commands:
c:\Progra~1\Java\jre6\bin\keytool.exe -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore krd.keystore
c:\Progra~1\Java\jre6\bin\keytool.exe -import -trustcacerts -alias comodorsaaddtrustca -file comodorsaaddtrustca.crt -keystore krd.keystore
c:\Progra~1\Java\jre6\bin\keytool.exe -import -trustcacerts -alias comodorsaorganizationvalidationsecureserverca -file comodorsaorganizationvalidationsecureserverca.crt -keystore krd.keystore
c:\Progra~1\Java\jre6\bin\keytool.exe -import -trustcacerts -alias -file krd_ru.crt -keystore krd.keystore

I did not get the message: Certificate reply was installed in keystore. I get the message: Certificate was added to keystore. After installation, I have problems.


It would be useful to know what problem you are seeing.

Plus, in your reply, could you list the certificates in the keystore using the command found here:



write that I’m using a self-signed certificate

The file is attached.

[attachment deleted by admin]


The issue I see is that the server is returning this error:

Technical Details uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for (Error code: sec_error_unknown_issuer)

This normally means that when you imported the main certificate for you used a different alias.
Looking at the file you attached I think the alias you used was ‘tomcat’.
So, importing the main certificate again using that alias might resolve the issue.


keytool error: Public key in reply and keystore don’t match.


At this stage I would suggest deleting the keystore and creating the CSR again from the beginning.

Send the new CSR to support, with the order number, and ask them to reissue the certificate from the new CSR.

Submit a ticket here to do that:

Make a note of the alias you used when creating the CSR.

When you receive the newly issued certificates, import them again and ensure the main site certificate is imported using the alias you made note of earlier.
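
The reissue procedure from the reply above, written out as keytool commands. This is an added example, not part of the original thread. It assumes the alias tomcat mentioned earlier in the thread; krd.csr and the -dname values are constructed placeholders.

```bat
rem Added example. Paths, keystore and certificate file names are taken from the thread;
rem krd.csr and the -dname values are constructed placeholders.
set KEYTOOL=c:\Progra~1\Java\jre6\bin\keytool.exe
set KS=krd.keystore
set ALIAS=tomcat

rem 1. Start from a fresh keystore: generate a new key pair under the alias to remember.
%KEYTOOL% -genkeypair -alias %ALIAS% -keyalg RSA -keysize 2048 -keystore %KS% -dname "CN=www.example.com, O=Example Org, C=US"

rem 2. Create the CSR from that same alias and send it to support for the reissue.
%KEYTOOL% -certreq -alias %ALIAS% -file krd.csr -keystore %KS%

rem 3. When the reissued certificates arrive, import the CA chain first, root downwards,
rem    each under its own alias.
%KEYTOOL% -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore %KS%
%KEYTOOL% -import -trustcacerts -alias comodorsaaddtrustca -file comodorsaaddtrustca.crt -keystore %KS%
%KEYTOOL% -import -trustcacerts -alias comodorsaorganizationvalidationsecureserverca -file comodorsaorganizationvalidationsecureserverca.crt -keystore %KS%

rem 4. Import the site certificate under the SAME alias as the key pair from step 1.
rem    Any other alias stores it as a separate trusted certificate, and the private key
rem    entry keeps its self-signed certificate.
%KEYTOOL% -import -trustcacerts -alias %ALIAS% -file krd_ru.crt -keystore %KS%

rem 5. List the keystore and check the entry stored under the alias.
%KEYTOOL% -list -v -keystore %KS%
```

The import in step 4 should report "Certificate reply was installed in keystore" rather than "Certificate was added to keystore". In the listing, the alias should appear as a PrivateKeyEntry whose certificate chain leads up to the CA certificates.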


Thank you very much.

I was able to create the keystore using KeyStore Explorer. In Google Chrome the website opens normally, but Firefox complains about the certificate.