Missing Root or Intermediate Certificates
When enabling Tomcat for SSL/TLS with a certificate signed by a Certificate Authority (CA) that is not contained in the default JVM trust store, usually located at $JAVA_HOME/lib/security/cacerts, an error may be displayed. Without having to override the trust store, the following instructions take you through ensuring that the intermediate and root certificates are included in the keystore provided to Tomcat. The result is that Tomcat can serve the intermediate and root CA certificates to the client during the SSL/TLS handshake, instead of relying on the client already trusting them.
1. File a Certificate Signing Request (CSR) with the Certificate Authority (CA) of choice. Follow the instructions provided by your chosen CA.
2. Create the PKCS#12 keystore using OpenSSL.
3. Update the Tomcat server.xml configuration file to use the PKCS#12 keystore:
a. Navigate to <tomcat_home>/conf/, and open server.xml in a text editor.
b. Ensure that there is a Connector element like this:
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="/path/to/yourpkcs12.p12"
           keystorePass="yourpkcs12.p12 password"
           keystoreType="PKCS12" />
4. Restart Tomcat, using the appropriate means for your environment.
5. Verify that it works in a browser by pointing your browser to your ThingWorx Platform. For example:
https://<yourThingWorxHost>:8443/Thingworx/Composer/index.html
You should be able to log in to ThingWorx Composer.
If your browser reports that the site is not trusted, it means that the browser was unable to authenticate the server based on the trusted root CA certificates that are stored in the browser, and/or the certificate chain that the server provides to your browser.
Make sure that your certificate has a path back to a root CA.
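The following script is an added example and not part of the original instructions. It shows step 2 in practice: building the PKCS#12 keystore so that it holds the server certificate together with the intermediate and root CA certificates (the -certfile argument), and then checking how many certificates the .p12 actually contains. The CA chain, host name, file names and the password "changeit" are all constructed for the demo; with a real CA you would use the server certificate and the chain file your CA issued instead of make_demo_chain.

```shell
#!/bin/sh
# Added example (not from the original page): build a PKCS#12 keystore that
# carries the server certificate AND its intermediate and root CA certs, so
# Tomcat can send the full chain during the TLS handshake. Every name, path
# and the password "changeit" below is constructed for this demo.
set -e

# Constructed stand-in for a real CA: root -> intermediate -> server cert.
# In practice you receive server.crt and the CA chain from your CA instead.
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=thingworx.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/server.crt" 2>/dev/null
}

# Build the keystore for Tomcat. -certfile is the important part: without it
# the .p12 holds only the leaf and Tomcat cannot serve the missing CAs.
build_pkcs12() {
    d=$1; pass=$2
    cat "$d/int.crt" "$d/root.crt" > "$d/chain.crt"   # intermediate(s) first, root last
    openssl pkcs12 -export -name tomcat \
        -in "$d/server.crt" -inkey "$d/server.key" -certfile "$d/chain.crt" \
        -passout "pass:$pass" -out "$d/yourpkcs12.p12"
}

# Count the certificates stored in a .p12 (leaf + intermediate + root = 3).
# Prints 0 if the file cannot be opened, e.g. with a wrong password.
count_p12_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Stand-alone run: build everything in a temp dir and report what the .p12 holds.
demo() {
    d=$(mktemp -d)
    make_demo_chain "$d"
    build_pkcs12 "$d" changeit
    echo "certificates in $d/yourpkcs12.p12: $(count_p12_certs "$d/yourpkcs12.p12" changeit)"
}
demo
```

Point keystoreFile at the resulting yourpkcs12.p12 and keystorePass at the password you passed to -passout; a count of 1 means the chain was left out and the browser will have to find the intermediate on its own.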
Notes
The use of port 8443 and maxThreads of 150 are just examples. You may substitute your own values.
If you would prefer to use a Java KeyStore (JKS) rather than the PKCS#12 format, convert the keystore to JKS. Then use the following settings for the keystore:
keystoreFile="/path/to/yourjks.jks"
keystorePass="your jks password"
You do not need the keystoreType setting in the Tomcat configuration file since JKS is the default.