Configuring SSL on Tomcat
Use Apache + tomcat connector or mod_proxy whenever possible. Using tomcat as a web server is a bad idea.

Step 1: Generate a keystore with a private key
$ keytool -genkey -keystore my.keystore -storepass mysecret -alias tomcat -dname "cn=tomcat,ou=admin,o=myorg,c=us"
Step 2: Generate a CSR from that private key
$ keytool -certreq -keystore my.keystore -storepass mysecret -alias tomcat -file tomcat_req.csr
Step 3: Sign the CSR with a self-generated CA cert or submit the CSR to a trusted signer
$ openssl x509 -req -in tomcat_req.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 360 -out www.mydomain.com.crt
(-CAcreateserial creates the CA's serial-number file, ca.srl, the first time; without it openssl fails when that file does not exist yet.)
Step 4: Import the CA certificate into the keystore. If the certificate is issued by a trusted signer, import their CA certificate (and any intermediate certificates).
If you skip this step and go directly to step 5, you will get this error message:
keytool error: java.lang.Exception: Failed to establish chain from reply
Self-signed
$ keytool -import -keystore my.keystore -storepass mysecret -alias MyCA -file ca.crt -trustcacerts
GoDaddy
GoDaddy's CA certs: https://certificates.godaddy.com/Repository.go
$ keytool -import -keystore my.keystore -storepass mysecret -alias gd_intermediate -file gd_intermediate.crt.1 -trustcacerts
$ keytool -import -keystore my.keystore -storepass mysecret -alias gd_cross_intermediate -file gd_cross_intermediate.crt.1 -trustcacerts
$ keytool -import -keystore my.keystore -storepass mysecret -alias gd-class2-root -file gd-class2-root.crt -trustcacerts
# say yes on the last one
Step 5: Import the SSL certificate into the keystore
$ keytool -import -keystore my.keystore -storepass mysecret -alias tomcat -file www.mydomain.com.crt
Certificate reply was installed in keystore
Step 6: Configuring the Tomcat connector
Create a connector like the following one (this is the Tomcat 4 Coyote connector syntax; later Tomcat versions use different attribute names):

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           address="1.2.3.4" port="443"
           minProcessors="5" maxProcessors="75"
           enableLookups="true" acceptCount="10" debug="0"
           scheme="https" secure="true" useURIValidationHack="false">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" protocol="TLS"
           keystoreFile="/secure/my.keystore" keystorePass="mysecret" />
</Connector>
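Added example, not from the original page: a POSIX shell script that drives steps 1 through 5 with a throwaway self-signed CA and runs openssl verify against the CA bundle before anything is imported, which is the check that keeps keytool from failing with the chain error in step 4. It assumes openssl and keytool are on PATH; the working directory, file names, DN and store password are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original page. Builds a throwaway CA, drives the
# page's steps 1-5 with placeholder names, and checks the CA chain with openssl
# before importing, the check that avoids keytool's
# "Failed to establish chain from reply". Assumes openssl and keytool on PATH.
set -eu

WORK=${WORK:-./tomcat-ssl-demo}        # placeholder working directory
STOREPASS=${STOREPASS:-mysecret}       # placeholder; never ship a real secret this way

# Self-signed CA used in place of a commercial signer.
make_ca() {
  mkdir -p "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA/O=myorg/C=US" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# sign_csr csr_file out_crt : step 3, sign with the CA from make_ca; writes out_crt.
sign_csr() {
  openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 360 -out "$2" 2>/dev/null
}

# chain_ok bundle cert : 0 if cert chains to bundle (all intermediates + root concatenated).
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Steps 1-3: private key in the keystore, CSR, CA-signed cert.
make_server_cert() {
  keytool -genkeypair -keyalg RSA -keysize 2048 -keystore "$WORK/my.keystore" \
    -storepass "$STOREPASS" -keypass "$STOREPASS" -alias tomcat \
    -dname "cn=www.mydomain.com,ou=admin,o=myorg,c=us"
  keytool -certreq -keystore "$WORK/my.keystore" -storepass "$STOREPASS" -alias tomcat \
    -file "$WORK/tomcat_req.csr"
  sign_csr "$WORK/tomcat_req.csr" "$WORK/www.mydomain.com.crt"
}

# Steps 4-5, gated on the chain check so an incomplete bundle never reaches the keystore.
import_server_cert() {
  chain_ok "$WORK/ca.crt" "$WORK/www.mydomain.com.crt" || {
    echo "chain incomplete: fix the CA bundle before importing (step 4)" >&2; return 1; }
  keytool -importcert -noprompt -trustcacerts -keystore "$WORK/my.keystore" \
    -storepass "$STOREPASS" -alias MyCA -file "$WORK/ca.crt"
  keytool -importcert -keystore "$WORK/my.keystore" -storepass "$STOREPASS" \
    -alias tomcat -file "$WORK/www.mydomain.com.crt"
}
```

Run make_ca, make_server_cert and import_server_cert in that order; for a commercial signer, replace ca.crt in chain_ok with the concatenated intermediate and root certificates they publish.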
Converting existing PEM key / cert into Java Keystore
Original link: http://www.agentbob.info/agentbob/79-AB.html
Change key and cert into DER format
openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
Run ImportKey
java ImportKey key.der cert.der alias_name
List cert content
Export the cert and pipe it to openssl. The -rfc option produces PEM output.
keytool -export -keystore server.keystore -alias www.domain.com -storepass foo1234 -rfc | openssl x509 -noout -subject