SSL Certificate Import to ssa.jks Failed

Document ID : KB000103467
Last Modified Date : 26/06/2018
Issue:
I have downloaded some new digi-certs that work with Chrome. I deleted the old certs from the ssa.jks and imported the new ones. I am now getting an error message: "Unsupported protocol. The client and server don't support a common SSL protocol version or cipher suite."
Cause:
- The certificate file was in p7b format 
- ssa.jks file only had the certificate and no key
Resolution:
- Open the p7b file that contains the SSL certificates, right-click the opened file, and convert it to X.509 format. The certificates will be extracted into multiple files in X.509 format.
- Use the following OpenSSL command to create a pfx file that contains the certificate together with its key
  NOTE: OpenSSL is an open source third-party utility which can be downloaded from the internet.
  C:\openSSL>openssl pkcs12 -export -out ssa.pfx -inkey <path to>\yourkey.key -in <path to>\your.crt -certfile <path to additional crt>\yoursecond.crt
  NOTE: yourkey.key, your.crt and yoursecond.crt need to be replaced with the actual key and crt file names and their paths. The certificate file extension can be crt, cer or something else.
- Once the pfx file is created, you can create the ssa.jks file and import the certificates and the key into it. You can use the keytool command from the CA\SOI\jre-64\bin folder to do it
   keytool -importkeystore -srckeystore <path to>\ssa.pfx -srcstoretype pkcs12 -destkeystore <path to>\ssa.jks -deststoretype jks
   Enter destination keystore password: <type catalyst>
   Re-enter new password:<type catalyst>
   Enter source keystore password: <type catalyst>
   - Here is what you'll see when the command is successful
   Entry for alias 1 successfully imported.
   Import command completed:  1 entries successfully imported, 0 entries failed or
   cancelled
   NOTE: You'll need to enter the password as catalyst; this is the default password SOI uses. If you change the password to something else, you'll have to make changes to a few SOI files to reflect it. The password and alias name in the keystore file can always be changed later on using the keytool command.
- The ssa.jks created above will contain an entry with the alias name 1, which needs to be changed to tomcat using the following command
   keytool -changealias -keystore <path to>\ssa.jks -alias 1
   Enter destination alias name:  tomcat
   Enter keystore password: <type catalyst>
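
A check for the end state of this procedure, as an added example that is not part of the original article or the product's tooling: it parses the English output of `keytool -list -v -keystore <path to>\ssa.jks` and confirms that the tomcat alias holds a private key rather than only a certificate (the second cause listed above). The function names and sample listings are constructed for illustration, and the chain-length check assumes a CA-issued certificate with at least one intermediate, as supplied through -certfile.

```python
import re

# Constructed `keytool -list -v` listings (not captured from a real system).
# CERT_ONLY is the state described under Cause: certificate present, no key.
CERT_ONLY = """Alias name: tomcat
Creation date: Jun 26, 2018
Entry type: trustedCertEntry
Owner: CN=soi.example.test
"""
# WITH_KEY is the state after the pfx import and the -changealias step.
WITH_KEY = """Alias name: tomcat
Creation date: Jun 26, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=soi.example.test
"""

def parse_entries(listing):
    """Return {alias: {"type": str, "chain": int}} from keytool -list -v text."""
    entries, current = {}, None
    for line in listing.splitlines():
        line = line.strip()
        if m := re.match(r"Alias name:\s*(.+)", line):
            current = entries.setdefault(m.group(1).strip(),
                                         {"type": None, "chain": 0})
        elif current is not None and (m := re.match(r"Entry type:\s*(\S+)", line)):
            current["type"] = m.group(1)
        elif current is not None and (
                m := re.match(r"Certificate chain length:\s*(\d+)", line)):
            current["chain"] = int(m.group(1))
    return entries

def check_keystore(listing, alias="tomcat"):
    """Return a list of problems; an empty list means key and chain are present."""
    entries = parse_entries(listing)
    entry = entries.get(alias)
    if entry is None:
        return [f"alias '{alias}' not found (aliases: {sorted(entries)})"]
    if entry["type"] != "PrivateKeyEntry":
        return [f"alias '{alias}' is {entry['type']}: certificate only, no private key"]
    if entry["chain"] < 2:  # assumption: CA-issued cert with an intermediate
        return [f"alias '{alias}' chain length {entry['chain']}: intermediate missing"]
    return []

if __name__ == "__main__":
    for name, text in (("cert-only", CERT_ONLY), ("with-key", WITH_KEY)):
        print(name, check_keystore(text) or "OK")
```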