How to Identify and Install GoDaddy SSL Certificate Files (gd_bundle, gdig2, 2b9918dccf2f1d.crt) in Tomcat



When working with GoDaddy SSL certificates for Tomcat, you'll typically receive three critical files:

gd_bundle-g2-g1.crt
gdig2.crt  
2b9918dccf2f1d.crt

Here's how to distinguish them:

  • 2b9918dccf2f1d.crt - Your primary server certificate (contains your domain name)
  • gd_bundle-g2-g1.crt - The intermediate certificate bundle
  • gdig2.crt - GoDaddy's root certificate

You can inspect each file using OpenSSL:

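openssl x509 -in 2b9918dccf2f1d.crt -text -noout
openssl x509 -in gdig2.crt -text -noout
# openssl x509 reads only the first certificate in a file, so list every certificate in the bundle:
openssl crl2pkcs7 -nocrl -certfile gd_bundle-g2-g1.crt | openssl pkcs7 -print_certs -text -noout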

For proper installation in server.xml:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/keystore.jks"
           keystorePass="yourpassword"
           clientAuth="false" sslProtocol="TLS"
           keyAlias="tomcat" />

The complete import process:

# Import the root and intermediate certificates first so keytool can build the chain
keytool -import -alias root -keystore keystore.jks -trustcacerts -file gdig2.crt
keytool -import -alias intermed -keystore keystore.jks -trustcacerts -file gd_bundle-g2-g1.crt
# Use the same alias as the private key entry that was used to generate the CSR
keytool -import -alias tomcat -keystore keystore.jks -file 2b9918dccf2f1d.crt

  • Ensure the certificate chain is complete
  • Verify the private key matches the CSR
  • Check Tomcat's SSL logs for errors

Use this OpenSSL command to verify:

openssl s_client -connect yourdomain.com:443 -showcerts

When working with GoDaddy SSL certificates for Tomcat installations, you'll typically receive three critical files:

gd_bundle-g2-g1.crt  // Intermediate certificate bundle
gdig2.crt            // Root certificate
2b9918dccf2f1d.crt   // Your domain's primary certificate

Here's how to programmatically inspect each certificate type using OpenSSL:

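# openssl x509 reads only the first certificate in the bundle file
openssl x509 -in gd_bundle-g2-g1.crt -text -noout | grep "CA:TRUE"
# A root certificate is self-signed: its subject and issuer lines are identical
openssl x509 -in gdig2.crt -noout -subject -issuer
openssl x509 -in 2b9918dccf2f1d.crt -text -noout | grep "DNS:"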
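
Added example (not part of the original page): the one-line checks above look at only the first certificate in each file. This script splits each PEM file into its individual certificates and labels each one leaf, intermediate or root from its subject, issuer and CA flag. The function names are hypothetical, and treating "subject equals issuer" as root is an assumption that holds for self-signed CA certificates.

```shell
#!/usr/bin/env bash
# Added example: label every certificate in the given PEM files as
# leaf, intermediate or root. The inspection step requires openssl.

# Split PEM file $1 into one file per certificate under directory $2
# and print how many certificates were found.
split_pem() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }' "$1"
}

# classify SUBJECT ISSUER IS_CA(yes|no)
# Assumption: a CA certificate whose subject equals its issuer is a root.
classify() {
  if [ "$3" != "yes" ]; then echo "leaf"
  elif [ "$1" = "$2" ]; then echo "root"
  else echo "intermediate"
  fi
}

# Print "<file>#<index> <role> <subject>" for each certificate in file $1.
inspect_file() {
  local file="$1" tmp count i pem subject issuer is_ca
  tmp="$(mktemp -d)" || return 1
  count="$(split_pem "$file" "$tmp")"
  i=1
  while [ "$i" -le "$count" ]; do
    pem="$(printf '%s/cert-%02d.pem' "$tmp" "$i")"
    subject="$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')"
    issuer="$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')"
    if openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE'; then is_ca=yes; else is_ca=no; fi
    echo "${file}#${i} $(classify "$subject" "$issuer" "$is_ca") ${subject}"
    i=$((i + 1))
  done
  rm -rf "$tmp"
}

# Usage: ./classify_certs.sh 2b9918dccf2f1d.crt gdig2.crt gd_bundle-g2-g1.crt
for f in "$@"; do inspect_file "$f"; done
```

A file whose certificates all report "intermediate" or "root" belongs in the chain; the one reporting "leaf" is the certificate issued for your domain.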

For your Tomcat server.xml configuration, use this pattern:

<Connector 
    port="8443" 
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" 
    SSLEnabled="true" 
    scheme="https" 
    secure="true"
    keystoreFile="/path/to/your_keystore.jks"
    keystorePass="your_password"
    keyAlias="tomcat"
    sslProtocol="TLS"
    truststoreFile="/path/to/truststore.jks"
    truststorePass="truststore_password"
/>

To properly create the certificate chain file for Tomcat:

cat 2b9918dccf2f1d.crt gd_bundle-g2-g1.crt > domain_chain.crt

Verify your installation with this OpenSSL command:

openssl s_client -connect yourdomain.com:443 -showcerts

Look for these critical indicators in the output:

  • Complete certificate chain (2-3 certificates)
  • No "self-signed certificate" warnings
  • Proper SAN (Subject Alternative Name) entries

For quick validation, use this bash script:

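#!/bin/bash
# Print the validity dates, issuer and subject of the certificate the server presents
DOMAIN="yourdomain.com"
PORT=443

echo "Testing ${DOMAIN}:${PORT}..."
# </dev/null closes stdin so s_client exits after the handshake instead of waiting for input
openssl s_client -connect "${DOMAIN}:${PORT}" -servername "${DOMAIN}" </dev/null 2>/dev/null | \
  openssl x509 -noout -dates -issuer -subject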