Today I will be walking you through the process of setting up your Tomcat installation to use a public SSL certificate. I will be using examples from my Ubuntu 11 box, but this will work with any Linux-based Tomcat install. We should have you up and running in just a few minutes. Here is what we are going to do:
- Enable and initialize an empty keystore
- Generate a certificate signing request (CSR)
- Add a root certificate authority (CA) to your keystore
- Import the generated certificate for use in Tomcat
To create and configure a public certificate for your Tomcat installation:
- Open an SSH terminal to the server.
- In the terminal, navigate to the Tomcat directory by typing the following command:
- Type the following command to generate the keystore:
sudo keytool -genkey -alias Tomcat -keysize 2048 -keyalg RSA -keystore /var/lib/tomcat/.mykeystore
- Fill in the appropriate information when prompted. Type a new keystore password, and when the prompt asks for a first and last name, enter the server's Fully Qualified Domain Name (FQDN). The other fields matter less than the first and last name, because that value becomes the host name the SSL certificate is valid for.
- Let’s now generate a certificate signing request by typing the following command:
sudo keytool -certreq -alias tomcat -keystore /var/lib/tomcat/.mykeystore -file godaddy-ssl-cert.req
- Copy the entire text of the .req file and paste it into the certificate request field of the GoDaddy SSL request form on the Godaddy.com website. Once the request is approved, GoDaddy will provide a zip file for download that includes your new SSL certificate and the GoDaddy root CA certificate. We will be installing both certificates into the keystore, so you will need to copy them up to your Ubuntu (Linux) system.
- Import the CA’s root certificate using the following command: (Replace the file location with the location you placed your new certificates from GoDaddy)
sudo keytool -import -trustcacerts -alias rootCA -file /home/myuser/gd_bundle.crt -keystore /var/lib/tomcat/.mykeystore
- Import your certificate signed by GoDaddy by typing the following command: (Replace myFQDN.crt with the file name and location of the new GoDaddy certificate)
sudo keytool -import -alias tomcat -keystore /var/lib/tomcat/.mykeystore -trustcacerts -file /home/myuser/myFQDN.crt
- Lastly, we will edit the /var/lib/tomcat/conf/server.xml file. Point the "keystoreFile" attribute to the location of the keystore, and include the "keystorePass" attribute containing the password to your keystore. This is the part of the file that you should modify:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/var/lib/tomcat/.mykeystore"
           keystorePass="your keystore password" />
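As an added check (example code written for this post, not part of the original instructions or of Tomcat itself), the following Python script parses a server.xml and reports every SSL-enabled connector that is missing the keystoreFile or keystorePass attribute or the scheme/secure flags shown above. The embedded server.xml is a constructed sample whose first connector reproduces the easy mistake of setting keystorePass without keystoreFile.

```python
"""Audit the SSL connectors in a Tomcat server.xml for the attributes set in this how-to."""
import xml.etree.ElementTree as ET

# Constructed sample (not a real deployment): connector 8443 lacks keystoreFile,
# connector 8444 is configured as the how-to describes, and 8080 is plain HTTP.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystorePass="changeit" />
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="/var/lib/tomcat/.mykeystore"
               keystorePass="changeit" keyAlias="tomcat" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>"""

REQUIRED = ("keystoreFile", "keystorePass")


def audit_connectors(xml_text):
    """Return {port: [findings]} for every Connector with SSLEnabled="true".

    An empty findings list means the connector carries every attribute this
    how-to expects; non-SSL connectors are skipped entirely.
    """
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        problems = []
        for attr in REQUIRED:
            if not conn.get(attr):
                problems.append("missing %s" % attr)
        if conn.get("scheme") != "https" or conn.get("secure", "").lower() != "true":
            problems.append('set scheme="https" secure="true" so Tomcat treats requests as secure')
        keystore = conn.get("keystoreFile", "")
        if keystore and not keystore.startswith("/"):
            # Tomcat resolves a relative keystoreFile against CATALINA_BASE, which is
            # rarely what was intended when the keystore lives under /var/lib/tomcat.
            problems.append("keystoreFile is a relative path")
        findings[port] = problems
    return findings


if __name__ == "__main__":
    for port, problems in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not problems else "; ".join(problems))
```

To audit a real deployment, pass `open("/var/lib/tomcat/conf/server.xml").read()` to audit_connectors; because keystorePass is stored in clear text there, keep server.xml readable only by the account Tomcat runs as.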
The instructions below can be followed to update a certificate, assuming you will be using the same keystore.
How-To clear the Tomcat alias:
1. Open an SSH terminal session to Ubuntu.
2. Create a backup of the previous alias by typing the following command:
sudo keytool -export -alias Tomcat -keystore /var/lib/tomcat/.mykeystore -file MyBackup.cer
3. After a successful backup, type the following command to clear out the Tomcat alias:
sudo keytool -delete -alias Tomcat -keystore /var/lib/tomcat/.mykeystore
You should now be able to run the commands to create and import a new certificate.
I hope this makes quick work for someone out there.