How to set up Tomcat to consume the HTTPS cert

After I get my signed SSL/HTTPS certificate from a CA, I need to use it in a web server such as Apache, nginx or Tomcat. Here I give one example of how to import the cert into a keystore and then configure Tomcat to use it on port 443:

1. To import an existing certificate signed by a root CA into a PKCS12 keystore using OpenSSL, you would run a command like:

openssl pkcs12 -export -in wayneshare.crt -inkey mykey.key -out wayneshare.p12 -name mycerts -CAfile myCA.crt -caname root -chain

Or by keytool:

The cert you get from a CA is normally signed through several levels of CA certificates; it is a certificate chain. So if you import the chain into your keystore with keytool, you need to import the CA certs first, level by level:

keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>

And finally you can import your signed certificate:

keytool -import -alias mycerts -keystore <your_keystore_filename> -trustcacerts -file <your_certificate_filename>

For example, in my case I have two levels of CA cert to import before I import my real cert:

keytool -import -alias root -keystore keystore.jks -trustcacerts -file wayneshare_com.ca0.crt
keytool -import -alias intermed -keystore keystore.jks -trustcacerts -file wayneshare_com.ca1.crt
keytool -import -alias waynecert -keystore keystore.jks -storepass mypass -trustcacerts -file wayneshare_com.crt

2. After the cert is added to the keystore, we can now edit Tomcat's server.xml to point the HTTPS connector at the keystore:

<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="443" maxThreads="500"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="/home/certificate/keystore.jks" keystorePass="mypass"
    clientAuth="false" sslProtocol="TLS"/>

/home/certificate/ is the folder I use for my certs and keystores.

3. Restart Tomcat and you should be serving HTTPS on port 443!
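The three steps above, run end to end against a throwaway chain, as an added example that is not part of the original post: it generates a root CA, an intermediate CA and a server cert with openssl (so the two-level chain of the post can be reproduced offline), packages key, leaf and chain into the PKCS12 keystore of step 1, checks that the keystore really holds the full chain, and writes the step 2 Connector for that file. Everything here is constructed: the names (Demo Root CA, www.example.test), the password "changeit", the file paths, and the function names; it assumes openssl on PATH, and the Connector attributes keystoreType, keyAlias and sslEnabledProtocols are Tomcat's JSSE connector attributes for the same connector style the post uses (Tomcat 8.5+ also accepts the nested SSLHostConfig form, which is not shown).

```shell
#!/bin/sh
# Added example (not the post's own commands): build a demo chain, package it
# as the PKCS12 keystore Tomcat reads, verify the chain, emit the Connector.
set -eu

PASS="changeit"   # keystore password; constructed demo value only

# Minimal openssl config: an empty DN section so -subj can be used, plus the
# extensions that make a CA certificate differ from a server certificate.
write_cfg() {
    cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
}

# Root CA -> intermediate CA -> server cert: the two-level chain of the post.
build_demo_chain() {
    d="$1"; write_cfg "$d"
    openssl genrsa -out "$d/root.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/root.key" -subj "/CN=Demo Root CA" -days 1 \
        -config "$d/demo.cnf" -extensions v3_ca -out "$d/root.crt"
    openssl genrsa -out "$d/inter.key" 2048 2>/dev/null
    openssl req -new -key "$d/inter.key" -subj "/CN=Demo Intermediate CA" \
        -config "$d/demo.cnf" -out "$d/inter.csr"
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/demo.cnf" -extensions v3_ca \
        -out "$d/inter.crt" 2>/dev/null
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -key "$d/server.key" -subj "/CN=www.example.test" \
        -config "$d/demo.cnf" -out "$d/server.csr"
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -days 1 -extfile "$d/demo.cnf" -extensions v3_server \
        -out "$d/server.crt" 2>/dev/null
    # CA bundle in issuing order: intermediate first, root last.
    cat "$d/inter.crt" "$d/root.crt" > "$d/chain.pem"
}

# Step 1, openssl variant: key + leaf + CA chain into one PKCS12 file.
# -certfile adds the chain verbatim, so no trust-store lookup is needed.
package_pkcs12() {
    openssl pkcs12 -export -in "$1/server.crt" -inkey "$1/server.key" \
        -certfile "$1/chain.pem" -name mycerts -out "$1/keystore.p12" \
        -passout "pass:$PASS"
}

# Number of certificates in the keystore (3 for this chain).
count_p12_certs() {
    openssl pkcs12 -in "$1/keystore.p12" -passin "pass:$PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Extract the leaf and verify it chains to the root via the intermediate.
# A keystore missing a level fails here; Tomcat would serve an incomplete chain.
verify_chain() {
    openssl pkcs12 -in "$1/keystore.p12" -passin "pass:$PASS" -nokeys -clcerts \
        -out "$1/leaf.pem" 2>/dev/null
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" "$1/leaf.pem"
}

# Step 2 adapted to the PKCS12 file: the password comes from a JVM system
# property (Tomcat expands ${...} in server.xml) instead of clear text.
write_connector() {
    cat > "$1/connector.xml" <<EOF
<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="443" maxThreads="500"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="$1/keystore.p12" keystoreType="PKCS12" keyAlias="mycerts"
    keystorePass="\${keystore.password}"
    clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.3"/>
EOF
}

run_demo() {
    d=$(mktemp -d)
    build_demo_chain "$d" && package_pkcs12 "$d" && verify_chain "$d"
    write_connector "$d"
    echo "certificates in keystore.p12: $(count_p12_certs "$d")"
    echo "keystore and connector snippet written under $d"
}

case "${1-}" in --run) run_demo ;; esac
```

Run it as `sh demo.sh --run`; the keystore password is then supplied to Tomcat as `-Dkeystore.password=...` in CATALINA_OPTS rather than stored in server.xml. If you take the keytool route from step 1 instead, the final `-import` of the signed certificate must use the alias under which `keytool -genkeypair` created the private key (the one the CSR was made from); with any other alias keytool stores the certificate as a trusted entry with no key, and Tomcat cannot serve it.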
